Debian Bug report logs - #356988
pstotext: doesn't correctly quote characters to nested shell

version graph

Package: pstotext; Maintainer for pstotext is Jan Jeroným Zvánovec <jero@zvano.net>; Source for pstotext is src:pstotext.

Reported by: Brian May <bam@debian.org>

Date: Wed, 15 Mar 2006 06:03:02 UTC

Severity: grave

Tags: help, patch, security, upstream

Found in version pstotext/1.9-1sarge1

Fixed in versions pstotext/1.9-3, pstotext/1.9-4

Done: jdassen@debian.org (J.H.M. Dassen (Ray))

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, jdassen@debian.org (J.H.M. Dassen (Ray)):
Bug#356988; Package pstotext. Full text and rfc822 format available.

Acknowledgement sent to Brian May <bam@debian.org>:
New Bug report received and forwarded. Copy sent to jdassen@debian.org (J.H.M. Dassen (Ray)). Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Brian May <bam@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pstotext: doesn't correctly quote characters to nested shell
Date: Wed, 15 Mar 2006 16:58:10 +1100
Package: pstotext
Version: 1.9-1sarge1
Severity: grave
Justification: user security hole

bam@debian:/tmp/deleteme$ pstotext "a'b.ps"
sh: -c: line 1: unexpected EOF while looking for matching `''
sh: -c: line 2: syntax error: unexpected end of file
bam@debian:/tmp/deleteme$ mv "a'b.ps" ab.ps
bam@debian:/tmp/deleteme$ pstotext "ab.ps"
ESP Ghostscript 7.07.1: Unrecoverable error, exit code 1

bam@debian:/tmp/deleteme$ strace -s 256 -e trace=process -ff  pstotext "a'b.ps"
execve("/usr/bin/pstotext", ["pstotext", "a\'b.ps"], [/* 35 vars */]) = 0
vfork(Process 25977 attached
)                                 = 25977
[pid 25977] execve("/bin/sh", ["sh", "-c", "gs -r72 -dNODISPLAY
-dFIXEDMEDIA -dDELAYBIND -dWRITESYSTEMDICT -q -dNOPAUSE -dSAFER
/tmp/ps2tvQBxTF -- \'a\'b.ps\'"], [/* 35 vars */]) = 0
sh: -c: line 1: unexpected EOF while looking for matching `''
sh: -c: line 2: syntax error: unexpected end of file
[pid 25977] exit_group(258)             = ?
Process 25977 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
waitpid(25977, [{WIFEXITED(s) && WEXITSTATUS(s) == 2}], 0) = 25977
exit_group(3)                           = ?

You can see that I correctly quoted the parameter in the invoking shell, and
pstotext passes the parameter to the nested sh as 'a'b.ps' which obviously gets
it confused.

This could be a security issue, if you can run pstotext with an
arbitrary filename (eg. via swish++ running on some untrusted source).
eg:

ivt@ivtintranet:/tmp/data$ strace -s 256 -e trace=process -ff "pstotext" "hi.txt'; id>/tmp/abc.key; echo 'silly"
execve("/usr/bin/pstotext", ["pstotext", "hi.txt\'; id>/tmp/abc.key; echo \'silly"], [/* 19 vars */]) = 0
arch_prctl(ARCH_SET_FS, 0x2aaaaaf7e6d0) = 0
clone(Process 9983 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2aaaaaf7e760) = 9983
[pid  9983] execve("/bin/sh", ["sh", "-c", "gs -r72 -dNODISPLAY -dFIXEDMEDIA -dDELAYBIND -dWRITESYSTEMDICT -q -dNOPAUSE -dSAFER  /tmp/ps2tIqkOjd -- \'hi.txt\'; id>/tmp/abc.key; echo \'silly\'"], [/* 19 vars */]) = 0
[pid  9983] arch_prctl(ARCH_SET_FS, 0x2aaaab0576d0) = 0
[pid  9983] clone(Process 9984 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2aaaab057760) = 9984
[pid  9983] wait4(-1, Process 9983 suspended
 <unfinished ...>
[pid  9984] execve("/usr/bin/gs", ["gs", "-r72", "-dNODISPLAY", "-dFIXEDMEDIA", "-dDELAYBIND", "-dWRITESYSTEMDICT", "-q", "-dNOPAUSE", "-dSAFER", "/tmp/ps2tIqkOjd", "--", "hi.txt"], [/* 18 vars */]) = 0
[pid  9984] arch_prctl(ARCH_SET_FS, 0x2aaaace67b30) = 0
ESP Ghostscript 7.07.1: Unrecoverable error, exit code 1
[pid  9984] exit_group(0)               = ?
Process 9983 resumed
Process 9984 detached
[pid  9983] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 9984
[pid  9983] --- SIGCHLD (Child exited) @ 0 (0) ---
[pid  9983] wait4(-1, 0x7fffffb1ce14, WNOHANG, NULL) = -1 ECHILD (No child processes)
[pid  9983] clone(Process 9985 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2aaaab057760) = 9985
[pid  9983] wait4(-1, Process 9983 suspended
 <unfinished ...>
[pid  9985] execve("/usr/bin/id", ["id"], [/* 18 vars */]) = 0
[pid  9985] arch_prctl(ARCH_SET_FS, 0x2aaaaadf96d0) = 0
[pid  9985] exit_group(0)               = ?
Process 9983 resumed
Process 9985 detached
[pid  9983] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 9985
[pid  9983] --- SIGCHLD (Child exited) @ 0 (0) ---
[pid  9983] wait4(-1, 0x7fffffb1ce34, WNOHANG, NULL) = -1 ECHILD (No child processes)
[pid  9983] exit_group(0)               = ?
Process 9983 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
wait4(9983, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 9983
exit_group(0)                           = ?

You can clearly see that I tricked pstotext into running id and outputing the
result into a temp file.

If I do the following:

ivt@ivtintranet:/tmp/data$ touch "hi.txt'; id>abc.key; echo 'silly.ps"

ivt@ivtintranet:/tmp/data$ rm abc.key
ivt@ivtintranet:/tmp/data$ ls -l
total 0
-rw-r--r--  1 ivt ivt 0 2006-03-15 16:50 hi.txt'; id>abc.key; echo 'silly.ps

I can trick swish++ into running an arbitrary command by passing
the filename through pstotext:

ivt@ivtintranet:/tmp/data$ 'index++' -v4 '--config-file' '/usr/share/sitebuilder/core/indexing.conf' '--index-file' /tmp/abcd /tmp/data

/tmp/data:
  hi.txt'; id>abc.key; echo 'silly.psESP Ghostscript 7.07.1: Unrecoverable error, exit code 1
 (skipped: can not open)

index++: done:
  00:01 (min:sec) elapsed time
  1 files, 0 indexed
  0 words, 0 indexed, 0 unique

ivt@ivtintranet:/tmp/data$ ls -l
total 4
-rw-r--r--  1 ivt ivt 162 2006-03-15 16:51 abc.key
-rw-r--r--  1 ivt ivt   0 2006-03-15 16:50 hi.txt'; id>abc.key; echo 'silly.ps
ivt@ivtintranet:/tmp/data$ cat abc.key
uid=1000(ivt) gid=1000(ivt) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(lpadmin),105(scanner),106(admin),1000(ivt)

as you can see, pstotext was tricked into running the id command and
the result appeared in abc.key.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (50, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.8-pegasos
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages pstotext depends on:
ii  gs                          8.01-5       Transitional package
ii  gs-esp [gs]                 7.07.1-9     The Ghostscript PostScript interpr
ii  gs-gpl [gs]                 8.01-5       The GPL Ghostscript PostScript int
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an

-- no debconf information

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (50, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.8-pegasos
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages pstotext depends on:
ii  gs                          8.01-5       Transitional package
ii  gs-esp [gs]                 7.07.1-9     The Ghostscript PostScript interpr
ii  gs-gpl [gs]                 8.01-5       The GPL Ghostscript PostScript int
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, jdassen@debian.org (J.H.M. Dassen (Ray)):
Bug#356988; Package pstotext. Full text and rfc822 format available.

Acknowledgement sent to "J.H.M. Dassen (Ray)" <jdassen@debian.org>:
Extra info received and forwarded to list. Copy sent to jdassen@debian.org (J.H.M. Dassen (Ray)). Full text and rfc822 format available.

Message #10 received at 356988@bugs.debian.org (full text, mbox):

From: "J.H.M. Dassen (Ray)" <jdassen@debian.org>
To: 356988@bugs.debian.org
Subject: Re: Bug#356988: pstotext: doesn't correctly quote characters to nested shell
Date: Wed, 15 Mar 2006 23:16:40 +0100
[Message part 1 (text/plain, inline)]
On Wed, Mar 15, 2006 at 16:58:10 +1100, Brian May wrote:
> This could be a security issue, if you can run pstotext with an arbitrary
> filename (eg. via swish++ running on some untrusted source).

pstotext currently popen(3)s a command containing a filename supplied by its
caller. The only way to secure it against nasty filenames would be to
rewrite it not to use popen(3). The attached patch seems to do the trick but
should be reviewed - I'm not sure I've done the fork'n'pipe completely
right; there may be some cleanup missing and it breaks the VMS build (though
I doubt someone cares about that). Oh well, it's a start.

Ray
-- 
Sexual paranoia: did I once unknowingly sleep with THEM?
[patch (text/plain, attachment)]

Tags added: upstream, help, patch Request was from "J.H.M. Dassen (Ray)" <jdassen@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, jdassen@debian.org (J.H.M. Dassen (Ray)):
Bug#356988; Package pstotext. Full text and rfc822 format available.

Acknowledgement sent to Brian May <bam@debian.org>:
Extra info received and forwarded to list. Copy sent to jdassen@debian.org (J.H.M. Dassen (Ray)). Full text and rfc822 format available.

Message #17 received at 356988@bugs.debian.org (full text, mbox):

From: Brian May <bam@debian.org>
To: 356988@bugs.debian.org
Subject: pstotext: doesn't correctly quote characters to nested shell
Date: Tue, 21 Mar 2006 11:46:10 +1100
Hello,

I noticed your patch to this problem, so I decided to review it.

It looks good to me. Other solutions are also possible, but your
solution looks better.

However, I notice the cleanup() routine still calls pclose(...). This
has me puzzled because no errors are generated, so maybe the cleanup
code isn't being called for some reason (it looks like gs==null???).

I think pclose (which is documented only to work with popen) needs to be
replaced with waitpid(...). This function should also perform the
cleanup you were concerned about (not really a major issue with pstotext
because it exits so quickly anyway - but it seems like a good idea to
get the exit status). For this to work, you will need to save the PID
returned by fork so cleanup can access it.

As for VMS, this is something I have no idea what-so-ever about. I would
assume it should work, but I have never been near a VMS system so I have
no idea.

(disclaimer: I am no expert at this either).

Please CC responses to me, thanks.
-- 
Brian May <bam@debian.org>




Information forwarded to debian-bugs-dist@lists.debian.org, jdassen@debian.org (J.H.M. Dassen (Ray)):
Bug#356988; Package pstotext. Full text and rfc822 format available.

Acknowledgement sent to "J.H.M. Dassen (Ray)" <jdassen@debian.org>:
Extra info received and forwarded to list. Copy sent to jdassen@debian.org (J.H.M. Dassen (Ray)). Full text and rfc822 format available.

Message #22 received at 356988@bugs.debian.org (full text, mbox):

From: "J.H.M. Dassen (Ray)" <jdassen@debian.org>
To: 356988@bugs.debian.org
Subject: Re: Bug#356988: pstotext: doesn't correctly quote characters to nested shell
Date: Tue, 21 Mar 2006 21:59:20 +0100
[Message part 1 (text/plain, inline)]
On Tue, Mar 21, 2006 at 11:46:10 +1100, Brian May wrote:
> I noticed your patch to this problem, so I decided to review it.

Thanks.

> It looks good to me. Other solutions are also possible, but your
> solution looks better.
> 
> However, I notice the cleanup() routine still calls pclose(...). This has
> me puzzled because no errors are generated, so maybe the cleanup code
> isn't being called for some reason (it looks like gs==null???).
> 
> I think pclose (which is documented only to work with popen) needs to be
> replaced with waitpid(...). This function should also perform the
> cleanup you were concerned about (not really a major issue with pstotext
> because it exits so quickly anyway - but it seems like a good idea to
> get the exit status). For this to work, you will need to save the PID
> returned by fork so cleanup can access it.

I'm attaching an updated version of my patch. Note that I'm not explicitly
saving the child PID yet, but it might just do the trick.

> As for VMS, this is something I have no idea what-so-ever about. I would
> assume it should work, but I have never been near a VMS system so I have
> no idea.

Frankly, I don't think anyone cares about the VMS port. I'm just trying to
make minimal changes at this point to make it easier to integrate this
upstream.

Ray
-- 
FUD for dummies by example in 21 days Lesson 3: use braindead analogies.
"Open source raises various security issues. How many banks will tell you
where their cameras are and where their vaults are?"
A Microsoft droid in http://www.zdnet.co.uk/news/1999/47/ns-11895.html
[patch (text/plain, attachment)]

Reply sent to jdassen@debian.org (J.H.M. Dassen (Ray)):
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Brian May <bam@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #27 received at 356988-close@bugs.debian.org (full text, mbox):

From: jdassen@debian.org (J.H.M. Dassen (Ray))
To: 356988-close@bugs.debian.org
Subject: Bug#356988: fixed in pstotext 1.9-3
Date: Fri, 05 May 2006 08:32:37 -0700
Source: pstotext
Source-Version: 1.9-3

We believe that the bug you reported is fixed in the latest version of
pstotext, which is due to be installed in the Debian FTP archive:

pstotext_1.9-3.diff.gz
  to pool/main/p/pstotext/pstotext_1.9-3.diff.gz
pstotext_1.9-3.dsc
  to pool/main/p/pstotext/pstotext_1.9-3.dsc
pstotext_1.9-3_i386.deb
  to pool/main/p/pstotext/pstotext_1.9-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 356988@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
J.H.M. Dassen (Ray) <jdassen@debian.org> (supplier of updated pstotext package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  5 May 2006 17:09:48 +0200
Source: pstotext
Binary: pstotext
Architecture: source i386
Version: 1.9-3
Distribution: unstable
Urgency: high
Maintainer: J.H.M. Dassen (Ray) <jdassen@debian.org>
Changed-By: J.H.M. Dassen (Ray) <jdassen@debian.org>
Description: 
 pstotext   - Extract text from PostScript and PDF files
Closes: 356988
Changes: 
 pstotext (1.9-3) unstable; urgency=high
 .
   * [main.c] Security fix. popen(3) was being used in a construct which could
     did not perform sufficient cleanup/quoting of filenames; these filenames
     could come from untrusted sources like a web indexing service and could
     thus be misused to execute shell code as the user running pstotext. The
     use of popen(3) has been replaced by an explicit fork/pipe construct
     which does not involve the use of a shell. (Closes: #356988)
   * [debian/control] Change the non-virtual package suggestion for the
     dependency on the "gs" virtual package to gs-gpl as gs-aladdin has become
     a transitional package.
   * [debian/control] Updated Standards-Version.
Files: 
 1a601f83c3461e09af5d08546fe73424 554 text optional pstotext_1.9-3.dsc
 537914be4b8e09203b0020262be4404e 9045 text optional pstotext_1.9-3.diff.gz
 4c3447207f721bcde1afe116ce1f89f4 32604 text optional pstotext_1.9-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEW24TIwmOUm50p9ERAnb9AKCh/djALjSnFy+jGRPtROC4U7hVHwCg6VRP
jMAzbBlAmSkZZMORwk/DZX4=
=VIKG
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, jdassen@debian.org (J.H.M. Dassen (Ray)):
Bug#356988; Package pstotext. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to jdassen@debian.org (J.H.M. Dassen (Ray)). Full text and rfc822 format available.

Message #32 received at 356988@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: 356988@bugs.debian.org, control@bugs.debian.org, team@security.debian.org
Subject: pstotext: doesn't correctly quote characters to nested shell
Date: Sat, 6 May 2006 13:08:52 +0200
tags 356988 security
thanks

Hi security team,

this bug wasn't tagged security, so I don't know whether you are aware 
of it. I think a DSA might be appropriate.

Cheers,
Stefan



Tags added: security Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, jdassen@debian.org (J.H.M. Dassen (Ray)):
Bug#356988; Package pstotext. Full text and rfc822 format available.

Acknowledgement sent to Martin Ehmsen <ehmsen@gentoo.org>:
Extra info received and forwarded to list. Copy sent to jdassen@debian.org (J.H.M. Dassen (Ray)). Full text and rfc822 format available.

Message #39 received at 356988@bugs.debian.org (full text, mbox):

From: Martin Ehmsen <ehmsen@gentoo.org>
To: 356988@bugs.debian.org
Subject: patch doesn't work with stdin
Date: Fri, 19 May 2006 12:22:51 +0200
[Message part 1 (text/plain, inline)]
Hi,

The current patch does not work with input from stdin.
See the gentoo bug report: https://bugs.gentoo.org/show_bug.cgi?id=132662

I have attached a modified patch that fixes the security issue and still
works with stdin.

/Martin
[pstotext-1.9-quote-chars-fix.patch (text/plain, inline)]
diff -urN pstotext-1.9.orig/main.c pstotext-1.9/main.c
--- pstotext-1.9.orig/main.c	2004-01-09 11:17:38.000000000 +0100
+++ pstotext-1.9/main.c	2006-05-19 11:43:52.000000000 +0200
@@ -126,12 +126,14 @@
 static int cleanup(void) {
   int gsstatus, status = 0;
   pstotextExit(instance);
-  if (gs!=NULL) {
 #ifdef VMS
+  if (gs!=NULL) {
     gsstatus = fclose(gs);
+  }
 #else
-    gsstatus = pclose(gs);
+  waitpid(-1, &gsstatus, 0);
 #endif
+  if (gsstatus) {
     if (WIFEXITED(gsstatus)) {
       if (WEXITSTATUS(gsstatus)!=0) status = 3;
       else if (WIFSIGNALED(gsstatus)) status = 4;
@@ -166,8 +168,13 @@
 
 static int do_it(char *path) {
   /* If "path" is NULL, then "stdin" should be processed. */
-  char *gs_cmdline;
-  char *input;
+  char *gs_argv[32];
+  int gs_argc=0;
+#ifdef DEBUG
+  int i;
+#endif
+  int fd[2];
+  pid_t p;
   int status;
   char norotate[] = "";
   FILE *fileout;
@@ -201,47 +208,31 @@
     exit(1);
   }
 
-  if (path==NULL) {
-    input = (char*)malloc(2);
-    if (input == NULL) {
-      fprintf(stderr,"No memory available\n");
-      cleanup();
-      exit(1);
-    }
-    strcpy(input, "-");
-  } else {
-    input = (char*)malloc(strlen(path) + 6);
-    if (input == NULL) {
-      fprintf(stderr,"No memory available\n");
-      cleanup();
-      exit(1);
-    }
-    strcpy(input, "-- '"); strcat(input, path); strcat(input, "'");
+  gs_argv[gs_argc++] = "gs";
+  gs_argv[gs_argc++] = "-r72";
+  gs_argv[gs_argc++] = "-dNODISPLAY";
+  gs_argv[gs_argc++] = "-dFIXEDMEDIA";
+  gs_argv[gs_argc++] = "-dDELAYBIND";
+  gs_argv[gs_argc++] = "-dWRITESYSTEMDICT";
+  if (!debug) {
+    gs_argv[gs_argc++] = "-q";
+  }
+  gs_argv[gs_argc++] = "-dNOPAUSE";
+  gs_argv[gs_argc++] = "-dSAFER";
+  if (rotate_path && strcmp(rotate_path, "")) {
+    gs_argv[gs_argc++] = rotate_path;
+  }
+  if (ocr_path && strcmp(ocr_path, "")) {
+    gs_argv[gs_argc++] = ocr_path;
+  }
+  if (path == NULL ) {
+    gs_argv[gs_argc++] = "-";
+  }
+  else {
+    gs_argv[gs_argc++] = "--";
+    gs_argv[gs_argc++] = path;
   }
-
-  gs_cmdline = (char*)malloc(strlen(gs_cmd)+strlen(rotate_path)+
-	strlen(ocr_path) + strlen(input) + 128);
-
-  if (gs_cmdline == NULL) {
-    fprintf(stderr, "No memory available\n");
-    cleanup();
-    exit(1);
-  }
-
-  sprintf(
-    gs_cmdline,
-#ifdef VMS
-    "%s -r72 \"-dNODISPLAY\" \"-dFIXEDMEDIA\" \"-dDELAYBIND\" \"-dWRITESYSTEMDICT\" %s \"-dNOPAUSE\" %s %s %s",
-#else
-    "%s -r72 -dNODISPLAY -dFIXEDMEDIA -dDELAYBIND -dWRITESYSTEMDICT %s -dNOPAUSE %s %s %s",
-#endif
-    gs_cmd,
-    (debug ? "" : "-q"),
-    rotate_path,
-    ocr_path,
-    input
-    );
-  if (debug) fprintf(stderr, "%s\n", gs_cmdline);
+  gs_argv[gs_argc++] = NULL;
 #ifdef VMS
   cmdfile = tempnam("SYS$SCRATCH:","PS2TGS");
   gsoutfile = tempnam("SYS$SCRATCH:","GSRES");
@@ -259,8 +250,25 @@
 	exit(1);
   }
 #else
-  gs = popen(gs_cmdline, "r");
-  if (gs==0) {perror(cmd); exit(1);}
+  if (pipe(fd)) {
+	perror("pipe failed: "); exit(1);
+  };
+  p = fork();
+  if (p == -1) {
+	perror("fork failed: "); exit(1);
+  }
+  if (p == 0) { /* child */
+    close(fd[0]);
+    dup2(fd[1], 1); /* Redirect stdout into pipe to parent */
+    execvp("/usr/bin/gs", gs_argv);
+    perror("execvp: "); status=cleanup(); exit(1);
+  } else { /* parent */
+    close(fd[1]);
+    gs = fdopen(fd[0], "r");
+    if (gs == NULL) {
+      perror("fdopen: "); status=cleanup(); exit(1);
+    }
+  }
 #endif
   status = pstotextInit(&instance);
   if (status!=0) {

Reply sent to jdassen@debian.org (J.H.M. Dassen (Ray)):
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Brian May <bam@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #44 received at 356988-close@bugs.debian.org (full text, mbox):

From: jdassen@debian.org (J.H.M. Dassen (Ray))
To: 356988-close@bugs.debian.org
Subject: Bug#356988: fixed in pstotext 1.9-4
Date: Sun, 21 May 2006 11:32:08 -0700
Source: pstotext
Source-Version: 1.9-4

We believe that the bug you reported is fixed in the latest version of
pstotext, which is due to be installed in the Debian FTP archive:

pstotext_1.9-4.diff.gz
  to pool/main/p/pstotext/pstotext_1.9-4.diff.gz
pstotext_1.9-4.dsc
  to pool/main/p/pstotext/pstotext_1.9-4.dsc
pstotext_1.9-4_i386.deb
  to pool/main/p/pstotext/pstotext_1.9-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 356988@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
J.H.M. Dassen (Ray) <jdassen@debian.org> (supplier of updated pstotext package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 21 May 2006 20:14:12 +0200
Source: pstotext
Binary: pstotext
Architecture: source i386
Version: 1.9-4
Distribution: unstable
Urgency: medium
Maintainer: J.H.M. Dassen (Ray) <jdassen@debian.org>
Changed-By: J.H.M. Dassen (Ray) <jdassen@debian.org>
Description: 
 pstotext   - Extract text from PostScript and PDF files
Closes: 356988
Changes: 
 pstotext (1.9-4) unstable; urgency=medium
 .
   * [main.c] Applied patch courtesy of Martin Ehmsen <ehmsen@gentoo.org> to
     unbreak pstotext on input from stdin which was broken by 1.9-3's security
     patch. (Closes: #356988)
Files: 
 830b23ca9b94a69897b24d551950e9a8 554 text optional pstotext_1.9-4.dsc
 e3ca5c97cfbd00a93d4ebcda60429a54 9205 text optional pstotext_1.9-4.diff.gz
 6b2e9739e535e561c9238b4c2348917d 32682 text optional pstotext_1.9-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEcLFBIwmOUm50p9ERAtHgAJ0erl3xwLSfkLs8IqBdNtkIDEXR7gCggXHN
6wvEDGl5YzRZ25mx5jIicGY=
=dc4k
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 00:28:49 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 15:58:57 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.