Package: ghostscript Version: 8.62.dfsg.1-3.2 Severity: grave Tags: security
If http://bugs.debian.org/584663 is fixed and not closed as wontfix, then this is only wishlist. As long as http://bugs.debian.org/584653 is not fixed, this opens no new security holes and fixing this has no effect. Ghostscript comes with a number of helper scripts in /usr/bin, which call gs with a number of options. As they do not change to a secure working directory and call gs without -P-, gs will use files from the current directory instead of the files it ships, allowing other people with write access to the current directory to execute code as the user calling this script. For example if a user does: cd /tmp pstopdf test.ps anyone with write access to /tmp could for example replace the users ~/.ssh/authorized_keys file with content of their chosing by creating a /tmp/gs_init.ps file. This issue would be fixed by making -P- the default as suggested in http://bugs.debian.org/584663. But even if ghostscript is fixed that way it would be nice to have those scripts fixed so people copying stuff from there also get safe scripts elsewhere. I think this http://bugs.ghostscript.com/show_bug.cgi?id=691355 so it might already be fixed for future versions. Remember that until http://bugs.debian.org/584653 is fixed, -P- will make no difference, so testing this is hard... Bernhard R. Link -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
