Posted: Sun Jul 31, 2005 4:08 pm Post subject: [ GLSA 200507-29 ] pstotext: Remote execution of arbitrary c
Gentoo Linux Security Advisory
Title: pstotext: Remote execution of arbitrary code (GLSA 200507-29)
Date: July 31, 2005
Updated: August 11, 2005
pstotext contains a vulnerability which can potentially result in the execution of arbitrary code.
pstotext is a program that works with GhostScript to extract plain text from PostScript and PDF files.
Vulnerable: < 1.8g-r1
Unaffected: >= 1.8g-r1
Architectures: All supported architectures
Max Vozeler reported that pstotext calls the GhostScript interpreter on untrusted PostScript files without specifying the -dSAFER option.
An attacker could craft a malicious PostScript file and entice a user to run pstotext on it, resulting in the execution of arbitrary commands with the permissions of the user running pstotext.
There is no known workaround at this time.
All pstotext users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/pstotext-1.8g-r1"
Secunia Advisory SA16183
Last edited by GLSA on Sun May 07, 2006 4:58 pm; edited 1 time in total
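The condition described in the advisory, a Ghostscript invocation without -dSAFER, can be checked for in wrapper scripts and logged command lines. The following is an added example, not part of the advisory or of pstotext; the interpreter names, function names and sample command lines are assumptions constructed for illustration.

```python
import os
import shlex

GS_NAMES = {"gs", "ghostscript"}   # assumed interpreter names to look for
SEPARATORS = set("|&;()")          # shell tokens that start a new command

def split_commands(cmdline):
    """Tokenize a shell command line and split it into simple commands."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok and set(tok) <= SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

def audit_gs_command(cmdline):
    """Return one finding per Ghostscript invocation that lacks -dSAFER
    or explicitly disables it with -dNOSAFER."""
    findings = []
    for argv in split_commands(cmdline):
        if os.path.basename(argv[0]) not in GS_NAMES:
            continue
        args = argv[1:]
        if "-dNOSAFER" in args:
            findings.append("explicit -dNOSAFER: " + " ".join(argv))
        elif "-dSAFER" not in args:
            findings.append("missing -dSAFER: " + " ".join(argv))
    return findings

# Constructed sample command lines (not taken from pstotext's source).
SAMPLES = [
    "gs -q -dNODISPLAY -dNOPAUSE -dBATCH input.ps",
    "gs -q -dSAFER -dNODISPLAY -dNOPAUSE -dBATCH input.ps",
    "zcat doc.ps.gz | /usr/bin/gs -q -dNODISPLAY -",
    "gs -dSAFER -dNOSAFER -q input.ps",
]

if __name__ == "__main__":
    for line in SAMPLES:
        for finding in audit_gs_command(line):
            print(finding)
```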