Re: Bug#584013: hyperlatex: Security bugs in ghostscript

9 messages

Re: Bug#584013: hyperlatex: Security bugs in ghostscript

stigge-2
Hi,

On 06/01/2010 03:10 AM, Paul Szabo wrote:
> This package depends on ghostscript, and may be affected. Please
> evaluate the security of this package, and fix if needed.

There are several issues with this bug:

(1) If ghostscript has a bug, maybe it should be fixed there instead of
in all gs dependent packages?

(2) Mass bug filing (esp. RC/security) is generally not a great idea,
especially if

(3) You haven't checked the individual packages ("This package depends
on ghostscript, and may be affected").

(4) Please state clearly what's wrong with the package (hyperlatex in
this case). From the other bug reports I deduce that gs calls should be
extended with "-P- -dSAFER". This should be done in the hyperlatex
source package in bin/ps2image, for the record.

bye,
  Roland


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]
Archive: http://lists.debian.org/4C04C54E.8090804@...
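Roland's point (4) is really an audit task: find every place a package calls gs directly and make sure `-P-` and `-dSAFER` sit before any input file or `-c` fragment (Ghostscript applies switches in order, so flags placed after a file name do not protect that file). The script below is an added example written for this thread; it is not hyperlatex's bin/ps2image nor any other package's code, and the sample shell script it scans is constructed. The shell parsing is a heuristic (shlex plus a split on `|`, `;`, `&&`, `||`), so calls made through a variable such as `"$GS"` or through wrappers like ps2pdf are not seen.

```python
"""Audit shell scripts for direct Ghostscript calls that lack -P- / -dSAFER,
and harden a gs argv by inserting the missing flags.

Added example for this thread; the sample script below is constructed and is
not hyperlatex's bin/ps2image. The shell parsing is a heuristic (shlex plus a
split on |, ;, && and ||); calls made through variables such as "$GS" or via
wrappers like ps2pdf are not detected.
"""
import shlex

REQUIRED_FLAGS = ("-P-", "-dSAFER")
GS_NAMES = {"gs", "ghostscript"}
SEPARATORS = {"|", "||", "&&", ";", "&"}


def is_gs_command(word):
    """True if the word names the gs binary, with or without a directory."""
    return word.rsplit("/", 1)[-1] in GS_NAMES


def harden_gs_argv(argv):
    """Return a copy of argv with -P- and -dSAFER inserted right after the
    program name. Ghostscript applies switches in order, so the flags must
    precede any input file or -c fragment; putting them first is always safe.
    Flags already present are not duplicated."""
    if not argv or not is_gs_command(argv[0]):
        raise ValueError("not a ghostscript invocation: %r" % (argv,))
    missing = [flag for flag in REQUIRED_FLAGS if flag not in argv[1:]]
    return [argv[0], *missing, *argv[1:]]


def logical_lines(text):
    """Yield (first_line_number, joined_text), folding backslash continuations."""
    buf, start = [], None
    for number, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def simple_commands(words):
    """Split a token list into simple commands at pipe/list separators."""
    cmd = []
    for word in words:
        if word in SEPARATORS:
            if cmd:
                yield cmd
            cmd = []
        else:
            cmd.append(word)
    if cmd:
        yield cmd


def find_unsafe_gs_calls(script_text):
    """Return [(line_number, [missing flags])] for each gs call lacking a flag."""
    findings = []
    for number, line in logical_lines(script_text):
        try:
            words = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes; skip the line rather than guess
            continue
        for cmd in simple_commands(words):
            if cmd and is_gs_command(cmd[0]):
                missing = [f for f in REQUIRED_FLAGS if f not in cmd[1:]]
                if missing:
                    findings.append((number, missing))
    return findings


# Constructed sample script: line 4 lacks both flags, line 5 is fine,
# the continued command starting on line 6 lacks -P-.
SAMPLE_SCRIPT = r"""#!/bin/sh
# constructed ps2image-style helper (not the real one)
in="$1"; out="$2"
gs -q -dNOPAUSE -dBATCH -sDEVICE=ppmraw -r72 -sOutputFile="$out" "$in"
cat "$in" | /usr/bin/gs -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=bbox -
gs -q -dSAFER \
   -dNOPAUSE -dBATCH -sDEVICE=pnggray -sOutputFile="$out" "$in"
"""

if __name__ == "__main__":
    for number, missing in find_unsafe_gs_calls(SAMPLE_SCRIPT):
        print("line %d: gs call lacks %s" % (number, " ".join(missing)))
    print(" ".join(harden_gs_argv(["gs", "-q", "-sDEVICE=ppmraw", "in.ps"])))
```

`-P-` stops Ghostscript from looking in the current directory first for library and initialisation files; `-dSAFER` restricts file operations (deletefile, renamefile, writing to arbitrary paths) from PostScript code. Run the audit over a package's `bin/` and any maintainer scripts before deciding whether a "depends on ghostscript" bug actually applies, which is the check Roland asks for in point (3).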


Re: Bug#584013: hyperlatex: Security bugs in ghostscript

Vincent Danjean-3
  Hi,

On 01/06/2010 10:31, Roland Stigge wrote:

> Hi,
>
> On 06/01/2010 03:10 AM, Paul Szabo wrote:
>> This package depends on ghostscript, and may be affected. Please
>> evaluate the security of this package, and fix if needed.
>
> There are several issues with this bug:
>
> (1) If ghostscript has a bug, maybe it should be fixed there instead of
> in all gs dependent packages?
>
> (2) Mass bug filing (esp. RC/security) is generally not a great idea,
> especially if
>
> (3) You haven't checked the individual packages ("This package depends
> on ghostscript, and may be affected").
>
> (4) Please state clearly what's wrong with the package (hyperlatex in
> this case). From the other bug reports I deduce that gs calls should be
> extended with "-P- -dSAFER". This should be done in the hyperlatex
> source package in bin/ps2image, for the record.

  I agree on all points of this mail (replace "hyperlatex" by
"latex-make" in my case).
  I'm closing the bug for latex-make unless you come back with facts (or
the discussion on d-d agrees that all packages using gs must be changed).
I'm latex-make upstream, too. And I think that I depend on gs-common due
to calls to ps2ps/ps2pdf/... latex-make does not call gs directly.

  Please take care when filing such an amount of bugs with such severity
just before a release.

  Regards,
    Vincent


Archive: http://lists.debian.org/4C04E097.4070701@...


Re: Bug#584013: hyperlatex: Security bugs in ghostscript

Paul Szabo
In reply to this post by stigge-2
Dear Roland,

> (1) If ghostscript has a bug, maybe it should be fixed there instead of
> in all gs dependent packages?

Yes, but gs says "cannot fix" and "please use -P-".

> (2) Mass bug filing (esp. RC/security) is generally not a great idea,
> especially if
> (3) You haven't checked the individual packages ("This package depends
> on ghostscript, and may be affected").

Sorry, I do my best but am only one.

> (4) Please state clearly what's wrong with the package (hyperlatex in
> this case). From the other bug reports I deduce that gs calls should be
> extended with "-P- -dSAFER". This should be done in the hyperlatex
> source package in bin/ps2image, for the record.

Yes, that probably should fix things. (Right now things are still unsafe
even with those options, but I expect gs to be able to fix the remaining
bugs.)

Thanks, Paul

Paul Szabo   [hidden email]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


Archive: http://lists.debian.org/201006011110.o51BA52t015858@...


Re: Bug#584013: hyperlatex: Security bugs in ghostscript

Paul Szabo
In reply to this post by Vincent Danjean-3
Dear Vincent,

> I agree on all points of [Roland Stigge] ...

Please read my reply to him.

> I'm closing the bug for latex-make unless you come back with facts (or
> that discussion on d-d agreeds that all package using gs must be changed).

Yes, all users of gs must use the two options -P- and -dSAFER.

> I'm latex-make upstream, too. And I think that I depend on gs-common due
> to calls to ps2ps/ps2pdf/... latex-make does not call gs directly.

In that case you are not (directly) vulnerable or responsible, and you
are right in closing the bug.

Thank you for investigating.

Cheers, Paul

Paul Szabo   [hidden email]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


Archive: http://lists.debian.org/201006011117.o51BHNbG016056@...


Re: Bug#584013: hyperlatex: Security bugs in ghostscript

Vincent Danjean-3
In reply to this post by Paul Szabo
On 01/06/2010 13:10, [hidden email] wrote:
>> (4) Please state clearly what's wrong with the package (hyperlatex in
>> this case). From the other bug reports I deduce that gs calls should be
>> extended with "-P- -dSAFER". This should be done in the hyperlatex
>> source package in bin/ps2image, for the record.
>
> Yes, that probably should fix things. (Right now things are still unsafe
> even with those options, but I expect gs to be able to fix the remaining
> bugs.)

Perhaps, gs should have these options enabled by default (and provide other
options to disable them if needed) instead of requiring to modify all
programs. It would secure home-made scripts, too.

  Regards,
    Vincent

--
Vincent Danjean       GPG key ID 0x9D025E87         [hidden email]
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo:  deb http://perso.debian.org/~vdanjean/debian unstable main


Archive: http://lists.debian.org/4C053638.8070603@...


Re: Bug#584013: hyperlatex: Security bugs in ghostscript

Romain Beauxis-2
In reply to this post by Paul Szabo
severity 584021 normal
thanks

On Tuesday 1 June 2010 06:17:23, [hidden email] wrote:
> > I agree on all points of [Roland Stigge] ...
>
> Please read my reply to him.

Well, I still fail to see why you need to file RC bugs everywhere. If your
rationale for filing bugs against all packages that depend on gs is that
upstream will not fix it, well at least you should have mentioned it in the
bug reports you filed.

I am not closing but downgrading for mediawiki, unless you prove that there is
a real security issue.


Romain


Archive: http://lists.debian.org/201006011212.23953.toots@...


Re: Bug#584013: hyperlatex: Security bugs in ghostscript

Brian M. Carlson
In reply to this post by Vincent Danjean-3
On Tue, Jun 01, 2010 at 06:32:56PM +0200, Vincent Danjean wrote:
> Perhaps, gs should have these options enabled by default (and provide other
> options to disable them if needed) instead of requiring to modify all
> programs. It would secure home-made scripts, too.

I agree.  I've found (and reported) a couple of cases where people
calling gs did not use -dSAFER and as a result opened up an attack by
malicious documents that could delete files.  In general, there's no
need to be able to manipulate files from within most PostScript
documents.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187


Re: Bug#584013: hyperlatex: Security bugs in ghostscript

Romain Beauxis-6
In reply to this post by Romain Beauxis-2
On Tuesday 1 June 2010 12:12:23, Romain Beauxis wrote:
> I am not closing but downgrading for mediawiki, unless you prove that there
> is  a real security issue.

Ok, I have looked at the source code. We use dvips to generate the postscript
file.

Does the issue happen for dvips?

Romain


Archive: http://lists.debian.org/201006011631.26961.romain.beauxis@...


Re: Bug#584013: hyperlatex: Security bugs in ghostscript

Frank Küster
Romain Beauxis <[hidden email]> wrote:

> On Tuesday 1 June 2010 12:12:23, Romain Beauxis wrote:
>> I am not closing but downgrading for mediawiki, unless you prove that there
>> is  a real security issue.
>
> Ok, I have looked at the source code. We use dvips to generate the postscript
> file.
>
> Does the issue happen for dvips?

dvips does not use gs - it creates input for gs.

Regards, Frank

--
Dr. Frank Küster
Debian Developer (TeXLive)
VCD Aschaffenburg-Miltenberg, ADFC Miltenberg
B90/Grüne KV Miltenberg


Archive: http://lists.debian.org/87631zdej2.fsf@...