Mailinglist Archive: opensuse-bugs (5379 mails)

[Bug 608071] VUL-0: ghostscript: executes random code on startup (does not verify ownership of sensitive files used)
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Wed, 2 Jun 2010 10:33:51 +0000
  • Message-id: <20100602103351.D47EFCC7D5@xxxxxxxxxxxxxxxxxxxxxx>
http://bugzilla.novell.com/show_bug.cgi?id=608071

http://bugzilla.novell.com/show_bug.cgi?id=608071#c26


--- Comment #26 from Johannes Meixner <jsmeix@xxxxxxxxxx> 2010-06-02 10:33:48 UTC ---
Created an attachment (id=366379)
--> (http://bugzilla.novell.com/attachment.cgi?id=366379)
fix-Use.htm-for-SEARCH_HERE_FIRST-0.patch

A proposal for how to patch the documentation in Use.htm
for ghostscript-8.70 if SEARCH_HERE_FIRST=0 is used.

As far as I can see, it is sufficient to fix the documentation
in Use.htm because '-P-' is not mentioned anywhere else
(in particular not in "man gs") and furthermore "gs -h"
points to Use.htm (below the "Search path" output).

By the way:

According to
http://www.ghostscript.com/doc/7.07/Use.htm#Finding_files
the Ghostscript authors already agree that "trying the
current directory first is a very bad idea" because it
"opens serious security loopholes" but they didn't fix
the security bug only because some users complained :-(

I also agree that a parameter that makes gs safer does not matter
as long as it is not the default (see comment #12).

I think that at least all Linux distributions should fix
Ghostscript accordingly, regardless of whether some users might
then complain that they must use the -P (or -I) switch
if they need the current directory.
