Debian Bug report logs - #319757
netpbm: arbitrary postscript code execution (CAN-2005-2471)

Package: netpbm; Maintainer for netpbm is Andreas Barth <aba@not.so.argh.org>; Source for netpbm is src:netpbm-free.

Reported by: Max Vozeler <xam@debian.org>

Date: Sun, 24 Jul 2005 15:48:09 UTC

Severity: important

Tags: etch, patch, sarge, security, sid, woody

Found in version 2:10.0-8

Fixed in version netpbm-free/2:10.0-9

Done: Andreas Barth <aba@not.so.argh.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#319757; Package netpbm.

Acknowledgement sent to Max Vozeler <xam@debian.org>:
New Bug report received and forwarded. Copy sent to Andreas Barth <aba@not.so.argh.org>.

Message #5 received at submit@bugs.debian.org:

From: Max Vozeler <xam@debian.org>
To: submit@bugs.debian.org
Subject: netpbm: arbitrary postscript code execution
Date: Sun, 24 Jul 2005 17:41:31 +0200
[Message part 1 (text/plain, inline)]
Package: netpbm
Version: 2:10.0-8
Severity: important
Tags: security woody sarge etch sid patch

Hi Andi,

we've already talked about this, I'm just filing it to keep track.
Please refer to message <20050602144046.GA16927@dp.roam.hinterhof.net>
(sent to maintainer and security team) for all details.

Quick description: pstopnm calls the ghostscript interpreter on
potentially untrusted postscript without specifying the -dSAFER option.
Not running under -dSAFER allows postscript code to do file IO and to
open pipes to arbitrary external programs, including /bin/sh.

I'm filing this as important bug since I'm not clear in which situations
users would run pstopnm on untrusted postscript. In principle, when that
happens, an attacker could have arbitrary shell commands executed with
the permissions of the user who runs pstopnm.

This bug affects oldstable, stable, testing and sid (as of 2:10.0-8)

cheers,
Max
[pstopnm_dsafer.diff (text/plain, inline)]
--- netpbm-free-10.0/pnm/pstopnm.c~	2005-06-02 16:20:03.205694176 +0200
+++ netpbm-free-10.0/pnm/pstopnm.c	2005-06-02 16:24:24.978262856 +0200
@@ -568,11 +568,11 @@
         pm_message("execing '%s' with args '%s' (arg 0), "
                    "'%s', '%s', '%s', '%s', '%s', '%s', '%s'",
                    ghostscriptProg, arg0,
-                   deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE", "-");
+                   deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE", "-dSAFER",  "-");
     }
 
     execl(ghostscriptProg, arg0, deviceopt, outfileopt, gopt, ropt, "-q",
-          "-dNOPAUSE", "-", NULL);
+          "-dNOPAUSE", "-dSAFER", "-", NULL);
     
     pm_error("execl() of Ghostscript ('%s') failed, errno=%d (%s)",
              ghostscriptProg, errno, strerror(errno));
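
Review bot: The pm_message() format string in the unchanged context lines still carries nine '%s' conversions, but with "-dSAFER" added the call now passes ten arguments, so the verbose log silently drops the trailing "-" and no longer matches what execl() actually runs; add one more '%s' to the format string. The added pm_message() line also has a stray double space after `"-dSAFER",`. Because the argument list is written out twice and kept in sync by hand, consider building it once and using it for both the message and the exec call, so a safety flag like this cannot end up present in one place and missing in the other.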

Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#319757; Package netpbm.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>.

Message #10 received at 319757@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: 319757@bugs.debian.org, control@bugs.debian.org
Subject: This is CAN-2005-2471
Date: Mon, 22 Aug 2005 10:27:12 +0200
[Message part 1 (text/plain, inline)]
retitle 319757 netpbm: arbitrary postscript code execution (CAN-2005-2471)
thanks

This is referenced in the recent Fedora Advisory (FEDORA-2005-728)
as CAN-2005-2471. Please use this CVE name in the changelog so that
the security team can track this bug.

Javier
[signature.asc (application/pgp-signature, inline)]

Changed Bug title. Request was from Javier Fernández-Sanguino Peña <jfs@computer.org> to control@bugs.debian.org.

Reply sent to Andreas Barth <aba@not.so.argh.org>:
You have taken responsibility.

Notification sent to Max Vozeler <xam@debian.org>:
Bug acknowledged by developer.

Message #17 received at 319757-close@bugs.debian.org:

From: Andreas Barth <aba@not.so.argh.org>
To: 319757-close@bugs.debian.org
Subject: Bug#319757: fixed in netpbm-free 2:10.0-9
Date: Sun, 04 Sep 2005 14:17:09 -0700
Source: netpbm-free
Source-Version: 2:10.0-9

We believe that the bug you reported is fixed in the latest version of
netpbm-free, which is due to be installed in the Debian FTP archive:

libnetpbm10-dev_10.0-9_i386.deb
  to pool/main/n/netpbm-free/libnetpbm10-dev_10.0-9_i386.deb
libnetpbm10_10.0-9_i386.deb
  to pool/main/n/netpbm-free/libnetpbm10_10.0-9_i386.deb
libnetpbm9-dev_10.0-9_i386.deb
  to pool/main/n/netpbm-free/libnetpbm9-dev_10.0-9_i386.deb
libnetpbm9_10.0-9_i386.deb
  to pool/main/n/netpbm-free/libnetpbm9_10.0-9_i386.deb
netpbm-free_10.0-9.diff.gz
  to pool/main/n/netpbm-free/netpbm-free_10.0-9.diff.gz
netpbm-free_10.0-9.dsc
  to pool/main/n/netpbm-free/netpbm-free_10.0-9.dsc
netpbm_10.0-9_i386.deb
  to pool/main/n/netpbm-free/netpbm_10.0-9_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 319757@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Barth <aba@not.so.argh.org> (supplier of updated netpbm-free package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  4 Sep 2005 23:00:43 +0200
Source: netpbm-free
Binary: libnetpbm10-dev netpbm libnetpbm9 libnetpbm9-dev libnetpbm10
Architecture: source i386
Version: 2:10.0-9
Distribution: unstable
Urgency: low
Maintainer: Andreas Barth <aba@not.so.argh.org>
Changed-By: Andreas Barth <aba@not.so.argh.org>
Description: 
 libnetpbm10 - Shared libraries for netpbm
 libnetpbm10-dev - Development libraries and header files
 libnetpbm9 - Shared libraries for netpbm
 libnetpbm9-dev - Development libraries and header files
 netpbm     - Graphics conversion tools
Closes: 285340 303102 319757 326513
Changes: 
 netpbm-free (2:10.0-9) unstable; urgency=low
 .
   * fix arbitrary postscript execution, CAN-2005-2471. Closes: #319757
   * fix typo in pbmtoppa manpage. Closes: #326513
   * drop dependency on bc. Closes: #303102
   * fix typo in pam manpage. Closes: #285340
Files: 
 e3a6d7f6302b6d76864f845ef48e64bd 745 graphics optional netpbm-free_10.0-9.dsc
 61b764e83228ca964c439905c9a63012 45292 graphics optional netpbm-free_10.0-9.diff.gz
 a028ab246699e2f86a3c41ba28ed39b7 1186744 graphics optional netpbm_10.0-9_i386.deb
 98947f62cb985fc074ec30d698b6ac71 62948 libs optional libnetpbm10_10.0-9_i386.deb
 cbe1680c43fd3c009bec3a14759dd1dc 109182 libdevel optional libnetpbm10-dev_10.0-9_i386.deb
 043f6c752a8741860e1b74bc46e65263 69358 libs optional libnetpbm9_10.0-9_i386.deb
 cf74d4577a8568eb6c511cbd7adb85ff 109428 libdevel optional libnetpbm9-dev_10.0-9_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iEYEARECAAYFAkMbYl8ACgkQmdOZoew2oYXsXgCglVwiSzawS2hFdaa1DBhKfBN/
PJYAn11+4cNrEPAJNxubGfs7RUqE5USL
=QWYE
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 00:14:09 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 16:54:12 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.