GLSA
Veteran
Joined: 12 May 2004
Posts: 1303
|
 Posted: Sun Jul 31, 2005 4:08 pm Post subject: [ GLSA 200507-29 ] pstotext: Remote execution of arbitrary c |
 |
|
Gentoo Linux Security Advisory
Title: pstotext: Remote execution of arbitrary code (GLSA 200507-29)
Severity: normal
Exploitable: remote
Date: July 31, 2005
Updated: August 11, 2005
Bug(s): #100245
ID: 200507-29
Synopsis
pstotext contains a vulnerability which can potentially result in the execution of arbitrary code.
Background
pstotext is a program that works with GhostScript to extract plain text from PostScript and PDF files.
Affected Packages
Package: app-text/pstotext
Vulnerable: < 1.8g-r1
Unaffected: >= 1.8g-r1
Architectures: All supported architectures
Description
Max Vozeler reported that pstotext calls the GhostScript interpreter on untrusted PostScript files without specifying the -dSAFER option.
Impact
An attacker could craft a malicious PostScript file and entice a user to run pstotext on it, resulting in the execution of arbitrary commands with the permissions of the user running pstotext.
Workaround
There is no known workaround at this time.
Resolution
All pstotext users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/pstotext-1.8g-r1" |
References
CAN-2005-2536
Secunia Advisory SA16183
Last edited by GLSA on Sun May 07, 2006 4:58 pm; edited 1 time in total |
|
News & Announcements
