[323] in linux-security and linux-alert archive


Ghostscript problem

daemon@ATHENA.MIT.EDU (Olaf Kirch)
Tue Aug 22 18:22:32 1995

From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@tarsier.cv.nrao.edu
Date: Tue, 22 Aug 1995 21:28:40 +0200 (MET DST)

Hi all,

There's another problem with ghostscript that makes you vulnerable to
attacks via postscript code. Ghostscript has a file type that lets you
execute arbitrary commands through the shell. While the -dSAFER option
to gs protects you from ordinary file write/rename/removal attacks, it
does not check for this special file type. The hole is present in all
GNU versions up to 2.6.2 and Aladdin versions earlier than 3.22.

The exploit code is disturbingly simple:

%!PS-
(%pipe%echo spoofed > /tmp/hurz) (r) file
quit

Below's a fix to gs_init.ps that fixes this.

Please also make sure that all programs that use ghostscript set the -dSAFER
option. ghostview 1.5 does by default, but version 1.4 does not.  I'd
suggest you also check your ps printer filter if you print postscript
files using gs, and xdvi if you use a version that uses ghostscript to
display postscript \special's.  I checked only xdvi-20, and it's safe.

Olaf

PS: Patch follows. PGP will garble initial `-' characters in the
patch; make sure to replace `- -' with `-' before applying it.
- ------------------------------------------------------------------
- --- gs_init.ps.orig	Sun Aug 20 23:22:01 1995
+++ gs_init.ps	Sun Aug 20 23:22:46 1995
@@ -302,7 +302,8 @@
 % If we want a "safer" system, disable some obvious ways to cause havoc.
 SAFER not { (%END SAFER) .skipeof } if
 /file
- - { dup (r) eq
+ { exch dup /..fname exch def exch
+   dup (r) eq ..fname (%pipe%*) .stringmatch not and
     { file }
     { /invalidfileaccess signalerror }
    ifelse
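Review bot: the guard added at `dup (r) eq ..fname (%pipe%*) .stringmatch not and` is a denylist of one device prefix, so any other `%name%` device that the `file` operator understands still passes untouched; an allowlist that rejects every name starting with `%` unless explicitly permitted would be the more durable SAFER check. The wrapper also binds the name with `/..fname exch def`, a side effect in whatever dictionary is current when `file` is called, which leaves the last file name behind and fails if that dictionary is read-only; keeping the copy on the operand stack and dropping it with `pop` after the test avoids both.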
- ------------------------------------------------------------------
- -- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
             For my PGP public key, finger okir@brewhq.swb.de.

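A defender-side check prompted by the advisory above, added here as an example and not part of Olaf's message or of Ghostscript itself: a Python scanner that a print filter could run on incoming PostScript before handing it to gs, flagging any string literal that names the `%pipe%` device. It decodes parenthesised string literals the way the PostScript scanner does (comments skipped, nested parentheses and backslash or octal escapes resolved), so the test is applied to the text gs would actually see; hex and ASCII85 string forms are not handled, and the check complements, rather than replaces, running gs with -dSAFER and the patched gs_init.ps.

```python
import re

BLOCKED_DEVICES = ("%pipe%",)   # device prefix described in the advisory
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f", "\n": ""}

def decode_ps_strings(src):
    """Yield (line_no, text) for each (...) literal, decoded as the PostScript
    scanner would: comments skipped, nested parens and backslash escapes handled."""
    i, n, line = 0, len(src), 1
    while i < n:
        c = src[i]
        if c == "\n":
            line += 1
        elif c == "%":                       # comment runs to end of line
            while i < n and src[i] != "\n":
                i += 1
            continue
        elif c == "(":
            start, depth, out = line, 1, []
            i += 1
            while i < n and depth:
                c = src[i]
                if c == "\\" and i + 1 < n:  # escape: \n \( \) \\ or octal \ddd
                    i += 1
                    m = re.match(r"[0-7]{1,3}", src[i:i + 3])
                    if m:
                        out.append(chr(int(m.group(), 8)))
                        i += len(m.group()) - 1
                    else:
                        out.append(_ESCAPES.get(src[i], src[i]))
                elif c == "(":
                    depth += 1
                    out.append(c)
                elif c == ")":
                    depth -= 1
                    if depth:
                        out.append(c)
                else:
                    line += c == "\n"
                    out.append(c)
                i += 1
            yield start, "".join(out)
            continue
        i += 1

def find_pipe_refs(src):
    """Return [(line_no, string)] for every literal that names a blocked device."""
    return [(ln, s) for ln, s in decode_ps_strings(src)
            if s.lower().startswith(BLOCKED_DEVICES)]
```

Run `find_pipe_refs` over a file's contents and refuse the job when the list is non-empty; a `%pipe%` inside a PostScript comment or in the middle of a string (for example `(100% (done))`) is not reported.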
