[329] in linux-security and linux-alert archive
Re: Ghostscript problem
daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Thu Aug 24 05:50:27 1995
Date: Thu, 24 Aug 1995 04:30:30 -0400
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: linux-security@tarsier.cv.nrao.edu
Cc: mgetty@muc.de
In-Reply-To: Your message of Wed, August 23, 1995 20:55:56 +0200
"OK" == Olaf Kirch <okir@monad.swb.de> writes:
OK> Thomas Koenig wrote:
>> What other programs are there which invoke gs transparently?
OK> I just grepped my xv-3.00 binary, and found that it invokes /usr/bin/gs
OK> somewhere. A grep for SAFER turned up -- nothing.
I've just browsed the xv-3.10 code (not v3.00, which I don't happen to
have sitting in my archive any more), and here's my findings:
The default configuration does *not* support Postscript file-viewing.
From config.h:
/* #define GS_PATH "/usr/local/bin/gs" */
/* #define GS_LIB "." */
/* #define GS_DEV "ppmraw" */
They're commented-out by default, at least in the source copy that I
have, MD5 checksum: "26c2306e3c401f109c8e4df272a0215e xv-3.10.tar.gz",
which is the version that ships with Slackware 2.3.0. The Slackware
diff does not enable this either, and the 3.10 binary shipping with
Slackware appears safe (i.e. Postscript viewing disabled); grepping the
binary did not turn up the GS_PATH string anywhere.
From v3.10's xvps.c:
#ifdef GS_PATH
[...VMS and other code...]
sprintf(tmp,
"%s \"-sDEVICE=%s\" -r%d -q \"-dNOPAUSE\" \"-sOutputFile=%s%%d\" ",
GS_PATH, gsDev, gsRes, tmpname);
[...more code, strcat() calls and the like, none doing -dSAFER...]
gsresult = !system(tmp);
Simply adding "-dSAFER" after the path in the GS_PATH definition (if
you're using it, which I'm not) should suffice, for all but the %pipe%
hole of course.
OK> Does anyone volunteer to draw up a list of programs that use gs? Here's
OK> a start, off the top of my head:
Gert Döring's mgetty+sendfax package uses it to convert postscript to
FAX formats. I just checked his 'faxspool' script, which auto-detects
file types and does the appropriate format-conversions (among other
things). For Postscript files, 'faxspool' calls 'gs' with "-dSAFER".
No problems there; it appears safe all the way back to at least his
version 0.22 release (and probably earlier--I didn't look past 0.22).
OK> * xv (3.0 seems to be vulnerable).
Version 3.01 also does not support Postscript by default; you must
un-comment the support definitions in the Imakefile in this version. As
with v3.10, it appears that simply adding "-dSAFER" when you define the
path to Ghostscript should do the trick. Looks like I need to scrounge
up a copy of the v3.00 source and take a peek...
--Up.
P.S. Note to 'mgetty' list recipients: Security problems exist in
Ghostscript. Gert avoids the well-known one(s) by using "-dSAFER" when
he calls 'gs'. Unfortunately, there is now at least one nasty known
hole that -dSAFER does not prevent exploitation of and that can be fixed
by patching the gs_init.ps file in your Ghostscript library area. I'll
post details separately to the 'mgetty' list, as the Linux security
lists have already addressed this.
--
Jeff Uphoff - systems/network admin. | juphoff@nrao.edu
National Radio Astronomy Observatory | jeff.uphoff@linux.org
Charlottesville, VA, USA | http://linux.nrao.edu/~juphoff/
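Added example, not part of the message above and not xv's or mgetty's own code: it rebuilds the Ghostscript command line the way the quoted xvps.c sprintf() does, once as shipped (no -dSAFER) and once with "-dSAFER" inserted right after the path as the message suggests for GS_PATH, checks a command line for a standalone -dSAFER argument, and scans a PostScript buffer for the "%pipe%" device name, which -dSAFER does not block. The function names build_gs_cmd, gs_cmd_for, cmd_has_safer and ps_uses_pipe, the fixed device/resolution/tmpname values and the two PostScript samples are all constructed for the example; the real fix for %pipe% is the gs_init.ps patch the message refers to, and this pre-check is only the kind of filter a wrapper such as faxspool could apply before handing a file to gs.

```c
/* Added example: xv-style gs command construction, -dSAFER check, and a
 * %pipe% scan of PostScript input.  All names here are hypothetical. */
#include <stdio.h>
#include <string.h>

#define GS_CMD_MAX 1024

/* Same layout as the sprintf() quoted from xvps.c.  gs_path is whatever
 * GS_PATH is defined to; with safer != 0, " -dSAFER" follows it, which is
 * the effect of putting -dSAFER into the GS_PATH definition itself.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_gs_cmd(char *out, size_t outlen, const char *gs_path,
                 const char *gs_dev, int gs_res, const char *tmpname,
                 int safer)
{
    int n = snprintf(out, outlen,
        "%s%s \"-sDEVICE=%s\" -r%d -q \"-dNOPAUSE\" \"-sOutputFile=%s%%d\" ",
        gs_path, safer ? " -dSAFER" : "", gs_dev, gs_res, tmpname);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Convenience wrapper with fixed (constructed) device, resolution and
 * temp name, returning a static buffer. */
const char *gs_cmd_for(const char *gs_path, int safer)
{
    static char cmd[GS_CMD_MAX];
    if (build_gs_cmd(cmd, sizeof cmd, gs_path, "ppmraw", 72, "/tmp/x", safer))
        cmd[0] = '\0';
    return cmd;
}

/* 1 if "-dSAFER" appears as its own argument (delimited by spaces, quotes
 * or the ends of the string), 0 otherwise.  "-dSAFERX" does not count. */
int cmd_has_safer(const char *cmd)
{
    const char *p = cmd;
    while ((p = strstr(p, "-dSAFER")) != NULL) {
        int at_start = (p == cmd) || p[-1] == ' ' || p[-1] == '"';
        char after = p[7];
        if (at_start && (after == '\0' || after == ' ' || after == '"'))
            return 1;
        p += 7;
    }
    return 0;
}

/* 1 if the buffer contains the %pipe% device name anywhere.  Ghostscript
 * spells it in lower case, so the match is exact; binary-safe via memcmp. */
int ps_uses_pipe(const char *buf, size_t len)
{
    static const char needle[] = "%pipe%";
    size_t nlen = sizeof needle - 1;
    size_t i;
    if (len < nlen)
        return 0;
    for (i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed samples: one PostScript snippet that names the %pipe%
     * device, one ordinary page. */
    static const char ps_bad[] = "%!PS\n(%pipe%somecommand) (r) file\n";
    static const char ps_ok[]  = "%!PS\nnewpath 0 0 moveto showpage\n";
    const char *plain = gs_cmd_for("/usr/local/bin/gs", 0);

    printf("xv default: %s\n  -dSAFER present: %d\n", plain, cmd_has_safer(plain));
    plain = gs_cmd_for("/usr/local/bin/gs", 1);
    printf("with SAFER: %s\n  -dSAFER present: %d\n", plain, cmd_has_safer(plain));
    printf("%%pipe%% in samples: bad=%d ok=%d\n",
           ps_uses_pipe(ps_bad, sizeof ps_bad - 1),
           ps_uses_pipe(ps_ok, sizeof ps_ok - 1));
    return 0;
}
```

Note that cmd_has_safer() only tells you the flag is on the command line; as the message says, -dSAFER does nothing against the %pipe% hole, so the command-line check and the input scan answer two different questions and neither replaces the gs_init.ps patch.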