Dnia środa, 26 maja 2010 o 04:32:51 paul.szabo@xxxxxxxxxxxxx napisał(a): > Dear Christopher, > > > Ghostscript_8.64 on openSuSE_11.2 executes all files matching > > ./Encoding/* on startup. This search is relative to the current > > directory so it is easy to poison Ghostscript and cause it to execute > > arbitrary PostScript code without user action or knowledge. > > > > Details: <URL:https://bugzilla.novell.com/show_bug.cgi?id=608071> > > Interesting! So if someone creates /tmp/Encoding then it is dangerous > to do > cd /tmp; gs any.ps > > I now used: > strace -omylog gs > grep '"\./' mylog | sort -u > and that shows that gs tries many files in currrent directory, > "protection" against just ./Encoding is not enough. What is in the file "any.ps"? You are exposed to the Encoding vulnerability without feeding *anything* to Ghostscript: cd /tmp gs Bang!
