On Tue, Aug 17, 2004 at 06:32:30PM -0700, Ken Bloom wrote: > > The third was written by someone else, but it's very useful: > Package: svp > Version: 0.2-3 > Description: An SVGAlib based viewer for PostScript and PDF files > svp is an SVGAlib based GhostScript frontend, allowing you to view > PostScript and PDF files on your virtual consoles. > > All of my packages are at http://wwwcsif.cs.ucdavis.edu/~bloom/
I will sponsor this package when it has been fixed to avoid a local root attack. The binary is installed setuid(root), and contains the following code: snprintf(command, 255, "gs -dBATCH -dNOPAUSE -dSAFER -sDEVICE=nullpage \"%s\" 2>&1", filename); f=popen(command, "r"); That is it invokes a copy of 'gs' without dropping root privileges and without specifying the path to gs. This allows a local user to setup a trojan gs command and use it to gain root... Appropriate solutions could be forking and dropping privileges temporarily, dropping the +s bit, or something else. Steve -- # The Debian Security Audit Project. http://www.debian.org/security/audit
