-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Don Stikvoort                               Index  :    S-95-17
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          1
Subject       : ghostscript vulnerability                   Date   :  29-Sep-95
===============================================================================

By courtesy of CERT Coordination Center we received the following information 
about a ghostscript vulnerability.

If this applies to you, we advise you to upgrade your ghostscript version.

(Originally CA-95:10 of Aug 31 1995: shortened.)

===============================================================================

There is a vulnerability in older versions of ghostscript (gs) that enables
users to execute commands and thus modify files. This problem involves the
- - -dSAFER option and is present in all versions of ghostscript from 2.6 through
3.22 beta.

We recommend that you apply the solution in Section III below to fix the
- - -dSAFER PostScript code or install the latest version of ghostscript (version
3.33). In both cases, we urge you to make -dSAFER the default mode for
all versions of ghostscript starting with version 2.6.

- - -----------------------------------------------------------------------------

I.   Background    

     The PostScript language, which was designed for the expression of 
     graphical data, is widely used for transferring images and preformatted
     text across the Internet. The language includes primitives for file 
     operations, which were intended to be useful in the expression of images.
     Unfortunately the operations can be abused by people intentionally 
     embedding commands within an otherwise harmless image so that when 
     displaying that image the PostScript viewer may perform malicious
     file creations or deletions.
    
     This is a potentially serious problem because many images transferred
     on the World Wide Web are sent in PostScript. For example, a malicious
     person could install a booby-trapped image on a web-page, buried among
     useful or interesting data.
    
     The viewer "ghostscript," a PostScript interpreter, recognizes the
     command-line option: "-dSAFER". This option is intended to disable
     the file operations and the %pipe PostScript operator that could be 
     abused to do damage. This option is intended to protect you from this 
     type of sabotage when viewing images from untrusted sources.

II.  Problem Description

     Problems exist with the ghostscript program, which supports the kind
     of commands discussed above. 

     Older versions of ghostscript do not completely disable the pipe operator
     that can be used execute commands that can modify files. Therefore the
     option -dSAFER does not provide full protection.
     
     This problem is present in all versions of ghostscript between
     2.6 (when the %pipe operator was added) and 3.22beta (when a fix
     was made). 

III. Impact

     Attackers who have inserted malicious code into a PostScript file can 
     cause commands to be executed and files to be modified on any system 
     where that PostScript file is viewed with ghostscript.

IV. Solutions

     We recommend either fixing the -dSAFER PostScript code or installing
     version 3.33 of ghostscript (see Sections IV.A and IV.B). In addition, 
     we urge you to enable the -dSAFER option as the default (see Section
     IV.C). 

     A. Fixing the -dSAFER PostScript code

        The following fix is in the form of "diff" output, which is
        suitable for use with the GNU patch program.  This patch brings the
        code into conformance with the version of gs_init.ps distributed
        with the latest version of ghostscript (3.33) and can be
        applied to the GNU versions 2.6, 2.6.1, and 2.6.2.  The file
        to be patched is in the ghostscript library. As an example, 
        gs_init.ps could be installed in:

          /usr/local/lib/ghostscript/gs_init.ps
    
        Here is the patch:
- - --------------------------------cut here--------------------------------------

*** gs_init.ps.orig     Fri Aug 25 10:42:51 1995
- - --- gs_init.ps  Fri Aug 25 11:16:24 1995
***************
*** 302,308 ****
  % If we want a "safer" system, disable some obvious ways to cause havoc.
  SAFER not { (%END SAFER) .skipeof } if
  /file
!  { dup (r) eq
      { file }
      { /invalidfileaccess signalerror }
     ifelse
- - --- 302,308 ----
  % If we want a "safer" system, disable some obvious ways to cause havoc.
  SAFER not { (%END SAFER) .skipeof } if
  /file
! { dup (r) eq 2 index (%pipe*) .stringmatch not and
      { file }
      { /invalidfileaccess signalerror }
     ifelse
- - --------------------------------cut here--------------------------------------

        The key is to change the line that says:

          { dup (r) eq

        to one that says:

          { dup (r) eq 2 index (%pipe*) .stringmatch not and

        Here are the relevant lines in the gs_init.ps file for version 2.6.2
        of ghostscript before the patch:

302  % If we want a "safer" system, disable some obvious ways to cause havoc. 
303  SAFER not { (%END SAFER) .skipeof } if
304  /file
305   { dup (r) eq
306      { file }
307      { /invalidfileaccess signalerror }
308     ifelse
309   } bind odef
310  /renamefile { /invalidfileaccess signalerror } odef
311  /deletefile { /invalidfileaccess signalerror } odef
312  %END SAFER

        Here are the same lines after the patch has been applied:

302  % If we want a "safer" system, disable some obvious ways to cause havoc.
303  SAFER not { (%END SAFER) .skipeof } if
304  /file
305  { dup (r) eq 2 index (%pipe*) .stringmatch not and
306      { file }
307      { /invalidfileaccess signalerror }
308     ifelse
309   } bind odef
310  /renamefile { /invalidfileaccess signalerror } odef
311  /deletefile { /invalidfileaccess signalerror } odef
312  %END SAFER


     B. Installing version 3.33
  
        You may wish to install Aladdin Ghostscript version 3.33.
        The latest version of ghostscript is version 3.33 and
        is available at the locations noted below.  

        This version of ghostscript is provided by Aladdin Enterprises and 
        is subject to their licensing agreements.  Please read the "Aladdin
        Ghostscript Free Public License" (included in the source code
        distribution) which differs from the "GNU Public License."

        Please note that this version is not the GNU version.  The latest GNU
        version, which is version 2.6.2, does not fix this problem.
             
          ftp://ftp.cs.wisc.edu/pub/ghost/aladdin/ghostscript-3.33.tar.gz
                MD5=28b78ab052dff21639c4b97051323e49

          ftp://ftp.cs.wisc.edu/pub/ghost/aladdin/ghostscript-3.33jpeg.tar.gz
                MD5=b7dd9064dd57db8fccc306f5e4528d99

        Optionally, you may need the font files for this release.  They are
        available at these locations:
     
         ftp://ftp.cs.wisc.edu/pub/aladdin/ghostscript-fonts-std-3.0.tar.gz
                MD5=fe7377bb155496828a328624ae80149d

         ftp://ftp.cs.wisc.edu/pub/aladdin/ghostscript-fonts-other-3.0.tar.gz
                MD5=afe46faf7fde6518ae004a7e8d9a4af4

     C. Making -dSAFER the default
     
        To make -dSAFER the default mode for ghostscript for all versions
        of ghostscript starting with version 2.6, the file gs_init.ps must
        again be changed.  The PostScript commands which check the actual
        interpreted command are collected in one single if statement in the
        gs_init.ps file. By commenting out the begin and end lines of this
        if statement, the check is always applied meaning that the -dSAFER
        option is always enabled.

        NOTE: If you make this change, all file and %pipe operations are
        disabled and cannot be re-enabled.

        The lines which must be changed are:

              303  SAFER not { (%END SAFER) .skipeof } if
        and
              312  %END SAFER

        These two lines should be commented out and made to look like this:

              303  % SAFER not { (%END SAFER) .skipeof } if
        and
              312  % %END SAFER

        If you are using ghostscript 2.6.2, the code will look like the
        following when both patches noted above are installed:

302  % If we want a "safer" system, disable some obvious ways to cause havoc.
303  % SAFER not { (%END SAFER) .skipeof } if
304  /file
305  { dup (r) eq 2 index (%pipe*) .stringmatch not and
306      { file }
307      { /invalidfileaccess signalerror }
308     ifelse
309   } bind odef
310  /renamefile { /invalidfileaccess signalerror } odef
311  /deletefile { /invalidfileaccess signalerror } odef
312  % %END SAFER

- - ---------------------------------------------------------------------------
The CERT Coordination Center staff thanks the DFN-CERT and NASIRC response
teams for providing a large portion of the technical content of this advisory,
and we thank Wolfgang Ley for his assistance.
- - ---------------------------------------------------------------------------
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IFzSYjBqwfc9jEQL6hgCeNzfsXnCStrjvDUImTaRttVlPrxUAn3an
IDJ8t5O+/JVhVTIdHV711aBF
=iaLU
-----END PGP SIGNATURE-----