We will try and keep these pages up to date
Copyright 1995 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included.
A large portion of the technical content of this advisory was provided by the DFN-CERT and NASIRC response teams, and is used with their permission.
There is a vulnerability in older versions of ghostscript (gs) that enables users to execute commands and thus modify files. This problem involves the -dSAFER option and is present in all versions of ghostscript from 2.6 through 3.22 beta.
We recommend that you apply the solution in Section III below to fix the -dSAFER PostScript code or install the latest version of ghostscript (version 3.33). In both cases, we urge you to make -dSAFER the default mode for all versions of ghostscript starting with version 2.6.
As we receive additional information relating to this advisory, we will place it in ftp://info.cert.org/pub/cert_advisories/CA-95:10.README We encourage you to check our README files regularly for updates on advisories that relate to your site.
The PostScript language, which was designed for the expression of graphical data, is widely used for transferring images and preformatted text across the Internet. The language includes primitives for file operations, which were intended to be useful in the expression of images. Unfortunately the operations can be abused by people intentionally embedding commands within an otherwise harmless image so that when displaying that image the PostScript viewer may perform malicious file creations or deletions.
This is a potentially serious problem because many images transferred on the World Wide Web are sent in PostScript. For example, a malicious person could install a booby-trapped image on a web-page, buried among useful or interesting data.
The viewer "ghostscript," a PostScript interpreter, recognizes the command-line option: "-dSAFER". This option is intended to disable the file operations and the %pipe PostScript operator that could be abused to do damage. This option is intended to protect you from this type of sabotage when viewing images from untrusted sources.
Problems exist with the ghostscript program, which supports the kind of commands discussed above.
Older versions of ghostscript do not completely disable the pipe operator that can be used execute commands that can modify files. Therefore the option -dSAFER does not provide full protection.
This problem is present in all versions of ghostscript between 2.6 (when the %pipe operator was added) and 3.22beta (when a fix was made).
Attackers who have inserted malicious code into a PostScript file can cause commands to be executed and files to be modified on any system where that PostScript file is viewed with ghostscript.
We recommend either fixing the -dSAFER PostScript code or installing version 3.33 of ghostscript (see Sections IV.A and IV.B). In addition, we urge you to enable the -dSAFER option as the default (see Section IV.C).
The following fix is in the form of "diff" output, which is suitable for use with the GNU patch program. This patch brings the code into conformance with the version of gs_init.ps distributed with the latest version of ghostscript (3.33) and can be applied to the GNU versions 2.6, 2.6.1, and 2.6.2. The file to be patched is in the ghostscript library. As an example, gs_init.ps could be installed in: /usr/local/lib/ghostscript/gs_init.ps Here is the patch:
*** gs_init.ps.orig Fri Aug 25 10:42:51 1995
--- gs_init.ps Fri Aug 25 11:16:24 1995
***************
*** 302,308 ****
% If we want a "safer" system, disable some obvious ways to cause havoc.
SAFER not { (%END SAFER) .skipeof } if
/file
! { dup (r) eq
{ file }
{ /invalidfileaccess signalerror }
ifelse
--- 302,308 ----
% If we want a "safer" system, disable some obvious ways to cause havoc.
SAFER not { (%END SAFER) .skipeof } if
/file
! { dup (r) eq 2 index (%pipe*) .stringmatch not and
{ file }
{ /invalidfileaccess signalerror }
ifelse
The key is to change the line that says:
{ dup (r) eq
to one that says:
{ dup (r) eq 2 index (%pipe*) .stringmatch not and
Here are the relevant lines in the gs_init.ps file for version 2.6.2 of ghostscript before the patch:
302 % If we want a "safer" system, disable some obvious ways to cause havoc.
303 SAFER not { (%END SAFER) .skipeof } if
304 /file
305 { dup (r) eq
306 { file }
307 { /invalidfileaccess signalerror }
308 ifelse
309 } bind odef
310 /renamefile { /invalidfileaccess signalerror } odef
311 /deletefile { /invalidfileaccess signalerror } odef
312 %END SAFER
Here are the same lines after the patch has been applied:
302 % If we want a "safer" system, disable some obvious ways to cause havoc.
303 SAFER not { (%END SAFER) .skipeof } if
304 /file
305 { dup (r) eq 2 index (%pipe*) .stringmatch not and
306 { file }
307 { /invalidfileaccess signalerror }
308 ifelse
309 } bind odef
310 /renamefile { /invalidfileaccess signalerror } odef
311 /deletefile { /invalidfileaccess signalerror } odef
312 %END SAFER
You may wish to install Aladdin Ghostscript version 3.33. The latest version of ghostscript is version 3.33 and is available at the locations noted below.
This version of ghostscript is provided by Aladdin Enterprises and is subject to their licensing agreements. Please read the "Aladdin Ghostscript Free Public License" (included in the source code distribution) which differs from the "GNU Public License."
Please note that this version is not the GNU version. The latest GNU version, which is version 2.6.2, does not fix this problem.
ftp://ftp.cs.wisc.edu/pub/ghost/aladdin/ghostscript-3.33.tar.gz
MD5=28b78ab052dff21639c4b97051323e49
ftp://ftp.cs.wisc.edu/pub/ghost/aladdin/ghostscript-3.33jpeg.tar.gz
MD5=b7dd9064dd57db8fccc306f5e4528d99
Optionally, you may need the font files for this release. They are
available at these locations:
ftp://ftp.cs.wisc.edu/pub/aladdin/ghostscript-fonts-std-3.0.tar.gz
MD5=fe7377bb155496828a328624ae80149d
ftp://ftp.cs.wisc.edu/pub/aladdin/ghostscript-fonts-other-3.0.tar.gz
MD5=afe46faf7fde6518ae004a7e8d9a4af4
To make -dSAFER the default mode for ghostscript for all versions of ghostscript starting with version 2.6, the file gs_init.ps must again be changed. The PostScript commands which check the actual interpreted command are collected in one single if statement in the gs_init.ps file. By commenting out the begin and end lines of this if statement, the check is always applied meaning that the -dSAFER option is always enabled.
NOTE: If you make this change, all file and %pipe operations are disabled and cannot be re-enabled.
The lines which must be changed are:
303 SAFER not { (%END SAFER) .skipeof } if
and
312 %END SAFER
These two lines should be commented out and made to look like this:
303 % SAFER not { (%END SAFER) .skipeof } if
and
312 % %END SAFER
If you are using ghostscript 2.6.2, the code will look like the following when both patches noted above are installed:
302 % If we want a "safer" system, disable some obvious ways to cause havoc.
303 % SAFER not { (%END SAFER) .skipeof } if
304 /file
305 { dup (r) eq 2 index (%pipe*) .stringmatch not and
306 { file }
307 { /invalidfileaccess signalerror }
308 ifelse
309 } bind odef
310 /renamefile { /invalidfileaccess signalerror } odef
311 /deletefile { /invalidfileaccess signalerror } odef
312 % %END SAFER
The CERT Coordination Center staff thanks the DFN-CERT and NASIRC response teams for providing a large portion of the technical content of this advisory, and we thank Wolfgang Ley for his assistance.
If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise that the e-mail be encrypted. The CERT Coordination Center can support a shared DES key, PGP (public key available via anonymous FTP on info.cert.org), or PEM (contact CERT staff for details). Internet e-mail: cert@cert.org Telephone: +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax: +1 412-268-6989 Postal address: CERT Coordination Center , Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890, USA. CERT advisories and bulletins are posted on the USENET news group comp.security.announce. If you would like to have future advisories and bulletins mailed to you or to a mail exploder at your site, please send mail to cert-advisory-request@cert.org. Past CERT publications, information about FIRST representatives, and other information related to computer security are available by anonymous FTP from info.cert.org.
Thanks for visiting DataSure's CERT Advisory Pages. As the pages are developed further we hope to provide more, so please bear with us during the ongoing development process.
For more information on DataSure Services's products and services, please send e-mail to mackinnn@datasure.com phone us at ( 604) 598-6831, 1-800-598-6831, or FAX your request to (604) 598-6841. If you have problems or comments concerning our WWW service, please send e-mail to the above address.
This page has been accessed times.
Victoria, B.C. local time is Friday, 18-May-2012 12:07:20 PDT
This page last modified Thursday, 15-Nov-2001 17:04:56 PST
This page, and all contents, are Copyright (C) 1996 by DataSure Services , Victoria, Canada.