Bug 599564 (CVE-2010-2055)

Summary: CVE-2010-2055 ghostscript: gs_init.ps searched in current directory despite -P-
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: gnugv_maintainer, lijli, rcvalle, twaugh
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-02-14 13:56:09 UTC
Bug Depends On: 755924, 755925, 755926, 755928, 755929
Bug Blocks: 733386

Description Jan Lieskovsky 2010-06-03 14:06:17 UTC
Security flaws were found in the way gs handled its initialization:
1, the library search path includes '.' (current working directory) by default,
   causing ghostscript to search '.' for initialization and library PostScript
   files
2, explicit use of the "-P-" command line option did not prevent ghostscript from
   executing PostScript commands contained within the "gs_init.ps" file.

A local attacker could use this flaw to execute arbitrary PostScript commands if the victim was tricked into opening a PostScript file in a directory writable by the attacker.

References:
[1] http://bugs.ghostscript.com/show_bug.cgi?id=691339
[2] http://bugs.ghostscript.com/show_bug.cgi?id=691350
[3] http://www.securityfocus.com/archive/1/511433
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316
[5] https://bugzilla.novell.com/show_bug.cgi?id=608071
[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583183
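The two problems above differ in where the -P-/-P decision is applied. The following is an added model of Ghostscript's library-file lookup, written for this report and not taken from Ghostscript; the names search_here_first, SEARCH_HERE_FIRST and the r11352/r11494 behaviour are taken from the comments here, while the temporary directories and the sample gs_init.ps files are constructed for the demonstration.

```python
import os
import tempfile

# Added model of Ghostscript's library-file lookup (not Ghostscript's code).
# search_here_first stands for minst->search_here_first: -P sets it, -P- clears
# it; the SEARCH_HERE_FIRST build default gives its initial value (on before r11494).
def build_search_path(argv, lib_dirs, default_search_here_first):
    search_here_first = default_search_here_first
    extra = []                      # -I directories go at the head of the path
    for arg in argv:
        if arg == "-P":
            search_here_first = True
        elif arg == "-P-":
            search_here_first = False
        elif arg.startswith("-I"):
            extra.extend(arg[2:].split(os.pathsep))
    return search_here_first, extra + list(lib_dirs)

def find_lib_file(name, search_here_first, search_path, cwd, fixed):
    """First existing candidate. fixed=False models the pre-r11352 init-file
    lookup, which tried gs_init.ps in cwd whatever -P- said."""
    here_first = search_here_first or (not fixed and name == "gs_init.ps")
    for d in ([cwd] if here_first else []) + list(search_path):
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def demo():
    """Constructed scenario: the real gs_init.ps in a library directory plus one
    planted in the working directory. Returns which directory serves it per case."""
    with tempfile.TemporaryDirectory() as root:
        lib, work = os.path.join(root, "lib"), os.path.join(root, "work")
        for d in (lib, work):
            os.makedirs(d)
            with open(os.path.join(d, "gs_init.ps"), "w") as f:
                f.write("% constructed sample, not a real init file\n")
        cases = {  # label: (argv, build default for search_here_first, fixed)
            "old default": ([], True, False),              # CVE-2010-4820
            "old build with -P-": (["-P-"], True, False),  # CVE-2010-2055
            "r11352 with -P-": (["-P-"], True, True),
            "9.00 default": ([], False, True),
        }
        out = {}
        for label, (argv, default, fixed) in cases.items():
            shf, path = build_search_path(argv, [lib], default)
            found = find_lib_file("gs_init.ps", shf, path, work, fixed)
            out[label] = os.path.basename(os.path.dirname(found))
        return out
```

Only the two fixed cases load gs_init.ps from the library directory; the model shows why changing the default alone (r11494) would not have helped a build whose init-file lookup ignored the flag (r11352).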

Comment 1 Jan Lieskovsky 2010-06-03 14:18:58 UTC
Initial list of packages, shipped within Fedora, which might be affected by this:

1, a2ps
2, asymptote
3, c2050
4, cups
5, cups-pdf
6, dblatex
7, efax
8, evince
9, fig2ps
10, flpsed
11, grace
12, gimp
13, hevea
14, hpijs
15, hpoj
16, kdissert
17, latex-mk
18, latexmk
19, mpage
20, pnm2ppa
21, prosper
22, ps2eps
23, pstoedit
24, scribus
25, texmacs
26, wv
27, xfig
28, xournal
29, xpaint

The above list is currently under investigation and will be updated later, as soon as more details are available.

Comment 2 Jan Lieskovsky 2010-06-03 14:21:59 UTC
*** Bug 599168 has been marked as a duplicate of this bug. ***

Comment 3 Jan Lieskovsky 2010-06-03 14:25:51 UTC
Another list from SUSE's Werner Fink:
  [1] https://bugzilla.novell.com/show_bug.cgi?id=608071#c23

to compare against.

Comment 4 M. Steinborn 2010-06-03 19:14:11 UTC
Reference [2] from above now announces:

----------- begin cite -------------
Hin-Tak Leung      2010-06-03 17:39:36 UTC

Due to the perceived gravity of the bug, the patch sent out for review a day
ago is committed as r11352. It was tested okay in combination with
691355/691356 before sending out for review:
http://bugs.ghostscript.com/show_bug.cgi?id=691355#c12
http://bugs.ghostscript.com/show_bug.cgi?id=691356#c5

Await feedback and possible refinement from other Artifex personnel before
closing.
----------- end cite -------------

Please note that r11351 is also security related.

Comment 15 Fedora Update System 2010-07-08 18:12:14 UTC
gv-3.7.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2010-07-08 18:25:29 UTC
gv-3.7.1-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2010-07-09 05:58:33 UTC
gv-3.7.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2010-07-09 06:00:59 UTC
gv-3.7.1-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Tomas Hoger 2010-08-25 09:38:14 UTC
The following upstream commit changes the SEARCH_HERE_FIRST default to make -P- the default instead of -P:
  http://svn.ghostscript.com/viewvc?view=rev&revision=11494

Comment 20 Tim Waugh 2010-08-25 14:58:51 UTC
Also possibly related:

11351:
Adding -P- and -dSAFER to many POSIX shell scripts, win32 and OS/2 batch scr

11352:
observe minst->search_here_first condition in file search; bug 691350

Wish upstream would release an 8.71.1 for this or something. :-(

Comment 21 M. Steinborn 2010-08-25 18:44:50 UTC
(In reply to comment #20)
> Wish upstream would release an 8.71.1 for this or something. :-(

Take a look at the upstream repository. They already have tagged ghostscript-9.00 (unless they deleted the tag again).


More related patches from upstream:

11390+11496   Documentation update

11499, 11500, 11510, 11514, 11515: Regression fixes for Patches in Comment #20 and this Comment. They should fix http://bugs.ghostscript.com/show_bug.cgi?id=691350#c17 and http://bugs.ghostscript.com/show_bug.cgi?id=691350#c19 (Dunno if I missed a regression fixing patch).


Except for 11351, I applied every patch from comments #20 and #21 (11532 needs backporting to 8.71); it's working fine for me.

Furthermore I made "-dSAFER" the default for ghostscript on my system. Please consider making that, too.

Comment 22 Tomas Hoger 2010-08-26 08:43:40 UTC
(In reply to comment #20)
> 11351:
> Adding -P- and -dSAFER to many POSIX shell scripts, win32 and OS/2 batch scr

We won't really care about the -P- part if the default is changed.  Most scripts already use -dSAFER; no objections to making this consistent across all scripts.

> 11352:
> observe minst->search_here_first condition in file search; bug 691350

That should be the patch to fix the broken -P-, not too well described in 2, in comment #0.

Comment 23 Tim Waugh 2010-08-26 15:26:48 UTC
(In reply to comment #21)
> More related patches from upstream:
> 
> 11390+11496   Documentation update

Already have that one.

> 11499, 11500, 11510, 11514, 11515: Regression fixes for Patches in Comment #20
> and this Comment.

Several of these fail to apply to 8.71.

As for -dSAFER, I'd rather stick more closely to upstream.  I agree that -dSAFER should be the default, but this is something that the ghostscript developers should change (and test...).

Comment 24 Tim Waugh 2010-10-25 15:52:12 UTC
pdfmerge needs to be changed to use -P (or -I.) as it intentionally reads files from the current directory.  See bug #642427.

Comment 28 Ramon de C Valle 2011-11-22 12:44:02 UTC
Created ghostscript tracking bugs for this issue

Affects: fedora-all [bug 755929]

Comment 31 Tomas Hoger 2012-01-08 13:18:53 UTC
As described in comment #0, this bug originally tracked two issues. CVE-2010-2055 was assigned to 2, in comment #0, i.e. the problem with gs_init.ps being read from the current working directory even when the library search path does not include the CWD (i.e. when using the -P- gs option).  This is tracked under the upstream bug report:
  http://bugs.ghostscript.com/show_bug.cgi?id=691350

Problem 1, in comment #0, the use of the CWD in the default library search path, got a separate CVE id, CVE-2010-4820, and has a separate bug #771853 now.

Comment 32 errata-xmlrpc 2012-02-02 22:45:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0095 https://rhn.redhat.com/errata/RHSA-2012-0095.html