
Re: Bug#262402: Severity of bug #259993



On Sat, 31 Jul 2004, Matt Zimmerman wrote:

> > > > [Florian]
> > > > l.s 69, 409 and 416:
> > > > 	gs invoked this way allows any file operations
> > [Upstream]
> > True, but call is managed by the cups-pdf binary. I.e. as long as no bug
> > allows insertion of malicious code into the system call, gs will do
> > exactly as intended.
> 
> The problem is that the _input_ to gs is being trusted here, and that (as I
> understand it) is under the control of the user who submitted the print job.
> That is, an attacker could submit a print job containing PostScript commands
> which, when interpreted by gs, would open files, etc. with the privileges of
> cups-pdf (apparently, root).

My question here, since Volker's time is currently limited because of his work
on his thesis, is: will using -dSAFER fix this particular problem, as previously
suggested, yes or no? If yes, then I could fix that part on my own and include
the file permission fix from 1.4.1 as well.

> At least the gs issue seems like a genuine concern and justifies Severity:
> grave, so I have changed the severity of that bug.  cups-pdf should not be
> released with sarge unless that bug is fixed.

Agreed.

-- 
Martin-Éric Racine, ICT Consultant
http://www.iki.fi/q-funk/
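
One way to invoke gs along the lines discussed in this message, as an added example that is not cups-pdf's own code: it passes -dSAFER, builds an argv array instead of a shell command string, and runs gs as the job owner rather than root. The function names, GS_PATH and the gs options other than -dSAFER are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE 1          /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define GS_PATH "/usr/bin/gs"      /* assumed install location */
#define GS_ARGC 8

/* Fill argv (GS_ARGC + 1 slots) for a PostScript-to-PDF run with -dSAFER.
 * Returns GS_ARGC, or -1 if a path is not absolute (it could be parsed as
 * an option), the output name contains '%' (special to gs), or the output
 * option does not fit in outopt. */
int build_gs_argv(const char *in, const char *out,
                  char *outopt, size_t outopt_len, const char **argv)
{
    if (!in || !out || in[0] != '/' || out[0] != '/' || strchr(out, '%'))
        return -1;
    int n = snprintf(outopt, outopt_len, "-sOutputFile=%s", out);
    if (n < 0 || (size_t)n >= outopt_len)
        return -1;
    const char *fixed[GS_ARGC + 1] = { "gs", "-dSAFER", "-dBATCH", "-dNOPAUSE",
                                       "-q", "-sDEVICE=pdfwrite", outopt, in, NULL };
    memcpy(argv, fixed, sizeof fixed);
    return GS_ARGC;
}

/* Run gs as the job owner rather than root: fork, drop supplementary
 * groups, gid and uid (in that order), then exec with an argv array so no
 * shell ever parses job-derived strings. Returns gs's exit status or -1. */
int run_gs_as(uid_t uid, gid_t gid, const char **argv)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
            _exit(126);            /* never exec gs with root still held */
        execv(GS_PATH, (char *const *)argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

-dSAFER restricts the interpreter's file operators; the privilege drop bounds what a job can reach if that restriction is ever incomplete.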


