Your message dated Tue, 16 Nov 2010 07:59:40 +0100
with message-id <20101116065940.gf5...@jones.dk>
and subject line Re: Bug#584653: Ghostscript 9.0 does not seem to have the 
problem
has caused the Debian Bug report #584653,
regarding ghostscript: does not honor -P- option
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
584653: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ghostscript
Version: 8.62.dfsg.1-3.2
Severity: grave
Tags: security

This is a different issue than ghostscript defaulting -P and not -P-,
for which I'll file another bug report.

Ghostscript does not honor -P- for postscript system libraries.

As gs_init.ps is such a file that is also responsible for all -dSAFER
options, having such a file in the current directory means the contents
of that file are executed with full privileges.

$ ls doh
ls: cannot access doh: No such file or directory
$ cat gs_init.ps
862
(doh) (w) file
$ /usr/bin/gs -P- -dSAFER
$ ls doh
doh

(Note that for different versions of gs you need to change the number in
the first line).

See also
http://bugs.ghostscript.com/show_bug.cgi?id=691350
and
http://www.openwall.com/lists/oss-security/2010/05/29/2

        Bernhard R. Link



--- End Message ---
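
Added example, not part of the original report or of Ghostscript: a shell pre-flight check for the behaviour reported above, where a gs_init.ps in the current directory is loaded even with -P-. The function names and the gs_*.ps pattern (generalised from gs_init.ps, the one file the report names) are assumptions.

```shell
# Added example: check a directory before gs is started in it.
# Assumption: gs_*.ps generalises from gs_init.ps, the file named in the report.

# Print every entry in DIR (default: .) whose name looks like a Ghostscript
# init library. Symlinks count, including dangling ones.
gs_shadow_files() {
    dir=${1:-.}
    for f in "$dir"/gs_*.ps; do
        if [ -e "$f" ] || [ -L "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Run CMD... with DIR as working directory, but only if DIR holds no
# shadowing file. Otherwise list the files on stderr and return 3.
run_if_clean() {
    dir=$1; shift
    found=$(gs_shadow_files "$dir")
    if [ -n "$found" ]; then
        printf 'refusing to run in %s, found:\n%s\n' "$dir" "$found" >&2
        return 3
    fi
    ( cd "$dir" && "$@" )
}

# Run CMD... from a freshly created empty directory, so that nothing left
# in the caller's directory can be picked up from the working directory.
# Input and output files must then be given as absolute paths.
run_in_empty_dir() {
    tmp=$(mktemp -d) || return 1
    rc=0
    ( cd "$tmp" && "$@" ) || rc=$?
    rmdir "$tmp" 2>/dev/null || true
    return "$rc"
}
```

For example, `run_in_empty_dir /usr/bin/gs -P- -dSAFER ...` starts gs in a directory that contains no gs_init.ps.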
--- Begin Message ---
Version: 9.00~dfsg-1

On Mon, Nov 15, 2010 at 11:38:30PM -0500, Asheesh Laroia wrote:
I used the "doh" recipe to reproduce the bug on sid. That works fine.

I just installed ghostscript 9.0 from Jonas's repositories. That recipe no longer reproduces the bug.

This is great news.

Thanks a lot for your help testing this!

For completeness' sake, could you please tell me on which version of Debian (squeeze, sid) you tested this?


 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


--- End Message ---