Bugzilla – Bug 691339
Insecure gs initialization
Last modified: 2010-06-01 15:45:18 PDT
Created attachment 6321
I see that gs tries many files in (under) the current directory
at startup, so it is dangerous to do e.g.
cd /tmp; gs any.ps
To see list of files that gs tries, use:
strace -omylog gs; grep '"\./' mylog | sort -u
I now use a security wrapper (attached), to protect.
Paul Szabo email@example.com http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
AFAIK this is as documented. See doc/Use.htm on the '-P', '-P-' switches for turning this behavior on and off. This is not new and changing it would upset other people.
Ghostscript makefiles have a macro to make -P- the default.
Set SEARCH_HERE_FIRST=0 on your make line and voila!
See the comments in:
# Define whether or not searching for initialization files should always
# look in the current directory first. This leads to well-known security
# and confusion problems, but users insist on it.
# NOTE: this also affects searching for files named on the command line:
# see the "File searching" section of Use.htm for full details.
# Because of this, setting SEARCH_HERE_FIRST to 0 is not recommended.
This comment, and the build macro and -P- flag date back to at least 1997
(the oldest I have readily available -- version 5.03) so this issue, and
our cautionary note have been known since then.
The number of ghostscript users has grown, so changing the way that ghostscript
finds files at this point would be painful for many users, and unless the
comments relate to a way to make this 'painless' for existing users, please
cease comments on this bug. The issue is CLOSED !!!
Also, PLEASE make sure you have contacted the maintainers of the clients of
ghostscript (gv, cups, etc.) to let them know that in your opinion they should
be using -P- along with -dSAFER. That way they can also address the need to
explicitly specify paths on files they provide as input.
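
The advice in the thread above (pass -P- together with -dSAFER, and give explicit paths for input files) can be sketched as a shell wrapper. This is an added example, not the wrapper attached to the bug and not Ghostscript project code; the names `safe_gs` and `GS` are hypothetical, and the rule used to recognise the end of a `-c` token run is an assumption taken from the description of `-c` in Use.htm.

```shell
#!/bin/sh
# Added example (hypothetical wrapper). It:
#   - forces -P- and -dSAFER on every invocation,
#   - drops a caller-supplied -P, which asks for the current-directory search,
#   - rewrites relative file operands to explicit paths under $PWD, so files
#     named on the command line are still found with -P- in effect.
# Limitations: @argument files and the operands of "--" are passed through
# unchanged.

safe_gs() {
    in_code=0          # 1 while inside a "-c <PostScript tokens>" run
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1; shift; n=$((n - 1))
        case "$arg" in
            -P)  continue ;;              # never re-enable the "." search
            -c)  in_code=1 ;;             # PostScript tokens follow
            -)   ;;                       # read from stdin
            -[!0-9]*|@*) in_code=0 ;;     # any other switch ends a -c run (assumption)
            /*)  ;;                       # already an absolute path
            *)   [ "$in_code" -eq 1 ] || arg="$PWD/$arg" ;;
        esac
        set -- "$@" "$arg"                # append the (possibly rewritten) argument
    done
    # GS is a hypothetical override so the wrapper can be exercised without gs.
    "${GS:-gs}" -P- -dSAFER "$@"
}

# Usage, for the case from the report:
#   cd /tmp; safe_gs any.ps
# runs: gs -P- -dSAFER /tmp/any.ps
```

A wrapper like this only covers direct invocations; front ends such as gv or cups build their own gs command lines and need the same switches added there.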