Security fix: several shell scripts included in the Ghostscript package

allow local users to overwrite files via a symlink attack on temporary files. Security: CAN-2004-0967
svn path=/head/; revision=149682
2025-07-17 09:19:15 -04:00 · 2005-11-27 17:57:19 +00:00 · 2005-11-27 17:57:19 +00:00 · ceed13510d · 2021-03-31 03:12:20 +00:00
commit ceed13510d
parent 0018c9fcdc
14 changed files with 265 additions and 3 deletions
--- a/print/ghostscript-afpl/Makefile.inc
+++ b/print/ghostscript-afpl/Makefile.inc
@ -1,5 +1,5 @@
 # $FreeBSD$
 GS_VERSION=	8.53
-GS_REVISION=	0
+GS_REVISION=	1
 GS_EPOCH=	1
--- a/print/ghostscript-afpl/files/patch-lib:ps2epsi.CAN-2004-0967
+++ b/print/ghostscript-afpl/files/patch-lib:ps2epsi.CAN-2004-0967
@ -0,0 +1,12 @@
 --- lib/ps2epsi.orig	Mon Nov 28 02:17:38 2005
 +++ lib/ps2epsi	Mon Nov 28 02:17:45 2005
@@ -1,7 +1,8 @@
 #!/bin/sh
 # $Id: ps2epsi,v 1.7.2.1 2002/04/22 20:18:24 giles Exp $
 -tmpfile=/tmp/ps2epsi$$
 +tmpfile=`mktemp -t ps2epsi.XXXXXX || exit 1`
 +trap "rm -rf $tmpfile" 0 1 2 3 7 13 15
 export outfile
--- a/print/ghostscript-afpl/files/patch-lib:pv.sh.CAN-2004-0967
+++ b/print/ghostscript-afpl/files/patch-lib:pv.sh.CAN-2004-0967
@ -0,0 +1,16 @@
 --- lib/pv.sh.orig	Mon Nov 28 02:18:26 2005
 +++ lib/pv.sh	Mon Nov 28 02:18:59 2005
@@ -29,9 +29,10 @@
 PAGE=$1
 shift
 FILE=$1
 +TEMPFILE=`mktemp -t ${FILE}XXXXXX` || exit 1
 shift
 -trap "rm -rf $TEMPDIR/$FILE.$$.pv" 0 1 2 15
 +trap "rm -rf $TEMPFILE" 0 1 2 15
 #dvips -D$RESOLUTION -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
 -dvips -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
 -gs $FILE.$$.pv
 +dvips -p $PAGE -n 1 $FILE $* -o $TEMPFILE
 +gs $TEMPFILE
 exit 0
--- a/print/ghostscript-gnu/Makefile.inc
+++ b/print/ghostscript-gnu/Makefile.inc
@ -1,5 +1,5 @@
 # $FreeBSD$
 GS_VERSION=	7.07
-GS_REVISION=	13
+GS_REVISION=	14
 GS_EPOCH=	0
--- a/print/ghostscript-gnu/files/patch-lib:pj-gs.sh.CAN-2004-0967
+++ b/print/ghostscript-gnu/files/patch-lib:pj-gs.sh.CAN-2004-0967
@ -0,0 +1,40 @@
 --- lib/pj-gs.sh.orig	Thu Mar  9 17:40:40 2000
 +++ lib/pj-gs.sh	Mon Nov 28 02:22:20 2005
@@ -241,6 +241,7 @@
 			then
 				/usr/lib/lprcat $Nofilter $Nolabel $file PCL1 $user $dev
 			else
 +				TEMPFILE=`mktemp -t pjXXXXXX` || exit 1
 				type=`file $file | sed 's/^[^:]*..//'`
 				case "$type" in
 				postscript*)
@@ -251,22 +252,22 @@
 #
 #					gs -q -sDEVICE=paintjet -r180 -sOutputFile=- -dDISKFONTS -dNOPAUSE - < $file 2>/tmp/sh$$
 -					gs -q -sDEVICE=paintjet -r180 -sOutputFile=/tmp/pj$$ -dDISKFONTS -dNOPAUSE - < $file 1>2
 -					cat /tmp/pj$$
 -					rm /tmp/pj$$
 +					gs -q -sDEVICE=paintjet -r180 -sOutputFile=$TEMPFILE -dDISKFONTS -dNOPAUSE - < $file 1>2
 +					cat $TEMPFILE
 +					rm $TEMPFILE
 					needff=
 					;;
 -				*)	cat "$file" 2>/tmp/sh$$
 +				*)	cat "$file" 2>$TEMPFILE
 					needff=1
 					;;
 				esac
 -				if [ -s /tmp/sh$$ ]
 +				if [ -s $TEMPFILE ]
 				then
 #				    cat /tmp/sh$$	# output any errors
 -				    cat /tmp/sh$$ 1>2	# output any errors
 +				    cat $TEMPFILE 1>2	# output any errors
 				fi
 -				rm -f /tmp/sh$$
 +				rm -f $TEMPFILE
 				if [ $needff ]; then echo "\014\r\c"; fi
 			fi
--- a/print/ghostscript-gnu/files/patch-lib:ps2epsi.CAN-2004-0967
+++ b/print/ghostscript-gnu/files/patch-lib:ps2epsi.CAN-2004-0967
@ -0,0 +1,12 @@
 --- lib/ps2epsi.orig	Mon Nov 28 02:17:38 2005
 +++ lib/ps2epsi	Mon Nov 28 02:17:45 2005
@@ -1,7 +1,8 @@
 #!/bin/sh
 # $Id: ps2epsi,v 1.7.2.1 2002/04/22 20:18:24 giles Exp $
 -tmpfile=/tmp/ps2epsi$$
 +tmpfile=`mktemp -t ps2epsi.XXXXXX || exit 1`
 +trap "rm -rf $tmpfile" 0 1 2 3 7 13 15
 export outfile
--- a/print/ghostscript-gnu/files/patch-lib:pv.sh.CAN-2004-0967
+++ b/print/ghostscript-gnu/files/patch-lib:pv.sh.CAN-2004-0967
@ -0,0 +1,16 @@
 --- lib/pv.sh.orig	Mon Nov 28 02:18:26 2005
 +++ lib/pv.sh	Mon Nov 28 02:18:59 2005
@@ -29,9 +29,10 @@
 PAGE=$1
 shift
 FILE=$1
 +TEMPFILE=`mktemp -t ${FILE}XXXXXX` || exit 1
 shift
 -trap "rm -rf $TEMPDIR/$FILE.$$.pv" 0 1 2 15
 +trap "rm -rf $TEMPFILE" 0 1 2 15
 #dvips -D$RESOLUTION -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
 -dvips -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
 -gs $FILE.$$.pv
 +dvips -p $PAGE -n 1 $FILE $* -o $TEMPFILE
 +gs $TEMPFILE
 exit 0
--- a/print/ghostscript-gnu/files/patch-lib:sysvlp.sh.CAN-2004-0967
+++ b/print/ghostscript-gnu/files/patch-lib:sysvlp.sh.CAN-2004-0967
@ -0,0 +1,29 @@
 --- lib/sysvlp.sh.orig	Thu Mar  9 17:40:40 2000
 +++ lib/sysvlp.sh	Mon Nov 28 02:22:42 2005
@@ -27,20 +27,23 @@
 # Brother HL-4: switch to HP laserjet II+ emulation
 # echo "\033\015H\c"
 +TEMPDIR=`mktemp -td sysvlp.XXXXXX` || exit 1
 +
 i=1
 while [ $i -le $copies ]
 do
 	for file in $files
 	do
 		$GSHOME/gs \
 -			-sOUTPUTFILE=/tmp/psp$$.%02d \
 +			-sOUTPUTFILE=$TEMPDIR/psp$$.%02d \
 			-sDEVICE=$DEVICE \
 			$EHANDLER $file \
 			< /dev/null >> /usr/tmp/ps_log 2>&1
 -		cat /tmp/psp$$.* 2>> /usr/tmp/ps_log
 -		rm -f /tmp/psp$$.*
 +		cat $TEMPDIR/psp$$.* 2>> /usr/tmp/ps_log
 +		rm -f $TEMPDIR/psp$$.*
 	done
 	i=`expr $i + 1`
 done
 +rmdir $TEMPDIR
 exit 0
--- a/print/ghostscript7/Makefile.inc
+++ b/print/ghostscript7/Makefile.inc
@ -1,5 +1,5 @@
 # $FreeBSD$
 GS_VERSION=	7.07
-GS_REVISION=	13
+GS_REVISION=	14
 GS_EPOCH=	0
--- a/print/ghostscript7/files/patch-lib:pj-gs.sh.CAN-2004-0967
+++ b/print/ghostscript7/files/patch-lib:pj-gs.sh.CAN-2004-0967
@ -0,0 +1,40 @@
 --- lib/pj-gs.sh.orig	Thu Mar  9 17:40:40 2000
 +++ lib/pj-gs.sh	Mon Nov 28 02:22:20 2005
@@ -241,6 +241,7 @@
 			then
 				/usr/lib/lprcat $Nofilter $Nolabel $file PCL1 $user $dev
 			else
 +				TEMPFILE=`mktemp -t pjXXXXXX` || exit 1
 				type=`file $file | sed 's/^[^:]*..//'`
 				case "$type" in
 				postscript*)
@@ -251,22 +252,22 @@
 #
 #					gs -q -sDEVICE=paintjet -r180 -sOutputFile=- -dDISKFONTS -dNOPAUSE - < $file 2>/tmp/sh$$
 -					gs -q -sDEVICE=paintjet -r180 -sOutputFile=/tmp/pj$$ -dDISKFONTS -dNOPAUSE - < $file 1>2
 -					cat /tmp/pj$$
 -					rm /tmp/pj$$
 +					gs -q -sDEVICE=paintjet -r180 -sOutputFile=$TEMPFILE -dDISKFONTS -dNOPAUSE - < $file 1>2
 +					cat $TEMPFILE
 +					rm $TEMPFILE
 					needff=
 					;;
 -				*)	cat "$file" 2>/tmp/sh$$
 +				*)	cat "$file" 2>$TEMPFILE
 					needff=1
 					;;
 				esac
 -				if [ -s /tmp/sh$$ ]
 +				if [ -s $TEMPFILE ]
 				then
 #				    cat /tmp/sh$$	# output any errors
 -				    cat /tmp/sh$$ 1>2	# output any errors
 +				    cat $TEMPFILE 1>2	# output any errors
 				fi
 -				rm -f /tmp/sh$$
 +				rm -f $TEMPFILE
 				if [ $needff ]; then echo "\014\r\c"; fi
 			fi
--- a/print/ghostscript7/files/patch-lib:ps2epsi.CAN-2004-0967
+++ b/print/ghostscript7/files/patch-lib:ps2epsi.CAN-2004-0967
@ -0,0 +1,12 @@
 --- lib/ps2epsi.orig	Mon Nov 28 02:17:38 2005
 +++ lib/ps2epsi	Mon Nov 28 02:17:45 2005
@@ -1,7 +1,8 @@
 #!/bin/sh
 # $Id: ps2epsi,v 1.7.2.1 2002/04/22 20:18:24 giles Exp $
 -tmpfile=/tmp/ps2epsi$$
 +tmpfile=`mktemp -t ps2epsi.XXXXXX || exit 1`
 +trap "rm -rf $tmpfile" 0 1 2 3 7 13 15
 export outfile
--- a/print/ghostscript7/files/patch-lib:pv.sh.CAN-2004-0967
+++ b/print/ghostscript7/files/patch-lib:pv.sh.CAN-2004-0967
@ -0,0 +1,16 @@
 --- lib/pv.sh.orig	Mon Nov 28 02:18:26 2005
 +++ lib/pv.sh	Mon Nov 28 02:18:59 2005
@@ -29,9 +29,10 @@
 PAGE=$1
 shift
 FILE=$1
 +TEMPFILE=`mktemp -t ${FILE}XXXXXX` || exit 1
 shift
 -trap "rm -rf $TEMPDIR/$FILE.$$.pv" 0 1 2 15
 +trap "rm -rf $TEMPFILE" 0 1 2 15
 #dvips -D$RESOLUTION -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
 -dvips -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
 -gs $FILE.$$.pv
 +dvips -p $PAGE -n 1 $FILE $* -o $TEMPFILE
 +gs $TEMPFILE
 exit 0
--- a/print/ghostscript7/files/patch-lib:sysvlp.sh.CAN-2004-0967
+++ b/print/ghostscript7/files/patch-lib:sysvlp.sh.CAN-2004-0967
@ -0,0 +1,29 @@
 --- lib/sysvlp.sh.orig	Thu Mar  9 17:40:40 2000
 +++ lib/sysvlp.sh	Mon Nov 28 02:22:42 2005
@@ -27,20 +27,23 @@
 # Brother HL-4: switch to HP laserjet II+ emulation
 # echo "\033\015H\c"
 +TEMPDIR=`mktemp -td sysvlp.XXXXXX` || exit 1
 +
 i=1
 while [ $i -le $copies ]
 do
 	for file in $files
 	do
 		$GSHOME/gs \
 -			-sOUTPUTFILE=/tmp/psp$$.%02d \
 +			-sOUTPUTFILE=$TEMPDIR/psp$$.%02d \
 			-sDEVICE=$DEVICE \
 			$EHANDLER $file \
 			< /dev/null >> /usr/tmp/ps_log 2>&1
 -		cat /tmp/psp$$.* 2>> /usr/tmp/ps_log
 -		rm -f /tmp/psp$$.*
 +		cat $TEMPDIR/psp$$.* 2>> /usr/tmp/ps_log
 +		rm -f $TEMPDIR/psp$$.*
 	done
 	i=`expr $i + 1`
 done
 +rmdir $TEMPDIR
 exit 0
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@ -35,6 +35,46 @@ Note:  Please add new entries to the beginning of this file.
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="27a70a01-5f6c-11da-8d54-000cf18bbe54">
    <topic>ghostscript -- insecure temporary file creation vulnerability</topic>
    <affects>
      <package>
 	<name>ghostscript-gnu</name>
 	<name>ghostscript-gnu-nox11</name>
 	<range><lt>7.07_14</lt></range>
      </package>
      <package>
 	<name>ghostscript-afpl</name>
 	<name>ghostscript-afpl-nox11</name>
 	<range><lt>8.53_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
 	<blockquote cite="http://www.securityfocus.com/bid/11285/discuss">
 	  <p>Ghostscript is affected by an insecure temporary file
 	    creation vulnerability. This issue is likely due
 	    to a design error that causes the application to fail
 	    to verify the existence of a file before writing to it.</p>
 	  <p>An attacker may leverage this issue to overwrite
 	    arbitrary files with the privileges of an unsuspecting
 	    user that activates the vulnerable application.
 	    Reportedly this issue is unlikely to facilitate
 	    privilege escalation.</p>
 	</blockquote>
      </body>
    </description>
    <references>
      <bid>11285</bid>
      <cvename>CVE-2004-0967</cvename>
    </references>
    <dates>
      <discovery>2004-10-19</discovery>
      <entry>2005-11-27</entry>
    </dates>
  </vuln>
  <vuln vid="873a6542-5b8d-11da-b96e-000fb586ba73">
    <topic>horde -- Cross site scripting vulnerabilities in MIME viewers.</topic>
    <affects>