Many gs scripts use "auxiliary" PS files. No absolute pathnames are used, and thus are tried from "current directory" first, leading to unsafe code execution.

Scripts in /usr/bin:

    bdftops dumphint dvipdf eps2eps font2c gsbj gsdj gsdj500 gslj gslp gsnd
    pdf2dsc pdf2ps pdfopt pf2afm pfbtopfa printafm ps2ascii ps2epsi ps2pdf
    ps2pdf12 ps2pdf13 ps2pdf14 ps2pdfwr ps2ps ps2ps2 wftopfa

See also http://bugs.ghostscript.com/show_bug.cgi?id=691339

Shame that GS developers do not know how to use GS safely.

Cheers,

Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

We have already mentioned (several times) that P1 (and P2) priority are ONLY for Artifex customer issues.

This issue is a duplicate because the scripts _should_ rely on the LIBPATH method to open the file. Simply having a 'naked' name on the command line of the script does _NOT_ imply that the current directory is to be searched.

If the bug 691355 is fixed to NOT search the CWD when -P- is fixed and the scripts are changed to use -P- then (AFAICT) the hole is plugged.

Consider the effective part of 'ps2ascii':

    OPTIONS="-q -dNODISPLAY -dSAFER -dDELAYBIND -dWRITESYSTEMDICT -dSIMPLE"
    if ( test $# -eq 0 ) then
        $GS_EXECUTABLE $OPTIONS -c save -f ps2ascii.ps - -c quit
    ...
    fi

If the above is changed to:

    OPTIONS="-P- -q -dNODISPLAY -dSAFER -dDELAYBIND -dWRITESYSTEMDICT -dSIMPLE"
    if ( test $# -eq 0 ) then
        $GS_EXECUTABLE $OPTIONS -c save -f ps2ascii.ps - -c quit...
    ...
    fi

then the file 'ps2ascii.ps' will NOT be found on the current directory, unless the system admin or user has added the path using the -I option to the ps2ascii invocation or has a GS_LIB environment variable that includes an unsafe path.

Since this bug is linked to 691355, please do not re-open this bug, or change priorities.

NOTE: you are welcome to comment on this bug even if it is resolved as a duplicate since that will capture your comments and all of the support folks will see the comment (although they may not like it).

*** This bug has been marked as a duplicate of bug 691355 ***

Verified Ray's comment 3 as correct: with r11351 (fix to bug 691355) in combination with the fix to bug 691350 (currently under review), ps2ascii.ps, etc. in CWD are ignored, even though they appear 'naked' in the scripts.
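
An added example, not part of the bug thread and not Ghostscript's own code: a heuristic audit of the wrapper scripts for the pattern discussed above, a .ps helper named without a directory in a script that never passes -P-. The function names are hypothetical, and treating any non-absolute GS_LIB entry as unsafe is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: heuristic audit for gs wrapper scripts (not Ghostscript code).
# Usage: sh audit.sh /usr/bin/ps2ascii /usr/bin/ps2pdfwr ...

# A "naked" helper is a word ending in .ps with no "/" in it, e.g. ps2ascii.ps
NAKED_PS='(^|[[:space:]"])[A-Za-z0-9_.-]+\.ps([[:space:]"]|$)'
# -P- as its own word, the option the thread proposes adding to OPTIONS
NO_CWD='(^|[[:space:]"])-P-([[:space:]"]|$)'

# Exit 0 when the script names a naked .ps helper and never passes -P-.
script_is_exposed() {
    # Drop full-line comments so a helper named only in a comment is ignored.
    code=$(grep -v '^[[:space:]]*#' "$1" 2>/dev/null) || return 1
    printf '%s\n' "$code" | grep -Eq -e "$NAKED_PS" || return 1
    if printf '%s\n' "$code" | grep -Eq -e "$NO_CWD"; then
        return 1
    fi
    return 0
}

# Exit 0 when a GS_LIB-style colon list has an entry that is not an absolute
# path (".", "lib", or an empty entry). Assumption: such entries are the
# "unsafe path" case; world-writable absolute directories are not checked.
# Runs in a subshell so the IFS and globbing changes do not leak.
liblist_is_unsafe() (
    [ -n "$1" ] || exit 1
    case ":$1:" in *::*) exit 0 ;; esac
    IFS=:
    set -f
    for d in $1; do
        case $d in /*) ;; *) exit 0 ;; esac
    done
    exit 1
)

for s in "$@"; do
    if script_is_exposed "$s"; then
        echo "EXPOSED: $s names a .ps helper without -P-"
    fi
done
if liblist_is_unsafe "${GS_LIB:-}"; then
    echo "UNSAFE: GS_LIB has a non-absolute entry: $GS_LIB"
fi
```

A script that passes the check still depends on the interpreter honouring -P-, which is what bug 691355 covers.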