Re: Bug#262402: Severity of bug #259993
On Sat, 31 Jul 2004, Matt Zimmerman wrote:
> > > > [Florian]
> > > > l.s 69, 409 and 416:
> > > > gs invoked this way allows any file operations
> > [Upstream]
> > True, but call is managed by the cups-pdf binary. I.e. as long as no bug
> > allows insertion of malicious code into the system call, gs will do
> > exactly as intended.
>
> The problem is that the _input_ to gs is being trusted here, and that (as I
> understand it) is under the control of the user who submitted the print job.
> That is, an attacker could submit a print job containing PostScript commands
> which, when interpreted by gs, would open files, etc. with the privileges of
> cups-pdf (apparently, root).
My question here, since Volker's time is currently limited because of his work
on his thesis, is: will using -dSAFER fix this particular problem, as previously
suggested, yes or no? If yes, then I could fix that part on my own and include
the file permission fix from 1.4.1 as well.
> At least the gs issue seems like a genuine concern and justifies Severity:
> grave, so I have changed the severity of that bug. cups-pdf should not be
> released with sarge unless that bug is fixed.
Agreed.
--
Martin-Éric Racine, ICT Consultant
http://www.iki.fi/q-funk/