netpbm 'pstopnm' Lack of Ghostscript -dSAFER Option May Let Remote Users Cause Arbitrary Commands to Be Executed

SecurityTracker Alert ID: 1014752
SecurityTracker URL: http://securitytracker.com/id/1014752
CVE Reference: CVE-2005-2471
Updated: Jun 8 2008
Original Entry Date: Aug 22 2005
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 10.28 and prior versions

Description:
A vulnerability was reported in netpbm. A remote user can cause arbitrary commands to be executed by the target user.
The 'pstopnm' utility invokes the Ghostscript interpreter on user-supplied PostScript files without specifying the -dSAFER option when converting to PBM, PGM, or PNM files. As a result, a remote user can create a specially crafted PostScript file that, when processed by the target user with pstopnm, will execute arbitrary commands on the target system. The commands will run with the privileges of the target user.
The flaw resides in 'pstopnm.c'.
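
As an added example (not netpbm's code), here is a fail-closed check a wrapper could run on a Ghostscript argument vector before exec'ing it, confirming that -dSAFER is in effect for the input. The function name, the sample vectors and their option values are constructed for illustration; -dNOSAFER is Ghostscript's switch for turning SAFER off.

```c
/* Added example (not netpbm code): fail-closed audit of a Ghostscript argv. */
#include <stdio.h>
#include <string.h>

/* Returns 1 only if -dSAFER is in effect when the first input operand is
 * reached. Ghostscript applies a switch to the files named after it, so a
 * -dSAFER that follows the input, or is cancelled by -dNOSAFER, does not
 * count. Assumes single-token switches, as in the pstopnm call; anything
 * not starting with '-' is treated as an input file. */
int gs_argv_is_safer(const char *const argv[])
{
    int safer = 0;
    for (int i = 1; argv[i] != NULL; i++) {
        const char *a = argv[i];
        if (strcmp(a, "-dSAFER") == 0)
            safer = 1;
        else if (strcmp(a, "-dNOSAFER") == 0)
            safer = 0;
        else if (strcmp(a, "-") == 0 || a[0] != '-')
            return safer;   /* first input operand: stdin or a file name */
    }
    return 0;               /* no input operand seen: reject */
}

/* Constructed sample vectors; the option values are placeholders. */
#define GS_COMMON "gs", "-sDEVICE=pnmraw", "-sOutputFile=out%d.ppm", \
                  "-g612x792", "-r72", "-q", "-dNOPAUSE"
const char *const ARGV_UNPATCHED[] = { GS_COMMON, "-", NULL };
const char *const ARGV_PATCHED[]   = { GS_COMMON, "-dSAFER", "-", NULL };
const char *const ARGV_TOO_LATE[]  = { GS_COMMON, "-", "-dSAFER", NULL };
const char *const ARGV_CANCELLED[] = { GS_COMMON, "-dSAFER", "-dNOSAFER", "-", NULL };

int main(void)
{
    const char *const *cases[] = { ARGV_UNPATCHED, ARGV_PATCHED,
                                   ARGV_TOO_LATE, ARGV_CANCELLED };
    const char *names[] = { "unpatched", "patched", "too late", "cancelled" };
    for (int i = 0; i < 4; i++)
        printf("%-10s -> %s\n", names[i],
               gs_argv_is_safer(cases[i]) ? "ok to exec" : "refuse");
    return 0;
}
```

The check rejects any form it does not recognise, so a vector that relies on a different spelling of the switch is refused rather than trusted.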

Impact:
A remote user can create a PostScript file that, when processed by the target user, will cause arbitrary commands to be executed by the target user.

Solution:
The vendor has issued a fixed version (10.29), available at:
http://sourceforge.net/project/showfiles.php?group_id=5128

Vendor URL: netpbm.sourceforge.net/

Cause:
Input validation error

Underlying OS:
Linux (Any), UNIX (Any)

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Sun, 24 Jul 2005 17:41:31 +0200
Subject: netpbm: arbitrary postscript code execution

Hi Andi,

we've already talked about this, I'm just filing it to keep track.
Please refer to message <20050602144046.GA16927@dp.roam.hinterhof.net>
(sent to maintainer and security team) for all details.

Quick description: pstopnm calls the ghostscript interpreter on
potentially untrusted postscript without specifying the -dSAFER option.
Not running under -dSAFER allows postscript code to do file IO and to
open pipes to arbitrary external programs, including /bin/sh.

I'm filing this as important bug since I'm not clear in which situations
users would run pstopnm on untrusted postscript. In principle, when that
happens, an attacker could have arbitrary shell commands executed with
the permissions of the user who runs pstopnm.

This bug affects oldstable, stable, testing and sid (as of 2:10.0-8)

cheers,
Max

--- netpbm-free-10.0/pnm/pstopnm.c~ 2005-06-02 16:20:03.205694176 +0200
+++ netpbm-free-10.0/pnm/pstopnm.c 2005-06-02 16:24:24.978262856 +0200
@@ -568,11 +568,11 @@
pm_message("execing '%s' with args '%s' (arg 0), "
"'%s', '%s', '%s', '%s', '%s', '%s', '%s'",
ghostscriptProg, arg0,
- deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE", "-");
+ deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE", "-dSAFER", "-");
}
execl(ghostscriptProg, arg0, deviceopt, outfileopt, gopt, ropt, "-q",
- "-dNOPAUSE", "-", NULL);
+ "-dNOPAUSE", "-dSAFER", "-", NULL);
pm_error("execl() of Ghostscript ('%s') failed, errno=%d (%s)",
ghostscriptProg, errno, strerror(errno));
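
Review bot: The pm_message() format string in the unchanged context lines at the top of the hunk still has seven '%s' conversions after "(arg 0)", while the argument list after arg0 now has eight entries, so the verbose trace will show "-dSAFER" in the last slot and silently drop the trailing "-". Add one more '%s' to the format so the logged command matches what execl() actually receives. Because the option list is written out twice, once for the message and once for execl(), it would also be worth building it once in a single array used by both, so a later option cannot be added to one call and missed in the other.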