oss-security - Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default?

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Tue, 21 Aug 2018 07:48:22 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Re: More Ghostscript Issues: Should we disable PS coders in
 policy.xml by default?

On Tue, Aug 21, 2018 at 5:46 AM Tavis Ormandy <taviso@...gle.com> wrote:

>
> $ convert input.jpg output.gif
> uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
>
>
My colleague Jann Horn pointed out evince (which uses libgs, which is
affected with some tweaks to the PoC) is used to generate previews in
Nautilus, which means previews can trigger code execution (see
/usr/share/thumbnailers/evince.thumbnailer). I think it's possible to
trigger that via file automatic download in a browser just by visiting a
URL, but I haven't tested it.

I think those thumbnails should be disabled, but you've probably noticed I
think everything related to untrusted ghostscript should be disabled :-)

Tavis.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.