
Bug#584015: ijsgutenprint: Security bugs in ghostscript



reassign 584015 foomatic-db-gutenprint
thanks

On 01/06/10 23:31, paul.szabo@sydney.edu.au wrote:
> Dear Roger,
>
>> ijsgutenprint is a ghostscript IJS server driver.  It's invoked
>> /by/ ghostscript, so is not itself responsible for running
>> ghostscript.  One potential source of vulnerabilities is
>> actually in glue scripts such as Foomatic, so I think probably
>> should be reassigned to foomatic-db-gutenprint.  Note that
>> most/all of Foomatic and ancillary data packages such
>> as foomatic-db-gutenprint are packages you should probably
>> look at.
>
> Speaking to the printconf maintainer in
> http://bugs.debian.org/584026
> he said that foomatic-filters is only affected. Maybe he knows, he is
> also the foomatic maintainer...

In the case of foomatic-db-gutenprint (which is from the same source as ijsgutenprint; it contains the XML data for foomatic to tell it how to use ijsgutenprint), I checked and it contains parts of the gs command-line in its XML definitions:

% rgrep -- SAFER .
./ChangeLog: Security fix: s/-dSAFER/-dPARANOIDSAFER/ for the GhostScript command lines.
./src/foomatic/foomatic-templates-ijs/gutenprint.xml: <prototype>gs -q -dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=ijs -sIjsServer=ijsgutenprint.@@STPREL@@ -dIjsUseOutputFD%A -sIjsParams=&quot;@@REMAP@@STP_VERSION=@@STPVER@@,%B&quot;%Z -sOutputFile=- -</prototype>
./src/foomatic/foomatic-db/gutenprint-ijs-simplified.5.2/driver/gutenprint-ijs-simplified.5.2.xml: <prototype>gs -q -dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=ijs -sIjsServer=ijsgutenprint.5.2 -dIjsUseOutputFD%A -sIjsParams=&quot;STP_VERSION=5.2.3.99.1,%B&quot;%Z -sOutputFile=- -</prototype>
./src/foomatic/foomatic-db/gutenprint-ijs.5.2/driver/gutenprint-ijs.5.2.xml: <prototype>gs -q -dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=ijs -sIjsServer=ijsgutenprint.5.2 -dIjsUseOutputFD%A -sIjsParams=&quot;STP_VERSION=5.2.3.99.1,%B&quot;%Z -sOutputFile=- -</prototype>

So any package /providing/ data to foomatic may well be equally vulnerable.

>> Have you considered a whole-archive search for e.g. -dSAFER in
>> the lintian lab? ...
>
> Sorry, do not know how to do that search. Can you explain?

One of the Debian machines has the complete unpacked source trees for every package in Debian on it, used for running Lintian. You could simply run grep over the entire lot to identify all uses of -dSAFER in the tree with or without -P-.

If you're not a Debian developer, you won't have access, but you could ask someone to run it for you and send you the results. I don't have time to do this myself for you right now, but I'm sure you could ask someone on -devel; if you don't have any luck I can possibly try at the weekend.

>> ... If a program is using -dSAFER, it should also
>> be using -P- in all likelihood.  It's probably better than
>> simply going off package dependencies.
>
> Responses to the various bugs show that no-one was aware of -P-, many
> still stubbornly say "I use -dSAFER thus am safe". I am not sure now if
> there was anyone without -dSAFER.

I certainly was unaware. While some stubbornness is always going to occur, it's mainly just because this is a brand new issue which people will take more seriously once they are better aware of it. Given that it's a security issue, people should take notice.


Regards,
Roger
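
The whole-tree grep described in the message, as an added example that is not part of the original e-mail: a POSIX shell function that lists lines passing -dSAFER or -dPARANOIDSAFER with no -P- option on the same line. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Lists lines that pass -dSAFER or
# -dPARANOIDSAFER to Ghostscript but carry no -P- option on the same line.

# scan_tree DIR: print "file:line:text" for every such line under DIR.
scan_tree() {
    # -r recurse, -I skip binary files, -n show line numbers.
    # The second grep drops lines where -P- appears as its own option
    # (bounded by whitespace, quotes or line end), not inside another word.
    grep -rIn -E -e '-d(PARANOID)?SAFER' -- "$1" 2>/dev/null |
        grep -v -E -e '(^|[^[:alnum:]_-])-P-([^[:alnum:]_-]|$)' || true
}

# make_sample DIR: build a small constructed tree to scan.
make_sample() {
    mkdir -p "$1/pkg-a" "$1/pkg-b" "$1/pkg-c"
    # Flagged: PARANOIDSAFER but no -P- (same shape as the quoted prototypes).
    cat > "$1/pkg-a/driver.xml" <<'EOF'
<prototype>gs -q -dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=ijs -sOutputFile=- -</prototype>
EOF
    # Not flagged: -P- is present next to -dSAFER.
    cat > "$1/pkg-b/convert.sh" <<'EOF'
gs -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=out.pdf in.ps
EOF
    # Flagged: "-P-" only appears inside a longer token, so it does not count.
    cat > "$1/pkg-c/Makefile" <<'EOF'
	gs -dSAFER -dBATCH -sOutputFile=x-P-y.png in.ps
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
scan_tree "$tmp"
rm -rf "$tmp"
```

The match is line-based, so command lines split across several lines and plain mentions such as the ChangeLog entry above also show up and need a manual look.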


