Package: gs-common
Version: 0.3.6
Severity: serious
Tags: security
CAN-2004-0967 describes multiple insecure uses of temporary files in
programs in ghostscript:
The (1) pj-gs.sh, (2) ps2epsi, (3) pv.sh, and (4) sysvlp.sh scripts in the ESP
Ghostscript (espgs) package in Trustix Secure Linux 1.5 through 2.1, and
possibly other operating systems, allow local users to overwrite files via a
symlink attack on temporary files.
Of these, ps2epsi and pv.sh were all I could find in Debian, in the
gs-common package.
ps2epsi is clearly vulnerable:
tmpfile=/tmp/ps2epsi$$
I think this part of pv.sh is vulnerable, if it happens to be run in /tmp or
another world-writable directory.
dvips -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
There's a patch here: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136321
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages gs-common depends on:
ii debconf 1.4.39 Debian configuration management sy
ii debianutils 2.10.3 Miscellaneous utilities specific t
ii defoma 0.11.8-0.1 Debian Font Manager -- automatic f
ii gs 8.01-5 Transitional package
ii gs-gpl [gs] 8.01-5 The GPL Ghostscript PostScript int
ii gsfonts 8.14+v8.11-0.1 Fonts for the Ghostscript interpre
-- no debconf information
--
see shy jo
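
Added example, not part of the report above and not the patch it links to: a heuristic audit for the PID-based file names quoted in the report, plus mktemp-based replacements. The function names are hypothetical, and placing the pv.sh output in a private directory is an assumption about one possible fix.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from gs-common.

# Heuristic audit: read script text on stdin and print "lineno:line" for
# every non-comment line where $$ (the shell PID) is glued to file-name
# characters, as in /tmp/ps2epsi$$ or $FILE.$$.pv. A bare "$$" is ignored.
audit_pid_tmpnames() {
    grep -n -E '[A-Za-z0-9_./}-]\$\$|\$\$[.A-Za-z0-9_-]' |
        grep -v -E '^[0-9]+:[[:space:]]*#'
}

# mktemp picks an unpredictable name and creates the file with O_EXCL,
# so it fails instead of following a symlink planted in advance.
make_private_tmp() {
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXXXXXX"
}

# For tools that must write a named output (the dvips -o case in pv.sh):
# create a private directory and put the output inside it, rather than
# next to the input file in a possibly world-writable directory.
make_private_dir() {
    mktemp -d "${TMPDIR:-/tmp}/$1.XXXXXXXXXX"
}

# Sketch of use in a script such as ps2epsi:
#   tmpfile=$(make_private_tmp ps2epsi) || exit 1
#   trap 'rm -f "$tmpfile"' EXIT
```

The audit is a line-based pattern match, so it reports candidates for manual review and does not prove that a script is safe.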