Let's see if I get all the issues correctly:

1) When processing ghostscript files or translated pdf files, no -P- is given, causing gs to look in the current directory first.

That is the easiest to fix (see attached patch 002.patch). This problem causes gs to possibly execute postscript code one did not intend it to. The biggest danger seems to be having a gs_init.ps in the current directory, in which case even -dSAFER might not have an effect (as I can see it, it has its effect in gs_init.ps, so if that is replaced, no effect). For Lenny the patch breaks pdf file opening, as that version of gv does not add the DELAYSAFER option. (For that one also needs the differences 6907bf5..7f7ae12, see 003.patch.)

2) No -P- when scanning a pdf file with pdf2dsc.

There is no -P- option. The -dSAFER seems to be no unrelated danger, as ghostscript's pdf2dsc.ps is calling .setsafe unconditionally after having opened the file (at least in lenny the third line is: systemdict /.setsafe known { .setsafe } if). So the problem is again the postscript setup code (gs_init.ps) being replaced by a copy in the current directory unless -P- is given. Adding a -P- needs a change to this resource. I've not looked, but I fear a user having a .gv file might make changing the default hard, so a proper fix for this is not that easy...

3) Scanning pdf2dsc using pdf2dsc.ps.

Related to 2, there is another issue: the scanning is done by pdf2dsc.ps, which is specified on the command line. As far as I can tell, gs looks for files specified as command line arguments in the current directory first, even with -P-. So even with -P- this could be exploited by adding a pdf2dsc.ps in the current directory (think /tmp). I do not know how to fix this best. Perhaps shipping a postscript file with gv (thus one has an absolute path) that reads and executes the one from the system path?

4) Converting pdf files to postscript files is not called with -P- either, and not even with -dSAFER.

I'm not sure if the missing -dSAFER is an issue unrelated to ghostscript's brain-dead path traversal, as that command gets a pdf file and so has not that many commands available, but fixing that at the same time might be sensible. Again the missing -P- means a gs_init.ps in the same directory causes havoc. Again changing the default is easy, but users might have config files. Perhaps one should replace the first space with " -P- " in this string if there is no -P in it (so -P- and -P will cause the user to get their setting, otherwise a safe value is generated).

5) Issues with giving gs only a filename and not having made sure the file is correct.

Have I missed anything?

Bernhard R. Link
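The proposal in item 4, inserting " -P- " after the program name of a user-configurable gs command string unless the user already supplied a -P option, is shown below as an added example. This is not gv's code and not part of the patches attached to this mail; the function names ensure_option(), has_option() and check_option() and the sample command strings are constructed for illustration. The helper is written generically so the same call can also add -dSAFER where it is missing, which the mail mentions as a possible second fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if some whitespace-separated token of cmd starts with prefix
 * (e.g. prefix "-P" matches "-P-", "-P" and "-P/some/dir"), else 0.
 * Matching at token start only avoids false hits on values such as
 * "-sOutputFile=-P". */
static int has_option(const char *cmd, const char *prefix)
{
    size_t plen = strlen(prefix);
    const char *p = cmd;

    while (*p) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0')
            break;
        if (strncmp(p, prefix, plen) == 0)
            return 1;
        while (*p && *p != ' ' && *p != '\t')
            p++;
    }
    return 0;
}

/* Returns a malloc'd copy of cmd in which option has been inserted right
 * after the program name (the first token), unless a token starting with
 * prefix is already present, in which case the user's own setting is kept
 * and cmd is returned unchanged. Returns NULL on allocation failure.
 * Caller frees the result. */
char *ensure_option(const char *cmd, const char *prefix, const char *option)
{
    size_t len = strlen(cmd), optlen = strlen(option), head;
    const char *sp;
    char *out;

    out = malloc(len + optlen + 3);      /* worst case: " " + option + " " + NUL */
    if (out == NULL)
        return NULL;

    if (has_option(cmd, prefix)) {       /* user configured it explicitly */
        memcpy(out, cmd, len + 1);
        return out;
    }

    sp = strchr(cmd + strspn(cmd, " \t"), ' ');
    if (sp == NULL) {
        /* Bare program name, no arguments: append the option. */
        snprintf(out, len + optlen + 3, "%s %s", cmd, option);
    } else {
        /* Replace the first space with " <option> ", as proposed in item 4. */
        head = (size_t)(sp - cmd);
        memcpy(out, cmd, head);
        out[head] = ' ';
        memcpy(out + head + 1, option, optlen);
        out[head + 1 + optlen] = ' ';
        strcpy(out + head + 2 + optlen, sp + 1);
    }
    return out;
}

/* Small self-check helper: 1 if ensure_option() yields expected, else 0. */
int check_option(const char *cmd, const char *prefix, const char *option,
                 const char *expected)
{
    char *got = ensure_option(cmd, prefix, option);
    int ok = (got != NULL && strcmp(got, expected) == 0);
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed sample command strings, as a user might put in a config. */
    const char *samples[] = {
        "gs -dNOPAUSE -dBATCH -sDEVICE=pswrite",   /* gets " -P- " inserted */
        "gs -P/usr/share/ghostscript/lib -dBATCH", /* user's -P kept as is */
        "gs -dBATCH -P-",                          /* already safe, unchanged */
        "gs",                                      /* bare name, option appended */
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *fixed = ensure_option(samples[i], "-P", "-P-");
        printf("%-45s -> %s\n", samples[i], fixed ? fixed : "(alloc failed)");
        free(fixed);
    }
    return 0;
}
```

A caveat the mail itself raises still applies: -P- only stops the library search from starting in the current directory. A file named explicitly on the command line (such as pdf2dsc.ps in item 3) is still looked up relative to the current directory first, so this helper addresses items 1 and 4 but not item 3.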
From: Bernhard R. Link <brl...@debian.org> Date: Sat, 29 May 2010 14:19:16 +0200 Subject: Add -P- in safer mode. Without -P- gs will look in the current directory for postscript libraries first, so disable that when in safer mode. --- doc/gv.texi | 4 +++- src/Ghostview.c | 1 + 2 files changed, 4 insertions(+), 1 deletions(-) diff --git a/doc/gv.texi b/doc/gv.texi index b4cf127..211f983 100644 --- a/doc/gv.texi +++ b/doc/gv.texi @@ -216,7 +216,9 @@ usefull for viewing encrypted PDF files. @item --presentation Is actually a shortcut for @code{--fullscreen --noresize --scale=-1000 --widgetless}. @item --safer, --nosafer -Whether to start ghostscript with the @code{-dSAFER} option. +Whether to start ghostscript in safer mode +(that includes he @code{-dSAFER} option or the @code{-dDELAYSAFER} +mode where appropriate) and the @code{-P-} option. @item --spartan This is a shortcut for @code{--style=gv_spartan.dat}. @item --sty...@var{file} diff --git a/src/Ghostview.c b/src/Ghostview.c index 572794b..df1b56a 100644 --- a/src/Ghostview.c +++ b/src/Ghostview.c @@ -1444,6 +1444,7 @@ StartInterpreter(w) if (gvw->ghostview.quiet) argv[argc++] = "-dQUIET"; if (gvw->ghostview.safer) { + argv[argc++] = "-P-"; argv[argc++] = "-dSAFER"; # ifdef ALLOW_PDF /* The file created by pdf2dsc opens the original -- 1.5.6.5
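Review bot: typo in the doc/gv.texi hunk: the added line "+(that includes he @code{-dSAFER} option or the @code{-dDELAYSAFER}" should read "the @code{-dSAFER} option". The surrounding context line "usefull for viewing encrypted PDF files." has a second typo ("useful") that is not part of this change but could be fixed in the same paragraph while it is being edited.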
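Review bot: the src/Ghostview.c hunk adds `argv[argc++] = "-P-";` only inside the `if (gvw->ghostview.safer)` block of StartInterpreter(), so the other gs invocations the covering mail lists (the pdf2dsc scan in item 2 and the pdf-to-postscript conversion in item 4) still run without -P-; the commit message should say that this patch covers only the viewer process. The mail also states that on Lenny this change breaks pdf file opening unless the -dDELAYSAFER change (6907bf5..7f7ae12, 003.patch) is applied as well; that dependency belongs in the commit message too.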
diff --git a/src/Ghostview.c b/src/Ghostview.c index 6907bf5..7f7ae12 100644 --- a/src/Ghostview.c +++ b/src/Ghostview.c @@ -1442,6 +1442,12 @@ StartInterpreter(w) if (gvw->ghostview.safer) { argv[argc++] = "-dSAFER"; +# ifdef ALLOW_PDF + /* The file created by pdf2dsc opens the original + pdf file with the read operator. */ + if (gv_filename_dsc && (!gvw->ghostview.filename || !strcmp(gvw->ghostview.filename,"-"))) + argv[argc++] = "-dDELAYSAFER"; +# endif } if (gvw->ghostview.arguments) {
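Review bot: the hunk keeps `argv[argc++] = "-dSAFER";` and then, under `# ifdef ALLOW_PDF`, also adds "-dDELAYSAFER" when `gv_filename_dsc` is set and the input is stdin (`!gvw->ghostview.filename || !strcmp(gvw->ghostview.filename,"-")`), so gs is started with both options; the comment should state which mode actually results and that the file generated by pdf2dsc is expected to call .setsafe itself once it has read the original pdf, since with -dDELAYSAFER the restrictions are not applied at startup. The filename condition also deserves a short comment explaining why stdin input identifies the pdf2dsc-generated file, as the reason is not visible from the hunk alone.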