Package: netpbm
Version: 2:10.0-8
Severity: important
Tags: security woody sarge etch sid patch
Hi Andi,
we've already talked about this, I'm just filing it to keep track.
Please refer to message <[EMAIL PROTECTED]>
(sent to maintainer and security team) for all details.
Quick description: pstopnm calls the ghostscript interpreter on
potentially untrusted postscript without specifying the -dSAFER option.
Not running under -dSAFER allows postscript code to do file IO and to
open pipes to arbitrary external programs, including /bin/sh.
I'm filing this as important bug since I'm not clear in which situations
users would run pstopnm on untrusted postscript. In principle, when that
happens, an attacker could have arbitrary shell commands executed with
the permissions of the user who runs pstopnm.
This bug affects oldstable, stable, testing and sid (as of 2:10.0-8)
cheers,
Max
--- netpbm-free-10.0/pnm/pstopnm.c~ 2005-06-02 16:20:03.205694176 +0200
+++ netpbm-free-10.0/pnm/pstopnm.c 2005-06-02 16:24:24.978262856 +0200
@@ -568,11 +568,11 @@
pm_message("execing '%s' with args '%s' (arg 0), "
"'%s', '%s', '%s', '%s', '%s', '%s', '%s'",
ghostscriptProg, arg0,
- deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE", "-");
+ deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE",
"-dSAFER", "-");
}
execl(ghostscriptProg, arg0, deviceopt, outfileopt, gopt, ropt, "-q",
- "-dNOPAUSE", "-", NULL);
+ "-dNOPAUSE", "-dSAFER", "-", NULL);
pm_error("execl() of Ghostscript ('%s') failed, errno=%d (%s)",
ghostscriptProg, errno, strerror(errno));
