/usr/share/doc/mgetty/contrib/gs-security.fix is in mgetty-docs 1.1.36-2ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 | From owner-mgetty Thu Aug 24 11:13:35 1995
Return-Path: <owner-mgetty>
Received: by greenie.muc.de (/\==/\ Smail3.1.24.1 #24.2)
id <m0slYLu-0004cxC@greenie.muc.de>; Thu, 24 Aug 95 11:13 MEST
Return-Path: <l-mgetty-owner@muc.de>
Received: by greenie.muc.de (/\==/\ Smail3.1.24.1 #24.2)
id <m0slYLt-0000srC@greenie.muc.de>; Thu, 24 Aug 95 11:13 MEST
Received: from tarsier.cv.nrao.edu ([192.33.115.50]) by vogon.muc.de with SMTP id <93325-1>; Thu, 24 Aug 1995 11:13:04 +0200
Received: (from juphoff@localhost) by tarsier.cv.nrao.edu (8.6.12/8.6.9) id FAA07826; Thu, 24 Aug 1995 05:12:23 -0400
Date: Thu, 24 Aug 1995 11:12:23 +0200
Message-Id: <199508240912.FAA07826@tarsier.cv.nrao.edu>
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: mgetty@muc.de
Subject: Ghostscript problem.
X-Spook: Mossad NORML Mossad
X-Mailer: VM 5.94 (beta); GNU Emacs 19.29.1
X-Attribution: Up
Status: RO
Here's the description of the hole that I mentioned in my previous
e-mail, which was a CC of a message that I was posting to the Linux
security list.
I CC'd the 'mgetty' list because we were discussing, and trying to
compile a list of, software that calls Ghostscript (both "safely" and
"unsafely") and I had mentioned that 'faxspool' calls it (safely) to do
file-conversions. Since there may be people out there FAXing files that
they have received from the outside--thus opening themselves up to this
vulnerability--this is of interest here as well.
(Any users of the WWW that view remote Postscript files are of course
*very* vulnerable!)
The easiest way to demonstrate the problem is to view the following
Postscript file with either Ghostview or Ghostscript. Even the
"-dSAFER" option (which Ghostview v1.5 passes to Ghostscript by default)
does not prevent the file-write:
%!PS-
(%pipe%echo hacker@rogue.site >> /tmp/foo) (r) file
quit
Replace /tmp/foo with /.rhosts (or use Postscript's getenv capabilites
to write to ~/.rhosts) and you quickly see the dangers...
One fix (thanks go out to Olaf Kirch for this) is to patch the
gs_init.ps file in your Ghostscript library area in the following
manner:
--- gs_init.ps.orig Sun Aug 20 23:22:01 1995
+++ gs_init.ps Sun Aug 20 23:22:46 1995
@@ -302,7 +302,8 @@
% If we want a "safer" system, disable some obvious ways to cause havoc.
SAFER not { (%END SAFER) .skipeof } if
/file
- { dup (r) eq
+ { exch dup /..fname exch def exch
+ dup (r) eq ..fname (%pipe%*) .stringmatch not and
{ file }
{ /invalidfileaccess signalerror }
ifelse
--Up.
--
Jeff Uphoff - systems/network admin. | juphoff@nrao.edu
National Radio Astronomy Observatory | jeff.uphoff@linux.org
Charlottesville, VA, USA | http://linux.nrao.edu/~juphoff/
|