cups-base problem

Roland Smith rsmith at xs4all.nl
Sat Nov 10 23:44:14 PST 2007 

On Sat, Nov 10, 2007 at 09:41:43PM -0500, Chuck Robey wrote:
> Reko Turja wrote:
>>> Dear all,
>>> 
>>> Today I saw a security notice:
>> ..snip...
>>> cat distinfo
>>> MD5 (cups-1.3.3-source.tar.bz2) = d4911e68b6979d16bc7a55f68d16cc53
>>> SHA256 (cups-1.3.3-source.tar.bz2) = 
>>> 5e9e5670777055293e309cb0cbb2758df9c1275bf648df70478b7389c2d804de
>>> SIZE (cups-1.3.3-source.tar.bz2) = 4077262
>> Update your ports and INDEX file as it seems that you are installing a 
>> vulnerable version of cups-base. The VuXML report says:
>> Affects:
>> cups-base <1.3.4
>> so the cups-1.3.3 still has the vulnerability mentioned in the report.
> 
> Actually, I think the worst security problem I've seen is one I don't 
> personally care to fix right now, but I guess I will soon.  It's the fact 
> that postscript is actually a language, one that's more general purpose in 
> limitations than many people realize.  Isn't that true?  I think this means 
> that my postscript interpreter (which is, for me, and I think for most, is 
> ghostscript) should have some security controls on it, to limit 
> postscript's direct access to local machine capabilities.

When using ghostscript you should always call it with the -dSAFER
option, so it can only open files read-only.

Or you could buy a postscript capable printer.

> I think that the options in gs for security are too little.  It'd be pretty 
> easy to write a really nasty worm.  I remember laughing at my Windows 
> friends, back when that Philappines worm hit, but we could get pretty 
> easily hit on gs, or am I all wet?

It's not as easy as it seems.

It would be possible to write a postscript program that mails itself to
other addresses. But no UNIX mail client that I know of automatically
opens and renders postscript code, let alone with root privileges, which
you need to do _real_ damage instead of just annoy people. So you'd need
user intervention to spread the virus.

And gathering addresses isn't straightforward either. Every mail
program has it's own file for storing those. And there are usually
multiple places where mail can be stored, and that can be in at least
two formats (mbox and maildir).

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20071111/21a55374/attachment.pgp

More information about the freebsd-questions mailing list