Bug 100245 - app-text/pstotext: Arbitrary Postscript Code Execution by pstotext
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/16183/
Whiteboard: B2 [glsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-25 09:06 UTC by Jimi A.
Modified: 2005-07-31 10:37 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Debian patch for this issue (pstotext_dsafer-1.diff,668 bytes, patch)
2005-07-26 07:57 UTC, Stefan Cornelius (RETIRED)
Patch for package (safer.patch,2.67 KB, patch)
2005-07-27 07:06 UTC, Jan Jitse Venselaar

Description Jimi A. 2005-07-25 09:06:39 UTC
Max Vozeler has reported a vulnerability in pstotext, which can be exploited by
malicious people to compromise a vulnerable system.

The vulnerability is caused due to pstotext not using the "-dSAFER" option when
calling GhostScript to extract plain-text from PostScript files. This
potentially allows malicious PostScript code to execute arbitrary commands on
the system.

The vulnerability has been reported in version 1.9. Other versions may also be
affected.

Reproducible: Always
Solution:
Only use pstotext on trusted files.
Comment 1 Jimi A. 2005-07-25 09:09:24 UTC
http://secunia.com/advisories/16183/
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-25 09:55:27 UTC
Ok, there is no active maintainer so I CC'ed the ones from the changelog and
maintainer-needed. If there is no volunteer to get this done, we might have to
mask or remove this package.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-26 07:57:54 UTC
Created attachment 64353
Debian patch for this issue

This is a patch for this issue taken from the Debian bug. Still nobody wants to
do this?
Comment 4 Jan Jitse Venselaar 2005-07-27 07:06:34 UTC
Created attachment 64443
Patch for package

This patch updates the ebuild, so it cannot be easier. Still needs a ChangeLog
entry and a GnuPG signature, but I'm not a developer, so I cannot do that.
Comment 5 solar (RETIRED) gentoo-dev 2005-07-27 09:41:18 UTC
pstotext-1.8g-r1 is in the tree with the deb patch. 
KEYWORDS= ~amd64 ~x86 ~ppc ~sparc ~ppc64
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-27 10:48:06 UTC
Thanks a lot for the help bumping!
Arches, please test pstotext-1.8g-r1 and mark stable, also thanks.
Comment 7 Jory A. Pratt 2005-07-27 10:56:18 UTC
Stable on PPC
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2005-07-27 13:10:27 UTC
stable on ppc64
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2005-07-27 13:11:43 UTC
sparc stable.
Comment 10 solar (RETIRED) gentoo-dev 2005-07-30 11:19:30 UTC
Passes local regression testing.
I processed 236 .ps files without error, and confirmed it now uses -dSAFER when
calling gs.

stable on x86.

It appears to not free a small chunk of memory before exiting and could
probably use a wee bit of Makefile and gcc syntax loving at a later time.

amd64 never appears to have had it marked stable. This would be a good time to go
ahead and do it.
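
One way to repeat the check described in Comment 10 (that gs is called with -dSAFER), added here as an example and not part of the bug report, the attached patches or the pstotext code. It assumes the program under test finds gs through PATH; the function names, the log file name and the "--end--" marker are hypothetical.

```shell
#!/bin/sh
# Audit how a program invokes Ghostscript by shadowing `gs` on PATH with a
# shim that records its arguments and never interprets any PostScript.

# make_gs_shim DIR: create DIR/gs, which appends one argument per line to
# DIR/gs-argv.log and closes each invocation with a "--end--" marker line.
# (Arguments containing newlines are not handled by this log format.)
make_gs_shim() {
    mkdir -p "$1"
    cat > "$1/gs" <<EOF
#!/bin/sh
for a in "\$@"; do printf '%s\n' "\$a"; done >> "$1/gs-argv.log"
printf '%s\n' '--end--' >> "$1/gs-argv.log"
EOF
    chmod +x "$1/gs"
}

# audit_gs_log LOG: return 0 only if every recorded invocation carries
# -dSAFER and none carries -dNOSAFER; 1 if any invocation fails the check;
# 2 if nothing was recorded (gs not reached through PATH, or never called).
audit_gs_log() {
    [ -s "$1" ] || { echo "no gs invocation recorded" >&2; return 2; }
    awk '
        $0 == "-dSAFER"   { safer = 1 }
        $0 == "-dNOSAFER" { nosafer = 1 }
        $0 == "--end--"   {
            n++
            if (!safer || nosafer) {
                bad++
                print "invocation " n ": not restricted by -dSAFER"
            }
            safer = 0
            nosafer = 0
        }
        END { exit (bad > 0 || n == 0) }
    ' "$1"
}

# Usage (pstotext and sample.ps are whatever is installed locally):
#   d=$(mktemp -d); make_gs_shim "$d"
#   PATH="$d:$PATH" pstotext sample.ps >/dev/null 2>&1
#   audit_gs_log "$d/gs-argv.log" && echo "gs is called with -dSAFER"
```

A return code of 2 means the shim was never reached, so the result says nothing about the flags in that case.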
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-07-30 11:49:32 UTC
About amd64 testing: sure it's a good time to mark stable, but it shouldn't
block GLSA release.

Ready for GLSA
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-31 10:37:41 UTC
GLSA 200507-29. Thanks to everybody involved.