I am getting distressed:
- having now seen DSA2093, which did not fix these issues
- looking in
  http://security-tracker.debian.org/tracker/CVE-2010-2055
  + which does not list bug numbers, but says:
      [lenny] - ghostscript <no-dsa> (too risky for regressions)
    (does that mean no lenny fix is forthcoming?)
  + says
      NVD severity high (attack range: local)
- looking in
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2055
  which says
      CVSS Severity ... (HIGH) (AV:L ...)
All the above seems to mean that people think this (and bug#583183 etc)
is a "local" attack only, not worth fixing.
I thought it might be nice to demo a remote attack. I took Bernhard's
example from
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653#5
(which is the "original report" for this bug), stashed it away in
http://www.maths.usyd.edu.au/u/psz/592569.ps
Visiting that webpage with Ubuntu Firefox, and choosing "open with" gs,
I see the file "doh" being created in my home directory. (Would be just
as easy to overwrite ~/.bashrc with something malicious.)
Admittedly, Firefox does not default to open PS files with gs; I wonder
what other browsers do. If they do not have a reasonable default then
users might pick gs, not knowing they need "gs -dSAFER".
I wonder whether there are browsers or similar that do "cd /tmp" before
running gs, so using bug#584653 with a webpage named .../gs_init.ps
would get around all restrictions.
Cheers, Paul
Paul Szabo [email protected] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
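As an added example (not code from Paul's message, from Ghostscript or from Debian), here is the kind of wrapper a browser's "open with" handler could be pointed at instead of bare gs, so the -dSAFER restriction the message says users forget is applied automatically. The -P- option, the empty scratch directory and the script name safe-gs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from Paul's message, Ghostscript or Debian: a
# wrapper that a browser "open with" handler can be pointed at instead of
# bare `gs`, so a downloaded PostScript file is always interpreted with the
# restrictions the message says users forget to enable.
# Assumptions: -dSAFER and -P- behave as the Ghostscript documentation
# describes (file-write restrictions; no current-directory search for
# library files such as gs_init.ps); mktemp -d is available.

SAFE_FLAGS="-dSAFER -P-"   # always prepended, never overridable by the caller

# Return 1 if the caller tries to undo the restrictions through extra options.
check_args() {
    for a in "$@"; do
        case "$a" in
            -dNOSAFER|-dDELAYSAFER|-P) return 1 ;;
        esac
    done
    return 0
}

# Make a path absolute so the input is still found after we leave the
# directory it was downloaded into.
absolute() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$(pwd)" "$1" ;;
    esac
}

# safe_gs FILE [extra gs options]: run gs on FILE from an empty scratch
# directory, so nothing saved next to the download (for example a planted
# gs_init.ps) is in the library search path, and relative file names inside
# the PostScript cannot resolve into the user's home directory.
safe_gs() {
    check_args "$@" || { echo "safe_gs: refusing option that disables SAFER" >&2; return 2; }
    file=$(absolute "$1"); shift
    scratch=$(mktemp -d) || return 1
    ( cd "$scratch" && exec gs $SAFE_FLAGS "$@" "$file" )
    rc=$?
    rm -rf "$scratch"
    return $rc
}

# Installed under the name safe-gs the script acts as the handler itself;
# sourced under any other name it only defines the functions above.
case "${0##*/}" in safe-gs) safe_gs "$@" ;; esac
```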
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]