Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 5 Oct 2016 09:54:07 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request - multiple ghostscript -dSAFER sandbox problems

On Wed, Oct 5, 2016 at 9:47 AM, Hanno Böck <hanno@...eck.de> wrote:
> On Wed, 5 Oct 2016 09:13:03 -0700
> Tavis Ormandy <taviso@...gle.com> wrote:
>
>> If you're using ImageMagick, I would recommend disabling the PS, EPS,
>> PDF and XPS coders in policy.xml. Applications like gimp, evince,
>> claws, and most other applications that generate thumbnails of PDF/PS
>> documents should probably not do so without a prompt (NOTE: A lot of
>> packages do this
>
> I was surprised to see evince in this list. It uses poppler for pdf and
> libspectre for postscript, so there seems to be no use of
> ghostscript (maybe in an older version).
> Also for claws the only use of ghostscript is in a plugin that's not
> enabled by default.

It might be an old version but the version I have on RHEL7 and Ubuntu
LTS both invoke gs by default.

$ evince --version
GNOME Document Viewer 3.14.2

> While I agree that avoiding parsing for things like thumbnails should
> be tried I still wonder what the overall solution to this is. Because
> even if we avoid non-prompted ps parsing we still want to be able to
> parse PS files without code execution.
> Do you feel dSAFER could be secured or is this a loosing battle?
>


As I understand it, there are also complicated licensing issues with
ghostscript that are going to impede progress.

The problem is a big mess.

> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: hanno@...eck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ