Date: Wed, 5 Oct 2016 09:54:07 -0700 From: Tavis Ormandy <taviso@...gle.com> To: oss-security@...ts.openwall.com Subject: Re: CVE Request - multiple ghostscript -dSAFER sandbox problems On Wed, Oct 5, 2016 at 9:47 AM, Hanno Böck <hanno@...eck.de> wrote: > On Wed, 5 Oct 2016 09:13:03 -0700 > Tavis Ormandy <taviso@...gle.com> wrote: > >> If you're using ImageMagick, I would recommend disabling the PS, EPS, >> PDF and XPS coders in policy.xml. Applications like gimp, evince, >> claws, and most other applications that generate thumbnails of PDF/PS >> documents should probably not do so without a prompt (NOTE: A lot of >> packages do this > > I was surprised to see evince in this list. It uses poppler for pdf and > libspectre for postscript, so there seems to be no use of > ghostscript (maybe in an older version). > Also for claws the only use of ghostscript is in a plugin that's not > enabled by default. It might be an old version but the version I have on RHEL7 and Ubuntu LTS both invoke gs by default. $ evince --version GNOME Document Viewer 3.14.2 > While I agree that avoiding parsing for things like thumbnails should > be tried I still wonder what the overall solution to this is. Because > even if we avoid non-prompted ps parsing we still want to be able to > parse PS files without code execution. > Do you feel dSAFER could be secured or is this a loosing battle? > As I understand it, there are also complicated licensing issues with ghostscript that are going to impede progress. The problem is a big mess. > -- > Hanno Böck > https://hboeck.de/ > > mail/jabber: hanno@...eck.de > GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ