Inkscape reads .eps files from /tmp instead of the current directory

Note that this has been flagged as a security issue in Debian: https://security-tracker.debian.org/tracker/TEMP-0654341-9198B9

Please find the suggested patch by Michael Karcher <email address hidden>.

This patch adds expansion of relative file names in the filename parameter before passing it to external scripts.

I have also included this patch in the Debian package and uploaded it as another NMU into unstable (0.48.3.1-1.3).

Cheers,

Adrian

CVE assigned: http://www.openwall.com/lists/oss-security/2012/12/30/2

CVE-2012-6076

> When I want to open a .eps file with something like
>
> inkscape file.eps
>
> inkscape tries to open the file from /tmp instead of the current
> directory (if the file doesn't exist, I get a ghostscript error from
> ps2pdf, which is the same error as when ps2pdf is run manually).

Opening EPS files on the command line with relative paths was broken in the previous stable releases (Inkscape 0.48 - 0.48.3.1), and only was fixed in the most recent bug fix release 0.48.4:
- Bug #695120 “cannot open relative paths using script extensions from command line”
  <https://bugs.launchpad.net/inkscape/+bug/695120>

> According to strace, inkscape does a chdir to /tmp before running
> ps2pdf on the argument, hence the problem.

AFAIU Inkscape does not changedir into /TMP - it passes the absolute path names of the temporary file copies in $TMPDIR to ps2pdf. Handling of PS/EPS files with relative paths on the command line was broken in 0.48 due to other changes which make Inkscape change directory into $XDG_CONFIG/inkscape/extensions (not $TMPDIR) before spawning the interpreter for the script extension (python in the case of PS/EPS files).

(Note: I haven't tested the proposed patch from comment #2 yet with current trunk or stable 0.48.4)

> AFAIU Inkscape does not changedir into /TMP - it passes the absolute path names of the temporary
> file copies in $TMPDIR to ps2pdf.

From share/extensions/run_command.py:

    # ps2pdf may attempt to write to the current directory, which may not
    # be writeable, so we switch to the temp directory first.
    try:
        os.chdir(tempfile.gettempdir())

and share/extensions/ps2pdf-ext.py:

import sys
from run_command import run

cmd = 'ps2pdf'
if (sys.argv[1] == "--dEPSCrop=true"): cmd += ' -dEPSCrop '

run((cmd+' "%s" "%%s"') % sys.argv[-1].replace("%","%%"), "ps2pdf")

It clearly changes into /tmp before running ps2pdf.

Adrian

On 30/12/2012 10:27, John Paul Adrian Glaubitz wrote:>From share/extensions/run_command.py:
>
> # ps2pdf may attempt to write to the current directory, which may not
> # be writeable, so we switch to the temp directory first.
> try:
> os.chdir(tempfile.gettempdir())
(…)
> It clearly changes into /tmp before running ps2pdf.

Sorry, you are correct (I thought I did check both python modules before replying, but obviously missed that line).

John Paul Adrian Glaubitz wrote:
> This patch adds expansion of relative file names in the
> filename parameter before passing it to external scripts.

AFAICT this patch is no longer required for Inkscape 0.48.4 and current trunk, since the fix for bug #695120 (combined with the later fix for bug #1022719) already does that (make sure that the relative path from the command line argument is expanded to an absolute path before being passed to the extension script).

@JazzyNico - could you test current stable (0.48.4) and trunk, and review the patch from comment #2 if it is still necessary?

> AFAICT this patch is no longer required for Inkscape 0.48.4

I cannot say anything regarding 0.48.4. The reason we created this patch was to be able to patch the version in Debian which is going to be included in upcoming Debian Wheezy release.

Since we're currently in freeze, new upstream packages are not allowed for testing anymore.

Cheers,

Adrian

> @JazzyNico - could you test current stable (0.48.4) and trunk, and review the patch from comment #2 if it is still necessary?

AFAICT, 0.48.4 and trunk are no longer affected by bug #695120 and the regression (bug #1022719) is fixed.
But the patch looks more elegant than the one we applied, and I would be interesting to test it.

> AFAICT, 0.48.4 and trunk are no longer affected by bug #695120 and the regression (bug #1022719) is fixed.
> But the patch looks more elegant than the one we applied, and I would be interesting to test it.

The patch by Michael Karcher actually fixes both bug #695120 and avoids the regression bug #1022719 introduced by the fix for bug #695120. Both patches in bug #695120 and bug #1022719 can therefore be replaced with this single patch.

Michael's patch relies on GLib for testing for relative pathnames and building an absolute one if necessary. Thus, there is no need to worry about (invalid) pathnames and URLs since everything is handled by GLib. The patches that have been applied so far duplicate the code in GLib.

Cheers,

Adrian

Patch that removes the previous corrections and apply the new code to the trunk (created with revision 11998).

New patch tested successfully (not a big surprise!) on Crunchbang Waldorf (based on Debian testing), Inkscape trunk revision 11998.

Also tested on Windows XP, same Inkscape revision. Bug #695120 is fixed but unfortunately the regression (bug #1022719) is not, and the URL fails to open with the following error message:

** (inkscape.exe:1308): CRITICAL **: Inkscape::XML::Document* sp_repr_read_file(const gchar*, const gchar*): assertion `Inkscape::IO::file_test( filename, G_FILE_TEST_EXISTS )' failed

> but unfortunately the regression (bug #1022719) is not

Hmm, I thought this never worked on Windows before anyway (hence to be tracked in a separate report - bug #1027914, as feature request)?

Confirmed after quick test with PostScript file (using relative path) and URL on the command line:
Patch '1022719-NewAndUndoOld.diff' with current trunk (r11998) works with regular (linux-style) builds on OS X 10.7.4, too.
(dependencies: GTK+/X11 2.24.13, glib 2.32.4; GTK+/Quartz 2.24.15, glib 2.34.3)

> Hmm, I thought this never worked on Windows before anyway (hence to be tracked in a separate report - bug #1027914, as
> feature request)?

Well, I guess that's something that can be easily verified by installing an older version (~0.47.x) on Windows XP and Windows 7.

It would actually be interesting to know whether this bug is specific to Windows XP or applies to newer versions of Windows as well.

Adrian

I confirm it didn't work on XP with the trunk and older versions (tested with 0.45.1, 0.46 and 0.47).
Not specific to XP. It also fails with Seven (tested with the trunk only).

> tracked in a separate report - bug #1027914

Well, I even completely forgot that report...

Then OK, I guess it's safe to remove the old patch and commit the new one (maybe only in the trunk for now, and later backport to the branch).

Fixed in the trunk with the new patch from Michael Karcher, revision 12127.