Security flaws were found in the way gs handled its initialization:

1, the library search path includes '.' (the current working directory) by default, causing ghostscript to search '.' for initialization and library PostScript files;
2, explicit use of the "-P-" command line option did not prevent ghostscript from executing PostScript commands contained within the "gs_init.ps" file.

A local attacker could use this flaw to execute arbitrary PostScript commands if the victim was tricked into opening a PostScript file in a directory writeable by the attacker.

References:
[1] http://bugs.ghostscript.com/show_bug.cgi?id=691339
[2] http://bugs.ghostscript.com/show_bug.cgi?id=691350
[3] http://www.securityfocus.com/archive/1/511433
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316
[5] https://bugzilla.novell.com/show_bug.cgi?id=608071
[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583183
Initial list of packages, shipped within Fedora, which might be affected by this:

1, a2ps
2, asymptote
3, c2050
4, cups
5, cups-pdf
6, dblatex
7, efax
8, evince
9, fig2ps
10, flpsed
11, grace
12, gimp
13, hevea
14, hpijs
15, hpoj
16, kdissert
17, latex-mk
18, latexmk
19, mpage
20, pnm2ppa
21, prosper
22, ps2eps
23, pstoedit
24, scribus
25, texmacs
26, wv
27, xfig
28, xournal
29, xpaint

The above list is currently under investigation and will be updated later, as soon as more details are available.
*** Bug 599168 has been marked as a duplicate of this bug. ***
Another list from SUSE's Werner Fink: [1] https://bugzilla.novell.com/show_bug.cgi?id=608071#c23 to compare against.
Reference [2] from above now announces:

----------- begin cite -------------
Hin-Tak Leung 2010-06-03 17:39:36 UTC

Due to the perceived gravity of the bug, the patch sent out for review a day ago is committed as r11352. It was tested okay in combination with 691355/691356 before sending out for review:
http://bugs.ghostscript.com/show_bug.cgi?id=691355#c12
http://bugs.ghostscript.com/show_bug.cgi?id=691356#c5

Await feedback and possible refinement from other Artifex personnel before closing.
----------- end cite -------------

Please note that r11351 is also security related.
More links from Bernhard R. Link related to this:
[7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653
[8] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584663
[9] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584667
gv-3.7.1-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
gv-3.7.1-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
gv-3.7.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
gv-3.7.1-1.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
Following upstream commit changes SEARCH_HERE_FIRST default to make -P- default instead of -P: http://svn.ghostscript.com/viewvc?view=rev&revision=11494
Also possibly related:
11351: Adding -P- and -dSAFER to many POSIX shell scripts, win32 and OS/2 batch scr
11352: observe minst->search_here_first condition in file search; bug 691350

Wish upstream would release an 8.71.1 for this or something. :-(
(In reply to comment #20)
> Wish upstream would release an 8.71.1 for this or something. :-(

Take a look at the upstream repository. They already have tagged ghostscript-9.00 (unless they deleted the tag again).

More related patches from upstream:
11390+11496: Documentation update
11499, 11500, 11510, 11514, 11515: Regression fixes for the patches in comment #20 and this comment. They should fix http://bugs.ghostscript.com/show_bug.cgi?id=691350#c17 and http://bugs.ghostscript.com/show_bug.cgi?id=691350#c19 (Dunno if I missed a regression fixing patch).

Except for 11351, I applied every patch from comment #20 and #21 (11532 needs backporting to 8.71); it's working fine for me. Furthermore I made "-dSAFER" the default for ghostscript on my system. Please consider making that, too.
(In reply to comment #20)
> 11351:
> Adding -P- and -dSAFER to many POSIX shell scripts, win32 and OS/2 batch scr

We won't really care about the -P- part if the default is changed. Most scripts already use -dSAFER; no objections to making it consistent across all scripts.

> 11352:
> observe minst->search_here_first condition in file search; bug 691350

That should be the patch to fix broken -P-, not too well described in 2, in comment #0.
(In reply to comment #21)
> More related patches from upstream:
>
> 11390+11496 Documentation update

Already have that one.

> 11499, 11500, 11510, 11514, 11515: Regression fixes for Patches in Comment #20
> and this Comment.

Several of these fail to apply to 8.71.

As for -dSAFER, I'd rather stick more closely to upstream. I agree that -dSAFER should be the default, but this is something that the ghostscript developers should change (and test...).
pdfmerge needs to be changed to use -P (or -I.) as it intentionally reads files from the current directory. See bug #642427.
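The two mitigations discussed in this thread (comment #0's "-P-" to keep '.' out of the library search path, plus the "-dSAFER" that the updated scripts pass, with an explicit opt-in for callers like pdfmerge that intentionally read from the current directory) can be packaged as a small wrapper. The following is an added example written for this page, not code from the bug report or from the ghostscript project: the function names, the GS_ALLOW_CWD variable and the `gs_*.ps` glob are assumptions of this example; gs_init.ps is the file named in the report. The wrapper also refuses to start gs when the working directory already contains a file named like a ghostscript initialization file, since a CWD writeable by someone else is exactly the setup the report describes.

```shell
# Added example (not from the bug report or ghostscript itself): a defensive
# wrapper around gs that always passes the hardened options and refuses to run
# when the working directory looks like it carries ghostscript init files.
# Scripts that deliberately read inputs from "." (pdfmerge, see bug #642427)
# opt in with GS_ALLOW_CWD=1, which turns "-P-" into "-P".

# Returns 0 if directory $1 contains a file named like a ghostscript
# initialization file, 1 otherwise. gs_init.ps is the file named in the
# report; the gs_*.ps pattern for other library files is an assumption here.
cwd_has_gs_init_files() {
    dir=$1
    for pat in gs_init.ps 'gs_*.ps'; do
        # The pattern is expanded against $dir only at this point.
        for f in "$dir"/$pat; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# Prints the argument list gs should be run with for input file $1:
# "-P-" unless the caller opted in to reading from ".", always "-dSAFER".
gs_safe_args() {
    input=$1
    if [ "${GS_ALLOW_CWD:-0}" = 1 ]; then
        search_opt=-P
    else
        search_opt=-P-
    fi
    printf '%s' "$search_opt -dSAFER $input"
}

# Runs gs on $1 with the hardened arguments. Exits with status 2 (before gs
# is ever started) when "." contains init files and the caller did not
# explicitly allow reading from the current directory.
run_gs_safely() {
    input=$1
    if [ "${GS_ALLOW_CWD:-0}" != 1 ] && cwd_has_gs_init_files "$PWD"; then
        echo "refusing to run gs: working directory contains ghostscript init files" >&2
        return 2
    fi
    # shellcheck disable=SC2046
    set -- $(gs_safe_args "$input")
    gs "$@"
}
```

Usage: `run_gs_safely input.ps` for the default hardened invocation, or `GS_ALLOW_CWD=1 run_gs_safely input.ps` from a script that legitimately needs '.' on the search path. Keeping the opt-in explicit means the exception is visible at every call site rather than hidden in a changed default.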
Created ghostscript tracking bugs for this issue Affects: fedora-all [bug 755929]
As described in comment #0, this bug originally tracked two issues. CVE-2010-2055 was assigned to 2, in comment #0, i.e. the problem with gs_init.ps being read from the current working directory even when the library search path does not include the CWD (i.e. when using the -P- gs option). This is tracked under the upstream bug report: http://bugs.ghostscript.com/show_bug.cgi?id=691350

Problem 1, in comment #0, the use of the CWD in the default library search path, got a separate CVE id, CVE-2010-4820, and now has a separate bug #771853.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6

Via RHSA-2012:0095 https://rhn.redhat.com/errata/RHSA-2012-0095.html