Bug 599564 - (CVE-2010-2055) CVE-2010-2055 ghostscript: gs_init.ps searched in current directory despite -P-
CVE-2010-2055 ghostscript: gs_init.ps searched in current directory despite -P-
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,source=debian,reporte...
: Security
: 599168 (view as bug list)
Depends On: 755924 755925 755926 755928 755929
Blocks: 733386
  Show dependency treegraph
 
Reported: 2010-06-03 10:06 EDT by Jan Lieskovsky
Modified: 2012-02-14 08:56 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-14 08:56:09 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Novell 608071 None None None Never
Ghostscript 691350 None None None Never

  None (edit)
Description Jan Lieskovsky 2010-06-03 10:06:17 EDT
Security flaws were found in the way gs handled its initialization:
1, library search path include '.' (current working directory) by default,
   causing ghostscript to search '.' for initialization and library postscript
   files
2, explicit use of "-P-" command line option, did not prevent ghostscript from
   executing PostScript commands, contained within "gs_init.ps" file. 

A local attacker could use this flaw to execute arbitrary PostScript commands, if the victim was tricked into opening a PostScript file in the directory writeable by the attacker

References:
[1] http://bugs.ghostscript.com/show_bug.cgi?id=691339
[2] http://bugs.ghostscript.com/show_bug.cgi?id=691350
[3] http://www.securityfocus.com/archive/1/511433
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316
[5] https://bugzilla.novell.com/show_bug.cgi?id=608071
[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583183
Comment 1 Jan Lieskovsky 2010-06-03 10:18:58 EDT
Initial list of packages, shipped within
Fedora, which might be affected by this:

1, a2ps
2, asymptote
3, c2050
4, cups
5, cups-pdf
6, dblatex
7, efax
8, evince
9, fig2ps
10, flpsed
11, grace
12, gimp
13, hevea
14, hpijs
15, hpoj
16, kdissert
17, latex-mk
18, latexmk
19, mpage
20, pnm2ppa
21, prosper
22, ps2eps
23, pstoedit
24, scribus
25, texmacs
26, wv
27, xfig
28, xournal
29, xpaint

Above list is currently under investigation, and will be updated later,
as soon as more details are available.
Comment 2 Jan Lieskovsky 2010-06-03 10:21:59 EDT
*** Bug 599168 has been marked as a duplicate of this bug. ***
Comment 3 Jan Lieskovsky 2010-06-03 10:25:51 EDT
Another list from SUSE's Werner Fink:
  [1] https://bugzilla.novell.com/show_bug.cgi?id=608071#c23

to compare against.
Comment 4 M. Steinborn 2010-06-03 15:14:11 EDT
Reference [2] from above now announces:

----------- begin cite -------------
Hin-Tak Leung      2010-06-03 17:39:36 UTC

Due to the perceived gravity of the bug, the patch sent out for review a day
ago is committed as r11352 . It was tested okay in combination with
691355/691356 before sending out for review:
http://bugs.ghostscript.com/show_bug.cgi?id=691355#c12
http://bugs.ghostscript.com/show_bug.cgi?id=691356#c5

Await feedback and possible refinement from other Artifex personnel before
closing.
----------- end cite -------------

Please note that r11351 is also security related.
Comment 15 Fedora Update System 2010-07-08 14:12:14 EDT
gv-3.7.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2010-07-08 14:25:29 EDT
gv-3.7.1-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2010-07-09 01:58:33 EDT
gv-3.7.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2010-07-09 02:00:59 EDT
gv-3.7.1-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Tomas Hoger 2010-08-25 05:38:14 EDT
Following upstream commit changes SEARCH_HERE_FIRST default to make -P- default instead of -P:
  http://svn.ghostscript.com/viewvc?view=rev&revision=11494
Comment 20 Tim Waugh 2010-08-25 10:58:51 EDT
Also possibly related:

11351:
Adding -P- and -dSAFER to many POSIX shell scripts, win32 and OS/2 batch scr

11352:
observe minst->search_here_first condition in file search; bug 691350

Wish upstream would release an 8.71.1 for this or something. :-(
Comment 21 M. Steinborn 2010-08-25 14:44:50 EDT
(In reply to comment #20)
> Wish upstream would release an 8.71.1 for this or something. :-(

Take a look at the upstream repository. They already have tagged ghostscript-9.00 (unless they deleted the tag again).


More related patches from upstream:

11390+11496   Documentation update

11499, 11500, 11510, 11514, 11515: Regression fixes for Patches in Comment #20 and this Comment. They should fix http://bugs.ghostscript.com/show_bug.cgi?id=691350#c17 and http://bugs.ghostscript.com/show_bug.cgi?id=691350#c19 (Dunno if I missed a regression fixing patch).


Except 11351 I applied every patch from comment #20 and #21 (11532 needs backporting to 8.71), it's working fine for me.

Furthermore I made "-dSAFER" the default for ghostscript on my system. Please consider making that, too.
Comment 22 Tomas Hoger 2010-08-26 04:43:40 EDT
(In reply to comment #20)
> 11351:
> Adding -P- and -dSAFER to many POSIX shell scripts, win32 and OS/2 batch scr

We won't really care about -P- part if the default is changed.  Most script already use -dSAFER, no objections to making consistent across all scripts.

> 11352:
> observe minst->search_here_first condition in file search; bug 691350

That should be the patch to fix broken -P-, not too well described in 2, in comment #0.
Comment 23 Tim Waugh 2010-08-26 11:26:48 EDT
(In reply to comment #21)
> More related patches from upstream:
> 
> 11390+11496   Documentation update

Already have that one.

> 11499, 11500, 11510, 11514, 11515: Regression fixes for Patches in Comment #20
> and this Comment.

Several of these fails to apply to 8.71.

As for -dSAFER, I'd rather stick more closely to upstream.  I agree that -dSAFER should be the default, but this is something that the ghostscript developers should change (and test...).
Comment 24 Tim Waugh 2010-10-25 11:52:12 EDT
pdfmerge needs to be changed to use -P (or -I.) as it intentionally reads files from the current directory.  See bug #642427.
Comment 28 Ramon de C Valle 2011-11-22 07:44:02 EST
Created ghostscript tracking bugs for this issue

Affects: fedora-all [bug 755929]
Comment 31 Tomas Hoger 2012-01-08 08:18:53 EST
As described in comment #0, this bug originally tracked two issues. CVE-2010-2055 was assigned to 2, in comment #0, i.e. the problem with gs_init.ps being read from the current working directory even when library search path does not include CWD (i.e. when using -P- gs option).  This is tracked under upstream bug report:
  http://bugs.ghostscript.com/show_bug.cgi?id=691350

The problem 1, in comment #0, the use of CWD in the default library search path, got a separate CVE id CVE-2010-4820 and has a separate bug #771853 now.
Comment 32 errata-xmlrpc 2012-02-02 17:45:36 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0095 https://rhn.redhat.com/errata/RHSA-2012-0095.html

Note You need to log in before you can comment on or make changes to this bug.