Your message dated Sun, 04 Sep 2005 14:17:09 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#319757: fixed in netpbm-free 2:10.0-9
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 24 Jul 2005 15:41:38 +0000
>From [EMAIL PROTECTED] Sun Jul 24 08:41:38 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mx01.hinterhof.net [83.137.99.114]
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1Dwibh-0007oj-00; Sun, 24 Jul 2005 08:41:38 -0700
Received: from localhost (localhost [127.0.0.1])
by mx01.hinterhof.net (Postfix) with ESMTP id 72B7610DC0;
Sun, 24 Jul 2005 17:43:32 +0200 (CEST)
Received: from dp.roam.hinterhof.net (p54A7A326.dip0.t-ipconnect.de
[84.167.163.38])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "dp.roam.hinterhof.net", Issuer "hinterhofCA" (verified OK))
by mx01.hinterhof.net (Postfix) with ESMTP id 7D96410934;
Sun, 24 Jul 2005 17:43:30 +0200 (CEST)
Received: by dp.roam.hinterhof.net (Postfix, from userid 1000)
id 703DEE158E; Sun, 24 Jul 2005 17:41:31 +0200 (CEST)
Date: Sun, 24 Jul 2005 17:41:31 +0200
From: Max Vozeler <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: netpbm: arbitrary postscript code execution
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="LQksG6bCIzRHxTLp"
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
--LQksG6bCIzRHxTLp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Package: netpbm
Version: 2:10.0-8
Severity: important
Tags: security woody sarge etch sid patch
Hi Andi,
we've already talked about this, I'm just filing it to keep track.
Please refer to message <[EMAIL PROTECTED]>
(sent to maintainer and security team) for all details.
Quick description: pstopnm calls the ghostscript interpreter on
potentially untrusted postscript without specifying the -dSAFER option.
Not running under -dSAFER allows postscript code to do file IO and to
open pipes to arbitrary external programs, including /bin/sh.
I'm filing this as important bug since I'm not clear in which situations
users would run pstopnm on untrusted postscript. In principle, when that
happens, an attacker could have arbitrary shell commands executed with
the permissions of the user who runs pstopnm.
This bug affects oldstable, stable, testing and sid (as of 2:10.0-8)
cheers,
Max
--LQksG6bCIzRHxTLp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline; filename="pstopnm_dsafer.diff"
--- netpbm-free-10.0/pnm/pstopnm.c~ 2005-06-02 16:20:03.205694176 +0200
+++ netpbm-free-10.0/pnm/pstopnm.c 2005-06-02 16:24:24.978262856 +0200
@@ -568,11 +568,11 @@
pm_message("execing '%s' with args '%s' (arg 0), "
"'%s', '%s', '%s', '%s', '%s', '%s', '%s'",
ghostscriptProg, arg0,
- deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE", "-");
+ deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE",
"-dSAFER", "-");
}
execl(ghostscriptProg, arg0, deviceopt, outfileopt, gopt, ropt, "-q",
- "-dNOPAUSE", "-", NULL);
+ "-dNOPAUSE", "-dSAFER", "-", NULL);
pm_error("execl() of Ghostscript ('%s') failed, errno=%d (%s)",
ghostscriptProg, errno, strerror(errno));
--LQksG6bCIzRHxTLp--
---------------------------------------
Received: (at 319757-close) by bugs.debian.org; 4 Sep 2005 21:23:22 +0000
>From [EMAIL PROTECTED] Sun Sep 04 14:23:22 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1EC1rR-00081O-00; Sun, 04 Sep 2005 14:17:09 -0700
From: Andreas Barth <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#319757: fixed in netpbm-free 2:10.0-9
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sun, 04 Sep 2005 14:17:09 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 3
Source: netpbm-free
Source-Version: 2:10.0-9
We believe that the bug you reported is fixed in the latest version of
netpbm-free, which is due to be installed in the Debian FTP archive:
libnetpbm10-dev_10.0-9_i386.deb
to pool/main/n/netpbm-free/libnetpbm10-dev_10.0-9_i386.deb
libnetpbm10_10.0-9_i386.deb
to pool/main/n/netpbm-free/libnetpbm10_10.0-9_i386.deb
libnetpbm9-dev_10.0-9_i386.deb
to pool/main/n/netpbm-free/libnetpbm9-dev_10.0-9_i386.deb
libnetpbm9_10.0-9_i386.deb
to pool/main/n/netpbm-free/libnetpbm9_10.0-9_i386.deb
netpbm-free_10.0-9.diff.gz
to pool/main/n/netpbm-free/netpbm-free_10.0-9.diff.gz
netpbm-free_10.0-9.dsc
to pool/main/n/netpbm-free/netpbm-free_10.0-9.dsc
netpbm_10.0-9_i386.deb
to pool/main/n/netpbm-free/netpbm_10.0-9_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Barth <[EMAIL PROTECTED]> (supplier of updated netpbm-free package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 4 Sep 2005 23:00:43 +0200
Source: netpbm-free
Binary: libnetpbm10-dev netpbm libnetpbm9 libnetpbm9-dev libnetpbm10
Architecture: source i386
Version: 2:10.0-9
Distribution: unstable
Urgency: low
Maintainer: Andreas Barth <[EMAIL PROTECTED]>
Changed-By: Andreas Barth <[EMAIL PROTECTED]>
Description:
libnetpbm10 - Shared libraries for netpbm
libnetpbm10-dev - Development libraries and header files
libnetpbm9 - Shared libraries for netpbm
libnetpbm9-dev - Development libraries and header files
netpbm - Graphics conversion tools
Closes: 285340 303102 319757 326513
Changes:
netpbm-free (2:10.0-9) unstable; urgency=low
.
* fix arbitrary postscript execution, CAN-2005-2471. Closes: #319757
* fix typo in pbmtoppa manpage. Closes: #326513
* drop dependency on bc. Closes: #303102
* fix typo in pam manpage. Closes: #285340
Files:
e3a6d7f6302b6d76864f845ef48e64bd 745 graphics optional netpbm-free_10.0-9.dsc
61b764e83228ca964c439905c9a63012 45292 graphics optional
netpbm-free_10.0-9.diff.gz
a028ab246699e2f86a3c41ba28ed39b7 1186744 graphics optional
netpbm_10.0-9_i386.deb
98947f62cb985fc074ec30d698b6ac71 62948 libs optional
libnetpbm10_10.0-9_i386.deb
cbe1680c43fd3c009bec3a14759dd1dc 109182 libdevel optional
libnetpbm10-dev_10.0-9_i386.deb
043f6c752a8741860e1b74bc46e65263 69358 libs optional libnetpbm9_10.0-9_i386.deb
cf74d4577a8568eb6c511cbd7adb85ff 109428 libdevel optional
libnetpbm9-dev_10.0-9_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iEYEARECAAYFAkMbYl8ACgkQmdOZoew2oYXsXgCglVwiSzawS2hFdaa1DBhKfBN/
PJYAn11+4cNrEPAJNxubGfs7RUqE5USL
=QWYE
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
