LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

pstotext: remote execution of arbitrary code

Package(s):pstotext netpbm CVE #(s):CAN-2005-2471
Created:August 1, 2005 Updated:March 28, 2006
Description: Max Vozeler reported that pstotext calls the GhostScript interpreter on untrusted PostScript files without specifying the -dSAFER option. An attacker could craft a malicious PostScript file and entice a user to run pstotext on it, resulting in the execution of arbitrary commands with the permissions of the user running pstotext. See this Secunia advisory for more information.
Alerts:
Debian DSA-1021-1 2006-03-28
Debian DSA-792-1 2005-08-31
Red Hat RHSA-2005:743-01 2005-08-22
Fedora FEDORA-2005-728 2005-08-17
Fedora FEDORA-2005-727 2005-08-17
Ubuntu USN-164-1 2005-08-11
Mandriva MDKSA-2005:133 2005-08-09
Gentoo 200508-04 2005-08-05
Gentoo 200507-29 2005-07-31
(Log in to post comments)

pstotext: remote execution of arbitrary code

Posted Mar 30, 2006 10:11 UTC (Thu) by nix (subscriber, #2304) [Link]

If that's a remote execution vulnerability, then so is *anything*.

I'd rather that 'remote execution' be reserved for cases where the vulnerable application is directly involved in reception of messages from remote sources. It's widely-known that once you've got in via some other attack vector (e.g. the social-engineering attack mentioned here), then local vulnerabilities become significant, but that doesn't make all local vulnerabilities remote ones as well.

pstotext: remote execution of arbitrary code

Posted Mar 30, 2006 13:58 UTC (Thu) by mv (subscriber, #17258) [Link]

I can't say for other distributions, but in the case of Debian and pstotext this vulnerability can actually be exploited from remote with only little user input. pstotext is listed in mailcap and gets invoked by various programs when the user chooses to display the postscript. Like, I send you an email with a .ps attached, you read the mail in mutt and press 'v' + enter to display the postscript. If $DISPLAY is not set or there are no other viewers installed, pstotext will be invoked and happily execute an embedded shellscript, do file IO, etc.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=319758

Not that I disagree with your point, though.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds