Bug 690337 - Security Problem with GPL Ghostscript 8.2 and possibly others
Summary: Security Problem with GPL Ghostscript 8.2 and possibly others
Status: RESOLVED WONTFIX
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Printer Driver
Version: 8.62
Hardware: PC FreeBSD
Importance: P4 critical
Assignee: Ray Johnston
Reported: 2009-03-17 12:04 UTC by Patrick Powell
Modified: 2009-07-12 18:47 UTC

Description Patrick Powell 2009-03-17 12:04:37 UTC
The GPL Ghostscript Version 8.62 (GS) allows files in the same directory to be
opened and read by PostScript files being processed by GS.

When GS is used by the LPRng, CUPS, or legacy LPR printing system to process
print files, the current directory is set to the 'spool queue' directory.
A carefully crafted PostScript print job could open, read, and print files
submitted by other users.

While GPL Ghostscript has a '-dPARANOIDSAFER' option that eliminates other security
issues, it appears that this one has been missed.  In previous versions of
Ghostscript -dPARANOIDSAFER prevented this problem.  However, the current version
of GPL Ghostscript Version 8.62 (GS) allows files in the 'Search path' to be
read.  The current search path is:

    #> gs --help
    GPL Ghostscript 8.62 (2008-02-29)
    Copyright (C) 2008 Artifex Software, Inc.  All rights reserved.
    Usage: gs [switches] [file1.ps file2.ps ...]
    Most frequently used switches: (you can use # in place of =)
     -dNOPAUSE           no pause after page   | -q       `quiet', fewer messages
     -g<width>x<height>  page size in pixels   | -r<res>  pixels/inch resolution
     -sDEVICE=<devname>  select device         | -dBATCH  exit after last file
     -sOutputFile=<file> select output file: - for stdout, |command for pipe,
                                             embed %d or %ld for page #
    Input formats: PostScript PostScriptLevel1 PostScriptLevel2 PostScriptLevel3 PDF
    Default output device: x11alpha
    Available devices:
       alc1900 alc1900 alc2000 alc2000 alc4000 alc4000 alc4100 alc4100 alc8500

    ....
    Search path:
->     . : /install/root/.fonts : /usr/local/share/ghostscript/8.62/lib :
       /usr/local/share/ghostscript/8.62/Resource :
       /usr/local/share/ghostscript/fonts :
       /usr/local/share/fonts/default/ghostscript :
       /usr/local/share/fonts/default/Type1 :
       /usr/local/share/fonts/default/TrueType : /usr/lib/DPS/outline/base :
       /usr/openwin/lib/X11/fonts/Type1 : /usr/openwin/lib/X11/fonts/TrueType
    For more information, see /usr/local/share/ghostscript/8.62/doc/Use.htm.
    Please report bugs to bugs.ghostscript.com.

-> shows that '.' is in the search path.


Save the following to 'gs_security_check' and run the shell script:

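#!/bin/sh
# Checks whether gs run with -dSAFER -dPARANOIDSAFER still lets a job open files.
GS=gs
tmpdir=/tmp

# Trivial job; also the file that the two test jobs try to open.
cat <<EOF >$tmpdir/gsQuit
quit
EOF

# Test job 1: opens gsQuit by absolute path.
cat <<EOF >$tmpdir/gsTest
($tmpdir/gsQuit) (r) file quit
EOF

# Test job 2: opens gsQuit by bare file name (same directory).
cat <<EOF >$tmpdir/gsTestSameDir
(gsQuit) (r) file quit
EOF

echo "checking GhostScript -dSAFER and -dPARANOIDSAFER option"
# Sanity check: the trivial job must run at all.
if ! $GS -q -dBATCH -dNOPAUSE -dSAFER -dPARANOIDSAFER -sDEVICE=nullpage \
    -sOutputFile=- $tmpdir/gsQuit ; then
    echo ERROR
    exit 1
fi
# Success here means the job was able to open the file by absolute path.
if $GS -q -dBATCH -dNOPAUSE -dSAFER -dPARANOIDSAFER -sDEVICE=nullpage \
    -sOutputFile=- $tmpdir/gsTest 1>/dev/null 2>/dev/null ; then
    cat <<EOF
WARNING: '($GS) -dSAFER -dPARANOIDSAFER ' allows files to be read
Please read README.GhostScriptSecurityProblem
and fix your distribution of GhostScript
EOF
    exit 1
fi
# Run from the directory holding gsQuit, as a print spooler would.
cd $tmpdir || exit 1
# Success here means the job was able to open a file in the current directory.
if $GS -q -dBATCH -dNOPAUSE -dSAFER -dPARANOIDSAFER -sDEVICE=nullpage \
    -sOutputFile=- gsTestSameDir 1>/dev/null 2>/dev/null ; then
    cat <<EOF
WARNING: '($GS) -dSAFER -dPARANOIDSAFER ' allows files
in same directory to be read.
Please read README.GhostScriptSecurityProblem
and fix your distribution of GhostScript
EOF
    exit 1
fi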


If

test_i386: {69} # ./gs_security_check
checking GhostScript -dSAFER and -dPARANOIDSAFER option
WARNING: '(gs) -dSAFER -dPARANOIDSAFER ' allows files
in same directory to be read.
Please read README.GhostScriptSecurityProblem
and fix your distribution of GhostScript


Fix:

Modify GPL Ghostscript 8.62 (2008-02-29) so that the -dPARANOIDSAFER
option removes the '.' from the search path
Comment 1 Ray Johnston 2009-07-12 18:47:31 UTC
The -P- removes . from the search path. Simply use this along with
-dPARANOIDSAFER if that is the desire. Note that Ghostscript can also be built
with SEARCH_HERE_FIRST=0 to make -P- the default condition.

Changing the behavior of options is generally a problem for backward
compatibility.
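
A check for the '.' entry in the "Search path:" block that `gs --help` prints, as an added example that is not part of the report or of Ghostscript itself. The function names are hypothetical, the first sample is abridged from the help text quoted in the report, and the second sample is constructed.

```shell
#!/bin/sh
# Added example: parse the "Search path:" block of `gs --help` output (stdin)
# and report whether the current directory '.' is one of its entries.

# search_path_entries: print one search path entry per line.
search_path_entries() {
    awk '
        function indent(s,  t) { t = s; sub(/^[ \t]+/, "", t); return length(s) - length(t) }
        /Search path:/ && !seen { base = indent($0); in_path = 1; seen = 1; next }
        in_path {
            # The block ends at the first line not indented deeper than its header.
            if (indent($0) <= base) { in_path = 0; next }
            n = split($0, parts, ":")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }'
}

# has_cwd_entry: exit 0 if an entry is exactly '.' or './' (whole-line match,
# so a path such as /install/root/.fonts does not count).
has_cwd_entry() {
    search_path_entries | grep -Fqx -e . -e ./
}

# Abridged from the help text quoted in the report.
sample_default() {
    cat <<'EOF'
GPL Ghostscript 8.62 (2008-02-29)
Search path:
   . : /install/root/.fonts : /usr/local/share/ghostscript/8.62/lib :
   /usr/local/share/ghostscript/8.62/Resource :
   /usr/local/share/ghostscript/fonts
For more information, see /usr/local/share/ghostscript/8.62/doc/Use.htm.
EOF
}

# Constructed sample: the same list without the leading '.' entry.
sample_no_cwd() {
    sample_default | sed 's/^   \. : /   /'
}

for s in sample_default sample_no_cwd; do
    if $s | has_cwd_entry; then echo "$s: '.' is in the search path"
    else echo "$s: '.' is not in the search path"; fi
done
```

On a print server the same function can be fed the real help text, for example `gs --help | has_cwd_entry`, before the spooler filter is trusted with other users' jobs.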