SecurityTracker.com
SecurityTracker Archives

Category: Application (Generic) > Ghostscript
Vendors: Caldera/SCO
(Caldera Issues Fix for OpenLinux) Ghostscript PostScript Interpreter May Execute Arbitrary Shell Commands When Processing a Malicious PostScript File
SecurityTracker Alert ID:  1004519
SecurityTracker URL:  http://securitytracker.com/id/1004519
CVE Reference: CVE-2002-0363
Date:  Jun 12 2002
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 6.5.2 and prior versions
Description:   A vulnerability has been reported in the Ghostscript PostScript file interpreter. A malicious PostScript file could cause arbitrary shell commands to be executed by Ghostscript.

It is reported that a malicious PostScript file that uses .locksafe or .setsafe to reset the current page device can cause Ghostscript to execute arbitrary shell commands due to insufficient input validation. The commands would run with the privileges of the Ghostscript process. Because Ghostscript is often used when printing documents (and is run as user 'lp' on many systems), this could allow a local user to gain elevated privileges on a system. The bug could also be exploited by a remote user to gain access to a system when a target (victim) user prints a PostScript file.

According to Ghostscript bug #516379, .setsafe or .locksafe will remove the ViewerPreProcess procedure from the current page device (if a hook for this was previously installed using setpagedevice). As a result, a file that sets /HWResolution will display incorrectly and could be made to execute arbitrary commands.

No further details were provided.

Impact:   A malicious PostScript file could cause arbitrary code to be executed on the system with the privileges of the Ghostscript process (which may be used by printers with 'lp' privileges on some systems).
Solution:   Caldera has released a fix for OpenLinux.

For OpenLinux 3.1.1 Server:

Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

Packages

cfabdbccacd4de0268ce15d1dd6a0408 ghostscript-6.51-10.i386.rpm
f9bb38edc64d718f8b943d395de7c75a ghostscript-doc-6.51-10.i386.rpm
70a913d9427ce45367710498bab8e065 ghostscript-fonts-6.51-10.i386.rpm
9e2f736b44b9bfa60e51c24847637d48 ghostscript-fonts-cid-6.51-10.i386.rpm

Installation

rpm -Fvh ghostscript-6.51-10.i386.rpm
rpm -Fvh ghostscript-doc-6.51-10.i386.rpm
rpm -Fvh ghostscript-fonts-6.51-10.i386.rpm
rpm -Fvh ghostscript-fonts-cid-6.51-10.i386.rpm

Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

Source Packages

dba70bda415835cca29139d565936b3f ghostscript-6.51-10.src.rpm


For OpenLinux 3.1.1 Workstation:

Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

Packages

f8a0bf41a7dd801f6f98d50134143fbd ghostscript-6.51-10.i386.rpm
a2d8fbd76bc080146b1a1a964a218850 ghostscript-doc-6.51-10.i386.rpm
bccaab1b0a9005ea7d36173e296b444e ghostscript-fonts-6.51-10.i386.rpm
dadf94bb7c6091cfb32d650a61e8864d ghostscript-fonts-cid-6.51-10.i386.rpm

Installation

rpm -Fvh ghostscript-6.51-10.i386.rpm
rpm -Fvh ghostscript-doc-6.51-10.i386.rpm
rpm -Fvh ghostscript-fonts-6.51-10.i386.rpm
rpm -Fvh ghostscript-fonts-cid-6.51-10.i386.rpm

Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

Source Packages

38ebafe42e38f5eae8207c4f52bbb90d ghostscript-6.51-10.src.rpm


For OpenLinux 3.1 Server:

Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

Packages

12aa5320c2331010736ce36a9fc1ef3d ghostscript-6.51-10.i386.rpm
1a40569d1a9598df507faae191e68c48 ghostscript-doc-6.51-10.i386.rpm
f44b0f45f4864d2b357b02642c4cd249 ghostscript-fonts-6.51-10.i386.rpm
e28affd61ec6bdc19e136c1355307e90 ghostscript-fonts-cid-6.51-10.i386.rpm

Installation

rpm -Fvh ghostscript-6.51-10.i386.rpm
rpm -Fvh ghostscript-doc-6.51-10.i386.rpm
rpm -Fvh ghostscript-fonts-6.51-10.i386.rpm
rpm -Fvh ghostscript-fonts-cid-6.51-10.i386.rpm

Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

Source Packages

2e7ba1c536a23823a9c8072d793258af ghostscript-6.51-10.src.rpm


For OpenLinux 3.1 Workstation:

Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

Packages

53145cdba14975c68766ba720977c5cc ghostscript-6.51-10.i386.rpm
d9712806f0f65fba2d806dcc17bd02f6 ghostscript-doc-6.51-10.i386.rpm
bbe1c3eea2309a42507c3e0cdab49cf0 ghostscript-fonts-6.51-10.i386.rpm
4eae26e3e44aa27c0c32df3be32bf622 ghostscript-fonts-cid-6.51-10.i386.rpm

Installation

rpm -Fvh ghostscript-6.51-10.i386.rpm
rpm -Fvh ghostscript-doc-6.51-10.i386.rpm
rpm -Fvh ghostscript-fonts-6.51-10.i386.rpm
rpm -Fvh ghostscript-fonts-cid-6.51-10.i386.rpm

Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

Source Packages

a51ce17775efda0a93f8cf82781f50c5 ghostscript-6.51-10.src.rpm
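The MD5 lists above exist so that an administrator can confirm each downloaded RPM is the one Caldera published before `rpm -Fvh` touches the system. The script below is an added example, not code from Caldera or SecurityTracker: it reads a "checksum filename" manifest (the OpenLinux 3.1.1 Server list is copied in as-is; substitute the block for your platform), checks every listed package in a directory, and only then runs the advisory's freshen commands. It assumes coreutils `md5sum` (falling back to BSD `md5`), `awk`, and `mktemp` are on the path.

```shell
#!/bin/sh
# Added example (not from Caldera or SecurityTracker): check downloaded RPMs
# against the MD5 list an advisory publishes before freshening them with
# rpm -Fvh. Assumes coreutils md5sum (falls back to BSD md5), awk and mktemp.

# Checksums exactly as printed in the "OpenLinux 3.1.1 Server" section above.
OL311_SERVER_MANIFEST='cfabdbccacd4de0268ce15d1dd6a0408 ghostscript-6.51-10.i386.rpm
f9bb38edc64d718f8b943d395de7c75a ghostscript-doc-6.51-10.i386.rpm
70a913d9427ce45367710498bab8e065 ghostscript-fonts-6.51-10.i386.rpm
9e2f736b44b9bfa60e51c24847637d48 ghostscript-fonts-cid-6.51-10.i386.rpm'

# md5_of FILE: print the hex MD5 digest of FILE.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_pkg EXPECTED_MD5 FILE: succeed only if FILE's digest equals EXPECTED_MD5.
verify_pkg() {
    actual=$(md5_of "$2") || return 2
    [ "$actual" = "$1" ]
}

# verify_manifest MANIFEST DIR: check every "md5 filename" line of MANIFEST
# against DIR/filename. Prints one status line per package and fails if any
# package is missing or does not match, so nothing is installed from a
# partial or tampered download set.
verify_manifest() {
    manifest=$1
    dir=$2
    failed=0
    tmp=$(mktemp) || return 2
    printf '%s\n' "$manifest" > "$tmp"
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            printf 'MISSING  %s\n' "$name"
            failed=$((failed + 1))
        elif verify_pkg "$expected" "$dir/$name"; then
            printf 'OK       %s\n' "$name"
        else
            printf 'MISMATCH %s\n' "$name"
            failed=$((failed + 1))
        fi
    done < "$tmp"
    rm -f "$tmp"
    [ "$failed" -eq 0 ]
}

# install_if_verified MANIFEST DIR: the advisory's "rpm -Fvh" step, gated on
# the checksums. rpm is only invoked when every listed package verified.
install_if_verified() {
    if ! verify_manifest "$1" "$2"; then
        echo "checksum verification failed; not installing" >&2
        return 1
    fi
    names=$(printf '%s\n' "$1" | awk 'NF == 2 { print $2 }')
    for name in $names; do
        rpm -Fvh "$2/$name" || return 1
    done
}

# Usage (as root, from the directory the RPMs were downloaded into):
#   install_if_verified "$OL311_SERVER_MANIFEST" .
```

`rpm -Fvh` (freshen) only replaces packages that are already installed, which is why the advisory lists it rather than `-Uvh`; the gate above refuses to run it at all if even one listed file is absent or mismatched, since a half-applied update leaves the vulnerable interpreter in place.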

Vendor URL: www.ghostscript.com/doc/gnu/index.htm
Cause:   Input validation error
Underlying OS:  Linux (Caldera/SCO)
Underlying OS Comments:  OpenLinux 3.1, 3.1.1; Workstation and Server

Message History:   This archive entry is a follow-up to the message listed below.
Jun 4 2002 Ghostscript PostScript Interpreter May Execute Arbitrary Shell Commands When Processing a Malicious PostScript File



Source Message Contents

Subject:  Security Update: [CSSA-2002-026.0] Linux: ghostscript arbitrary command execution


To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com


______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		Linux: ghostscript arbitrary command execution
Advisory number: 	CSSA-2002-026.0
Issue date: 		2002 June 11
Cross reference:
______________________________________________________________________________


1. Problem Description

	An untrusted PostScript file that uses .locksafe or .setsafe to
	reset the current page device can force the ghostscript program
	to execute arbitrary commands.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to ghostscript-6.51-10.i386.rpm
					prior to ghostscript-doc-6.51-10.i386.rpm
					prior to ghostscript-fonts-6.51-10.i386.rpm
					prior to ghostscript-fonts-cid-6.51-10.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to ghostscript-6.51-10.i386.rpm
					prior to ghostscript-doc-6.51-10.i386.rpm
					prior to ghostscript-fonts-6.51-10.i386.rpm
					prior to ghostscript-fonts-cid-6.51-10.i386.rpm

	OpenLinux 3.1 Server		prior to ghostscript-6.51-10.i386.rpm
					prior to ghostscript-doc-6.51-10.i386.rpm
					prior to ghostscript-fonts-6.51-10.i386.rpm
					prior to ghostscript-fonts-cid-6.51-10.i386.rpm

	OpenLinux 3.1 Workstation	prior to ghostscript-6.51-10.i386.rpm
					prior to ghostscript-doc-6.51-10.i386.rpm
					prior to ghostscript-fonts-6.51-10.i386.rpm
					prior to ghostscript-fonts-cid-6.51-10.i386.rpm


3. Solution

	The proper solution is to install the latest packages.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

	4.2 Packages

	cfabdbccacd4de0268ce15d1dd6a0408	ghostscript-6.51-10.i386.rpm
	f9bb38edc64d718f8b943d395de7c75a	ghostscript-doc-6.51-10.i386.rpm
	70a913d9427ce45367710498bab8e065	ghostscript-fonts-6.51-10.i386.rpm
	9e2f736b44b9bfa60e51c24847637d48	ghostscript-fonts-cid-6.51-10.i386.rpm

	4.3 Installation

	rpm -Fvh ghostscript-6.51-10.i386.rpm
	rpm -Fvh ghostscript-doc-6.51-10.i386.rpm
	rpm -Fvh ghostscript-fonts-6.51-10.i386.rpm
	rpm -Fvh ghostscript-fonts-cid-6.51-10.i386.rpm

	4.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

	4.5 Source Packages

	dba70bda415835cca29139d565936b3f	ghostscript-6.51-10.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

	5.2 Packages

	f8a0bf41a7dd801f6f98d50134143fbd	ghostscript-6.51-10.i386.rpm
	a2d8fbd76bc080146b1a1a964a218850	ghostscript-doc-6.51-10.i386.rpm
	bccaab1b0a9005ea7d36173e296b444e	ghostscript-fonts-6.51-10.i386.rpm
	dadf94bb7c6091cfb32d650a61e8864d	ghostscript-fonts-cid-6.51-10.i386.rpm

	5.3 Installation

	rpm -Fvh ghostscript-6.51-10.i386.rpm
	rpm -Fvh ghostscript-doc-6.51-10.i386.rpm
	rpm -Fvh ghostscript-fonts-6.51-10.i386.rpm
	rpm -Fvh ghostscript-fonts-cid-6.51-10.i386.rpm

	5.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

	5.5 Source Packages

	38ebafe42e38f5eae8207c4f52bbb90d	ghostscript-6.51-10.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

	6.2 Packages

	12aa5320c2331010736ce36a9fc1ef3d	ghostscript-6.51-10.i386.rpm
	1a40569d1a9598df507faae191e68c48	ghostscript-doc-6.51-10.i386.rpm
	f44b0f45f4864d2b357b02642c4cd249	ghostscript-fonts-6.51-10.i386.rpm
	e28affd61ec6bdc19e136c1355307e90	ghostscript-fonts-cid-6.51-10.i386.rpm

	6.3 Installation

	rpm -Fvh ghostscript-6.51-10.i386.rpm
	rpm -Fvh ghostscript-doc-6.51-10.i386.rpm
	rpm -Fvh ghostscript-fonts-6.51-10.i386.rpm
	rpm -Fvh ghostscript-fonts-cid-6.51-10.i386.rpm

	6.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

	6.5 Source Packages

	2e7ba1c536a23823a9c8072d793258af	ghostscript-6.51-10.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

	7.2 Packages

	53145cdba14975c68766ba720977c5cc	ghostscript-6.51-10.i386.rpm
	d9712806f0f65fba2d806dcc17bd02f6	ghostscript-doc-6.51-10.i386.rpm
	bbe1c3eea2309a42507c3e0cdab49cf0	ghostscript-fonts-6.51-10.i386.rpm
	4eae26e3e44aa27c0c32df3be32bf622	ghostscript-fonts-cid-6.51-10.i386.rpm

	7.3 Installation

	rpm -Fvh ghostscript-6.51-10.i386.rpm
	rpm -Fvh ghostscript-doc-6.51-10.i386.rpm
	rpm -Fvh ghostscript-fonts-6.51-10.i386.rpm
	rpm -Fvh ghostscript-fonts-cid-6.51-10.i386.rpm

	7.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

	7.5 Source Packages

	a51ce17775efda0a93f8cf82781f50c5	ghostscript-6.51-10.src.rpm


8. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0363
		http://www.ghostscript.com/pipermail/gs-code-review/2002-January/001801.html
		http://www.ghostscript.com/pipermail/gs-code-review/2002-February/001900.html
		http://www.redhat.com/support/errata/RHSA-2002-083.html

	Caldera security resources:
		http://www.caldera.com/support/security

	This security fix closes Caldera incidents sr865431, fz521132,
	erg712067.


9. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on this website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera products.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj0GoOoACgkQbluZssSXDTEsIwCfVceFi7uEr1oE7Pqu76pXaw1s
wT4AoMfywNneWmwN7S6rnM+6/Av3Fsfq
=zO1a
-----END PGP SIGNATURE-----

Copyright 2020, SecurityGlobal.net LLC