Actu
Vigil@nce: Ghostscript, execution of PostScript code
May 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When Ghostscript is run from a writable directory, it can run
malicious PostScript code.
– Severity: 1/4
– Creation date: 27/05/2010
– Revision date: 28/05/2010
DESCRIPTION OF THE VULNERABILITY
The Ghostscript (gs) program manages PostScript or PDF documents.
A PostScript page can contain dangerous features, which can for
example be used to execute shell commands. The "-dSAFER" option of
Ghostscript disables these features.
When Ghostscript starts, it automatically loads several PostScript
files located in the current directory, or in the ./Encoding
subdirectory. This default behavior can be disabled by the "-P-"
option.
An attacker can thus for example create a malicious PostScript
file named /tmp/Encoding/attacker.ps, and invite the victim to
open a file from the /tmp directory, without the "-dSAFER" and
"-P-" options, in order to execute code with his privileges.
When Ghostscript is run from a writable directory, it can
therefore run malicious PostScript code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Ghostscript-execution-of-PostScript-code-9669
