Bug 56808

Summary: Security hole (-dPARANOIDSAFER not used) allows arbitrary command execution
Product: [Unmaintained] kghostview
Reporter: Keith Winstein <keithw>
Component: general
Assignee: Wilco Greven <greven>
Status: RESOLVED DUPLICATE
Severity: normal
CC: rdieter
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Compiled Sources
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Keith Winstein 2003-04-03 21:02:42 UTC
Version:            (using KDE Devel)
Installed from:    Compiled sources

This is a critical security hole in Konqueror and kghostview.

kgvconfigdialog.cpp includes the default gs execution arguments, which do not include -dPARANOIDSAFER or -dSAFER (unlike gv, which uses -dSAFER by default.)

Because kghostview is run by Konqueror to produce PostScript previews of a directory, this means that a malicious PostScript file can cause arbitrary code to be executed merely by _opening the directory containing the file_ in Konqueror.

Also, because the default configuration is copied to the home directory kghostviewrc on first execution, just adding -dPARANOIDSAFER to the arguments in kgvconfigdialog.cpp is not sufficient to fix the bug for existing users.

Please add -dPARANOIDSAFER to the default arguments and have kghostview add it to existing users' home-directory kghostviewrc, and please release a new KDE version incorporating the fixed kghostview quickly.
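To illustrate the two fixes the report asks for (a sandboxed default argument line and a migration of existing users' kghostviewrc files), here is an added POSIX sh example; it is not kghostview code and not part of this thread. The config group `[Ghostscript]` and key `Arguments` are assumptions, since the page does not name the real key, and the sample file is constructed.

```sh
#!/bin/sh
# Added example, not code from kghostview or the KDE bug thread.
# Checks whether a gs argument string (as a kghostviewrc-style config
# might store it) restricts file access via -dSAFER or -dPARANOIDSAFER,
# and rewrites config lines that lack it.

# Returns 0 when the argument string already sandboxes gs.
gs_args_sandboxed() {
    for arg in $1; do
        case "$arg" in
            -dSAFER|-dPARANOIDSAFER) return 0 ;;
        esac
    done
    return 1
}

# Prints the argument string with -dPARANOIDSAFER appended when neither
# flag is present; an already-sandboxed string is printed unchanged, so the
# migration is idempotent and safe to run on every start.
ensure_safer() {
    if gs_args_sandboxed "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s -dPARANOIDSAFER\n' "$1"
    fi
}

# Rewrites a config file to stdout: every line of the form KEY=value has
# its value passed through ensure_safer. KEY is an assumption; the real
# kghostviewrc key name is not given on the page.
fix_config() {
    key=$1; file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$key="*) printf '%s=%s\n' "$key" "$(ensure_safer "${line#"$key="}")" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$file"
}

# Constructed sample config with the weak (unsandboxed) argument line.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
[Ghostscript]
Arguments=-dNOPAUSE -dBATCH -sDEVICE=x11
EOF
fix_config Arguments "$tmp"   # prints the line with -dPARANOIDSAFER added
rm -f "$tmp"
```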
Comment 1 Luís Pedro Coelho 2003-04-03 23:00:23 UTC
If you look at kpswidget.cpp you will see that -dSAFER is always included. 
 
You don't even have a chance to change that which is why it is not even included 
in the configuration widget. 
 
luis pedro coelho 
Comment 2 Maksim Orlovich 2003-04-03 23:15:49 UTC
Luis: unfortunately, it's not kghostview that's used for thumbnails
 
Comment 3 Keith Winstein 2003-04-03 23:37:45 UTC
Luis: Yes, you are right; I was misled by http://www.konqueror.org/features/viewer.php,
which says "Konqueror embeds components (parts) provided by other applications.
   The image-viewing part is KView, the text-viewing part is KWrite, the
   DVI viewer KDVI, the PostScript viewer KGhostview, and of course all
   KOffice documents are shown by their originating application."

So there remains a vulnerability that -dSAFER is not used when
previewing in Konqueror (apparently just bug ID 53157 was not
fixed), leading to malicious PostScript files being able to execute
arbitrary code on directory-open, but it's not kghostview's fault.
Comment 4 Maksim Orlovich 2003-04-03 23:41:42 UTC
Keith: I forwarded your report to security@kde.org, they're looking into it.  
 
Comment 5 Dirk Mueller 2003-04-09 21:09:25 UTC
NOT invalid 
Comment 6 Luís Pedro Coelho 2003-04-09 21:26:17 UTC
Subject: Re:  Security hole (-dPARANOIDSAFER not used) allows arbitrary command execution

On Wednesday 9 April 2003 21:09, Dirk Mueller
Comment 7 Dirk Mueller 2003-04-09 23:10:20 UTC

*** This bug has been marked as a duplicate of 53157 ***