Debian Bug report logs - #319757
netpbm: arbitrary postscript code execution (CAN-2005-2471)
Reported by: Max Vozeler <xam@debian.org>
Date: Sun, 24 Jul 2005 15:48:09 UTC
Severity: important
Tags: etch, patch, sarge, security, sid, woody
Found in version 2:10.0-8
Fixed in version netpbm-free/2:10.0-9
Done: Andreas Barth <aba@not.so.argh.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#319757; Package netpbm.
Acknowledgement sent to Max Vozeler <xam@debian.org>:
New Bug report received and forwarded. Copy sent to Andreas Barth <aba@not.so.argh.org>.
Message #5 received at submit@bugs.debian.org:
Package: netpbm
Version: 2:10.0-8
Severity: important
Tags: security woody sarge etch sid patch
Hi Andi,

we've already talked about this, I'm just filing it to keep track.
Please refer to message <20050602144046.GA16927@dp.roam.hinterhof.net>
(sent to maintainer and security team) for all details.

Quick description: pstopnm calls the ghostscript interpreter on
potentially untrusted postscript without specifying the -dSAFER option.
Not running under -dSAFER allows postscript code to do file IO and to
open pipes to arbitrary external programs, including /bin/sh.

I'm filing this as an important bug since I'm not clear in which situations
users would run pstopnm on untrusted postscript. In principle, when that
happens, an attacker could have arbitrary shell commands executed with
the permissions of the user who runs pstopnm.

This bug affects oldstable, stable, testing and sid (as of 2:10.0-8)

cheers,
Max
[pstopnm_dsafer.diff (text/plain, inline)]
--- netpbm-free-10.0/pnm/pstopnm.c~ 2005-06-02 16:20:03.205694176 +0200
+++ netpbm-free-10.0/pnm/pstopnm.c 2005-06-02 16:24:24.978262856 +0200
@@ -568,11 +568,11 @@
pm_message("execing '%s' with args '%s' (arg 0), "
"'%s', '%s', '%s', '%s', '%s', '%s', '%s'",
ghostscriptProg, arg0,
- deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE", "-");
+ deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE", "-dSAFER", "-");
}
execl(ghostscriptProg, arg0, deviceopt, outfileopt, gopt, ropt, "-q",
- "-dNOPAUSE", "-", NULL);
+ "-dNOPAUSE", "-dSAFER", "-", NULL);
pm_error("execl() of Ghostscript ('%s') failed, errno=%d (%s)",
ghostscriptProg, errno, strerror(errno));
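Review bot: the pm_message() format string in the unchanged context lines still carries nine '%s' conversions, while the call now passes ten arguments. Assuming pm_message() is printf-style, as its use here suggests, the verbose trace will show "-dSAFER" in the last slot and drop the trailing "-", so the logged command no longer matches what execl() runs. Add one more '%s' to the second format line. The execl() change itself puts "-dSAFER" ahead of "-", which is the right order: the switch has to be set before Ghostscript starts reading the program from stdin.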
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#319757; Package netpbm.
Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>.
Message #10 received at 319757@bugs.debian.org:
retitle 319757 netpbm: arbitrary postscript code execution (CAN-2005-2471)
thanks
This is referenced in the recent Fedora Advisory (FEDORA-2005-728)
as CAN-2005-2471. Please use this CVE name in the changelog so that
the security team can track this bug.
Javier
Changed Bug title.
Request was from Javier Fernández-Sanguino Peña <jfs@computer.org>
to control@bugs.debian.org.
Reply sent to Andreas Barth <aba@not.so.argh.org>:
You have taken responsibility.
Notification sent to Max Vozeler <xam@debian.org>:
Bug acknowledged by developer.
Message #17 received at 319757-close@bugs.debian.org:
Source: netpbm-free
Source-Version: 2:10.0-9
We believe that the bug you reported is fixed in the latest version of
netpbm-free, which is due to be installed in the Debian FTP archive:
libnetpbm10-dev_10.0-9_i386.deb
to pool/main/n/netpbm-free/libnetpbm10-dev_10.0-9_i386.deb
libnetpbm10_10.0-9_i386.deb
to pool/main/n/netpbm-free/libnetpbm10_10.0-9_i386.deb
libnetpbm9-dev_10.0-9_i386.deb
to pool/main/n/netpbm-free/libnetpbm9-dev_10.0-9_i386.deb
libnetpbm9_10.0-9_i386.deb
to pool/main/n/netpbm-free/libnetpbm9_10.0-9_i386.deb
netpbm-free_10.0-9.diff.gz
to pool/main/n/netpbm-free/netpbm-free_10.0-9.diff.gz
netpbm-free_10.0-9.dsc
to pool/main/n/netpbm-free/netpbm-free_10.0-9.dsc
netpbm_10.0-9_i386.deb
to pool/main/n/netpbm-free/netpbm_10.0-9_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 319757@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Barth <aba@not.so.argh.org> (supplier of updated netpbm-free package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 4 Sep 2005 23:00:43 +0200
Source: netpbm-free
Binary: libnetpbm10-dev netpbm libnetpbm9 libnetpbm9-dev libnetpbm10
Architecture: source i386
Version: 2:10.0-9
Distribution: unstable
Urgency: low
Maintainer: Andreas Barth <aba@not.so.argh.org>
Changed-By: Andreas Barth <aba@not.so.argh.org>
Description:
libnetpbm10 - Shared libraries for netpbm
libnetpbm10-dev - Development libraries and header files
libnetpbm9 - Shared libraries for netpbm
libnetpbm9-dev - Development libraries and header files
netpbm - Graphics conversion tools
Closes: 285340 303102 319757 326513
Changes:
netpbm-free (2:10.0-9) unstable; urgency=low
.
* fix arbitrary postscript execution, CAN-2005-2471. Closes: #319757
* fix typo in pbmtoppa manpage. Closes: #326513
* drop dependency on bc. Closes: #303102
* fix typo in pam manpage. Closes: #285340
Files:
e3a6d7f6302b6d76864f845ef48e64bd 745 graphics optional netpbm-free_10.0-9.dsc
61b764e83228ca964c439905c9a63012 45292 graphics optional netpbm-free_10.0-9.diff.gz
a028ab246699e2f86a3c41ba28ed39b7 1186744 graphics optional netpbm_10.0-9_i386.deb
98947f62cb985fc074ec30d698b6ac71 62948 libs optional libnetpbm10_10.0-9_i386.deb
cbe1680c43fd3c009bec3a14759dd1dc 109182 libdevel optional libnetpbm10-dev_10.0-9_i386.deb
043f6c752a8741860e1b74bc46e65263 69358 libs optional libnetpbm9_10.0-9_i386.deb
cf74d4577a8568eb6c511cbd7adb85ff 109428 libdevel optional libnetpbm9-dev_10.0-9_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iEYEARECAAYFAkMbYl8ACgkQmdOZoew2oYXsXgCglVwiSzawS2hFdaa1DBhKfBN/
PJYAn11+4cNrEPAJNxubGfs7RUqE5USL
=QWYE
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 26 Jun 2007 00:14:09 GMT)
Last modified: Tue Nov 6 00:55:15 2018