[gs-bugs] [Bug 691350] gs_init.ps tried in current dir despite -P-

bugzilla-daemon at ghostscript.com bugzilla-daemon at ghostscript.com
Mon Jul 12 07:45:06 UTC 2010


--- Comment #18 from Dr. Werner Fink <werner at suse.de> 2010-07-12 07:45:02 UTC ---
@Ray:  It is a simple security risk to allow reading configuration files
       from the working directory.  Think about /tmp or /var/tmp and
       a modified gs_init.ps ... or a simply tar or zip archive including
       such a modified gs_init.ps.  With this any user of gs will become
       an attack victim.  Maybe the search scheme should be able to detect
       if a file is part of the tree below /usr/share/ghostscript/<version>
       and accept any path below this even if not explicitly mentioned in
       the default GS_LIB path.

       For glibc based systems the way could be the clibc function call
       realpath(3) which is declared for (_BSD_SOURCE || _XOPEN_SOURCE >= 500)
       with the real path of /usr/share/ghostscript/<version> in comparision
       to any real path of a configuration file it is possible to determine
       if the last one is below to the first one.

Configure bugmail: http://bugs.ghostscript.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

More information about the gs-bugs mailing list