Bug 599564 (CVE-2010-2055) - CVE-2010-2055 ghostscript: gs_init.ps searched in current directory despite -P-
Summary: CVE-2010-2055 ghostscript: gs_init.ps searched in current directory despite -P-
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-2055
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 599168
Depends On: 755924 755925 755926 755928 755929
Blocks: 733386
Reported: 2010-06-03 14:06 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-14 13:56:09 UTC
Embargoed:




Links:
  Ghostscript 691350
  Novell 608071
  Red Hat Product Errata RHSA-2012:0095 (normal, SHIPPED_LIVE): Moderate: ghostscript security update, last updated 2012-02-03 03:42:16 UTC

Description Jan Lieskovsky 2010-06-03 14:06:17 UTC
Security flaws were found in the way gs handled its initialization:
1, the library search path includes '.' (current working directory) by default,
   causing ghostscript to search '.' for initialization and library PostScript
   files
2, explicit use of the "-P-" command line option did not prevent ghostscript from
   executing PostScript commands contained within the "gs_init.ps" file.

A local attacker could use this flaw to execute arbitrary PostScript commands, if the victim was tricked into opening a PostScript file in a directory writeable by the attacker.

References:
[1] http://bugs.ghostscript.com/show_bug.cgi?id=691339
[2] http://bugs.ghostscript.com/show_bug.cgi?id=691350
[3] http://www.securityfocus.com/archive/1/511433
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316
[5] https://bugzilla.novell.com/show_bug.cgi?id=608071
[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583183

Comment 1 Jan Lieskovsky 2010-06-03 14:18:58 UTC
Initial list of packages, shipped within
Fedora, which might be affected by this:

1, a2ps
2, asymptote
3, c2050
4, cups
5, cups-pdf
6, dblatex
7, efax
8, evince
9, fig2ps
10, flpsed
11, grace
12, gimp
13, hevea
14, hpijs
15, hpoj
16, kdissert
17, latex-mk
18, latexmk
19, mpage
20, pnm2ppa
21, prosper
22, ps2eps
23, pstoedit
24, scribus
25, texmacs
26, wv
27, xfig
28, xournal
29, xpaint

The above list is currently under investigation, and will be updated later,
as soon as more details are available.

Comment 2 Jan Lieskovsky 2010-06-03 14:21:59 UTC
*** Bug 599168 has been marked as a duplicate of this bug. ***

Comment 3 Jan Lieskovsky 2010-06-03 14:25:51 UTC
Another list from SUSE's Werner Fink:
  [1] https://bugzilla.novell.com/show_bug.cgi?id=608071#c23

to compare against.

Comment 4 M. Steinborn 2010-06-03 19:14:11 UTC
Reference [2] from above now announces:

----------- begin cite -------------
Hin-Tak Leung      2010-06-03 17:39:36 UTC

Due to the perceived gravity of the bug, the patch sent out for review a day
ago is committed as r11352 . It was tested okay in combination with
691355/691356 before sending out for review:
http://bugs.ghostscript.com/show_bug.cgi?id=691355#c12
http://bugs.ghostscript.com/show_bug.cgi?id=691356#c5

Await feedback and possible refinement from other Artifex personnel before
closing.
----------- end cite -------------

Please note that r11351 is also security related.

Comment 15 Fedora Update System 2010-07-08 18:12:14 UTC
gv-3.7.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2010-07-08 18:25:29 UTC
gv-3.7.1-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2010-07-09 05:58:33 UTC
gv-3.7.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2010-07-09 06:00:59 UTC
gv-3.7.1-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Tomas Hoger 2010-08-25 09:38:14 UTC
Following upstream commit changes SEARCH_HERE_FIRST default to make -P- default instead of -P:
  http://svn.ghostscript.com/viewvc?view=rev&revision=11494

Comment 20 Tim Waugh 2010-08-25 14:58:51 UTC
Also possibly related:

11351:
Adding -P- and -dSAFER to many POSIX shell scripts, win32 and OS/2 batch scr

11352:
observe minst->search_here_first condition in file search; bug 691350

Wish upstream would release an 8.71.1 for this or something. :-(

Comment 21 M. Steinborn 2010-08-25 18:44:50 UTC
(In reply to comment #20)
> Wish upstream would release an 8.71.1 for this or something. :-(

Take a look at the upstream repository. They already have tagged ghostscript-9.00 (unless they deleted the tag again).


More related patches from upstream:

11390+11496   Documentation update

11499, 11500, 11510, 11514, 11515: Regression fixes for Patches in Comment #20 and this Comment. They should fix http://bugs.ghostscript.com/show_bug.cgi?id=691350#c17 and http://bugs.ghostscript.com/show_bug.cgi?id=691350#c19 (Dunno if I missed a regression fixing patch).


Except for 11351, I applied every patch from comment #20 and #21 (11532 needs backporting to 8.71); it's working fine for me.

Furthermore I made "-dSAFER" the default for ghostscript on my system. Please consider making that, too.

Comment 22 Tomas Hoger 2010-08-26 08:43:40 UTC
(In reply to comment #20)
> 11351:
> Adding -P- and -dSAFER to many POSIX shell scripts, win32 and OS/2 batch scr

We won't really care about the -P- part if the default is changed.  Most scripts already use -dSAFER; no objections to making this consistent across all scripts.

> 11352:
> observe minst->search_here_first condition in file search; bug 691350

That should be the patch to fix broken -P-, not too well described in 2, in comment #0.

Comment 23 Tim Waugh 2010-08-26 15:26:48 UTC
(In reply to comment #21)
> More related patches from upstream:
> 
> 11390+11496   Documentation update

Already have that one.

> 11499, 11500, 11510, 11514, 11515: Regression fixes for Patches in Comment #20
> and this Comment.

Several of these fail to apply to 8.71.

As for -dSAFER, I'd rather stick more closely to upstream.  I agree that -dSAFER should be the default, but this is something that the ghostscript developers should change (and test...).

Comment 24 Tim Waugh 2010-10-25 15:52:12 UTC
pdfmerge needs to be changed to use -P (or -I.) as it intentionally reads files from the current directory.  See bug #642427.
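
The wrapper-script hardening discussed in comments 20 through 24 (r11351 adding -P- and -dSAFER to the POSIX shell wrappers, and pdfmerge keeping -P because it intentionally reads the current directory), as an added Python example that is not part of this bug report or of Ghostscript's own code: it scans shell wrapper lines for gs invocations that lack -P- or -dSAFER, honours an allowlist for scripts that legitimately need the current directory, and emits the hardened form of a line. The sample wrapper lines, the NEEDS_CWD allowlist, the finding strings and the gs-token regex are all constructed for this example.

```python
"""Audit shell wrapper scripts for Ghostscript invocations missing -P- or -dSAFER.

Added example for bug 599564; not Ghostscript's code. -P- tells gs not to search
the current directory for library files (gs_init.ps included); -P or -I. enables
it; with neither flag the build default (SEARCH_HERE_FIRST, changed by r11494)
decides. -dSAFER restricts file operations from PostScript.
"""
import re
import shlex

# Constructed sample wrapper lines (not taken from the Ghostscript tree), in the
# style of the POSIX shell wrappers such as ps2pdfwr and pdf2ps that r11351 touched.
SAMPLE_SCRIPTS = {
    "ps2pdfwr": 'exec gs $OPTIONS -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile="$outfile" "$infile"',
    "pdf2ps":   'exec gs -P- -dSAFER -q -dNOPAUSE -dBATCH -sDEVICE=ps2write -sOutputFile="$outfile" "$infile"',
    "pdfmerge": 'gs -P -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=merged.pdf *.pdf',
    "eps2eps":  'gs -dSAFER -q -dNOPAUSE -dBATCH -sDEVICE=eps2write -sOutputFile=- -',
}

# Scripts that intentionally read from the current directory (comment 24 names
# pdfmerge); for these an explicit -P or -I. is expected and not reported.
NEEDS_CWD = frozenset({"pdfmerge"})

# Matches a bare "gs" token or a path ending in "/gs" (assumption: wrappers call
# the binary by that name, not via a variable such as $GS).
_GS_TOKEN = re.compile(r'(^|(?<=\s))((?:[\w./-]*/)?gs)(?=\s)')


def _is_gs_command(token):
    return token == "gs" or token.endswith("/gs")


def audit_gs_line(line, script_name="", needs_cwd=NEEDS_CWD):
    """Return findings for one shell line; [] if it is hardened or calls no gs."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:
        return ["unparseable line"]
    findings = []
    for i, tok in enumerate(tokens):
        if not _is_gs_command(tok):
            continue
        args = tokens[i + 1:]
        if "-P-" not in args:
            if "-P" in args or "-I." in args:
                # Explicit opt-in to searching '.'; only acceptable on the allowlist.
                if script_name not in needs_cwd:
                    findings.append("searches current directory (-P/-I.)")
            else:
                # Relies on the build default, which pre-r11494 means '.' first.
                findings.append("missing -P-")
        if "-dSAFER" not in args:
            findings.append("missing -dSAFER")
        break  # one gs invocation per line is enough for this audit
    return findings


def harden_gs_line(line, script_name="", needs_cwd=NEEDS_CWD):
    """Insert the missing -P- / -dSAFER right after the gs token, keeping the
    rest of the line (and its shell quoting) untouched."""
    findings = audit_gs_line(line, script_name, needs_cwd)
    extra = [flag for flag, key in (("-P-", "missing -P-"), ("-dSAFER", "missing -dSAFER"))
             if key in findings]
    if not extra:
        return line
    return _GS_TOKEN.sub(lambda m: m.group(2) + " " + " ".join(extra), line, count=1)


def audit_scripts(scripts, needs_cwd=NEEDS_CWD):
    """Map script name -> list of (line number, finding) over multi-line bodies."""
    report = {}
    for name, body in scripts.items():
        per_script = []
        for lineno, line in enumerate(body.splitlines(), 1):
            for finding in audit_gs_line(line, name, needs_cwd):
                per_script.append((lineno, finding))
        report[name] = per_script
    return report


if __name__ == "__main__":
    for name, findings in audit_scripts(SAMPLE_SCRIPTS).items():
        status = "; ".join(f"line {n}: {f}" for n, f in findings) or "ok"
        print(f"{name:10} {status}")
        if findings:
            print("  hardened:", harden_gs_line(SAMPLE_SCRIPTS[name], name))
```

Running the block prints one line per sample wrapper and, for the two that are not hardened, the corrected invocation. Since r11494 made -P- the build default, the "missing -P-" finding matters only for builds predating that change, but adding the flag explicitly keeps the wrappers safe regardless of how gs was built.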

Comment 28 Ramon de C Valle 2011-11-22 12:44:02 UTC
Created ghostscript tracking bugs for this issue

Affects: fedora-all [bug 755929]

Comment 31 Tomas Hoger 2012-01-08 13:18:53 UTC
As described in comment #0, this bug originally tracked two issues. CVE-2010-2055 was assigned to 2, in comment #0, i.e. the problem with gs_init.ps being read from the current working directory even when library search path does not include CWD (i.e. when using -P- gs option).  This is tracked under upstream bug report:
  http://bugs.ghostscript.com/show_bug.cgi?id=691350

The problem 1, in comment #0, the use of CWD in the default library search path, got a separate CVE id CVE-2010-4820 and has a separate bug #771853 now.

Comment 32 errata-xmlrpc 2012-02-02 22:45:36 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0095 https://rhn.redhat.com/errata/RHSA-2012-0095.html

