On Thu, Jun 03, 2010 at 07:28:22PM +0200, Gaudenz Steinlin wrote:
> [ resent due to incorrect bug number in the first mail ]
>
> Hi
>
> Passepartout uses ghostscript in an unsafe way to render EPS files into
> PDF and PNG format. To do this it constructs a special postscript "program"
> which loads and manipulates the EPS file. Since this postscript code relies on
> access to external files it cannot run under the -dSAFER ghostscript
> option.
>
> If a user is tricked into adding a malicious EPS file to a passepartout
> document or opening a document which contains such a file, the malicious
> EPS file potentially has access to the system through postscript
> commands. This access is restricted to the user running passepartout.
>
> I became aware of the issue after checking the bug report on
> passepartout from the mass-bug filing by Paul Szabo. I'm in the process
> of uploading a fixed version to unstable and sending the fix to the
> upstream author. I attach the necessary code fix to this mail.
>
> All versions of passepartout currently in stable, testing and unstable
> (did not check oldstable) are affected by this.
>
> I'm not sure if a security upload for stable is warranted. The issue is
> real, but in my opinion fairly minimal as it's only locally exploitable,
> there is no privilege escalation involved and passepartout is not in
> wide use.
>
> If you think that an upload should be done, I will prepare a fixed package
> over the weekend.

Thanks for getting in touch, but we should rather fix this in ghostscript
once and for all than change lots of packages using ghostscript.

I've contacted Ghostscript maintainers a few hours ago on the approach
to be taken.

Cheers,
Moritz