[ resent due to incorrect bug number in the first mail ]

Hi

Passepartout uses ghostscript in an unsafe way to render EPS files into PDF and PNG format. To do this it constructs a special postscript "program" which loads and manipulates the EPS file. Since this postscript code relies on access to external files it cannot run under the -dSAFER ghostscript option. If a user is tricked into adding a malicious EPS file to a passepartout document or into opening a document which contains such a file, the malicious EPS file potentially has access to the system through postscript commands. This access is restricted to the user running passepartout.

I became aware of the issue after checking the bug report on passepartout from the mass-bug filing by Paul Szabo. I'm in the process of uploading a fixed version to unstable and sending the fix to the upstream author. I attach the necessary code fix to this mail.

All versions of passepartout currently in stable, testing and unstable (did not check oldstable) are affected by this. I'm not sure if a security upload for stable is warranted. The issue is real, but in my opinion fairly minimal as it's only locally exploitable, there is no privilege escalation involved and passepartout is not in wide use. If you think that an upload should be done, I will prepare a fixed package over the weekend.

Gaudenz

-- 
Ever tried. Ever failed. No matter. Try again. Fail again. Fail better.
~ Samuel Beckett ~
From 1b92eca6573f117fd38f593aa4ccb1196e6b87b5 Mon Sep 17 00:00:00 2001 From: Gaudenz Steinlin <gaud...@soziologie.ch> Date: Thu, 3 Jun 2010 13:43:26 +0200 Subject: [PATCH] Safe handling of gs calls with external eps files This removes the -dSAFE/-dSAFER option from the gs calls actually rendering the EPS files. The generation in imageframe.cc did not work previously and the -dSAFE option in postscriptviewent.cc had no effect. Without the -dSAFER option passepartout is vulnerable to malicious EPS files. This vulnerability is avoided by only allowing read access to the EPS file being rendered and then locking the SAFER option. Additionally this patch adds -P- to all gs calls to avoid reading accidentially reading library files from the current directory. It also adds -dSAFER to the call detecting the pngalpha driver. --- src/pptout/document/imageframe.cc | 13 ++++++++++++- src/pptout/postscriptviewent.cc | 4 ++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/src/pptout/document/imageframe.cc b/src/pptout/document/imageframe.cc index 20e81f8..8047b9f 100644 --- a/src/pptout/document/imageframe.cc +++ b/src/pptout/document/imageframe.cc @@ -165,7 +165,7 @@ void ImageFrame::print_pdf(PDF::Content::Ptr pdf) const { std::vector<std::string> argv; argv.push_back("gs"); argv.push_back("-q"); - argv.push_back("-dSAFER"); + argv.push_back("-P-"); argv.push_back("-dNOPAUSE"); argv.push_back("-dBATCH"); argv.push_back("-sDEVICE=pdfwrite"); 
@@ -177,6 +177,11 @@ void ImageFrame::print_pdf(PDF::Content::Ptr pdf) const { argv.push_back("-"); Process proc = ProcessManager::instance().run(argv); + // Only allow reading of the associated eps file and the lock gs into + // safer mode. + proc->get_cin() << "<</PermitFileReading [ (" << association << ")] /PermitFileWriting [ ] /PermitFileControl [ ] >> " + << "setuserparams .locksafe\n"; + // Just like generate_picture, but without applying the matrix // (that is done when calling the xobject) /// \todo genereate_picture should ingore the matrix, then it could be @@ -287,6 +292,12 @@ void ImageFrame::generate_picture(std::ostream& psstream) const { throw GenPicError(ASSOCIATION, "Can't read " + association); const Matrix &m = get_matrix(); + + // Only allow reading of the associated eps file and the lock gs into + // safer mode. + psstream << "<</PermitFileReading [ (" << association << ")] /PermitFileWriting [ ] /PermitFileControl [ ] >> " + << "setuserparams .locksafe\n"; + // We don't have to write the image data to gs, just tell it where it's at. // The save/restore/showpage stuff is so there is one and only one effective // showpage sent to gs. diff --git a/src/pptout/postscriptviewent.cc b/src/pptout/postscriptviewent.cc index 9b85e57..ff4786a 100644 --- a/src/pptout/postscriptviewent.cc +++ b/src/pptout/postscriptviewent.cc @@ -33,7 +33,7 @@ namespace { " PSInterpreter property set."); if(ProcessManager::instance() - .system(psinterpreter + " -q -dBATCH -sDEVICE=pngalpha") == 0) + .system(psinterpreter + " -P- -dSAFER -q -dBATCH -sDEVICE=pngalpha") == 0) devicename = "pngalpha"; else devicename = "ppmraw"; @@ -132,7 +132,7 @@ bool PostscriptViewent::regenerate_bg() { std::ostringstream tmp; tmp << psinterpreter //assuming it is ghostscript - << " -q -dSAFE -dNOPAUSE -dBATCH" + << " -q -P- -dNOPAUSE -dBATCH" << " -sDEVICE=" << preferredDeviceName(); // gs doesn't use fontconfig, so give font paths as parameters -- 1.7.1
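Review bot: in the first imageframe.cc hunk (@@ -165, print_pdf) dropping -dSAFER from argv means the interpreter starts fully unrestricted and stays that way until the permit/.locksafe line later in print_pdf reaches its stdin, so -P- is not a replacement for the old option on its own; since this hunk only shows the argument list, make sure nothing is written to proc->get_cin() ahead of that lock line. -P- itself is a good addition independent of SAFER: it stops gs from searching the current directory for library files.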
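Review bot: in the second imageframe.cc hunk (@@ -177) `association` is spliced into a PostScript string literal without escaping, so a file name containing an unbalanced `(` or `)` or a backslash ends the `(...)` token early and the remainder of the name is parsed as PostScript before `.locksafe` has run; escape `(`, `)` and `\` (emitting `\(`, `\)`, `\\`) before building the line. Ghostscript also treats PermitFileReading entries as path patterns in which `*` and `?` are wildcards, so a name containing them grants more than the one EPS file; rejecting such names where `association` is validated closes that. The comment "and the lock gs into safer mode" should read "and then lock gs into safer mode".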
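Review bot: in the third imageframe.cc hunk (@@ -287, generate_picture) the permit/lock line is the same string that print_pdf builds inline, copied a second time; putting it in one helper that also escapes the path keeps the two from drifting apart. The lock only protects the rendering if it is the first PostScript gs executes, and this hunk does not show what the caller has already written to psstream before generate_picture is entered, so confirm no earlier code goes into this stream. The comment here has the same slip, "and the lock gs into safer mode" for "and then lock gs into safer mode".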
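Review bot: in the first postscriptviewent.cc hunk (@@ -33) adding -P- -dSAFER is the right setting for a probe that only checks whether the pngalpha device exists and feeds gs no document. Not introduced by this change but visible here: `psinterpreter` comes from the PSInterpreter property and is concatenated into a string handed to .system(), so the property value is interpreted by the shell; the argv-based ProcessManager::run() used in imageframe.cc would avoid that.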
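Review bot: in the second postscriptviewent.cc hunk (@@ -132, regenerate_bg) the commit message already notes that -dSAFE had no effect, so replacing it with -P- is not a regression by itself, but nothing in this hunk shows where this call receives the permit/.locksafe preamble. If the stream built from `tmp` does not pass through ImageFrame::generate_picture, this path stays fully unrestricted while rendering an untrusted EPS; either route it through generate_picture or write the same permit/lock line at the very start of the input here, and say which in the commit message.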
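The permit-and-lock preamble the patch injects, rebuilt here as an added C++ example that is not part of Passepartout's code: it escapes the file name before splicing it into the PostScript string literal, refuses names containing Ghostscript's pattern wildcards, and builds the same argument list as the pdfwrite call. The helper names (ps_string_literal, is_safe_permit_path, safer_preamble, gs_pdfwrite_argv) and the sample path are invented for this example; the gs options (-q, -P-, -dNOPAUSE, -dBATCH, -sDEVICE, -sOutputFile), the PermitFileReading/PermitFileWriting/PermitFileControl user parameters and `.locksafe` are Ghostscript's own as of the release this patch targets. Ghostscript 9.50 and later make SAFER the default and accept --permit-file-read=<path> on the command line, which makes an in-stream preamble unnecessary.

```cpp
// Added example, not Passepartout code: build the gs argument list and the
// PostScript permit/lock preamble for rendering exactly one EPS file.
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Quote a path as a PostScript "( ... )" string literal. An unescaped '(',
// ')' or '\' in a file name would otherwise terminate the literal early and
// let the rest of the name be parsed as PostScript before .locksafe runs.
std::string ps_string_literal(const std::string& path) {
    std::string out = "(";
    for (char c : path) {
        switch (c) {
            case '(': case ')': case '\\':
                out += '\\';
                out += c;
                break;
            case '\n': out += "\\n"; break;
            case '\r': out += "\\r"; break;
            default:   out += c;
        }
    }
    out += ')';
    return out;
}

// Ghostscript treats PermitFile* entries as path patterns in which '*' and
// '?' are wildcards, so a file name containing them would widen the grant
// beyond the one EPS file. Refuse such names (and embedded NULs) up front.
bool is_safe_permit_path(const std::string& path) {
    return !path.empty() &&
           path.find_first_of(std::string("*?\0", 3)) == std::string::npos;
}

// Preamble sent as the first thing on gs's stdin: read access to exactly one
// file, no write and no control access, then lock SAFER so the EPS cannot
// undo it. Throws on a name that cannot be granted safely.
std::string safer_preamble(const std::string& eps_path) {
    if (!is_safe_permit_path(eps_path))
        throw std::invalid_argument("refusing pattern-like path: " + eps_path);
    return "<< /PermitFileReading [ " + ps_string_literal(eps_path) + " ]"
           " /PermitFileWriting [ ] /PermitFileControl [ ] >>"
           " setuserparams .locksafe\n";
}

// argv for the pdfwrite call. -P- keeps gs from searching the current
// directory for library files; -dSAFER is deliberately absent because the
// preamble above needs an unlocked interpreter to install the permit list.
std::vector<std::string> gs_pdfwrite_argv() {
    return {"gs", "-q", "-P-", "-dNOPAUSE", "-dBATCH",
            "-sDEVICE=pdfwrite", "-sOutputFile=-", "-"};
}

int main() {
    // Constructed sample path containing characters that need escaping.
    const std::string eps = "/home/user/pictures/fig (draft).eps";
    for (const auto& a : gs_pdfwrite_argv()) std::cout << a << ' ';
    std::cout << '\n' << safer_preamble(eps);
    return 0;
}
```

Feeding safer_preamble() to gs before any other PostScript is what confines the run; if it arrives after the EPS has started executing, the lock comes too late, which is why the patch writes it as the first line on the pipe.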