| Summary: | .tempfile SAFER restrictions seem to be broken | ||
|---|---|---|---|
| Product: | Ghostscript | Reporter: | Tavis Ormandy <taviso> |
| Component: | Security (public) | Assignee: | Chris Liddell (chrisl) <chris.liddell> |
| Status: | NOTIFIED FIXED | ||
| Severity: | major | CC: | cbuissar, deekej, dr, jsmeix, scorneli, till.kamppeter |
| Priority: | P2 | ||
| Version: | unspecified | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| Customer: | 501,641 | Word Size: | --- |
.tempfile permissions don't seem to work, I don't know when they broke. You're not supposed to be able to open files outside of the patterns in the PermitFileReading array, but that doesn't seem to work for me e.g.: $ strace -fefile gs -sDEVICE=ppmraw -dSAFER ... GS>(/proc/self/cwd/hello) (w) .tempfile open("/proc/self/cwd/hello26E8LQ", O_RDWR|O_CREAT|O_EXCL, 0600) = 3 GS<2>dup GS<3>(hello) writestring GS<2>closefile This means you can create a file in any directory (I don't think you can prevent the random suffix).