Version: (using KDE Devel)
Installed from: Compiled sources
This is a critical security hole in konqueror and kghostview.
kgvconfigdialog.cpp includes the default gs execution arguments, which do not include -dPARANOIDSAFER or -dSAFER (unlike gv, which uses -dSAFER by default.)
Because kghostview is run by konqueror to produce PostScript previews of a directory, this means that a malicious PostScript file can cause arbitrary code to be executed merely by _opening the directory containing the file_ in konqueror.
Also, because the default configuration is copied to the home directory kghostviewrc on first execution, just adding -dPARANOIDSAFER to the arguments in kgvconfigdialog.cpp is not sufficient to fix the bug for existing users.
Please add -dPARANOIDSAFER to the default arguments and have kghostview add it to existing users' home-directory kghostviewrc, and please release a new KDE version incorporating the fixed kghostview quickly.
If you look at kpswidget.cpp you will see that -dSAFER is always included.
You don't even have a chance to change that, which is why it is not even included in the configuration widget.
luis pedro coelho
Luis: unfortunately, it's not kghostview that's used for thumbnails
Luis: Yes, you are right; I was misled by http://www.konqueror.org/features/viewer.php,
which says "Konqueror embeds components (parts) provided by other applications.
The image-viewing part is KView, the text-viewing part is KWrite, the
DVI viewer KDVI, the PostScript viewer KGhostview, and of course all
KOffice documents are shown by their originating application."
So there remains a vulnerability that -dSAFER is not used when
previewing in konqueror (apparently just bug ID 53157 was not
fixed), leading to malicious PostScript files being able to execute
arbitrary code on directory-open, but it's not kghostview's fault.
Keith: I forwarded your report to email@example.com, they're looking into it.
Subject: Re: Security hole (-dPARANOIDSAFER not used) allows arbitrary command execution
On Wednesday 9 April 2003 21:09, Dirk Mueller
*** This bug has been marked as a duplicate of 53157 ***