[gs-bugs] [Bug 690337] New: Security Problem with GPL Ghostscript 8.2 and possibly others

bugs.ghostscript.com-bugzilla-daemon at ghostscript.com bugs.ghostscript.com-bugzilla-daemon at ghostscript.com
Tue Mar 17 12:04:38 PDT 2009 

http://bugs.ghostscript.com/show_bug.cgi?id=690337

           Summary: Security Problem with GPL Ghostscript 8.2 and possibly
                    others
           Product: Ghostscript
           Version: 8.62
          Platform: PC
        OS/Version: FreeBSD
            Status: UNCONFIRMED
          Severity: critical
          Priority: P4
         Component: Printer Driver
        AssignedTo: support at artifex.com
        ReportedBy: papowell at astart.com
         QAContact: gs-bugs at ghostscript.com


The GPL Ghostscript Version 8.62 (GS) allows files in the same directory to be
opened and read by PostScript files being processed by GS.

When GS is used by the LPRng, CUPS, or legacy LPR printing system to process
print files the current directory is set to the 'spool queue' directory.
A carefully crafted PostScript print job could open, read, and print files
submitted by other users.

While GPL GhostScript has a '-dPARNOID' option that eliminates other security
issues,  it appears that this one has been missed.  In previous versions of
Ghostscript -dPARANOIDSAFER prevented this problem.  However, the current version
of GPL Ghostscript Version 8.62 (GS) allows files in the 'Search path' to be
read.  The current search path is:

    #> gs --help
    GPL Ghostscript 8.62 (2008-02-29)
    Copyright (C) 2008 Artifex Software, Inc.  All rights reserved.
    Usage: gs [switches] [file1.ps file2.ps ...]
    Most frequently used switches: (you can use # in place of =)
     -dNOPAUSE           no pause after page   | -q       `quiet', fewer messages
     -g<width>x<height>  page size in pixels   | -r<res>  pixels/inch resolution
     -sDEVICE=<devname>  select device         | -dBATCH  exit after last file
     -sOutputFile=<file> select output file: - for stdout, |command for pipe,
                                             embed %d or %ld for page #
    Input formats: PostScript PostScriptLevel1 PostScriptLevel2 PostScriptLevel3 PDF
    Default output device: x11alpha
    Available devices:
       alc1900 alc1900 alc2000 alc2000 alc4000 alc4000 alc4100 alc4100 alc8500

    ....
    Search path:
->     . : /install/root/.fonts : /usr/local/share/ghostscript/8.62/lib :
       /usr/local/share/ghostscript/8.62/Resource :
       /usr/local/share/ghostscript/fonts :
       /usr/local/share/fonts/default/ghostscript :
       /usr/local/share/fonts/default/Type1 :
       /usr/local/share/fonts/default/TrueType : /usr/lib/DPS/outline/base :
       /usr/openwin/lib/X11/fonts/Type1 : /usr/openwin/lib/X11/fonts/TrueType
    For more information, see /usr/local/share/ghostscript/8.62/doc/Use.htm.
    Please report bugs to bugs.ghostscript.com.

-> shows that '.' is in the search path.


Save the following to 'gs_security_check' and run the shell script:

#!/bin/sh
GS=gs
tmpdir=/tmp
cat <<EOF >$tmpdir/gsQuit
quit
EOF
cat <<EOF >$tmpdir/gsTest
($tmpdir/gsQuit) (r) file quit
EOF

cat <<EOF >$tmpdir/gsTestSameDir
(gsQuit) (r) file quit
EOF


  echo "checking GhostScript -dSAFER and -dPARANOIDSAFER option"
  if ! $GS -q -dBATCH -dNOPAUSE -dSAFER -dPARANOIDSAFER -sDEVICE=nullpage
-sOutputFile=- $tmpdir/gsQuit ; then
        echo ERROR
        exit 1
  fi
  if $GS -q -dBATCH -dNOPAUSE -dSAFER -dPARANOIDSAFER -sDEVICE=nullpage
-sOutputFile=- $tmpdir/gsTest 1>/dev/null 2>/dev/null ;
                            then
          cat <<EOF
WARNING: '($GS) -dSAFER -dPARANOIDSAFER ' allows files to be read
Please read README.GhostScriptSecurityProblem
and fix your distribution of GhostScript
EOF
                exit 1
  fi
  cd $tmpdir
  if $GS -q -dBATCH -dNOPAUSE -dSAFER -dPARANOIDSAFER -sDEVICE=nullpage
-sOutputFile=- gsTestSameDir 1>/dev/null 2>/dev/null ;
                           then
        cat <<EOF;
WARNING: '($GS) -dSAFER -dPARANOIDSAFER ' allows files
in same directory to be read.
Please read README.GhostScriptSecurityProblem
and fix your distribution of GhostScript
EOF
        exit 1
  fi


If

test_i386: {69} # ./gs_security_check
checking GhostScript -dSAFER and -dPARANOIDSAFER option
WARNING: '(gs) -dSAFER -dPARANOIDSAFER ' allows files
in same directory to be read.
Please read README.GhostSand fix your distribution of GhostScript


Fix:

Modify GPL Ghostscript 8.62 (2008-02-29) so that the -dPARANOIDSAFER
option removes the '.' from the search path
and fix your distribution of GhostScript



------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

More information about the gs-bugs mailing list