Security fix: several shell scripts included in the Ghostscript package

allow local users to overwrite files via a symlink attack on temporary files. Security: CAN-2004-0967
svn path=/head/; revision=149682
2025-06-01 19:06:28 -04:00 · 2005-11-27 17:57:19 +00:00 · 2005-11-27 17:57:19 +00:00 · ceed13510d · 2021-03-31 03:12:20 +00:00
commit ceed13510d
parent 0018c9fcdc
14 changed files with 265 additions and 3 deletions
--- a/print/ghostscript-afpl/Makefile.inc
+++ b/print/ghostscript-afpl/Makefile.inc
@ -1,5 +1,5 @@
 # $FreeBSD$

 GS_VERSION=	8.53
-GS_REVISION=	0
+GS_REVISION=	1
 GS_EPOCH=	1
--- a/print/ghostscript-afpl/files/patch-lib:ps2epsi.CAN-2004-0967
+++ b/print/ghostscript-afpl/files/patch-lib:ps2epsi.CAN-2004-0967
@ -0,0 +1,12 @@
+--- lib/ps2epsi.orig	Mon Nov 28 02:17:38 2005
+++ lib/ps2epsi	Mon Nov 28 02:17:45 2005
+@@ -1,7 +1,8 @@
+ #!/bin/sh
+ # $Id: ps2epsi,v 1.7.2.1 2002/04/22 20:18:24 giles Exp $
+ 
+-tmpfile=/tmp/ps2epsi$$
+tmpfile=`mktemp -t ps2epsi.XXXXXX || exit 1`
+trap "rm -rf $tmpfile" 0 1 2 3 7 13 15
+ 
+ export outfile
+ 
--- a/print/ghostscript-afpl/files/patch-lib:pv.sh.CAN-2004-0967
+++ b/print/ghostscript-afpl/files/patch-lib:pv.sh.CAN-2004-0967
@ -0,0 +1,16 @@
+--- lib/pv.sh.orig	Mon Nov 28 02:18:26 2005
+++ lib/pv.sh	Mon Nov 28 02:18:59 2005
+@@ -29,9 +29,10 @@
+ PAGE=$1
+ shift
+ FILE=$1
+TEMPFILE=`mktemp -t ${FILE}XXXXXX` || exit 1
+ shift
+-trap "rm -rf $TEMPDIR/$FILE.$$.pv" 0 1 2 15
+trap "rm -rf $TEMPFILE" 0 1 2 15
+ #dvips -D$RESOLUTION -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
+-dvips -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
+-gs $FILE.$$.pv
+dvips -p $PAGE -n 1 $FILE $* -o $TEMPFILE
+gs $TEMPFILE
+ exit 0
--- a/print/ghostscript-gnu/Makefile.inc
+++ b/print/ghostscript-gnu/Makefile.inc
@ -1,5 +1,5 @@
 # $FreeBSD$

 GS_VERSION=	7.07
-GS_REVISION=	13
+GS_REVISION=	14
 GS_EPOCH=	0
--- a/print/ghostscript-gnu/files/patch-lib:pj-gs.sh.CAN-2004-0967
+++ b/print/ghostscript-gnu/files/patch-lib:pj-gs.sh.CAN-2004-0967
@ -0,0 +1,40 @@
+--- lib/pj-gs.sh.orig	Thu Mar  9 17:40:40 2000
+++ lib/pj-gs.sh	Mon Nov 28 02:22:20 2005
+@@ -241,6 +241,7 @@
+ 			then
+ 				/usr/lib/lprcat $Nofilter $Nolabel $file PCL1 $user $dev
+ 			else
+				TEMPFILE=`mktemp -t pjXXXXXX` || exit 1
+ 				type=`file $file | sed 's/^[^:]*..//'`
+ 				case "$type" in
+ 				postscript*)
+@@ -251,22 +252,22 @@
+ #
+ #					gs -q -sDEVICE=paintjet -r180 -sOutputFile=- -dDISKFONTS -dNOPAUSE - < $file 2>/tmp/sh$$
+ 
+-					gs -q -sDEVICE=paintjet -r180 -sOutputFile=/tmp/pj$$ -dDISKFONTS -dNOPAUSE - < $file 1>2
+-					cat /tmp/pj$$
+-					rm /tmp/pj$$
+					gs -q -sDEVICE=paintjet -r180 -sOutputFile=$TEMPFILE -dDISKFONTS -dNOPAUSE - < $file 1>2
+					cat $TEMPFILE
+					rm $TEMPFILE
+ 					needff=
+ 					;;
+-				*)	cat "$file" 2>/tmp/sh$$
+				*)	cat "$file" 2>$TEMPFILE
+ 					needff=1
+ 					;;
+ 				esac
+ 
+-				if [ -s /tmp/sh$$ ]
+				if [ -s $TEMPFILE ]
+ 				then
+ #				    cat /tmp/sh$$	# output any errors
+-				    cat /tmp/sh$$ 1>2	# output any errors
+				    cat $TEMPFILE 1>2	# output any errors
+ 				fi
+-				rm -f /tmp/sh$$
+				rm -f $TEMPFILE
+ 				if [ $needff ]; then echo "\014\r\c"; fi
+ 			fi
+ 
--- a/print/ghostscript-gnu/files/patch-lib:ps2epsi.CAN-2004-0967
+++ b/print/ghostscript-gnu/files/patch-lib:ps2epsi.CAN-2004-0967
@ -0,0 +1,12 @@
+--- lib/ps2epsi.orig	Mon Nov 28 02:17:38 2005
+++ lib/ps2epsi	Mon Nov 28 02:17:45 2005
+@@ -1,7 +1,8 @@
+ #!/bin/sh
+ # $Id: ps2epsi,v 1.7.2.1 2002/04/22 20:18:24 giles Exp $
+ 
+-tmpfile=/tmp/ps2epsi$$
+tmpfile=`mktemp -t ps2epsi.XXXXXX || exit 1`
+trap "rm -rf $tmpfile" 0 1 2 3 7 13 15
+ 
+ export outfile
+ 
--- a/print/ghostscript-gnu/files/patch-lib:pv.sh.CAN-2004-0967
+++ b/print/ghostscript-gnu/files/patch-lib:pv.sh.CAN-2004-0967
@ -0,0 +1,16 @@
+--- lib/pv.sh.orig	Mon Nov 28 02:18:26 2005
+++ lib/pv.sh	Mon Nov 28 02:18:59 2005
+@@ -29,9 +29,10 @@
+ PAGE=$1
+ shift
+ FILE=$1
+TEMPFILE=`mktemp -t ${FILE}XXXXXX` || exit 1
+ shift
+-trap "rm -rf $TEMPDIR/$FILE.$$.pv" 0 1 2 15
+trap "rm -rf $TEMPFILE" 0 1 2 15
+ #dvips -D$RESOLUTION -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
+-dvips -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
+-gs $FILE.$$.pv
+dvips -p $PAGE -n 1 $FILE $* -o $TEMPFILE
+gs $TEMPFILE
+ exit 0
--- a/print/ghostscript-gnu/files/patch-lib:sysvlp.sh.CAN-2004-0967
+++ b/print/ghostscript-gnu/files/patch-lib:sysvlp.sh.CAN-2004-0967
@ -0,0 +1,29 @@
+--- lib/sysvlp.sh.orig	Thu Mar  9 17:40:40 2000
+++ lib/sysvlp.sh	Mon Nov 28 02:22:42 2005
+@@ -27,20 +27,23 @@
+ # Brother HL-4: switch to HP laserjet II+ emulation
+ # echo "\033\015H\c"
+ 
+TEMPDIR=`mktemp -td sysvlp.XXXXXX` || exit 1
+
+ i=1
+ while [ $i -le $copies ]
+ do
+ 	for file in $files
+ 	do
+ 		$GSHOME/gs \
+-			-sOUTPUTFILE=/tmp/psp$$.%02d \
+			-sOUTPUTFILE=$TEMPDIR/psp$$.%02d \
+ 			-sDEVICE=$DEVICE \
+ 			$EHANDLER $file \
+ 			< /dev/null >> /usr/tmp/ps_log 2>&1
+ 
+-		cat /tmp/psp$$.* 2>> /usr/tmp/ps_log
+-		rm -f /tmp/psp$$.*
+		cat $TEMPDIR/psp$$.* 2>> /usr/tmp/ps_log
+		rm -f $TEMPDIR/psp$$.*
+ 	done
+ 	i=`expr $i + 1`
+ done
+rmdir $TEMPDIR
+ exit 0
--- a/print/ghostscript7/Makefile.inc
+++ b/print/ghostscript7/Makefile.inc
@ -1,5 +1,5 @@
 # $FreeBSD$

 GS_VERSION=	7.07
-GS_REVISION=	13
+GS_REVISION=	14
 GS_EPOCH=	0
--- a/print/ghostscript7/files/patch-lib:pj-gs.sh.CAN-2004-0967
+++ b/print/ghostscript7/files/patch-lib:pj-gs.sh.CAN-2004-0967
@ -0,0 +1,40 @@
+--- lib/pj-gs.sh.orig	Thu Mar  9 17:40:40 2000
+++ lib/pj-gs.sh	Mon Nov 28 02:22:20 2005
+@@ -241,6 +241,7 @@
+ 			then
+ 				/usr/lib/lprcat $Nofilter $Nolabel $file PCL1 $user $dev
+ 			else
+				TEMPFILE=`mktemp -t pjXXXXXX` || exit 1
+ 				type=`file $file | sed 's/^[^:]*..//'`
+ 				case "$type" in
+ 				postscript*)
+@@ -251,22 +252,22 @@
+ #
+ #					gs -q -sDEVICE=paintjet -r180 -sOutputFile=- -dDISKFONTS -dNOPAUSE - < $file 2>/tmp/sh$$
+ 
+-					gs -q -sDEVICE=paintjet -r180 -sOutputFile=/tmp/pj$$ -dDISKFONTS -dNOPAUSE - < $file 1>2
+-					cat /tmp/pj$$
+-					rm /tmp/pj$$
+					gs -q -sDEVICE=paintjet -r180 -sOutputFile=$TEMPFILE -dDISKFONTS -dNOPAUSE - < $file 1>2
+					cat $TEMPFILE
+					rm $TEMPFILE
+ 					needff=
+ 					;;
+-				*)	cat "$file" 2>/tmp/sh$$
+				*)	cat "$file" 2>$TEMPFILE
+ 					needff=1
+ 					;;
+ 				esac
+ 
+-				if [ -s /tmp/sh$$ ]
+				if [ -s $TEMPFILE ]
+ 				then
+ #				    cat /tmp/sh$$	# output any errors
+-				    cat /tmp/sh$$ 1>2	# output any errors
+				    cat $TEMPFILE 1>2	# output any errors
+ 				fi
+-				rm -f /tmp/sh$$
+				rm -f $TEMPFILE
+ 				if [ $needff ]; then echo "\014\r\c"; fi
+ 			fi
+ 
--- a/print/ghostscript7/files/patch-lib:ps2epsi.CAN-2004-0967
+++ b/print/ghostscript7/files/patch-lib:ps2epsi.CAN-2004-0967
@ -0,0 +1,12 @@
+--- lib/ps2epsi.orig	Mon Nov 28 02:17:38 2005
+++ lib/ps2epsi	Mon Nov 28 02:17:45 2005
+@@ -1,7 +1,8 @@
+ #!/bin/sh
+ # $Id: ps2epsi,v 1.7.2.1 2002/04/22 20:18:24 giles Exp $
+ 
+-tmpfile=/tmp/ps2epsi$$
+tmpfile=`mktemp -t ps2epsi.XXXXXX || exit 1`
+trap "rm -rf $tmpfile" 0 1 2 3 7 13 15
+ 
+ export outfile
+ 
--- a/print/ghostscript7/files/patch-lib:pv.sh.CAN-2004-0967
+++ b/print/ghostscript7/files/patch-lib:pv.sh.CAN-2004-0967
@ -0,0 +1,16 @@
+--- lib/pv.sh.orig	Mon Nov 28 02:18:26 2005
+++ lib/pv.sh	Mon Nov 28 02:18:59 2005
+@@ -29,9 +29,10 @@
+ PAGE=$1
+ shift
+ FILE=$1
+TEMPFILE=`mktemp -t ${FILE}XXXXXX` || exit 1
+ shift
+-trap "rm -rf $TEMPDIR/$FILE.$$.pv" 0 1 2 15
+trap "rm -rf $TEMPFILE" 0 1 2 15
+ #dvips -D$RESOLUTION -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
+-dvips -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
+-gs $FILE.$$.pv
+dvips -p $PAGE -n 1 $FILE $* -o $TEMPFILE
+gs $TEMPFILE
+ exit 0
--- a/print/ghostscript7/files/patch-lib:sysvlp.sh.CAN-2004-0967
+++ b/print/ghostscript7/files/patch-lib:sysvlp.sh.CAN-2004-0967
@ -0,0 +1,29 @@
+--- lib/sysvlp.sh.orig	Thu Mar  9 17:40:40 2000
+++ lib/sysvlp.sh	Mon Nov 28 02:22:42 2005
+@@ -27,20 +27,23 @@
+ # Brother HL-4: switch to HP laserjet II+ emulation
+ # echo "\033\015H\c"
+ 
+TEMPDIR=`mktemp -td sysvlp.XXXXXX` || exit 1
+
+ i=1
+ while [ $i -le $copies ]
+ do
+ 	for file in $files
+ 	do
+ 		$GSHOME/gs \
+-			-sOUTPUTFILE=/tmp/psp$$.%02d \
+			-sOUTPUTFILE=$TEMPDIR/psp$$.%02d \
+ 			-sDEVICE=$DEVICE \
+ 			$EHANDLER $file \
+ 			< /dev/null >> /usr/tmp/ps_log 2>&1
+ 
+-		cat /tmp/psp$$.* 2>> /usr/tmp/ps_log
+-		rm -f /tmp/psp$$.*
+		cat $TEMPDIR/psp$$.* 2>> /usr/tmp/ps_log
+		rm -f $TEMPDIR/psp$$.*
+ 	done
+ 	i=`expr $i + 1`
+ done
+rmdir $TEMPDIR
+ exit 0
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@ -35,6 +35,46 @@ Note:  Please add new entries to the beginning of this file.
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">

+  <vuln vid="27a70a01-5f6c-11da-8d54-000cf18bbe54">
+    <topic>ghostscript -- insecure temporary file creation vulnerability</topic>
+    <affects>
+      <package>
+	<name>ghostscript-gnu</name>
+	<name>ghostscript-gnu-nox11</name>
+	<range><lt>7.07_14</lt></range>
+      </package>
+      <package>
+	<name>ghostscript-afpl</name>
+	<name>ghostscript-afpl-nox11</name>
+	<range><lt>8.53_1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<blockquote cite="http://www.securityfocus.com/bid/11285/discuss">
+	  <p>Ghostscript is affected by an insecure temporary file
+	    creation vulnerability. This issue is likely due
+	    to a design error that causes the application to fail
+	    to verify the existence of a file before writing to it.</p>
+
+	  <p>An attacker may leverage this issue to overwrite
+	    arbitrary files with the privileges of an unsuspecting
+	    user that activates the vulnerable application.
+	    Reportedly this issue is unlikely to facilitate
+	    privilege escalation.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <bid>11285</bid>
+      <cvename>CVE-2004-0967</cvename>
+    </references>
+    <dates>
+      <discovery>2004-10-19</discovery>
+      <entry>2005-11-27</entry>
+    </dates>
+  </vuln>
+
  <vuln vid="873a6542-5b8d-11da-b96e-000fb586ba73">
    <topic>horde -- Cross site scripting vulnerabilities in MIME viewers.</topic>
    <affects>