> From: paul.sz...@sydney.edu.au [mailto:paul.sz...@sydney.edu.au]
> Sent: Sunday, 30 May, 2010 06:50
>
> I also see no -P- and no absolute paths for the ps files mentioned in
> many "gs scripts" e.g. /usr/bin/pdf2dsc or /usr/bin/ps2ascii . Also,
> crappy coding for "GS_EXECUTABLE=gs". Am not sure
Someone pointed out that even with -P-, gs will read gs_init.ps from
current directory:
http://bugs.ghostscript.com/show_bug.cgi?id=691350
Still, they do not regard this with any urgency.
I also see no -P- and no absolute paths for the ps files mentioned in
many "gs scripts" e.g. /usr/bin/pdf2ds
I guess this issue can be exploited remotely.
If /etc/mailcap uses gs, then we are done: neither -P- nor -dSAFER are
defaults.
My Debian /etc/mailcap uses gv, and gv knows to use -dSAFER. First
"feed" the victim a "bad" PS file named gs_res.ps or pdf_base.ps or
similar. No harm done yet. Then "fe
The ghostscript people in
http://bugs.ghostscript.com/show_bug.cgi?id=691339
told me to use the -P- switch, and marked it "RESOLVED WONTFIX".
I guess -P- should be the default, as well as -dSAFER should be.
The way gv invokes gs is "wrong". For example, using command
gv /tmp/any.ps
will do:
Dear Krzysztof,
>> ... it is dangerous to do
>> cd /tmp; gs any.ps
>
> What is in the file "any.ps"?
> You are exposed ... without feeding *anything* to Ghostscript ...
Yes, precisely: that is why I called it any.ps.
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu
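Added example, not part of the thread and not Ghostscript's own code: a pre-flight check for the "cd /tmp; gs any.ps" case above. It looks in the working directory for the file names this thread mentions (gs_init.ps, gs_res.ps, pdf_base.ps, ./Encoding/*) before gs is started. The function names gs_cwd_findings and safe_gs are hypothetical, and the name list is only what the thread names, not a complete list.

```shell
#!/bin/sh
# Added example: refuse to start Ghostscript in a directory that already
# contains files gs is reported (in this thread) to pick up by name.

# Names taken from the thread; not claimed to be complete.
GS_STARTUP_NAMES="gs_init.ps gs_res.ps pdf_base.ps"

# Print every suspicious entry found in directory $1 (default: .),
# one per line. Returns 0 if the directory is clean, 1 otherwise.
gs_cwd_findings() {
    dir=${1:-.}
    found=0
    for name in $GS_STARTUP_NAMES; do
        # -e follows symlinks; -L also catches dangling symlinks
        if [ -e "$dir/$name" ] || [ -L "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            found=1
        fi
    done
    # The thread reports that files matching ./Encoding/* run on startup.
    if [ -d "$dir/Encoding" ]; then
        for entry in "$dir/Encoding"/*; do
            # An unmatched glob stays literal and fails both tests.
            if [ -e "$entry" ] || [ -L "$entry" ]; then
                printf '%s\n' "$entry"
                found=1
            fi
        done
    fi
    return $found
}

# Hypothetical wrapper: run gs only from a clean directory, passing the
# two switches the thread discusses explicitly instead of relying on defaults.
safe_gs() {
    if ! gs_cwd_findings . >&2; then
        echo "safe_gs: refusing to run gs in $(pwd)" >&2
        return 2
    fi
    gs -P- -dSAFER "$@"
}
```

Because the thread reports that gs_init.ps is read from the current directory even with -P-, the directory check is what guards that case; the switches alone do not.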
On Wednesday, 26 May 2010 at 04:32:51, paul.sz...@sydney.edu.au wrote:
> Dear Christopher,
>
> > Ghostscript_8.64 on openSuSE_11.2 executes all files matching
> > ./Encoding/* on startup. This search is relative to the current
> > directory so it is easy to poison Ghostscript and cause it to ex
Dear Christopher,
> Ghostscript_8.64 on openSuSE_11.2 executes all files matching
> ./Encoding/* on startup. This search is relative to the current
> directory so it is easy to poison Ghostscript and cause it to execute
> arbitrary PostScript code without user action or knowledge.
>
> Details: ht