56808 – Security hole (-dPARANOIDSAFER not used) allows arbitrary command execution

Bug 56808 - Security hole (-dPARANOIDSAFER not used) allows arbitrary command execution

Summary: Security hole (-dPARANOIDSAFER not used) allows arbitrary command execution

Status:	RESOLVED DUPLICATE of bug 53157

Alias:	None

Product:	kghostview
Classification:	Applications
Component:	general (show other bugs)
Version:	unspecified
Platform:	Compiled Sources Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Wilco Greven

URL:
Keywords:

Depends on:
Blocks:

Reported:	2003-04-03 21:02 UTC by Keith Winstein
Modified:	2003-04-09 23:10 UTC (History)
CC List:	1 user (show)

See Also:
Latest Commit:
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Keith Winstein 2003-04-03 21:02:42 UTC

Version:            (using KDE Devel)
Installed from:    Compiled sources

This is a critical security hole in konquerer and kghostview.

kgvconfigdialog.cpp includes the default gs execution arguments, which do not include -dPARANOIDSAFER or -dSAFER (unlike gv, which uses -dSAFER by default.)

Because kghostview is run by konquerer to produce Postscript previews of a directory, this means that a malicious postscript file can cause arbitrary code to be executed merely by _opening the directory containing the file_ in konquerer.

Also, because the default configuration is copied to the home directory kghostviewrc on first execution, just adding -dPARANOIDSAFER to the arguments in kgvconfigdialog.cpp is not sufficient to fix the bug for existing users.

Please add -dPARANOIDSAFER to the default arguments and have kghostview add it to existing users' home-directory kghostviewrc, and please release a new KDE version incorporating the fixed kghostview quickly.

Comment 1 Luís Pedro Coelho 2003-04-03 23:00:23 UTC

If you look at kpswidget.cpp you will see that -dSAFER is always included. 
 
You don't even have a chance to change that which is why it is not even included 
in the configuration widget. 
 
luis pedro coelho

Comment 2 Maksim Orlovich 2003-04-03 23:15:49 UTC

Luis: unfortunately, it's not kghostivew that's used for thumbnails

Comment 3 Keith Winstein 2003-04-03 23:37:45 UTC

Luis: Yes, you are right; I was misled by http://www.konqueror.org/features/viewer.php,
which says "Konqueror embeds components (parts) provided by other applications.
   The image-viewing part is KView, the text-viewing part is KWrite, the
   DVI viewer KDVI, the PostScript viewer KGhostview, and of course all
   KOffice documents are shown by their originating application."

So there remains a vulnerability that -dSAFER is not used when
previewing in konquerer (apparently just bug ID 53157 was not
fixed), leading to malicious postscript files being able to execute
arbitrary code on directory-open, but it's not kghostview's fault.

Comment 4 Maksim Orlovich 2003-04-03 23:41:42 UTC

Keith: I forwarded your report to security@kde.org, they're looking into it.

Comment 5 Dirk Mueller 2003-04-09 21:09:25 UTC

NOT invalid

Comment 6 Luís Pedro Coelho 2003-04-09 21:26:17 UTC

Subject: Re:  Security hole (-dPARANOIDSAFER not used) allows arbitrary command execution

Le Mercredi 9 Avril 2003 21:09, Dirk Mueller a

Comment 7 Dirk Mueller 2003-04-09 23:10:20 UTC


*** This bug has been marked as a duplicate of 53157 ***