Bug#584002: marked as done (cups: Security bugs in ghostscript)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Tue, 1 Jun 2010 07:24:29 +0200
with message-id <20100601052429.GC2063@piware.de>
and subject line Re: [Pkg-cups-devel] Bug#584002: cups: Security bugs in ghostscript
has caused the Debian Bug report #584002,
regarding cups: Security bugs in ghostscript
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
584002: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584002
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: cups: Security bugs in ghostscript
• From: Paul Szabo <paul.szabo@sydney.edu.au>
• Date: Tue, 01 Jun 2010 11:05:43 +1000
• Message-id: <[🔎] 20100601010543.16910.5658.reportbug@bari.maths.usyd.edu.au>

Package: cups
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package depends on ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

--- End Message ---

--- Begin Message ---

• To: Paul Szabo <paul.szabo@sydney.edu.au>, 584002-done@bugs.debian.org
• Subject: Re: [Pkg-cups-devel] Bug#584002: cups: Security bugs in ghostscript
• From: Martin Pitt <mpitt@debian.org>
• Date: Tue, 1 Jun 2010 07:24:29 +0200
• Message-id: <20100601052429.GC2063@piware.de>
• In-reply-to: <[🔎] 20100601010543.16910.5658.reportbug@bari.maths.usyd.edu.au>
• References: <[🔎] 20100601010543.16910.5658.reportbug@bari.maths.usyd.edu.au>

Hello Paul,

Paul Szabo [2010-06-01 11:05 +1000]:
> Please note remote execute-any-code security bugs in ghostscript:
> 
>   http://bugs.debian.org/583183

Thanks for notifying us about this problem.

cups has one or two filters which call ghostscript. They do use
-dSAFER, but none of those use -P- (which, as you already determined,
is not documented at all in the manpage and --help output, and really
ought to be the default!) Also, out there in the world exist millions
of PPD files (i. e. printer drivers/filters) can specify arbitrary
ghostscript command lines, and we can't possibly fix them all.

However, the cups daemon chdirs to / at startup, and keeps this
directory when it runs filters. I believe this to be safe, users or
malicious programs really should not be able to write crafted .ps
files into / (if they are, you have a worse problem).

> This package depends on ghostscript, and may be affected. Please
> evaluate the security of this package, and fix if needed.

I believe no action is necessary for cups due to the safe environment
the filters get run in. Therefore I close this bug.

Thanks for your investigations!

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

Attachment: signature.asc
Description: Digital signature

--- End Message ---