Bug 699657 - .tempfile SAFER restrictions seem to be broken
Summary: .tempfile SAFER restrictions seem to be broken
Status: NOTIFIED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public) (show other bugs)
Version: unspecified
Hardware: PC Linux
: P2 major
Assignee: Chris Liddell (chrisl)
QA Contact: gs-security
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-21 17:59 UTC by Tavis Ormandy
Modified: 2019-05-08 13:34 UTC (History)
6 users (show)

See Also:
Customer: 501,641
Word Size: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy 2018-08-21 17:59:21 UTC
.tempfile permissions don't seem to work, I don't know when they broke. You're not supposed to be able to open files outside of the patterns in the  PermitFileReading array, but that doesn't seem to work for me e.g.:

$ strace -fefile gs -sDEVICE=ppmraw -dSAFER
...
GS>(/proc/self/cwd/hello) (w) .tempfile
open("/proc/self/cwd/hello26E8LQ", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
GS<2>dup
GS<3>(hello) writestring
GS<2>closefile

This means you can create a file in any directory (I don't think you can prevent the random suffix).
Comment 1 Chris Liddell (chrisl) 2018-08-23 11:43:05 UTC
Fixed in:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d3901189f