Debian Bug report logs - #319758
[CAN-2005-2536] pstotext: arbitrary postscript code execution


Package: pstotext; Maintainer for pstotext is Jan Jeroným Zvánovec <jero@zvano.net>; Source for pstotext is src:pstotext.

Reported by: Max Vozeler <xam@debian.org>

Date: Sun, 24 Jul 2005 16:03:02 UTC

Severity: grave

Tags: etch, patch, security, upstream

Found in version 1.9-1

Fixed in version pstotext/1.9-2

Done: 319758@bugs.debian.org

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jdassen@debian.org (J.H.M. Dassen (Ray)):
Bug#319758; Package pstotext.

Acknowledgement sent to Max Vozeler <xam@debian.org>:
New Bug report received and forwarded. Copy sent to jdassen@debian.org (J.H.M. Dassen (Ray)).

Message #5 received at submit@bugs.debian.org:

From: Max Vozeler <xam@debian.org>
To: submit@bugs.debian.org
Subject: pstotext: arbitrary postscript code execution
Date: Sun, 24 Jul 2005 17:47:37 +0200
[Message part 1 (text/plain, inline)]
Package: pstotext
Version: 1.9-1
Severity: grave
Justification: remote code execution
Tags: security woody sarge etch sid patch

Hi Ray,

we've already talked about this, I'm just filing it to keep track.
Please refer to message <20050602141310.GA13733@dp.roam.hinterhof.net>
(sent to maintainer and security team) for all details.

Quick description: pstotext calls the ghostscript interpreter on
untrusted postscript without specifying the -dSAFER option. Not running
under -dSAFER allows postscript code to do file IO and to open pipes to
arbitrary external programs, including /bin/sh. 

I'm filing this as a grave bug since pstotext is listed in mailcap and
used to display postscript by several programs, including for example 
mutt. An attacker who knows that one is using a mail program that uses
mailcap could exploit this bug by sending malicious postscript as email
attachment and tricking the user into viewing it.

This bug affects oldstable, stable, testing and sid (as of 1.9-1). 

cheers,
Max
[pstotext_dsafer.diff (text/plain, inline)]
--- pstotext-1.9/main.c~	2005-06-02 15:42:33.754177096 +0200
+++ pstotext-1.9/main.c	2005-06-02 15:45:20.412084016 +0200
@@ -231,9 +231,9 @@
   sprintf(
     gs_cmdline,
 #ifdef VMS
-    "%s -r72 \"-dNODISPLAY\" \"-dFIXEDMEDIA\" \"-dDELAYBIND\" \"-dWRITESYSTEMDICT\" %s \"-dNOPAUSE\" %s %s %s",
+    "%s -r72 \"-dNODISPLAY\" \"-dFIXEDMEDIA\" \"-dDELAYBIND\" \"-dWRITESYSTEMDICT\" %s \"-dNOPAUSE\" \"-dSAFER\" %s %s %s",
 #else
-    "%s -r72 -dNODISPLAY -dFIXEDMEDIA -dDELAYBIND -dWRITESYSTEMDICT %s -dNOPAUSE %s %s %s",
+    "%s -r72 -dNODISPLAY -dFIXEDMEDIA -dDELAYBIND -dWRITESYSTEMDICT %s -dNOPAUSE -dSAFER %s %s %s",
 #endif
     gs_cmd,
     (debug ? "" : "-q"),
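
Review bot: In both format strings, -dSAFER is added while -dWRITESYSTEMDICT stays on the same gs command line, so the interpreter is asked to restrict the document and to leave systemdict writable at the same time. Please confirm that the file and pipe restrictions still hold with -dWRITESYSTEMDICT and -dDELAYBIND set, and record that in a comment above the sprintf, since nothing in the code says that -dSAFER is there for security and a later cleanup of the flag list could drop it. Separately, this is an unbounded sprintf into gs_cmdline and each format string has grown by the length of the new flag; check that the buffer size accounts for it, or switch to snprintf with the buffer length.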

Tags added: upstream. Request was from "J.H.M. Dassen (Ray)" <jdassen@debian.org> to control@bugs.debian.org.

Bug marked as fixed in version 1.9-2, send any further explanations to Max Vozeler <xam@debian.org>. Request was from "J.H.M. Dassen (Ray)" <jdassen@debian.org> to control@bugs.debian.org.

Changed Bug title. Request was from "J.H.M. Dassen (Ray)" <jdassen@debian.org> to control@bugs.debian.org.

Tags removed: sid. Request was from "J.H.M. Dassen (Ray)" <jdassen@debian.org> to control@bugs.debian.org.

Tags removed: woody, sarge. Request was from Max Vozeler <max@decl.org> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 00:46:45 GMT)
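
The exposure path described in the report (a mailcap viewer that ends up running gs without -dSAFER) can be checked for on a host. The following is an added example, not part of the original report or of pstotext: it parses a constructed mailcap sample and flags entries that call gs without -dSAFER, or that call pstotext, whose Debian package is fixed in 1.9-2 according to this log. The function names and the sample entries are assumptions made for illustration.

```python
import os
import re
import shlex

# Constructed sample mailcap (not taken from any real system).
SAMPLE_MAILCAP = r"""
# postscript handlers
application/postscript; pstotext '%s' | less; needsterminal
application/postscript; gs -q -dNODISPLAY -dNOPAUSE '%s'; test=test -n "$DISPLAY"
application/pdf; gs -q -dSAFER -dNOPAUSE -sDEVICE=txtwrite \
    -sOutputFile=- '%s'; copiousoutput
text/html; lynx -dump '%s'; copiousoutput
"""

def mailcap_entries(text):
    """Yield (mime_type, command) pairs, joining backslash-continued lines."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"(?<!\\);", line)   # ';' separates fields unless escaped
        if len(fields) >= 2:
            yield fields[0].strip().lower(), fields[1].strip()

def audit_command(command):
    """Return reasons why a viewer command may run PostScript unrestricted."""
    reasons = []
    for stage in re.split(r"\|\||&&|[|&]", command):   # each pipeline stage
        try:
            argv = shlex.split(stage)
        except ValueError:                   # unbalanced quotes: plain split
            argv = stage.split()
        if not argv:
            continue
        prog = os.path.basename(argv[0])
        if prog == "gs" and ("-dSAFER" not in argv or "-dNOSAFER" in argv):
            reasons.append("gs invoked without -dSAFER")
        elif prog == "pstotext":
            reasons.append("pstotext runs gs itself; check package is 1.9-2 or later")
    return reasons

def audit_mailcap(text):
    """Return (mime_type, command, reason) for every flagged entry."""
    return [(t, c, r) for t, c in mailcap_entries(text) for r in audit_command(c)]

if __name__ == "__main__":
    for mime_type, command, reason in audit_mailcap(SAMPLE_MAILCAP):
        print(f"{mime_type}: {reason}: {command}")
```

To audit a real host, pass the contents of the system and per-user mailcap files to `audit_mailcap` instead of the sample.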



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 14:25:21 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.