Vulnerable PDF can trigger remote shell with PDF export and ghostscript

Bug #1979575 reported by Robert Lyon
Affects        Status         Importance   Assigned to   Milestone
Mahara 21.04   Fix Released   Medium       Unassigned
Mahara 21.10   Fix Released   Medium       Unassigned
Mahara 22.04   Fix Released   Medium       Unassigned
Mahara 22.10   Fix Released   Medium       Unassigned

Bug Description

The problem is that Ubuntu 18.04 servers require the use of the -dSAFER flag with Ghostscript; otherwise, if you submit a vulnerable PDF, you can trigger a remote shell.

In Mahara, Ghostscript can be used to combine generated PDFs for PDF export.

As it's not the default way to combine PDFs, and PDF export is not used by most systems, I will mark this as a medium security issue.
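
A hardened way to call Ghostscript for the PDF-combining step described above, plus a check for gs command lines that lack -dSAFER. This is an added example, not Mahara's code or part of the original report; the function names, the GS override and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; merge_pdfs, audit_gs_lines and sample_lines are hypothetical names.

# Merge PDFs with Ghostscript, always passing -dSAFER.
# Usage: merge_pdfs OUTPUT INPUT...
# GS overrides the binary to run (an assumption of this example).
merge_pdfs() {
    out=$1; shift
    n=$#
    while [ "$n" -gt 0 ]; do
        f=$1; shift; n=$((n - 1))
        # Prefix relative names with ./ so a name starting with "-" or "@"
        # is read as a file, not as a switch or an argument file.
        case $f in /*) ;; *) f=./$f ;; esac
        set -- "$@" "$f"
    done
    "${GS:-gs}" -dSAFER -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite \
        "-sOutputFile=$out" "$@"
}

# Read command lines on stdin and print the line numbers of gs invocations
# that omit -dSAFER or also pass -dNOSAFER.
audit_gs_lines() {
    awk -v re="(^|[ \t/\"'(])gs[ \t]" '
        $0 ~ re && ($0 !~ /-dSAFER/ || $0 ~ /-dNOSAFER/) { print NR }'
}

# Constructed sample input for the audit (not taken from any real system).
sample_lines() {
    cat <<'EOF'
gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -sOutputFile=out.pdf a.pdf b.pdf
gs -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -sOutputFile=out.pdf a.pdf b.pdf
tail -n 5 logs -dBATCH
/usr/bin/gs -dNOSAFER -dSAFER -q -sDEVICE=pdfwrite -sOutputFile=out.pdf a.pdf
EOF
}
```

Running `sample_lines | audit_gs_lines` reports the two constructed lines that would run Ghostscript without the restriction; the same filter can be fed the command lines found in a code base or in process-audit logs.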

summary: - Potential security with pdf export and ghostscript
+ Vulnerable PDF can trigger remote shell with PDF export and ghostscript
Robert Lyon (robertl-9)
information type: Private Security → Public Security
no longer affects: mahara