On Sat, 31 Jul 2004, Matt Zimmerman wrote:

> > > > [Florian]
> > > > l.s 69, 409 and 416:
> > > > gs invoked this way allows any file operations
> > [Upstream]
> > True, but the call is managed by the cups-pdf binary. I.e. as long as no bug
> > allows insertion of malicious code into the system call, gs will do
> > exactly as intended.
>
> The problem is that the _input_ to gs is being trusted here, and that (as I
> understand it) is under the control of the user who submitted the print job.
> That is, an attacker could submit a print job containing PostScript commands
> which, when interpreted by gs, would open files, etc. with the privileges of
> cups-pdf (apparently, root).
My question here, since Volker's time is currently limited because of his work
on his thesis, is: will using -dSAFER fix this particular problem, as
previously suggested, yes or no? If yes, then I could fix that part on my own
and include the file permission fix from 1.4.1 as well.

> At least the gs issue seems like a genuine concern and justifies Severity:
> grave, so I have changed the severity of that bug. cups-pdf should not be
> released with sarge unless that bug is fixed.

Agreed.

-- 
Martin-Éric Racine, ICT Consultant
http://www.iki.fi/q-funk/

