Posted: Sun Jul 31, 2005 4:08 pm Post subject: [ GLSA 200507-29 ] pstotext: Remote execution of arbitrary c
Gentoo Linux Security Advisory
Title: pstotext: Remote execution of arbitrary code (GLSA 200507-29)
Date: July 31, 2005
Updated: August 11, 2005
pstotext contains a vulnerability which can potentially result in the
execution of arbitrary code.
pstotext is a program that works with GhostScript to extract plain text
from PostScript and PDF files.
Vulnerable: < 1.8g-r1
Unaffected: >= 1.8g-r1
Architectures: All supported architectures
Max Vozeler reported that pstotext calls the GhostScript interpreter on
untrusted PostScript files without specifying the -dSAFER option.
An attacker could craft a malicious PostScript file and entice a user
to run pstotext on it, resulting in the execution of arbitrary commands
with the permissions of the user running pstotext.
There is no known workaround at this time.
All pstotext users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/pstotext-1.8g-r1"
Secunia Advisory SA16183
Last edited by GLSA on Tue Aug 19, 2014 4:20 am; edited 3 times in total
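The flaw described above is a GhostScript invocation that lacks -dSAFER, so the same condition can be checked for in any process listing or audit log. The following is an added example, not part of the advisory or of pstotext: it parses NUL-separated argv buffers (the format of /proc/<pid>/cmdline) and flags GhostScript processes started without -dSAFER. The binary names in GS_NAMES, the function names and the sample records are assumptions constructed for illustration.

```python
import os

# Assumption: binary names under which the interpreter is installed.
GS_NAMES = {"gs", "ghostscript"}

def parse_cmdline(raw):
    """Split a NUL-separated argv buffer, the format of /proc/<pid>/cmdline."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def gs_without_safer(argv):
    """True when argv starts GhostScript and -dSAFER is not in effect."""
    if not argv or os.path.basename(argv[0]) not in GS_NAMES:
        return False
    switches = set(argv[1:])
    # Conservative: a -dNOSAFER anywhere counts as unsafe, whatever its position.
    return "-dSAFER" not in switches or "-dNOSAFER" in switches

def audit(records):
    """records: iterable of (pid, raw cmdline bytes); returns the flagged pids."""
    return [pid for pid, raw in records if gs_without_safer(parse_cmdline(raw))]

# Constructed sample data (not captured from a real system or from pstotext).
SAMPLES = [
    (101, b"/usr/bin/gs\0-q\0-dNODISPLAY\0-dBATCH\0untrusted.ps\0"),
    (102, b"/usr/bin/gs\0-q\0-dSAFER\0-dNODISPLAY\0-dBATCH\0untrusted.ps\0"),
    (103, b"/bin/cat\0untrusted.ps\0"),
    (104, b"gs\0-dSAFER\0-dNOSAFER\0-dBATCH\0untrusted.ps\0"),
]

if __name__ == "__main__":
    for pid in audit(SAMPLES):
        print(f"pid {pid}: GhostScript started without -dSAFER")
```

On a live Linux host the same audit() can be fed (pid, bytes) pairs read from /proc/<pid>/cmdline.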