http://bugzilla.suse.com/show_bug.cgi?id=1134327
http://bugzilla.suse.com/show_bug.cgi?id=1134327#c16
--- Comment #16 from Johannes Meixner ---
In general it is insufficient to prevent execution
of arbitrary executables only for /usr/bin/gs
because actually it is /usr/lib64/libgs.so.9.*
that contains the actual Ghostscript functionality.
Accordingly all executables that can use /usr/lib64/libgs
(e.g. executables that link directly with libgs
or indirectly with libgs e.g. via libspectre)
would have to be protected.
I.e. the transitive closure of what can use /usr/lib64/libgs
needs to be determined.
E.g. an offhand initial attempt on my openSUSE Leap 15.0 system:
-----------------------------------------------------------------------------
# rpm -e --test ghostscript 2>&1 | grep libgs
libgs.so.9()(64bit) is needed by ... graphviz-gnome-2.40.1-lp150.4.30.x86_64
libgs.so.9()(64bit) is needed by ... gimp-2.8.22-lp150.3.8.x86_64
libgs.so.9()(64bit) is needed by ... libspectre1-0.2.8-lp150.2.9.2.x86_64
# for f in $( rpm -ql graphviz-gnome ) ; \
do ldd $f 2>/dev/null | grep -q 'libgs\.so' && find $f -type f ; \
done
/usr/lib64/graphviz/libgvplugin_gs.so.6.0.0
# for f in $( rpm -ql gimp ) ; \
do ldd $f 2>/dev/null | grep -q 'libgs\.so' && find $f -type f ; \
done
/usr/lib64/gimp/2.0/plug-ins/file-ps
# for f in $( rpm -ql libspectre1 ) ; \
do ldd $f 2>/dev/null | grep -q 'libgs\.so' && find $f -type f ; \
done
/usr/lib64/libspectre.so.1.1.8
...
-----------------------------------------------------------------------------
and then what executables need /usr/lib64/graphviz/libgvplugin_gs.so.6.0.0
or /usr/lib64/gimp/2.0/plug-ins/file-ps or /usr/lib64/libspectre.so.1.1.8
and so on ...
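Worked example, added here and not part of the bug comment or of any SUSE tooling: a small shell script that computes the transitive closure the comment asks for, i.e. every ELF file that reaches libgs directly or through any chain of shared libraries. It records two kinds of edges, "P file soname" (the file's DT_SONAME) and "N file soname" (a DT_NEEDED entry), and iterates to a fixed point in awk. The readelf-based edge generator is for real systems and is not exercised below; the embedded edge list is constructed sample data modelled on the packages named in the comment (file names, versions and the evince edge are assumptions, not facts from the page).

```shell
#!/bin/sh
# Transitive "who can reach libgs" closure over DT_NEEDED edges.
#
# Edge format (one per line, whitespace separated, so paths containing
# spaces are not supported here):
#   P <file> <soname>   the ELF file exports that soname (its DT_SONAME)
#   N <file> <soname>   the ELF file imports that soname (a DT_NEEDED entry)

# Real-system edge generator: scans the given directories with readelf
# (binutils).  Assumed usage: gen_edges /usr/bin /usr/lib64 > edges.txt
gen_edges() {
  find "$@" -type f \( -perm -u+x -o -name '*.so*' \) 2>/dev/null |
  while IFS= read -r f; do
    readelf -d "$f" 2>/dev/null | awk -v f="$f" '
      /\(SONAME\)/ { s = $NF; gsub(/\[|\]/, "", s); print "P", f, s }
      /\(NEEDED\)/ { s = $NF; gsub(/\[|\]/, "", s); print "N", f, s }'
  done
}

# closure REGEX  (edges on stdin): print, sorted, every file that needs a
# soname matching REGEX, directly or through any chain of shared libraries.
# Use a bracket instead of a backslash for literal dots ('^libgs[.]so'),
# because awk -v processes escape sequences in the value.
closure() {
  awk -v target="$1" '
    $1 == "P" { provides[$2] = provides[$2] " " $3; if ($3 ~ target) want[$3] = 1 }
    $1 == "N" { needs[$2]    = needs[$2]    " " $3; if ($3 ~ target) want[$3] = 1 }
    END {
      # Worklist to a fixed point: a file that needs a wanted soname is a
      # hit, and every soname that file itself exports becomes wanted too,
      # so users of libspectre are found via libspectre -> libgs.
      do {
        changed = 0
        for (f in needs) {
          if (f in hit) continue
          n = split(needs[f], dep, " ")
          for (i = 1; i <= n; i++) {
            if (dep[i] in want) {
              hit[f] = 1; changed = 1
              m = split(provides[f], ex, " ")
              for (j = 1; j <= m; j++) want[ex[j]] = 1
              break
            }
          }
        }
      } while (changed)
      for (f in hit) print f
    }' | LC_ALL=C sort
}

# Constructed sample edge list (assumed file names and versions), modelled
# on the packages the bug comment lists.  The /usr/bin/dot and /usr/bin/cat
# edges are there to show what the closure does NOT report.
sample_edges() {
  cat <<'EOF'
P /usr/lib64/libgs.so.9.26 libgs.so.9
N /usr/bin/gs libgs.so.9
N /usr/lib64/libspectre.so.1.1.8 libgs.so.9
P /usr/lib64/libspectre.so.1.1.8 libspectre.so.1
N /usr/lib64/gimp/2.0/plug-ins/file-ps libgs.so.9
N /usr/lib64/graphviz/libgvplugin_gs.so.6.0.0 libgs.so.9
P /usr/lib64/graphviz/libgvplugin_gs.so.6.0.0 libgvplugin_gs.so.6
N /usr/bin/evince libspectre.so.1
N /usr/bin/dot libgvc.so.6
P /usr/lib64/libgvc.so.6.0.0 libgvc.so.6
N /usr/bin/cat libc.so.6
EOF
}

# Everything in the sample data that can reach libgs.
libgs_users() {
  sample_edges | closure '^libgs[.]so'
}

libgs_users
```

On a real system replace `sample_edges` with `gen_edges /usr/bin /usr/lib64 /usr/lib` and keep the `rpm -e --test` / `rpm -q --whatrequires` step from the comment alongside it: a DT_NEEDED closure is a lower bound only. Graphviz's `dot` loads libgvplugin_gs.so as a plugin at run time and GIMP runs file-ps as a separate plug-in process, so neither front end links against libgs and neither appears in the closure above (the sample deliberately shows `/usr/bin/dot` staying out), yet both still reach Ghostscript; package-level dependencies and plugin directories have to be checked as well.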