Debian Bug report logs - #583316
/usr/bin/gv: Insecure gs workaround "gs -P-"


Package: gv; Maintainer for gv is Bernhard R. Link <brlink@debian.org>; Source for gv is src:gv.

Reported by: Paul Szabo <paul.szabo@sydney.edu.au>

Date: Thu, 27 May 2010 00:09:01 UTC

Severity: grave

Tags: security

Found in version gv/1:3.6.5-2

Fixed in version gv/1:3.6.91-1

Done: brlink@debian.org (Bernhard R. Link)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Thu, 27 May 2010 00:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <paul.szabo@sydney.edu.au>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, brlink@debian.org (Bernhard R. Link). (Thu, 27 May 2010 00:09:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Paul Szabo <paul.szabo@sydney.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Thu, 27 May 2010 10:07:01 +1000
Package: gv
Version: 1:3.6.5-2
Severity: grave
File: /usr/bin/gv
Tags: security
Justification: user security hole


Please see
  http://bugs.ghostscript.com/show_bug.cgi?id=691339
  http://bugs.debian.org/583183
for details: gv should use the -P- switch when invoking gs.

Thanks, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages gv depends on:
ii  ghostscript-x [gs- 8.62.dfsg.1-3.2lenny1 The GPL Ghostscript PostScript/PDF
ii  gs-gpl             8.62.dfsg.1-3.2lenny1 Transitional package
ii  libc6              2.7-18lenny2          GNU C Library: Shared libraries
ii  libx11-6           2:1.1.5-2             X11 client-side library
ii  libxmu6            2:1.0.4-1             X11 miscellaneous utility library
ii  libxt6             1:1.0.5-3             X11 toolkit intrinsics library
ii  xaw3dg             1.5+E-17              Xaw3d widget set

gv recommends no packages.

gv suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Thu, 27 May 2010 04:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Thu, 27 May 2010 04:39:04 GMT) Full text and rfc822 format available.

Message #10 received at 583316@bugs.debian.org (full text, mbox):

From: paul.szabo@sydney.edu.au
To: 583316@bugs.debian.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Thu, 27 May 2010 14:31:27 +1000
I have been using a wrapper around gs that sets both -P- -dSAFER.
That seems to work fine for viewing PS files, but does NOT allow
gv to work for PDFs: the (first?) invoked gs cannot have either of
those "security options" when attempting "gv some.pdf".

As with PS files, "gv /tmp/some.pdf" first does "chdir /tmp" then
invokes gs, which is rather unsafe without -P-.

I slightly wonder about the writing of the tmp file
  open("/tmp/gv_random_some.pdf.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0666)
from within gs (no O_EXCL so would follow a symlink allowing clobber).

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Thu, 27 May 2010 11:18:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Thu, 27 May 2010 11:18:07 GMT) Full text and rfc822 format available.

Message #15 received at 583316@bugs.debian.org (full text, mbox):

From: paul.szabo@sydney.edu.au
To: 583316@bugs.debian.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Thu, 27 May 2010 21:16:42 +1000
I wrote a while ago:

> I slightly wonder about the writing of the tmp file
>   open("/tmp/gv_random_some.pdf.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0666)
> from within gs (no O_EXCL so would follow a symlink allowing clobber).

It is not for gs to verify the security of the tmp file passed as
argument (it cannot do that), but gv should pre-create the file in
a safe way.

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Fri, 28 May 2010 13:42:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Fri, 28 May 2010 13:42:07 GMT) Full text and rfc822 format available.

Message #20 received at 583316@bugs.debian.org (full text, mbox):

From: paul.szabo@sydney.edu.au
To: 583316@bugs.debian.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Fri, 28 May 2010 23:41:01 +1000
I guess this issue can be exploited remotely.

If /etc/mailcap uses gs, then we are done: neither -P- nor -dSAFER are
defaults.

My Debian /etc/mailcap uses gv, and gv knows to use -dSAFER. First
"feed" the victim a "bad" PS file named gs_res.ps or pdf_base.ps or
similar. No harm done yet. Then "feed" the victim any PS or PDF file:
quite likely the old file will have its original name, still in place,
in the same place as the new file: gv does not use -P- and our first
file will be used.

Would it help if I (or someone with actual knowledge) would put together
a proof-of-concept demo?

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Fri, 28 May 2010 18:27:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Fri, 28 May 2010 18:27:05 GMT) Full text and rfc822 format available.

Message #25 received at 583316@bugs.debian.org (full text, mbox):

From: "Bernhard R. Link" <brlink@debian.org>
To: paul.szabo@sydney.edu.au
Cc: 583316@bugs.debian.org, bug-gv@gnu.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Fri, 28 May 2010 20:23:15 +0200
* paul.szabo@sydney.edu.au <paul.szabo@sydney.edu.au> [100527 06:39]:
> I have been using a wrapper around gs that sets both -P- -dSAFER.
> That seems to work fine for viewing PS files, but does NOT allow
> gv to work for PDFs: the (first?) invoked gs cannot have either of
> those "security options" when attempting "gv some.pdf".
>
> As with PS files, "gv /tmp/some.pdf" first does "chdir /tmp" then
> invokes gs, which is rather unsafe without -P-.

I guess the reason why it changes the directory and why -P- is not
working here is that the pdf is opened by some postscript code and will
not find it with relative path.

There seems explicit code in gv to make sure that filename is always
relative which has a comment:
"/* Strip off directory from p to satisfy GS 8.00 security change */"

I wonder what that is about...

And it's really quite annoying that gs seems to have no option to add .
in the search path after everything else.

	Bernhard R. Link
-- 
"Never contain programs so few bugs, as when no debugging tools are available!"
	Niklaus Wirth




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 07:39:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Markus Steinborn <gnugv_maintainer@yahoo.de>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 07:39:14 GMT) Full text and rfc822 format available.

Message #30 received at 583316@bugs.debian.org (full text, mbox):

From: Markus Steinborn <gnugv_maintainer@yahoo.de>
To: "Bernhard R. Link" <brlink@debian.org>, 583316@bugs.debian.org
Cc: paul.szabo@sydney.edu.au, bug-gv@gnu.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Sat, 29 May 2010 09:35:37 +0200
Bernhard R. Link wrote:
> * paul.szabo@sydney.edu.au<paul.szabo@sydney.edu.au>  [100527 06:39]:
>    
>> I have been using a wrapper around gs that sets both -P- -dSAFER.
>> That seems to work fine for viewing PS files, but does NOT allow
>> gv to work for PDFs: the (first?) invoked gs cannot have either of
>> those "security options" when attempting "gv some.pdf".
>>
>> As with PS files, "gv /tmp/some.pdf" first does "chdir /tmp" then
>> invokes gs, which is rather unsafe without -P-.
>>      
> I guess the reason why it changes the directory and why -P- is not
> working here is that the pdf is opened by some postscript code and will
> not find it with relative path.
>
> There seems explicit code in gv to make sure that filename is always
> relative which has a comment:
> "/* Strip off directory from p to satisfy GS 8.00 security change */"
>    
Both are introduced by the commit

commit c135e449c8aa5f08a6931355adc9f9704bde7fea
Author: Jose E. Marchesi <jemarch@gnu.org>
Date:   Thu Mar 31 12:14:09 2005 +0000

    Applied the gs 8.0 SAFE patch from John Bowman

Therefore there is reason to believe that both, the chdir and the 
relative filename are needed for ghostscript 8.0.


By adjusting the settings in "State - Ghostscript options", you can add 
the requested "-P-" quite easily: Add "-P-" to arguments and to the 
beginning of "Scan PDF" and "Convert PDF". Let's start with this and 
test if this breaks something.


Greetings from Germany

Markus Steinborn
GNU gv maintainer



PS: If using a wrapper for calling "gs", make sure that "-P-" is added 
to the beginning of the parameters, not at the end. That may be a cause 
why GNU gv does not work with a wrapper.





Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 08:54:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Markus Steinborn <gnugv_maintainer@yahoo.de>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 08:54:05 GMT) Full text and rfc822 format available.

Message #35 received at 583316@bugs.debian.org (full text, mbox):

From: Markus Steinborn <gnugv_maintainer@yahoo.de>
To: paul.szabo@sydney.edu.au, 583316@bugs.debian.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Sat, 29 May 2010 10:50:35 +0200
vail.szabo@sydney.edu.au wrote:
> I wrote a while ago:
>    
>> I slightly wonder about the writing of the tmp file
>>    open("/tmp/gv_random_some.pdf.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0666)
>> from within gs (no O_EXCL so would follow a symlink allowing clobber).
>>      
> It is not for gs to verify the security of the tmp file passed as
> argument (it cannot do that), but gv should pre-create the file in
> a safe way.
>    
I cannot find a problem there. GNU gv creates the file as follows:

(ps.c, psscan()):  filename_dsc=file_getTmpFilename(NULL,filename_raw);
where getTmpFilename itself uses mkstemp to create the file (assuming 
mkstemp is available on your system, which is the case on GNU/Linux).
Have verified that the permissions are 600 after getTmpfilename().

Greetings from Germany

Markus Steinborn
GNU gv maintainer





Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 10:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 10:27:04 GMT) Full text and rfc822 format available.

Message #40 received at 583316@bugs.debian.org (full text, mbox):

From: paul.szabo@sydney.edu.au
To: 583316@bugs.debian.org, brlink@debian.org, gnugv_maintainer@yahoo.de
Cc: bug-gv@gnu.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Sat, 29 May 2010 20:25:38 +1000
Markus Steinborn <gnugv_maintainer@yahoo.de> wrote:

> PS: If using a wrapper for calling "gs", make sure that "-P-" is added 
> to the beginning of the parameters, not at the end. That may be a cause 
> why GNU gv does not work with a wrapper.

Yes that is what I do:

#!/usr/bin/perl --
#...
$c = $0;
$c =~ s/.*\///;
exec "/usr/bin/$c", '-P-', '-dSAFER', @ARGV;

and my testing suggested it breaks gv.

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 10:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Markus Steinborn <gnugv_maintainer@yahoo.de>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 10:51:03 GMT) Full text and rfc822 format available.

Message #45 received at 583316@bugs.debian.org (full text, mbox):

From: Markus Steinborn <gnugv_maintainer@yahoo.de>
To: paul.szabo@sydney.edu.au, 583316@bugs.debian.org
Cc: brlink@debian.org, bug-gv@gnu.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Sat, 29 May 2010 12:47:57 +0200
paul.szabo@sydney.edu.au wrote:
> Yes that is what I do:
>
> #!/usr/bin/perl --
> #...
> $c = $0;
> $c =~ s/.*\///;
> exec "/usr/bin/$c", '-P-', '-dSAFER', @ARGV;
>
> and my testing suggested it breaks gv.
>    
Well, the DSC parsing seems to be "-dSAFER"-incompatible. But with the 
following settings I can open ps and pdf files - and pdf to postscript 
conversion has successfully been tested on an example.

$ cat .gv
GV.gsArguments:         -P- -dFIXEDMEDIA
GV.antialias:           False
GV.infoVerbose:         All
GV.gsInterpreter:       gs
!GV.saveposFilename:    ~/test.gv
GV*international:               False
GV.version:             gv 3.6.7.90

GV.gsCmdConvPDF:        gs -P- -dSAFER -dNOPAUSE -dQUIET -dBATCH -sDEVICE=pswrite -sOutputFile=%s -f %s -c save pop quit
GV.gsCmdScanPDF:        gs -P- -dNODISPLAY -dQUIET -sPDFname=%s -sDSCname=%s %s pdf2dsc.ps -c quit



So "-P-" may work with GNU gv - but some testing would help before 
changing the defaults.

BTW: I have done my test with ghostscript 8.71.


Greetings from Germany

Markus Steinborn
GNU gv maintainer





Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 11:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 11:03:03 GMT) Full text and rfc822 format available.

Message #50 received at 583316@bugs.debian.org (full text, mbox):

From: paul.szabo@sydney.edu.au
To: 583316@bugs.debian.org, gnugv_maintainer@yahoo.de
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Sat, 29 May 2010 21:01:41 +1000
Markus Steinborn <gnugv_maintainer@yahoo.de> wrote:

> vail.szabo@sydney.edu.au wrote:

Surely you meant paul.szabo@sydney.edu.au .

>> I wrote a while ago:
>>    
>>> I slightly wonder about the writing of the tmp file
>>>    open("/tmp/gv_random_some.pdf.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0666)
>>> from within gs (no O_EXCL so would follow a symlink allowing clobber).
>>>      
>> It is not for gs to verify the security of the tmp file passed as
>> argument (it cannot do that), but gv should pre-create the file in
>> a safe way.
>
> I cannot find a problem there. GNU gv creates the file as follows:
>
> (ps.c, psscan()):  filename_dsc=file_getTmpFilename(NULL,filename_raw);
> where getTmpFilename itself uses mkstemp to create the file (assuming 
> mkstemp is available on your system, which is the case on GNU/Linux).
> Have verified that the permissions are 600 after getTmpfilename().

Sorry, but my ltrace or strace shows otherwise: gv does NOT use mkstemp,
gv does NOT open the file but gs does. (Thankfully gv seems to set a sane
"umask 077" before invoking gs.)

If gv used mkstemp as you say, opening and pre-creating the file as I
suggested, then things would be "right".

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 11:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 11:15:03 GMT) Full text and rfc822 format available.

Message #55 received at 583316@bugs.debian.org (full text, mbox):

From: "Bernhard R. Link" <brlink@debian.org>
To: Markus Steinborn <gnugv_maintainer@yahoo.de>
Cc: 583316@bugs.debian.org, bug-gv@gnu.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Sat, 29 May 2010 13:12:34 +0200
* Markus Steinborn <gnugv_maintainer@yahoo.de> [100529 12:49]:
> Well, the DSC parsing seems to be "-dSAFER"-incompatible. But with the  
> following settings I can open ps and pdf files - and pdf to postscript  
> conversion has successfully been tested on an example.

Looking at the commit that introduced removing the path name, I think
adding -dDELAYSAFER (or something like that, take a look at the commit)
might be better than removing -dSAFER, assuming it still works...

	Bernhard R. Link




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 11:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Markus Steinborn <gnugv_maintainer@yahoo.de>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 11:33:05 GMT) Full text and rfc822 format available.

Message #60 received at 583316@bugs.debian.org (full text, mbox):

From: Markus Steinborn <gnugv_maintainer@yahoo.de>
To: paul.szabo@sydney.edu.au
Cc: 583316@bugs.debian.org, bug-gv@gnu.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Sat, 29 May 2010 13:31:13 +0200
paul.szabo@sydney.edu.au wrote:
> Sorry, but my ltrace or strace shows otherwise: gv does NOT use mkstemp,
> gv does NOT open the file but gs does. (Thankfully gv seems to set a sane
> "umask 077" before invoking gs.)
>    
Well, that may be explained that debian lenny is shipped with a rather 
old version of GNU gv.
As upstream maintainer, I did my test with an up to date version of GNU 
gv (because that is what I need for the development of GNU gv).

The following commit contains the fix (you see it is rather old):

commit a17416c462e5b6c9cc7c98c5ea01f580152f2da9
Author: Markus Steinborn <gnugv_maintainer@yahoo.de>
Date:   Sat Jul 19 16:21:35 2008 +0000

    Use mkstemp for getting the temporary filename if available

Perhaps these changes may be backported by debian (if you know debian 
stable you know about the changes that lenny will get an up to date GNU 
gv, so backporting looks like the only option. ).

That patch applies to GNU gv 3.6.5 with some fuzz but well (except for 
the update of the Changelog, but that should not be a problem).

> If gv used mkstemp as you say, opening and pre-creating the file as I
> suggested, then things would be "right".
>    
Well, then I can close the bug upstream. But for debian, it has to be 
kept open - as lenny is vulnerable.


Greetings

Markus Steinborn
GNU gv maintainer
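
Added example (not from the thread and not gv's code): a C program that contrasts the open() flags Paul saw in his trace with O_EXCL and with mkstemp() pre-creation. The scratch directory, the file names and run_tmpfile_demo() are constructed for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkstemp, mkdtemp, symlink */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the constructed scenario, filled in by run_tmpfile_demo(). */
struct tmp_demo {
    long size_after_plain_open; /* victim size after the traced open() flags */
    int  excl_errno;            /* errno from O_CREAT|O_EXCL on the same name */
    long size_after_excl_open;  /* victim size after the O_EXCL attempt */
    int  mkstemp_mode;          /* permission bits of the mkstemp() file */
};

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}

/* Constructed stand-in for a file the user cares about (7 bytes). */
static int write_victim(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    ssize_t n;
    if (fd < 0) return -1;
    n = write(fd, "keep me", 7);
    close(fd);
    return n == 7 ? 0 : -1;
}

/* Pre-creation as asked for in the thread: the caller creates the file
 * itself, atomically, before any other program is given the name. */
static int precreate_tmp(const char *dir, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/gv_demo_XXXXXX", dir);
    if (n < 0 || (size_t)n >= len) return -1;
    return mkstemp(path);       /* implies O_CREAT|O_EXCL, mode 0600 */
}

int run_tmpfile_demo(struct tmp_demo *r)
{
    char dir[] = "/tmp/gv_tmpdemo_XXXXXX";  /* private scratch directory */
    char victim[64], predictable[64], safe[64];
    struct stat st;
    int fd, rc = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(predictable, sizeof predictable, "%s/gv_some.pdf.tmp", dir);

    /* Constructed precondition: the name to be opened already exists as a
     * symlink to the victim file. */
    if (write_victim(victim) != 0 || symlink(victim, predictable) != 0)
        goto out;

    /* 1. Flags from the strace line: the link is followed, target truncated. */
    fd = open(predictable, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) goto out;
    close(fd);
    r->size_after_plain_open = file_size(victim);

    /* 2. Same name with O_EXCL: anything already present is refused. */
    if (write_victim(victim) != 0) goto out;
    errno = 0;
    fd = open(predictable, O_WRONLY | O_CREAT | O_EXCL, 0600);
    r->excl_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    r->size_after_excl_open = file_size(victim);

    /* 3. mkstemp(): fresh name, created exclusively, owner-only. */
    fd = precreate_tmp(dir, safe, sizeof safe);
    if (fd < 0) goto out;
    if (fstat(fd, &st) == 0) {
        r->mkstemp_mode = (int)(st.st_mode & 0777);
        rc = 0;
    }
    close(fd);
    unlink(safe);
out:
    unlink(predictable);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    struct tmp_demo r = {0, 0, 0, 0};
    if (run_tmpfile_demo(&r) != 0) { perror("run_tmpfile_demo"); return 1; }
    printf("plain open : victim is now %ld bytes\n", r.size_after_plain_open);
    printf("O_EXCL open: %s, victim is %ld bytes\n",
           strerror(r.excl_errno), r.size_after_excl_open);
    printf("mkstemp    : mode %o\n", (unsigned)r.mkstemp_mode);
    return 0;
}
```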





Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 11:39:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Markus Steinborn <gnugv_maintainer@yahoo.de>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 11:39:05 GMT) Full text and rfc822 format available.

Message #65 received at 583316@bugs.debian.org (full text, mbox):

From: Markus Steinborn <gnugv_maintainer@yahoo.de>
To: Markus Steinborn <gnugv_maintainer@yahoo.de>, 583316@bugs.debian.org
Cc: paul.szabo@sydney.edu.au, bug-gv@gnu.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Sat, 29 May 2010 13:34:25 +0200
Markus Steinborn wrote:
> Well, then I can close the bug upstream. But for debian, it has to be 
> kept open - as lenny is vulnerable.
Addendum: Of course only the part of the original bug report that 
addresses file handling, not the options "-P-", "-dSAFE" and related.




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 11:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Markus Steinborn <gnugv_maintainer@yahoo.de>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 11:45:03 GMT) Full text and rfc822 format available.

Message #70 received at 583316@bugs.debian.org (full text, mbox):

From: Markus Steinborn <gnugv_maintainer@yahoo.de>
To: "Bernhard R. Link" <brlink@debian.org>, 583316@bugs.debian.org
Cc: bug-gv@gnu.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Sat, 29 May 2010 13:42:58 +0200
Bernhard R. Link wrote:
> * Markus Steinborn<gnugv_maintainer@yahoo.de>  [100529 12:49]:
>    
>> Well, the DSC parsing seems to be "-dSAFER"-incompatible. But with the
>> following settings I can open ps and pdf files - and pdf to postscript
> conversion has successfully been tested on an example.
>>      
> Looking at the commit that introduced removing the path name, I think
> adding -dDELAYSAFER (or something like that, take a look at the commit)
> might be better than removing -dSAFER, assuming it still works...
>    
First test works... But I would feel much better if we could test these 
settings before changing the default settings.

Greetings from Germany

Markus Steinborn
GNU gv maintainer





Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 12:12:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 12:12:06 GMT) Full text and rfc822 format available.

Message #75 received at 583316@bugs.debian.org (full text, mbox):

From: paul.szabo@sydney.edu.au
To: 583316@bugs.debian.org, gnugv_maintainer@yahoo.de
Cc: brlink@debian.org, bug-gv@gnu.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Sat, 29 May 2010 22:09:47 +1000
Markus Steinborn <gnugv_maintainer@yahoo.de> wrote:

> Well, the DSC parsing seems to be "-dSAFER"-incompatible. But with the 
> following settings I can open ps and pdf files - and pdf to postscript 
> conversion has successfully been tested on an example.
>
> $ cat .gv
> GV.gsArguments:         -P- -dFIXEDMEDIA
> GV.antialias:           False
> GV.infoVerbose:         All
> GV.gsInterpreter:       gs
> !GV.saveposFilename:    ~/test.gv
> GV*international:               False
> GV.version:             gv 3.6.7.90
> GV.gsCmdConvPDF:        gs -P- -dSAFER -dNOPAUSE -dQUIET -dBATCH -sDEVICE=pswrite -sOutputFile=%s -f %s -c save pop quit
> GV.gsCmdScanPDF:        gs -P- -dNODISPLAY -dQUIET -sPDFname=%s -sDSCname=%s %s pdf2dsc.ps -c quit

Would it be possible to give the "unsafe" gs invocations an explicit
-dNOSAFER or somesuch argument, to override whatever I may set in my
wrapper, and to handle gs changing their defaults to secure settings?

> So "-P-" may work with GNU gv - but some testing would help before 
> changing the defaults.

I will try to dig up the file I was testing with, and re-do the tests.
My vague memory is that the layout of the two-page-per-sheet file
changed with -P-.

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Bug 583316 cloned as bug 583668. Request was from "Bernhard R. Link" <brlink@debian.org> to control@bugs.debian.org. (Sat, 29 May 2010 12:18:01 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 13:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 13:21:03 GMT) Full text and rfc822 format available.

Message #82 received at 583316@bugs.debian.org (full text, mbox):

From: "Bernhard R. Link" <brlink@debian.org>
To: 583316@bugs.debian.org
Cc: 583668@bugs.debian.org, paul.szabo@sydney.edu.au
Subject: Splitting of bugs
Date: Sat, 29 May 2010 15:18:08 +0200
I've cloned 583316 as 583668.

Please use 583316 for the issues with -P-
and 583668 for the issues with temporary file creation...

	Bernhard R. Link




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 13:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Markus Steinborn <gnugv_maintainer@yahoo.de>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 13:57:04 GMT) Full text and rfc822 format available.

Message #87 received at 583316@bugs.debian.org (full text, mbox):

From: Markus Steinborn <gnugv_maintainer@yahoo.de>
To: paul.szabo@sydney.edu.au
Cc: 583316@bugs.debian.org, brlink@debian.org, bug-gv@gnu.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Sat, 29 May 2010 15:52:52 +0200
paul.szabo@sydney.edu.au wrote:
> Would it be possible to give the "unsafe" gs invocations an explicit
> -dNOSAFER or somesuch argument, to override whatever I may set in my
> wrapper, and to handle gs changing their defaults to secure settings?
>    
Dunno. But currently ghostscript upstream says: WONTF




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 17:57:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Markus Steinborn <gnugv_maintainer@yahoo.de>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 17:57:09 GMT) Full text and rfc822 format available.

Message #92 received at 583316@bugs.debian.org (full text, mbox):

From: Markus Steinborn <gnugv_maintainer@yahoo.de>
To: Markus Steinborn <gnugv_maintainer@yahoo.de>, 583316@bugs.debian.org
Cc: "Bernhard R. Link" <brlink@debian.org>
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Sat, 29 May 2010 19:51:06 +0200
Something goes completely wrong (__not__ running debian):

msteinbo@acer:/tmp/2>cp  /usr/share/cups/data/testprint.ps .
msteinbo@acer:/tmp/2>touch gs_init.ps
msteinbo@acer:/tmp/2>gs -P- -dSAFER testprint.ps
GPL Ghostscript 8.71: Initialization file gs_init.ps does not begin with an integer.
msteinbo@acer:/tmp/2>gs -P- -dSAFER -dPARANOIDSAGER testprint.ps
GPL Ghostscript 8.71: Initialization file gs_init.ps does not begin with an integer.

Of course, without the empty "gs_init.ps", it works. What does this test 
do on debian?


May have something to do with:

msteinbo@acer:/tmp/2>gs --help | tail -10
Search path:
   . : /home/msteinbo/.fonts : /usr/share/ghostscript/8.71/Resource/Init :
   /usr/share/ghostscript/8.71/lib :
   /usr/share/ghostscript/8.71/Resource/Font :
   /usr/share/ghostscript/fonts : /usr/share/fonts/default/ghostscript :
   /usr/share/fonts/default/Type1 : /usr/share/fonts/default/amspsfnt/pfb :
   /usr/share/fonts/default/cmpsfont/pfb : /usr/share/fonts :
   /usr/share/ghostscript/conf.d : /etc/ghostscript : /etc/ghostscript/8.71
For more information, see /usr/share/ghostscript/8.71/doc/Use.htm.
Please report bugs to bugs.ghostscript.com.


Note that the search path begins with ".".



Thanks

Markus Steinborn
GNU gv maintainer





Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 18:12:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 18:12:10 GMT) Full text and rfc822 format available.

Message #97 received at 583316@bugs.debian.org (full text, mbox):

From: "Bernhard R. Link" <brlink@debian.org>
To: Markus Steinborn <gnugv_maintainer@yahoo.de>
Cc: 583316@bugs.debian.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Sat, 29 May 2010 20:08:57 +0200
* Markus Steinborn <gnugv_maintainer@yahoo.de> [100529 19:52]:
> Something goes completely wrong (__not__ running debian):

I realized that, too. I've written two mails to http://bugs.debian.org/58183:
Ghostscript seems to simply ignore the -P- option (or rather does
something, but without any effect).

Anyone has a ghostscript bugzilla account and wants to report this?

	Bernhard R. Link




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sat, 29 May 2010 22:27:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sat, 29 May 2010 22:27:05 GMT) Full text and rfc822 format available.

Message #102 received at 583316@bugs.debian.org (full text, mbox):

From: paul.szabo@sydney.edu.au
To: 583183@bugs.debian.org, 583316@bugs.debian.org, brlink@debian.org, gnugv_maintainer@yahoo.de
Subject: gs bug: gs_init.ps tried in current dir despite -P-
Date: Sun, 30 May 2010 08:23:16 +1000
Bernhard wrote:
> Anyone has a ghostscript bugzilla account and wants to report this?

I created a new bugzilla account (after the nice gs people disabled my
real account), and filed
  http://bugs.ghostscript.com/show_bug.cgi?id=691350

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Sun, 30 May 2010 14:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Sun, 30 May 2010 14:48:05 GMT) Full text and rfc822 format available.

Message #107 received at 583316@bugs.debian.org (full text, mbox):

From: "Bernhard R. Link" <brlink@debian.org>
To: 583316@bugs.debian.org
Subject: Running gs in a safe directory.
Date: Sun, 30 May 2010 16:45:09 +0200
[Message part 1 (text/plain, inline)]
Attached patch is what I plan to use in a package targeted
at stable-security I hope to have ready soon.

Instead of trying to use -P- (which currently does not work
anyway) with all the complexity of guessing where to add it
if the commands are taken from some user config file, it just
changes to an empty directory before calling gs.

	Bernhard R. Link
[0005-delay-safer-in-pdfdsc.patch (text/x-diff, attachment)]
[0006-start-gs-in-a-safe-working-directory.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Mon, 31 May 2010 02:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Mon, 31 May 2010 02:51:03 GMT) Full text and rfc822 format available.

Message #112 received at 583316@bugs.debian.org (full text, mbox):

From: paul.szabo@sydney.edu.au
To: 583316@bugs.debian.org, gnugv_maintainer@yahoo.de, psz@maths.usyd.edu.au
Cc: brlink@debian.org, bug-gv@gnu.org
Subject: Re: Bug#583316: /usr/bin/gv: Insecure gs workaround "gs -P-"
Date: Mon, 31 May 2010 12:49:45 +1000
I wrote a few days ago:

>> So "-P-" may work with GNU gv - but some testing would help before 
>> changing the defaults.
>
> I will try to dig up the file I was testing with, and re-do the tests.
> My vague memory is that the layout of the two-page-per-sheet file
> changed with -P-.

File sent privately to Markus and Bernhard (was Adrian's newsol11.pdf).

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Mon, 31 May 2010 23:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Mon, 31 May 2010 23:06:03 GMT) Full text and rfc822 format available.

Message #117 received at 583316@bugs.debian.org (full text, mbox):

From: paul.szabo@sydney.edu.au
To: 583316@bugs.debian.org
Subject: Running gs in a safe directory.
Date: Tue, 1 Jun 2010 09:02:58 +1000
Dear Bernhard,

> Instead of trying to use -P- (which currently does not work
> anyway) with all the complexity of guessing where to add it
> if the commands are taken from some user config file, it just
> changes to an empty directory before calling gs.

Sounds good... except:

I do not see where /usr/lib/gv/safe-gs-workdir is created.

I would prefer to check it actually is empty... pure paranoia, is
root-owned so is unlikely to change. Name it "please-keep-empty" maybe?

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#583316; Package gv. (Tue, 01 Jun 2010 15:36:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to 583316@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link). (Tue, 01 Jun 2010 15:36:06 GMT) Full text and rfc822 format available.

Message #122 received at 583316@bugs.debian.org (full text, mbox):

From: "Bernhard R. Link" <brlink@debian.org>
To: paul.szabo@sydney.edu.au, 583316@bugs.debian.org
Subject: Re: Bug#583316: Running gs in a safe directory.
Date: Tue, 1 Jun 2010 17:33:47 +0200
* paul.szabo@sydney.edu.au <paul.szabo@sydney.edu.au> [100601 01:06]:
> I do not see where /usr/lib/gv/safe-gs-workdir is created.

It's done in debian/rules so that no makefiles have to be changed.
(and it's /usr/share/gv/safe-gs-workdir btw).

> I would prefer to check it actually is empty... pure paranoia, is
> root-owned so is unlikely to change. Name it "please-keep-empty" maybe?

Someone might actually want to put stuff. And putting unsafe stuff in
a directory called safe-gs-workdir is nothing I guess a normal person
will do...

	Bernhard R. Link
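
The approach discussed in the two messages above (change to a dedicated directory before calling gs, plus the emptiness check Paul asks for), sketched as an added example; it is not the attached patch or gv's own code. The function names and `DIR_*` codes are hypothetical, and the directory is assumed to be owned by the uid the caller passes in (root for a packaged /usr/share/gv/safe-gs-workdir).

```c
/* Added example, not gv's code; function names and DIR_* codes are hypothetical. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
enum { DIR_OK, DIR_UNUSABLE, DIR_BAD_OWNER, DIR_WRITABLE, DIR_NOT_EMPTY };

/* Open path (a final symlink is refused) and vet the opened descriptor, so
 * the checks and the later fchdir() apply to the same inode. */
int open_safe_workdir(const char *path, uid_t owner, int *fd_out)
{
    struct stat st; struct dirent *e;
    int rc = DIR_OK, dfd;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return DIR_UNUSABLE;
    if (fstat(fd, &st) != 0) rc = DIR_UNUSABLE;
    else if (st.st_uid != owner) rc = DIR_BAD_OWNER;
    else if (st.st_mode & (S_IWGRP | S_IWOTH)) rc = DIR_WRITABLE;
    else if ((dfd = dup(fd)) < 0) rc = DIR_UNUSABLE;
    else {
        DIR *d = fdopendir(dfd);            /* d now owns dfd */
        if (!d) { close(dfd); rc = DIR_UNUSABLE; }
        while (d && (e = readdir(d)) != NULL)   /* any entry, e.g. gs_init.ps */
            if (strcmp(e->d_name, ".") && strcmp(e->d_name, "..")) rc = DIR_NOT_EMPTY;
        if (d) closedir(d);
    }
    if (rc != DIR_OK) { close(fd); return rc; }
    *fd_out = fd;
    return DIR_OK;
}

/* Fork, enter the vetted directory in the child, then exec argv there.
 * Returns the child's exit status, or -1 if the directory is rejected. */
int run_in_safe_workdir(const char *path, uid_t owner, char *const argv[])
{
    int fd, status;
    if (open_safe_workdir(path, owner, &fd) != DIR_OK) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (fchdir(fd) != 0) _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fd);
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The check covers only the directory itself; parent directories are not vetted, and relative file names passed to the child must be made absolute before the directory change.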




Reply sent to brlink@debian.org (Bernhard R. Link):
You have taken responsibility. (Thu, 03 Jun 2010 17:06:07 GMT) Full text and rfc822 format available.

Notification sent to Paul Szabo <paul.szabo@sydney.edu.au>:
Bug acknowledged by developer. (Thu, 03 Jun 2010 17:06:07 GMT) Full text and rfc822 format available.

Message #127 received at 583316-close@bugs.debian.org (full text, mbox):

From: brlink@debian.org (Bernhard R. Link)
To: 583316-close@bugs.debian.org
Subject: Bug#583316: fixed in gv 1:3.6.91-1
Date: Thu, 03 Jun 2010 17:03:25 +0000
Source: gv
Source-Version: 1:3.6.91-1

We believe that the bug you reported is fixed in the latest version of
gv, which is due to be installed in the Debian FTP archive:

gv_3.6.91-1.debian.tar.gz
  to main/g/gv/gv_3.6.91-1.debian.tar.gz
gv_3.6.91-1.dsc
  to main/g/gv/gv_3.6.91-1.dsc
gv_3.6.91-1_sparc.deb
  to main/g/gv/gv_3.6.91-1_sparc.deb
gv_3.6.91.orig.tar.gz
  to main/g/gv/gv_3.6.91.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 583316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard R. Link <brlink@debian.org> (supplier of updated gv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 03 Jun 2010 13:27:24 +0200
Source: gv
Binary: gv
Architecture: source sparc
Version: 1:3.6.91-1
Distribution: unstable
Urgency: medium
Maintainer: Bernhard R. Link <brlink@debian.org>
Changed-By: Bernhard R. Link <brlink@debian.org>
Description: 
 gv         - PostScript and PDF viewer for X
Closes: 583316
Changes: 
 gv (1:3.6.91-1) unstable; urgency=medium
 .
   * new upstream prerelease
   - targeted to unstable as it fixes security bugs:
   - run gs by default in safe directories (Closes: 583316)
   * build-depend on autotools-dev and do the config.{guess,sub}
     dance, as usage of more gnulib now needs those files again.
   * work around Makefile not creating directories recursively by
     creating /usr/share/gv before calling make install





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 08:05:10 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 09:13:45 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.