Comment 0 for bug 9447

In , Joey Hess (joeyh) wrote :

Package: gs-common
Version: 0.3.6
Severity: serious
Tags: security

CAN-2004-0967 describes multiple insecure uses of temporary files in
ghostscript programs:

  The (1) pj-gs.sh, (2) ps2epsi, (3) pv.sh, and (4) sysvlp.sh scripts in the ESP
  Ghostscript (espgs) package in Trustix Secure Linux 1.5 through 2.1, and
  possibly other operating systems, allow local users to overwrite files via a
  symlink attack on temporary files.

Of these, ps2epsi and pv.sh were all I could find in Debian, in the
gs-common package.

ps2epsi is clearly vulnerable:

tmpfile=/tmp/ps2epsi$$

I think this part of pv.sh is vulnerable, if it happens to be run in /tmp or
another world-writable directory.

dvips -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv

There's a patch here:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136321

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages gs-common depends on:
ii  debconf       1.4.39          Debian configuration management sy
ii  debianutils   2.10.3          Miscellaneous utilities specific t
ii  defoma        0.11.8-0.1      Debian Font Manager -- automatic f
ii  gs            8.01-5          Transitional package
ii  gs-gpl [gs]   8.01-5          The GPL Ghostscript PostScript int
ii  gsfonts       8.14+v8.11-0.1  Fonts for the Ghostscript interpre

-- no debconf information

--
see shy jo
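
Hardened counterparts of the two patterns quoted in the report, as an added example that is not part of the original report, the gs-common scripts, or the Red Hat patch. The function names and mktemp templates are illustrative assumptions, and the symlink scenario is constructed inside a private scratch directory.

```shell
#!/bin/sh
# Added example; not the gs-common scripts and not the Red Hat patch.

# Replacement for tmpfile=/tmp/ps2epsi$$ : mktemp picks an unpredictable
# name and creates the file itself, exclusively, with mode 0600.
private_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/ps2epsi.XXXXXXXXXX"
}

# Replacement for writing $FILE.$$.pv into the current directory: a
# fresh 0700 directory in which only the caller can create entries.
private_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/pv.XXXXXXXXXX"
}

# When a fixed name cannot be avoided, create it under noclobber: the
# shell then refuses to write through an existing regular file or a
# symlink (dangling, or pointing at a regular file).
create_exclusive() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# Constructed scenario, confined to a private scratch directory: a
# symlink already sits at the predictable name and points at a file
# holding data. Returns 0 if create_exclusive refused it and the data
# survived.
symlink_is_refused() {
    scratch=$(private_workdir) || return 2
    printf 'keep me\n' > "$scratch/victim"
    ln -s "$scratch/victim" "$scratch/ps2epsi$$"
    rc=1
    if ! create_exclusive "$scratch/ps2epsi$$" &&
       [ "$(cat "$scratch/victim")" = "keep me" ]; then
        rc=0
    fi
    rm -rf "$scratch"
    return "$rc"
}

if symlink_is_refused; then
    echo "pre-existing symlink refused, target untouched"
fi
```

A script using these should also remove what it created on exit, for example with `trap 'rm -rf "$workdir"' EXIT` (`$workdir` being a hypothetical variable holding the directory path).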