Bug 691339 - Insecure gs initialization
Summary: Insecure gs initialization
Status: RESOLVED WONTFIX
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: 8.62
Hardware: All Linux
Importance: P3 critical
Assignee: Default assignee
Reported: 2010-05-26 03:27 UTC by Paul Szabo
Modified: 2010-06-01 15:45 UTC

Attachments
security wrapper (489 bytes, application/octet-stream)
2010-05-26 03:27 UTC, Paul Szabo

Description Paul Szabo 2010-05-26 03:27:29 UTC
Created attachment 6321
security wrapper

Referring to:
  http://bugs.ghostscript.com/show_bug.cgi?id=691316
  http://www.securityfocus.com/archive/1/511433

I see that gs tries many files in (under) the current directory
at startup, so it is dangerous to do e.g.
  cd /tmp; gs any.ps

To see list of files that gs tries, use:
  strace -omylog gs; grep '"\./' mylog | sort -u

I now use a security wrapper (attached), to protect.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
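
The strace check from the report above, extended into an added example (not part of the original report and not the attached wrapper): it extracts each `./` path from the log and classifies it by the syscall result, so the names that were looked up in the current directory but did not exist there stand out. The sample log is constructed, and the function names `sample_log`, `cwd_probes` and `missing_in_cwd` are hypothetical.

```shell
#!/bin/sh
# Classify current-directory file probes recorded in an strace log.

# Constructed sample in the format written by `strace -o`; file names and
# paths are illustrative, not a capture from a real gs run.
sample_log() {
    cat <<'EOF'
open("./gs_init.ps", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/ghostscript/lib/gs_init.ps", O_RDONLY) = 3
stat64("./Fontmap", 0xbfd0e2c0) = -1 ENOENT (No such file or directory)
open("./Fontmap", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "./any.ps", O_RDONLY) = 4
access("./locked.ps", R_OK) = -1 EACCES (Permission denied)
read(3, "%!PS ./not-a-path", 4096) = 17
EOF
}

# Print "state<TAB>path" once per distinct (state, path) pair, for every
# syscall whose quoted argument starts with "./" (same match as the grep above).
cwd_probes() {
    awk '
        match($0, /"\.\/[^"]*"/) {
            path = substr($0, RSTART + 1, RLENGTH - 2)   # drop the quotes
            if ($0 ~ /= -1 ENOENT/)  state = "missing"
            else if ($0 ~ /= -1 /)   state = "error"
            else                     state = "present"
            print state "\t" path
        }
    ' "$1" | LC_ALL=C sort -u
}

# Names that were looked up in the current directory and did not exist there.
missing_in_cwd() {
    cwd_probes "$1" | awk -F '\t' '$1 == "missing" { print $2 }'
}

# Demo on the constructed sample.
log=$(mktemp) || exit 1
sample_log > "$log"
cwd_probes "$log"
rm -f "$log"
```

To audit a real run, pass the log written by `strace -omylog gs` to `cwd_probes` instead of the sample.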
Comment 1 Hin-Tak Leung 2010-05-26 22:53:54 UTC
AFAIK this is as documented. See doc/Use.htm on the '-P', '-P-' switches for turning this behavior on and off. This is not new and changing it would upset other people.
Comment 10 Ray Johnston 2010-05-27 20:51:19 UTC
Ghostscript makefiles have a macro to make -P- the default.

Set SEARCH_HERE_FIRST=0 on your make line and voila!

See the comments in:

# Define whether or not searching for initialization files should always
# look in the current directory first.  This leads to well-known security
# and confusion problems, but users insist on it.
# NOTE: this also affects searching for files named on the command line:
# see the "File searching" section of Use.htm for full details.
# Because of this, setting SEARCH_HERE_FIRST to 0 is not recommended.

This comment, and the build macro and -P- flag date back to at least 1997
(the oldest I have readily available -- version 5.03) so this issue, and
our cautionary note have been known since then.

The number of ghostscript users has grown, so changing the way that ghostscript
finds files at this point would be painful for many users, and unless the
comments relate to a way to make this 'painless' for existing users, please
cease comments on this bug. The issue is CLOSED !!!

Also, PLEASE make sure you have contacted the maintainers of the clients of
ghostscript (gv, cups, etc.) to let them know that in your opinion they should
be using -P- along with -dSAFER. That way they can also address the need to
explicitly specify paths on files they provide as input.