Bug 676212 - app-text/evince should not enable postscript by default
Summary: app-text/evince should not enable postscript by default
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-25 10:59 UTC by Hanno Böck
Modified: 2019-02-23 19:39 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hanno Böck gentoo-dev 2019-01-25 10:59:27 UTC
evince has +postscript in IUSE, making it the default.

Postscript support is opening up evince to very dangerous code execution vulnerabilities. Given that evince also installs a thumbnailer, basically viewing a directory with a malicious Postscript file is enough to gain code execution.

The background is that postscript is effectively not just a document format, but a programming language. The ghostscript software has a weak "sandbox" (the -DSAFER parameter) which evince uses (through libspectre), but there's a constant flood of bugs bypassing this protection. Tavis Ormandy just published an exploit that works in the latest version of ghostscript [1].

Upstream disabled postscript by default a while ago [2].

As a first step I think evince should disable postscript by default. But even just enabling it with USE="postscript" seems dangerous to me, as users wouldn't be aware that enabling postscript support also enables code execution vulnerabilities. Maybe renaming the use flag to "postscript-dangerous" or having some "IKNOWWHATIMDOING" var that needs to be set.


[1] https://www.openwall.com/lists/oss-security/2019/01/23/5
[2] https://gitlab.gnome.org/GNOME/evince/commit/1621cacf75ebff4ab4ab0fa6855977a2d8da0ac6
Comment 1 Gilles Dartiguelongue (RETIRED) gentoo-dev 2019-01-25 15:37:38 UTC
ack on disabling the USE flag by default. If you consider renaming it, you most likely want to do it distribution-wise though.
Comment 2 Mart Raudsepp gentoo-dev 2019-01-25 19:12:27 UTC
I am fine with changing IUSE=+postscript to just IUSE=postscript.

Thumbnailers are sandboxed with gnome-desktop-3.26 and newer, except for alpha, ia64, m68k, sh and sparc.

There will be no individual USE flag renaming, as this is no more insecure than all other distro-wide IUSE=postscript usages.
If you ask for postscript support - you get it.
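As an added illustration of the IUSE default discussed in the description and in Comment 2 (example code, not from this bug or the Gentoo repository), a small POSIX shell helper that lists the flags an ebuild enables by default (the ones prefixed with `+`) and checks whether postscript is among them. The two IUSE lines are constructed samples standing in for the ebuild before and after the fix, not the real evince ebuild.

```shell
#!/bin/sh
# Constructed sample IUSE lines (not copied from the real evince ebuild):
# "before" carries the +postscript default the bug complains about,
# "after" has the + removed, which is what the closing commit does.
EBUILD_BEFORE='IUSE="djvu dvi gnome +introspection nautilus +postscript tiff xps"'
EBUILD_AFTER='IUSE="djvu dvi gnome +introspection nautilus postscript tiff xps"'

# default_enabled_flags: given ebuild text on $1, print the USE flags that
# are enabled by default (those with a leading '+'), one per line, '+' stripped.
default_enabled_flags() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*IUSE="\(.*\)"/\1/p' \
    | tr ' ' '\n' \
    | sed -n 's/^+//p'
}

# postscript_default: succeed (exit 0) when "postscript" is default-enabled
# in the given ebuild text, i.e. a plain emerge would pull in the PS backend.
postscript_default() {
  default_enabled_flags "$1" | grep -qx 'postscript'
}

# Audit both samples; a real run would pass the contents of an ebuild file.
for sample in "$EBUILD_BEFORE" "$EBUILD_AFTER"; do
  if postscript_default "$sample"; then
    echo "default-enabled postscript: $sample"
  else
    echo "postscript is opt-in: $sample"
  fi
done
```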
Comment 3 Hanno Böck gentoo-dev 2019-01-25 19:19:10 UTC
Yeah, I think I'll open a separate bug on how to handle the general issue.

Let's just start with removing the + from evince.
Comment 4 Larry the Git Cow gentoo-dev 2019-02-23 19:39:25 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88959e1e79c27822192f67bb7d65bbed4990d4aa

commit 88959e1e79c27822192f67bb7d65bbed4990d4aa
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-02-23 18:34:29 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-02-23 19:38:24 +0000

    app-text/evince: don't default enable postscript (security concerns)
    
    Closes: https://bugs.gentoo.org/676212
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 app-text/evince/{evince-3.28.5.ebuild => evince-3.28.5-r1.ebuild} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)