Bug#584015: ijsgutenprint: Security bugs in ghostscript
reassign 584015 foomatic-db-gutenprint
thanks
On 01/06/10 23:31, paul.szabo@sydney.edu.au wrote:
Dear Roger,
ijsgutenprint is a ghostscript IJS server driver. It's invoked
/by/ ghostscript, so is not itself responsible for running
ghostscript. One potential source of vulnerabilities is
actually in glue scripts such as Foomatic, so I think this probably
should be reassigned to foomatic-db-gutenprint. Note that
most/all of Foomatic and ancillary data packages such
as foomatic-db-gutenprint are packages you should probably
look at.
Speaking to the printconf maintainer in
http://bugs.debian.org/584026
he said that only foomatic-filters is affected. Maybe he knows, he is
also the foomatic maintainer...
In the case of foomatic-db-gutenprint (which is from the same source as
ijsgutenprint; it contains the XML data for foomatic to tell it how to
use ijsgutenprint), I checked and it contains parts of the gs
command-line in its XML definitions:
% rgrep -- SAFER .
./ChangeLog: Security fix: s/-dSAFER/-dPARANOIDSAFER/ for the
GhostScript command lines.
./src/foomatic/foomatic-templates-ijs/gutenprint.xml: <prototype>gs -q
-dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=ijs
-sIjsServer=ijsgutenprint.@@STPREL@@ -dIjsUseOutputFD%A
-sIjsParams="@@REMAP@@STP_VERSION=@@STPVER@@,%B"%Z
-sOutputFile=- -</prototype>
./src/foomatic/foomatic-db/gutenprint-ijs-simplified.5.2/driver/gutenprint-ijs-simplified.5.2.xml:
<prototype>gs -q -dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=ijs
-sIjsServer=ijsgutenprint.5.2 -dIjsUseOutputFD%A
-sIjsParams="STP_VERSION=5.2.3.99.1,%B"%Z -sOutputFile=-
-</prototype>
./src/foomatic/foomatic-db/gutenprint-ijs.5.2/driver/gutenprint-ijs.5.2.xml:
<prototype>gs -q -dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=ijs
-sIjsServer=ijsgutenprint.5.2 -dIjsUseOutputFD%A
-sIjsParams="STP_VERSION=5.2.3.99.1,%B"%Z -sOutputFile=-
-</prototype>
So any package /providing/ data to foomatic may well be equally vulnerable.
Have you considered a whole-archive search for e.g. -dSAFER in
the lintian lab? ...
Sorry, do not know how to do that search. Can you explain?
One of the Debian machines has the complete unpacked source trees for
every package in Debian on it, used for running Lintian. You could
simply run grep over the entire lot to identify all uses of -dSAFER in
the tree with or without -P-.
If you're not a Debian developer, you won't have access, but you could
ask someone to run it for you and send you the results. I don't have
time to do this myself for you right now, but I'm sure you could ask
someone on -devel; if you don't have any luck I can possibly try at the
weekend.
... If a program is using -dSAFER, it should also
be using -P- in all likelihood. It's probably better than
simply going off package dependencies.
Responses to the various bugs show that no-one was aware of -P-, many
still stubbornly say "I use -dSAFER thus am safe". I am not sure now if
there was anyone without -dSAFER.
I certainly was unaware. While some stubbornness is always going to
occur, it's mainly just because this is a brand new issue which people
will take more seriously once they are better aware of it. Given that
it's a security issue, people should take notice.
Regards,
Roger
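
The tree-wide search suggested in the message above, sketched as an added example (not part of the original mail and not Debian or lintian tooling): it walks an unpacked source tree, finds gs command lines that use -dSAFER or -dPARANOIDSAFER, and reports whether each one also passes -P-. The sample tree, its file names and the literal gs/ghostscript match are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Heuristic patterns (assumption: the command names gs or ghostscript literally).
SAFER = re.compile(r"(?<![\w-])-d(?:PARANOID)?SAFER\b")
NO_CWD = re.compile(r"(?<![\w-])-P-(?![\w-])")
GS = re.compile(r"(?<![\w.-])(?:gs|ghostscript)(?![\w-])")
PROTOTYPE = re.compile(r"<prototype>.*?</prototype>", re.S)

def logical_lines(text):
    """Join multi-line <prototype> elements and backslash continuations."""
    text = PROTOTYPE.sub(lambda m: " ".join(m.group().split()), text)
    return re.sub(r"\\\n\s*", " ", text).splitlines()

def scan_tree(root):
    """Return sorted (relative path, has -P-, command) per gs line using -dSAFER."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for line in logical_lines(text):
                if SAFER.search(line) and GS.search(line):
                    rel = os.path.relpath(path, root)
                    found.append((rel, bool(NO_CWD.search(line)), line.strip()))
    return sorted(found)

# Constructed sample tree, not taken from any real package.
SAMPLE = {
    "driver/example.xml": "<driver>\n <prototype>gs -q -dPARANOIDSAFER -dNOPAUSE\n"
                          " -dBATCH -sDEVICE=ijs -sOutputFile=- -</prototype>\n</driver>\n",
    "bin/convert.sh": "#!/bin/sh\ngs -q -P- -dSAFER \\\n"
                      "   -sDEVICE=pdfwrite -sOutputFile=out.pdf in.ps\n",
    "ChangeLog": "Security fix: s/-dSAFER/-dPARANOIDSAFER/ for the command lines.\n",
}

def demo():
    # Write the sample tree to a temporary directory and scan it.
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, has_p, cmd in demo():
        print("ok     " if has_p else "MISSING", path, "::", cmd)
```

The ChangeLog entry mentions -dSAFER but is not a gs command line, so it is not reported; a wrapper that reaches gs through a variable would be missed by this literal match.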