Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-06-02 Thread Moritz Muehlenhoff
paul.sz...@sydney.edu.au wrote:
 The ghostscript people in
   http://bugs.ghostscript.com/show_bug.cgi?id=691339
 told me to use the -P- switch, and marked it RESOLVED WONTFIX.
 
 I guess -P- should be the default, as well as -dSAFER should be.

I agree, instead of fixing this in every single package using
ghostscript in the archive we should rather patch Ghostscript
to set a proper default. 

This also solves the problem for all applications using 
Ghostscript not packaged in the archive.

Cheers,
Moritz



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-06-01 Thread Michael Gilbert
wouldn't it make more sense to solve these issues in the ghostscript
package by itself, rather than in 100 different packages?

even if ghostscript won't change their code, debian always has the
option to fix it anyway.  that could be done by either applying a
patch that automatically uses the safer options by default, or by
installing wrapper scripts that use the safer options.  fixing 100
different packages is a significant undertaking, and that should be
avoided if there is a simpler approach.

mike




Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-31 Thread paul . szabo
Further gs issues. The gs scripts mentioned below are in /usr/bin:

  bdftops dumphint dvipdf eps2eps font2c gsbj gsdj gsdj500 gslj gslp
  gsnd pdf2dsc pdf2ps pdfopt pf2afm pfbtopfa printafm ps2ascii ps2epsi
  ps2pdf ps2pdf12 ps2pdf13 ps2pdf14 ps2pdfwr ps2ps ps2ps2 wftopfa

(maybe others?).

The bad code is a non-issue (but illustrates quality of ghostscript);
the other issues are likely to be execute-any-code, maybe remotely.
Maybe the problems below should be split into separate bugs.

---

Missing -P- and -dSAFER in scripts

Bernhard R. Link brl...@debian.org noticed that there is no -P- flag
on gs invocations in any gs scripts, many are also missing a -dSAFER.

Reported to ghostscript:
  http://bugs.ghostscript.com/show_bug.cgi?id=691355

---

Relative filenames in scripts

Many gs scripts use auxiliary PS files. No absolute pathnames are
used, so they are tried from the current directory first, leading to
unsafe code execution.

Reported to ghostscript:
  http://bugs.ghostscript.com/show_bug.cgi?id=691356

---

Bad code in scripts

Many gs scripts in /usr/bin contain code like:

GS_EXECUTABLE=gs
gs=`dirname $0`/$GS_EXECUTABLE
if test ! -x $gs; then
gs=$GS_EXECUTABLE
fi
GS_EXECUTABLE=gs

Surely that last line is meant to be
GS_EXECUTABLE=$gs
as it is in the current gs distribution. But even then it is badly written,
and should probably be:

GS_EXECUTABLE=gs
gs=`dirname $0`/$GS_EXECUTABLE
if test -x $gs; then
GS_EXECUTABLE=$gs
fi

---

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
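
As an added example (not code from the bug report, from Debian or from Ghostscript), the following POSIX sh/awk audit applies the two checks above to a script: it flags every gs invocation that lacks -P- or -dSAFER, and every auxiliary .ps file passed as a bare relative name. It assumes the script invokes gs on one line as one of gs, ghostscript, $gs or $GS_EXECUTABLE; the sample script it ships with is constructed for the demo and is not one of the real /usr/bin scripts.

```shell
#!/bin/sh
# Added example (not from the bug report or from Ghostscript): a static
# audit of wrapper scripts for the problems reported above. A line counts
# as a gs invocation when one of its whitespace-separated tokens is gs,
# ghostscript, $gs or $GS_EXECUTABLE (double quotes are ignored). Commands
# continued over several lines with a trailing backslash are not joined,
# so the tail of such a command is checked on its own line.

# audit_gs_script FILE
#   Prints FILE:LINE: finding for every gs invocation that lacks -P-, lacks
#   -dSAFER, or passes an auxiliary .ps file as a relative literal path
#   (bare "pdf2dsc.ps" rather than "/usr/.../pdf2dsc.ps" or a variable such
#   as "$1"). Returns 1 if anything was flagged, 0 otherwise.
audit_gs_script() {
  awk '
    /^[ \t]*#/ { next }                      # comments, including "#!"
    {
      isgs = 0
      for (i = 1; i <= NF; i++) {
        t = $i; gsub(/"/, "", t)
        if (t == "gs" || t == "ghostscript" || t == "$gs" ||
            t == "$GS_EXECUTABLE" || t == "${GS_EXECUTABLE}") isgs = 1
      }
      if (!isgs) next
      hasP = 0; hasS = 0; rel = ""
      for (i = 1; i <= NF; i++) {
        t = $i; gsub(/"/, "", t)
        if (t == "-P-") hasP = 1
        if (t == "-dSAFER") hasS = 1
        if (t ~ /\.ps$/ && t !~ /^[\/$-]/) rel = rel " " t
      }
      if (!hasP) { printf "%s:%d: gs invoked without -P-\n", FILENAME, NR; bad++ }
      if (!hasS) { printf "%s:%d: gs invoked without -dSAFER\n", FILENAME, NR; bad++ }
      if (rel != "") { printf "%s:%d: relative auxiliary file(s):%s\n", FILENAME, NR, rel; bad++ }
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# write_sample_script FILE
#   Writes a constructed script in the style of the /usr/bin gs scripts
#   (sample data, not a real Debian script): the exec line has every
#   problem, the last line has none.
write_sample_script() {
  cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample
GS_EXECUTABLE=gs
gs=`dirname $0`/$GS_EXECUTABLE
if test -x $gs; then
    GS_EXECUTABLE=$gs
fi
exec "$GS_EXECUTABLE" -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile="$2" pdf2dsc.ps -f "$1"
gs -P- -dSAFER -q -dNOPAUSE -dBATCH -sDEVICE=bbox "$1"
EOF
}

# Demo on the constructed sample. For a real audit, run audit_gs_script
# over the installed scripts, e.g. for s in /usr/bin/ps2pdf*; do ...; done
sample=$(mktemp)
write_sample_script "$sample"
if audit_gs_script "$sample"; then
  echo "no findings"
else
  echo "findings reported"
fi
rm -f "$sample"
```

On the constructed sample the exec line produces three findings (no -P-, no -dSAFER, relative pdf2dsc.ps) and the last line none; the `GS_EXECUTABLE=gs` assignment and the `test -x $gs` line are not mistaken for invocations because the token has to match exactly.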




Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-31 Thread paul . szabo
Should some or all be alerted to this security issue? So far gv and
libspectre1 only have been alerted (bugs #583316 and #583634).

 Yes, please.

Done, all mentioned packages alerted:

  http://bugs.debian.org/584039 a2ps
  http://bugs.debian.org/583994 advi
  http://bugs.debian.org/583995 advi-examples
  http://bugs.debian.org/584040 apsfilter
  http://bugs.debian.org/583996 asymptote
  http://bugs.debian.org/583997 bmv
  http://bugs.debian.org/583998 c2050
  http://bugs.debian.org/584000 capisuite
  http://bugs.debian.org/584041 caspar
  http://bugs.debian.org/584042 cd-circleprint
  http://bugs.debian.org/584043 cedilla
  http://bugs.debian.org/584001 courier-faxmail
  http://bugs.debian.org/584002 cups
  http://bugs.debian.org/584003 cups-pdf
  http://bugs.debian.org/584044 dblatex
  http://bugs.debian.org/584045 derivations
  http://bugs.debian.org/584046 efax
  http://bugs.debian.org/584004 epix1
  http://bugs.debian.org/584005 epstool
  http://bugs.debian.org/584006 fbi
  http://bugs.debian.org/584007 fig2ps
  http://bugs.debian.org/584008 flpsed
  http://bugs.debian.org/584069 gimp
  http://bugs.debian.org/584047 grace
  http://bugs.debian.org/584048 grace6
  http://bugs.debian.org/583316 gv
  http://bugs.debian.org/584009 hevea
  http://bugs.debian.org/584010 hpijs
  http://bugs.debian.org/584049 hpoj
  http://bugs.debian.org/584011 hylafax-client
  http://bugs.debian.org/584012 hylafax-server
  http://bugs.debian.org/584013 hyperlatex
  http://bugs.debian.org/584014 ifhp
  http://bugs.debian.org/584015 ijsgutenprint
  http://bugs.debian.org/584050 impose+
  http://bugs.debian.org/584052 kdelibs4c2a
  http://bugs.debian.org/584051 kdissert
  http://bugs.debian.org/584016 kghostview
  http://bugs.debian.org/584017 latex-make
  http://bugs.debian.org/584053 latex-mk
  http://bugs.debian.org/584054 latexmk
  http://bugs.debian.org/584018 libgs-dev
  http://bugs.debian.org/583634 libspectre
  http://bugs.debian.org/584019 logidee-tools
  http://bugs.debian.org/584055 lpr
  http://bugs.debian.org/584020 lsb-printing
  http://bugs.debian.org/584021 mediawiki-math
  http://bugs.debian.org/584056 mgetty-fax
  http://bugs.debian.org/584057 mpage
  http://bugs.debian.org/584058 opensched
  http://bugs.debian.org/584022 page-crunch
  http://bugs.debian.org/584023 passepartout
  http://bugs.debian.org/584024 pkpgcounter
  http://bugs.debian.org/584059 plywood
  http://bugs.debian.org/584025 pnm2ppa
  http://bugs.debian.org/584026 printconf
  http://bugs.debian.org/584037 prosper
  http://bugs.debian.org/584027 ps2eps
  http://bugs.debian.org/584028 pspresent
  http://bugs.debian.org/584029 pstoedit
  http://bugs.debian.org/584030 pstotext
  http://bugs.debian.org/584060 python-codespeak-lib
  http://bugs.debian.org/584031 pyxplot
  http://bugs.debian.org/584061 recoll
  http://bugs.debian.org/584032 scribus
  http://bugs.debian.org/584033 scribus-ng
  http://bugs.debian.org/584062 sdf
  http://bugs.debian.org/584063 tex4ht-common
  http://bugs.debian.org/584064 texlive-base-bin
  http://bugs.debian.org/584034 texmacs
  http://bugs.debian.org/584035 webmagick
  http://bugs.debian.org/584065 wv
  http://bugs.debian.org/584066 xapian-omega
  http://bugs.debian.org/584067 xfig
  http://bugs.debian.org/584036 xournal
  http://bugs.debian.org/584068 xpaint
  http://bugs.debian.org/584038 zope-textindexng3

Other references of interest (some have been mentioned already):

  http://www.securityfocus.com/archive/1/511433
  http://www.securityfocus.com/archive/1/511472
  http://www.securityfocus.com/archive/1/511492
  http://www.securityfocus.com/archive/1/511512
  http://www.securityfocus.com/archive/1/511561
  http://www.securityfocus.com/bid/40369 Ghostscript './Encoding/' Search Path Local Privilege Escalation Vulnerability
  http://bugs.ghostscript.com/show_bug.cgi?id=691339 Insecure gs initialization
  http://bugs.ghostscript.com/show_bug.cgi?id=691350 gs_init.ps tried in current dir despite -P-
  http://bugs.ghostscript.com/show_bug.cgi?id=691355 Missing -P- and -dSAFER in scripts
  http://bugs.ghostscript.com/show_bug.cgi?id=691356 Relative filenames in scripts

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia




Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-31 Thread Jonas Smedegaard

tags 583183 help
thanks

On Mon, May 31, 2010 at 01:36:00PM +1000, paul.sz...@sydney.edu.au wrote:

Seems to me that the following packages depend on ghostscript:

 advi advi-examples asymptote bmv c2050 capisuite courier-faxmail cups
 cups-pdf epix1 epstool fbi fig2ps flpsed gv hevea hpijs hylafax-client
 hylafax-server hyperlatex ifhp ijsgutenprint kghostview latex-make
 libgs-dev libspectre1 logidee-tools lsb-printing mediawiki-math
 page-crunch passepartout pkpgcounter pnm2ppa printconf prosper ps2eps
 pspresent pstoedit pstotext pyxplot scribus scribus-ng texmacs
 webmagick xournal zope-textindexng3

and additionally the following suggest it:

 a2ps apsfilter caspar cd-circleprint cedilla dblatex derivations efax
 gimp grace grace6 hpoj impose+ kdelibs4c2a kdissert latex-mk latexmk
 lpr mgetty-fax mpage opensched plywood python-codespeak-lib recoll sdf
 tex4ht-common texlive-base-bin wv xapian-omega xfig xpaint

Should some or all be alerted to this security issue? So far gv and
libspectre1 only have been alerted (bugs #583316 and #583634).


Yes, please.

I am following this but really am incapable of solving it myself (and my 
fellow maintainers seem missing for quite some time, unfortunately), so 
really appreciate all the help I can get!



- Jonas

--
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-30 Thread paul . szabo
Seems to me that the following packages depend on ghostscript:

  advi advi-examples asymptote bmv c2050 capisuite courier-faxmail cups
  cups-pdf epix1 epstool fbi fig2ps flpsed gv hevea hpijs hylafax-client
  hylafax-server hyperlatex ifhp ijsgutenprint kghostview latex-make
  libgs-dev libspectre1 logidee-tools lsb-printing mediawiki-math
  page-crunch passepartout pkpgcounter pnm2ppa printconf prosper ps2eps
  pspresent pstoedit pstotext pyxplot scribus scribus-ng texmacs
  webmagick xournal zope-textindexng3

and additionally the following suggest it:

  a2ps apsfilter caspar cd-circleprint cedilla dblatex derivations efax
  gimp grace grace6 hpoj impose+ kdelibs4c2a kdissert latex-mk latexmk
  lpr mgetty-fax mpage opensched plywood python-codespeak-lib recoll sdf
  tex4ht-common texlive-base-bin wv xapian-omega xfig xpaint

Should some or all be alerted to this security issue? So far gv and
libspectre1 only have been alerted (bugs #583316 and #583634).

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia




Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-28 Thread paul . szabo
I guess this issue can be exploited remotely.

If /etc/mailcap uses gs, then we are done: neither -P- nor -dSAFER are
defaults.

My Debian /etc/mailcap uses gv, and gv knows to use -dSAFER. First
feed the victim a bad PS file named gs_res.ps or pdf_base.ps or
similar. No harm done yet. Then feed the victim any PS or PDF file:
quite likely the old file will have its original name, still in place,
in the same place as the new file: gv does not use -P- and our first
file will be used.

Would it help if I (or someone with actual knowledge) would put together
a proof-of-concept demo?

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
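
The scenario above depends on a file with one of Ghostscript's own library names (gs_res.ps, pdf_base.ps and the like) sitting in the directory where gs is later run. As an added example, not a proof of concept and not code from the thread, the following POSIX sh check looks for such name collisions in a directory of downloaded documents. The list of library names is taken from the installed tree; the path /usr/share/ghostscript/8.62/lib used in the usage comment is an assumption (check the "Search path" printed by `gs -h`), and the demo data at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): look for files in a directory whose
# names collide with Ghostscript's own library files. Such a file, dropped
# next to a document a user later views, is picked up by a gs run without
# -P- in that directory. The library dir path below is an assumption.

# gs_lib_names LIBDIR...
#   One basename per line for every regular file under the given
#   directories, e.g. gs_lib_names /usr/share/ghostscript/8.62/lib
gs_lib_names() {
  find "$@" -type f 2>/dev/null | sed 's|.*/||' | sort -u
}

# find_planted DIR NAMES
#   Prints every regular file directly in DIR (dotfiles included) whose
#   basename appears in NAMES (newline separated). Returns 0 if at least
#   one such file was found, 1 otherwise, so it can drive an alert.
#   Only one directory level is checked; gs also probes paths below ".",
#   which the strace listing in the original report enumerates.
find_planted() {
  dir=$1; names=$2; found=1
  for f in "$dir"/* "$dir"/.[!.]*; do
    [ -f "$f" ] || continue
    if printf '%s\n' "$names" | grep -qxF -- "${f##*/}"; then
      printf '%s\n' "$f"
      found=0
    fi
  done
  return $found
}

# Demo on constructed data: a scratch directory holding a planted
# gs_res.ps beside a harmless document, checked against a constructed
# name list (for real use: find_planted ~/Downloads "$(gs_lib_names LIBDIR)").
demo_dir=$(mktemp -d)
: > "$demo_dir/gs_res.ps"
: > "$demo_dir/report.ps"
if find_planted "$demo_dir" "$(printf 'gs_init.ps\ngs_res.ps\npdf_base.ps\nFontmap')"; then
  echo "planted library file(s) listed above"
fi
rm -rf "$demo_dir"
```

The match is exact on the basename (`grep -xF`), so a legitimately named document such as report.ps is never reported; the check is only as complete as the name list, which is why it should be generated from the installed library directory rather than typed in.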




Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-26 Thread paul . szabo
The ghostscript people in
  http://bugs.ghostscript.com/show_bug.cgi?id=691339
told me to use the -P- switch, and marked it RESOLVED WONTFIX.

I guess -P- should be the default, as well as -dSAFER should be.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia




Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-25 Thread Paul Szabo
Package: ghostscript
Version: 8.62.dfsg.1-3.2lenny1
Severity: grave
File: /usr/bin/gs
Tags: security
Justification: user security hole


Please see
  http://bugs.ghostscript.com/show_bug.cgi?id=691339
for details, quoted below for completeness.

I am not convinced that my security wrapper protects in all cases,
or that it does not prevent some safe usage.

Cheers,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


---
Referring to:
  http://bugs.ghostscript.com/show_bug.cgi?id=691316
  http://www.securityfocus.com/archive/1/511433

I see that gs tries many files in (under) the current directory
at startup, so it is dangerous to do e.g.
  cd /tmp; gs any.ps

To see list of files that gs tries, use:
  strace -omylog gs; grep '\./' mylog | sort -u

I now use a security wrapper (attached), to protect.


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages ghostscript depends on:
ii  debconf [debc 1.5.24 Debian configuration management sy
ii  debianutils   2.30   Miscellaneous utilities specific t
ii  defoma0.11.10-0.2Debian Font Manager -- automatic f
ii  gs-common 8.62.dfsg.1-3.2lenny1  Dummy package depending on ghostsc
ii  gsfonts   1:8.11+urwcyr1.0.7~pre44-3 Fonts for the Ghostscript interpre
ii  libc6 2.7-18lenny2   GNU C Library: Shared libraries
ii  libgs88.62.dfsg.1-3.2lenny1  The Ghostscript PostScript/PDF int

Versions of packages ghostscript recommends:
ii  psfontmgr0.11.10-0.2 PostScript font manager -- part of

Versions of packages ghostscript suggests:
ii  ghostscript-x  8.62.dfsg.1-3.2lenny1 The GPL Ghostscript PostScript/PDF
pn  hpijs  none(no description available)

-- no debconf information
#!/bin/bash -

# Wrapper for gs thus for:
#   /usr/bin/ghostscript
#   /usr/bin/gs
#   /usr/bin/gsbj
#   /usr/bin/gsdj
#   /usr/bin/gsdj500
#   /usr/bin/gslj
#   /usr/bin/gslp
#   /usr/bin/gsnd

# Refuse to run unless the current directory is owned by the invoking
# user: gs looks for its initialization files in '.' before its own
# library directories.
if [ ! -O . ]; then
  cat <<'EOF'

Current directory '.' is unsafe!
Cannot run gs here, see:
  Ghostscript 8.64 executes random code at startup
http://www.securityfocus.com/archive/1/511433
  Bug 691339 -  Insecure gs initialization
http://bugs.ghostscript.com/show_bug.cgi?id=691339

(Please see Paul Szabo if this causes problems.)
EOF
  exit 1
fi

# Re-exec the real binary under the name we were invoked as, passing the
# arguments through unchanged ("$@" keeps arguments containing spaces whole).
c=${0##*/}
exec /usr/bin/$c "$@"
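
As an added example (not the attached wrapper, and not Debian's or Ghostscript's code), the following POSIX sh front end extends the idea in two ways the thread argues for: it also refuses a directory that others can write to, and it prepends -P- and -dSAFER to every invocation unless the caller already passed -P-, or explicitly chose -dSAFER, -dDELAYSAFER or -dNOSAFER. The installation layout is an assumption: the real binaries are expected under /usr/lib/gs-wrapped/ (overridable with GS_WRAPPER_REAL_DIR) with this script installed in /usr/bin under each gs name. Because bug 691350 reports gs_init.ps being tried in the current directory despite -P-, the directory check is kept rather than relying on the switch alone.

```shell
#!/bin/sh
# Added example, not the attached wrapper: a gs front end that (1) refuses
# to run in a directory the caller does not own or that others can write
# to, and (2) forces -P- and -dSAFER unless the caller explicitly opted out.
# Assumed layout (not Debian's): real binaries in /usr/lib/gs-wrapped/,
# this script installed under their names in /usr/bin.

REAL_DIR=${GS_WRAPPER_REAL_DIR:-/usr/lib/gs-wrapped}

# cwd_is_safe [DIR]
#   Returns 0 if DIR (default ".") is owned by the effective user and is
#   not writable by others, 1 otherwise. "test -O" is supported by both
#   bash and dash.
cwd_is_safe() {
  d=${1:-.}
  [ -O "$d" ] || return 1
  # 9th column of "ls -ld" output is the other-write bit (drwxr-xrwx)
  case $(ls -ld "$d" | cut -c9) in
    w) return 1 ;;
  esac
  return 0
}

# gs_extra_flags ARGS...
#   Prints the switches to prepend to ARGS: -P- unless already present,
#   and -dSAFER unless the caller passed -dSAFER, -dDELAYSAFER or
#   -dNOSAFER (the latter only exists in newer releases), so an explicit
#   choice by the caller is honoured rather than silently overridden.
gs_extra_flags() {
  needP=1; needS=1
  for a in "$@"; do
    case $a in
      -P-) needP=0 ;;
      -dSAFER|-dNOSAFER|-dDELAYSAFER) needS=0 ;;
    esac
  done
  extra=""
  if [ $needP -eq 1 ]; then extra="-P-"; fi
  if [ $needS -eq 1 ]; then extra="${extra:+$extra }-dSAFER"; fi
  printf '%s\n' "$extra"
}

# Wrapper entry point: acts only when invoked under one of the gs names,
# so the functions above can also be sourced and tested on their own.
case ${0##*/} in
  gs|ghostscript|gsbj|gsdj|gsdj500|gslj|gslp|gsnd)
    if ! cwd_is_safe .; then
      echo "${0##*/}: refusing to run: '.' is not owned by you or is world-writable (Ghostscript bug 691339)" >&2
      exit 1
    fi
    # $(gs_extra_flags ...) is deliberately unquoted: it yields zero, one
    # or two fixed switches that must split into separate words.
    exec "$REAL_DIR/${0##*/}" $(gs_extra_flags "$@") "$@"
    ;;
esac
```

With this in place `gs -q -dNOPAUSE x.ps` runs as `gs -P- -dSAFER -q -dNOPAUSE x.ps`, while gv's own `-dDELAYSAFER` invocation only gains `-P-`. The same caveat the report raises still applies: any script that relies on reading files outside the current document directory without -dSAFER will need to pass its own switch.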