GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Sun Jul 31, 2005 4:08 pm Post subject: [ GLSA 200507-29 ] pstotext: Remote execution of arbitrary c |
|
|
Gentoo Linux Security Advisory
Title: pstotext: Remote execution of arbitrary code (GLSA 200507-29)
Severity: normal
Exploitable: remote
Date: July 31, 2005
Updated: August 11, 2005
Bug(s): #100245
ID: 200507-29
Synopsis
pstotext contains a vulnerability which can potentially result in the
execution of arbitrary code.
Background
pstotext is a program that works with GhostScript to extract plain text
from PostScript and PDF files.
Affected Packages
Package: app-text/pstotext
Vulnerable: < 1.8g-r1
Unaffected: >= 1.8g-r1
Architectures: All supported architectures
Description
Max Vozeler reported that pstotext calls the GhostScript interpreter on
untrusted PostScript files without specifying the -dSAFER option.
Impact
An attacker could craft a malicious PostScript file and entice a user
to run pstotext on it, resulting in the execution of arbitrary commands
with the permissions of the user running pstotext.
Workaround
There is no known workaround at this time.
Resolution
All pstotext users should upgrade to the latest version:
Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/pstotext-1.8g-r1" |
References
CAN-2005-2536
Secunia Advisory SA16183
Last edited by GLSA on Tue Aug 19, 2014 4:20 am; edited 3 times in total |
|