
Re: Severity of bug #259993



severity 262402 grave
thanks

On Sun, Aug 01, 2004 at 05:07:52AM +0200, Florian Zumbiehl wrote:

> I recently (well, two weeks ago, that is) reported a number of security
> problems in cups-pdf, originally filed under #259993. Please read the BTS
> entry for details on the development up to the current situation: The
> maintainer of cups-pdf, Martin-Éric Racine, has degraded all the bugs to
> important, thus making them non-release-critical.

Certainly, a genuine security vulnerability should be release-critical.  We
must not release software with known security vulnerabilities.

It sounds like the upstream author may have misunderstood your report, which
led to further misunderstanding on the part of the Debian maintainer.

For example:

> > > [Florian]
> > > l.s 69, 409 and 416:
> > > 	gs invoked this way allows any file operations
> [Upstream]
> True, but call is managed by the cups-pdf binary. I.e. as long as no bug
> allows insertion of malicious code into the system call, gs will do
> exactly as intended.

The problem is that the _input_ to gs is being trusted here, and that (as I
understand it) is under the control of the user who submitted the print job.
That is, an attacker could submit a print job containing PostScript commands
which, when interpreted by gs, would open files, etc. with the privileges of
cups-pdf (apparently, root).

Also, there seems to be some confusion about the symlink attack (#259933),
specifically where the output is actually written.  I don't know anything
about cups-pdf, so I don't know who is correct here.

At least the gs issue seems like a genuine concern and justifies Severity:
grave, so I have changed the severity of that bug.  cups-pdf should not be
released with sarge unless that bug is fixed.

> [Upstream]
> Of course, CPGS should point to the full path of gs to avoid an attack by
> another program 'gs' in another path.

This is a common security myth; this does not improve security and causes
other, real problems.

-- 
 - mdz


