SecurityTracker.com
Category:   Application (Generic)  >   Netpbm
Vendors:   netpbm.sourceforge.net
netpbm 'pstopnm' Lack of Ghostscript -dSAFER Option May Let Remote Users Cause Arbitrary Commands to Be Executed
SecurityTracker Alert ID:  1014752
SecurityTracker URL:  http://securitytracker.com/id/1014752
CVE Reference:   CVE-2005-2471
Updated:  Jun 8 2008
Original Entry Date:  Aug 22 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 10.28 and prior versions
Description:   A vulnerability was reported in netpbm. A remote user can cause arbitrary commands to be executed by the target user.

The 'pstopnm' utility invokes the Ghostscript interpreter on user-supplied PostScript files without specifying the -dSAFER option when converting to PBM, PGM, or PNM files. As a result, a remote user can create a specially crafted PostScript file that, when processed by the target user with pstopnm, will execute arbitrary commands on the target system. The commands will run with the privileges of the target user.

The flaw resides in 'pstopnm.c'.
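
The condition described above can be checked mechanically before a Ghostscript argument vector is handed to exec. This is an added example, not code from netpbm or from the advisory: the helper name gs_argv_is_safer and the sample option values are assumptions constructed for illustration, and the check is deliberately conservative in treating a -dSAFER that appears only after the input operand as missing.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not part of netpbm): return 1 only if the
 * NULL-terminated Ghostscript argument vector passes -dSAFER before the
 * first input operand and never passes -dNOSAFER. Fails closed: any
 * argument that is "-" (stdin) or does not start with '-' is treated
 * as an input operand, so -dSAFER seen after it does not count. */
static int gs_argv_is_safer(const char *const argv[])
{
    int safer = 0, saw_input = 0;

    for (size_t i = 1; argv[i] != NULL; i++) {   /* argv[0] is arg 0 */
        const char *a = argv[i];
        if (strcmp(a, "-dNOSAFER") == 0)
            return 0;                 /* explicit opt-out anywhere */
        if (strcmp(a, "-dSAFER") == 0) {
            if (!saw_input)
                safer = 1;
        } else if (strcmp(a, "-") == 0 || a[0] != '-') {
            saw_input = 1;
        }
    }
    return safer;
}

/* Constructed sample vectors. The device, output, geometry and resolution
 * values are illustrative; the flag order follows the page's execl() call. */
static const char *const argv_before[] = {
    "gs", "-sDEVICE=pnmraw", "-sOutputFile=page%03d.ppm", "-g612x792",
    "-r72x72", "-q", "-dNOPAUSE", "-", NULL };
static const char *const argv_after[] = {
    "gs", "-sDEVICE=pnmraw", "-sOutputFile=page%03d.ppm", "-g612x792",
    "-r72x72", "-q", "-dNOPAUSE", "-dSAFER", "-", NULL };
static const char *const argv_late[] = {
    "gs", "-q", "-dNOPAUSE", "-", "-dSAFER", NULL };

int main(void)
{
    printf("before fix: %d\n", gs_argv_is_safer(argv_before));
    printf("after fix:  %d\n", gs_argv_is_safer(argv_after));
    printf("late flag:  %d\n", gs_argv_is_safer(argv_late));
    return 0;
}
```
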

Impact:   A remote user can create a PostScript file that, when processed by the target user, will cause arbitrary commands to be executed by the target user.
Solution:   The vendor has issued a fixed version (10.29), available at:

http://sourceforge.net/project/showfiles.php?group_id=5128

Vendor URL:  netpbm.sourceforge.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 22 2005 (Red Hat Issues Fix) netpbm 'pstopnm' Lack of Ghostscript -dSAFER Option May Let Remote Users Cause Arbitrary Commands to Be Executed
Red Hat has released a fix.



 Source Message Contents

Subject:  netpbm: arbitrary postscript code execution

Hi Andi,

we've already talked about this, I'm just filing it to keep track.
Please refer to message <20050602144046.GA16927@dp.roam.hinterhof.net>
(sent to maintainer and security team) for all details.

Quick description: pstopnm calls the ghostscript interpreter on                
potentially untrusted postscript without specifying the -dSAFER option.
Not running under -dSAFER allows postscript code to do file IO and to
open pipes to arbitrary external programs, including /bin/sh.

I'm filing this as important bug since I'm not clear in which situations
users would run pstopnm on untrusted postscript. In principle, when that
happens, an attacker could have arbitrary shell commands executed with
the permissions of the user who runs pstopnm.

This bug affects oldstable, stable, testing and sid (as of 2:10.0-8)

cheers,
Max


--- netpbm-free-10.0/pnm/pstopnm.c~	2005-06-02 16:20:03.205694176 +0200
+++ netpbm-free-10.0/pnm/pstopnm.c	2005-06-02 16:24:24.978262856 +0200
@@ -568,11 +568,11 @@
         pm_message("execing '%s' with args '%s' (arg 0), "
                    "'%s', '%s', '%s', '%s', '%s', '%s', '%s'",
                    ghostscriptProg, arg0,
-                   deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE", "-");
+                   deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE", "-dSAFER",  "-");
     }
 
     execl(ghostscriptProg, arg0, deviceopt, outfileopt, gopt, ropt, "-q",
-          "-dNOPAUSE", "-", NULL);
+          "-dNOPAUSE", "-dSAFER", "-", NULL);
     
     pm_error("execl() of Ghostscript ('%s') failed, errno=%d (%s)",
              ghostscriptProg, errno, strerror(errno));
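
Review bot: the pm_message() call at the top of this hunk now passes ten string arguments, but the format string in the unchanged context lines still has only nine '%s' conversions, so the verbose message will no longer print the trailing "-" and will not match what execl() actually receives. Add one more '%s' to the second format line so the logged argument list stays accurate. There is also a stray double space in `"-dSAFER",  "-"`.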
 
 

