Package: pstotext
Version: 1.9-1
Severity: grave
Justification: remote code execution
Tags: security woody sarge etch sid patch

Hi Ray,

we've already talked about this, I'm just filing it to keep track. Please refer to message <[EMAIL PROTECTED]> (sent to maintainer and security team) for all details.

Quick description: pstotext calls the ghostscript interpreter on untrusted postscript without specifying the -dSAFER option. Not running under -dSAFER allows postscript code to do file IO and to open pipes to arbitrary external programs, including /bin/sh.

I'm filing this as a grave bug since pstotext is listed in mailcap and used to display postscript by several programs, including for example mutt. An attacker who knows that one is using a mail program that uses mailcap could exploit this bug by sending malicious postscript as an email attachment and tricking the user into viewing it.

This bug affects oldstable, stable, testing and sid (as of 1.9-1).

cheers,
Max

--- pstotext-1.9/main.c~ 2005-06-02 15:42:33.754177096 +0200 +++ pstotext-1.9/main.c 2005-06-02 15:45:20.412084016 +0200 @@ -231,9 +231,9 @@ sprintf( gs_cmdline, #ifdef VMS - "%s -r72 \"-dNODISPLAY\" \"-dFIXEDMEDIA\" \"-dDELAYBIND\" \"-dWRITESYSTEMDICT\" %s \"-dNOPAUSE\" %s %s %s", + "%s -r72 \"-dNODISPLAY\" \"-dFIXEDMEDIA\" \"-dDELAYBIND\" \"-dWRITESYSTEMDICT\" %s \"-dNOPAUSE\" \"-dSAFER\" %s %s %s", #else - "%s -r72 -dNODISPLAY -dFIXEDMEDIA -dDELAYBIND -dWRITESYSTEMDICT %s -dNOPAUSE %s %s %s", + "%s -r72 -dNODISPLAY -dFIXEDMEDIA -dDELAYBIND -dWRITESYSTEMDICT %s -dNOPAUSE -dSAFER %s %s %s", #endif gs_cmd, (debug ? "" : "-q"),
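
Review bot: in both branches of the #ifdef the format string passed to sprintf grows by the length of the new option, and the hunk does not show how gs_cmdline is sized; check that its allocation is computed from the final string rather than a fixed estimate, or switch to snprintf with the buffer length. Separately, -dSAFER is added alongside -dWRITESYSTEMDICT, which leaves systemdict writable, so it is worth confirming that the -dSAFER restrictions still hold with that combination on the Ghostscript versions in each affected release.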
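
The condition described in the report, a Ghostscript invocation without -dSAFER, can be checked for in recorded process command lines. The following is an added example, not part of the original report or of pstotext; the sample command lines are constructed and the binary names in GS_NAMES are an assumption.

```python
import shlex
from pathlib import PurePosixPath

# Assumption: names under which the Ghostscript interpreter is installed.
GS_NAMES = {"gs", "ghostscript"}

# Constructed command lines (not from the report). The first follows the
# unpatched format string in the diff, the second the patched one, the third
# the quoted style of the VMS branch.
SAMPLE_CMDLINES = [
    "gs -r72 -dNODISPLAY -dFIXEDMEDIA -dDELAYBIND -dWRITESYSTEMDICT -q -dNOPAUSE attachment.ps",
    "/usr/bin/gs -r72 -dNODISPLAY -dFIXEDMEDIA -dDELAYBIND -dWRITESYSTEMDICT -q -dNOPAUSE -dSAFER attachment.ps",
    'gs -r72 "-dNODISPLAY" "-dNOPAUSE" "-dSAFER" attachment.ps',
    "gs -dSAFER -dNOSAFER -dNODISPLAY attachment.ps",
    "mutt -f inbox",
    "gs -dNODISPLAY 'unterminated",
]


def classify(cmdline):
    """Return 'not-gs', 'safer', 'unsafe' or 'unparsed' for one command line."""
    try:
        argv = shlex.split(cmdline)  # also strips the quotes around "-dSAFER"
    except ValueError:
        return "unparsed"  # unbalanced quoting: keep it for manual review
    if not argv or PurePosixPath(argv[0]).name not in GS_NAMES:
        return "not-gs"
    switches = {arg for arg in argv[1:] if arg.startswith("-")}
    # Conservative: any -dNOSAFER counts as unsafe, whatever its position.
    if "-dNOSAFER" in switches or "-dSAFER" not in switches:
        return "unsafe"
    return "safer"


def audit(cmdlines):
    """Return (cmdline, verdict) pairs that need attention."""
    findings = []
    for cmdline in cmdlines:
        verdict = classify(cmdline)
        if verdict in ("unsafe", "unparsed"):
            findings.append((cmdline, verdict))
    return findings


if __name__ == "__main__":
    for cmdline, verdict in audit(SAMPLE_CMDLINES):
        print(f"{verdict:9} {cmdline}")
```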