Bug 56808 - Security hole (-dPARANOIDSAFER not used) allows arbitrary command execution
Summary: Security hole (-dPARANOIDSAFER not used) allows arbitrary command execution
Status: RESOLVED DUPLICATE of bug 53157
Alias: None
Product: kghostview
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Platform: Compiled Sources Linux
: NOR normal (vote)
Target Milestone: ---
Assignee: Wilco Greven
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-04-03 21:02 UTC by Keith Winstein
Modified: 2003-04-09 23:10 UTC (History)
1 user (show)

See Also:
Latest Commit:
Version Fixed In:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Keith Winstein 2003-04-03 21:02:42 UTC
Version:            (using KDE Devel)
Installed from:    Compiled sources

This is a critical security hole in konquerer and kghostview.

kgvconfigdialog.cpp includes the default gs execution arguments, which do not include -dPARANOIDSAFER or -dSAFER (unlike gv, which uses -dSAFER by default.)

Because kghostview is run by konquerer to produce Postscript previews of a directory, this means that a malicious postscript file can cause arbitrary code to be executed merely by _opening the directory containing the file_ in konquerer.

Also, because the default configuration is copied to the home directory kghostviewrc on first execution, just adding -dPARANOIDSAFER to the arguments in kgvconfigdialog.cpp is not sufficient to fix the bug for existing users.

Please add -dPARANOIDSAFER to the default arguments and have kghostview add it to existing users' home-directory kghostviewrc, and please release a new KDE version incorporating the fixed kghostview quickly.
Comment 1 Luís Pedro Coelho 2003-04-03 23:00:23 UTC
If you look at kpswidget.cpp you will see that -dSAFER is always included. 
 
You don't even have a chance to change that which is why it is not even included 
in the configuration widget. 
 
luis pedro coelho 
Comment 2 Maksim Orlovich 2003-04-03 23:15:49 UTC
Luis: unfortunately, it's not kghostivew that's used for thumbnails 
 
Comment 3 Keith Winstein 2003-04-03 23:37:45 UTC
Luis: Yes, you are right; I was misled by http://www.konqueror.org/features/viewer.php,
which says "Konqueror embeds components (parts) provided by other applications.
   The image-viewing part is KView, the text-viewing part is KWrite, the
   DVI viewer KDVI, the PostScript viewer KGhostview, and of course all
   KOffice documents are shown by their originating application."

So there remains a vulnerability that -dSAFER is not used when
previewing in konquerer (apparently just bug ID 53157 was not
fixed), leading to malicious postscript files being able to execute
arbitrary code on directory-open, but it's not kghostview's fault.
Comment 4 Maksim Orlovich 2003-04-03 23:41:42 UTC
Keith: I forwarded your report to security@kde.org, they're looking into it.  
 
Comment 5 Dirk Mueller 2003-04-09 21:09:25 UTC
NOT invalid 
Comment 6 Luís Pedro Coelho 2003-04-09 21:26:17 UTC
Subject: Re:  Security hole (-dPARANOIDSAFER not used) allows arbitrary command execution

Le Mercredi 9 Avril 2003 21:09, Dirk Mueller a 
Comment 7 Dirk Mueller 2003-04-09 23:10:20 UTC

*** This bug has been marked as a duplicate of 53157 ***