Your message dated Tue, 1 Jun 2010 07:24:29 +0200
with message-id <20100601052429.GC2063@piware.de>
and subject line Re: [Pkg-cups-devel] Bug#584002: cups: Security bugs in ghostscript
has caused the Debian Bug report #584002,
regarding cups: Security bugs in ghostscript
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
584002: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584002
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: cups: Security bugs in ghostscript
- From: Paul Szabo <paul.szabo@sydney.edu.au>
- Date: Tue, 01 Jun 2010 11:05:43 +1000
- Message-id: <20100601010543.16910.5658.reportbug@bari.maths.usyd.edu.au>

Package: cups
Severity: grave
Tags: security
Justification: user security hole

Please note remote execute-any-code security bugs in ghostscript:

http://bugs.debian.org/583183

This package depends on ghostscript, and may be affected. Please evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
--- Begin Message ---
- To: Paul Szabo <paul.szabo@sydney.edu.au>, 584002-done@bugs.debian.org
- Subject: Re: [Pkg-cups-devel] Bug#584002: cups: Security bugs in ghostscript
- From: Martin Pitt <mpitt@debian.org>
- Date: Tue, 1 Jun 2010 07:24:29 +0200
- Message-id: <20100601052429.GC2063@piware.de>
- In-reply-to: <20100601010543.16910.5658.reportbug@bari.maths.usyd.edu.au>
- References: <20100601010543.16910.5658.reportbug@bari.maths.usyd.edu.au>

Hello Paul,

Paul Szabo [2010-06-01 11:05 +1000]:
> Please note remote execute-any-code security bugs in ghostscript:
>
> http://bugs.debian.org/583183

Thanks for notifying us about this problem.

cups has one or two filters which call ghostscript. They do use -dSAFER, but none of those use -P- (which, as you already determined, is not documented at all in the manpage and --help output, and really ought to be the default!)

Also, out there in the world exist millions of PPD files (i.e. printer drivers/filters) which can specify arbitrary ghostscript command lines, and we can't possibly fix them all.

However, the cups daemon chdirs to / at startup, and keeps this directory when it runs filters. I believe this to be safe, users or malicious programs really should not be able to write crafted .ps files into / (if they are, you have a worse problem).

> This package depends on ghostscript, and may be affected. Please
> evaluate the security of this package, and fix if needed.

I believe no action is necessary for cups due to the safe environment the filters get run in. Therefore I close this bug.

Thanks for your investigations!

Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
--- End Message ---
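
Added example, not part of the original messages and not code from cups or ghostscript: a small audit of the two conditions the reply weighs, namely whether a ghostscript command line carries -dSAFER and -P-, and whether the directory the filter runs in can be written by other users. The sample lines are constructed, and the function names are hypothetical.

```python
import os
import re
import stat

# Constructed sample lines standing in for filter scripts and PPD entries.
SAMPLE_LINES = [
    'gs -q -dBATCH -dNOPAUSE -dSAFER -sDEVICE=cups -sOutputFile=- -',
    'gs -q -dBATCH -dNOPAUSE -dSAFER -P- -sDEVICE=ijs -sOutputFile=- -',
    '*FoomaticRIPCommandLine: "gs -q -dBATCH -dNOPAUSE -sDEVICE=pxlmono -sOutputFile=- -"',
    'pstops 1 user title 1 options',
]

# "gs" as a command word (line start, after whitespace, a quote, a shell
# separator or a path slash), followed by its whitespace-separated arguments.
GS_CALL = re.compile(r'(?:^|[\s"\'|;&/])gs((?:\s+[^\s|;&"\']+)+)')
HARDENING_FLAGS = ("-dSAFER", "-P-")


def audit_gs_line(line):
    """Return one list of missing hardening flags per gs call found in line."""
    findings = []
    for match in GS_CALL.finditer(line):
        args = match.group(1).split()
        missing = [flag for flag in HARDENING_FLAGS if flag not in args]
        if missing:
            findings.append(missing)
    return findings


def writable_by_others(directory):
    """True if the mode bits let group or other users create files there.

    Simplification (assumption): ACLs and directory ownership are ignored.
    """
    mode = os.stat(directory).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def exposed(line, run_dir):
    """A gs call without -P- is a concern only if run_dir accepts foreign files."""
    lacks_p = any("-P-" in missing for missing in audit_gs_line(line))
    return lacks_p and writable_by_others(run_dir)


if __name__ == "__main__":
    run_dir = "/"  # the directory the reply says cupsd keeps for its filters
    for line in SAMPLE_LINES:
        print(audit_gs_line(line), exposed(line, run_dir), line)
```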