Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

[ GLSA 200410-18 ] Ghostscript: Insecure temporary file use in multiple scripts
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Moderator
Moderator


Joined: 13 Jun 2003
Posts: 4074
Location: Barcelona, Spain
PostPosted: Wed Oct 20, 2004 9:20 pm    Post subject: [ GLSA 200410-18 ] Ghostscript: Insecure temporary file use Reply with quote
Gentoo Linux Security Advisory

Title: Ghostscript: Insecure temporary file use in multiple scripts (GLSA 200410-18)
Severity: normal
Exploitable: local
Date: October 20, 2004
Updated: December 30, 2007
Bug(s): #66357
ID: 200410-18

Synopsis

Multiple scripts in the Ghostscript package are vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the script.

Background

Ghostscript is a software package providing an interpreter for the PostScript language and the PDF file format. It also provides output drivers for various file formats and printers.

Affected Packages

Package: app-text/ghostscript-esp
Vulnerable: < 7.07.1-r7
Unaffected: >= 7.07.1-r7
Unaffected: >= 7.05.6-r2 < 7.05.7
Architectures: All supported architectures


Description

The pj-gs.sh, ps2epsi, pv.sh and sysvlp.sh scripts create temporary files in world-writeable directories with predictable names.

Impact

A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When an affected script is called, this would result in the file to be overwritten with the rights of the user running the script, which could be the root user.

Workaround

There is no known workaround at this time.

Resolution

Ghostscript users on all architectures except PPC should upgrade to the latest version:
Code:
# emerge sync
# emerge -pv ">=app-text/ghostscript-esp-7.07.1-r7"
# emerge ">=app-text/ghostscript-esp-7.07.1-r7"
Ghostscript users on the PPC architecture should upgrade to the latest stable version on their architecture:
Code:
# emerge sync
# emerge -pv ">=app-text/ghostscript-esp-7.05.6-r2"
# emerge ">=app-text/ghostscript-esp-7.05.6-r2"


References

CAN-2004-0967

Last edited by GLSA on Mon Dec 31, 2007 4:16 am; edited 4 times in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2013 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p9 © 2001, 2002 phpBB Group