Original issue date: August 31, 1995<BR>
Last revised: September 23, 1997<BR>
Updated copyright information

<P>A complete revision history is at the end of this file.

<P>A large portion of the technical content of this
advisory was provided by the DFN-CERT and NASIRC
response teams, and is used with their permission.

<P>There is a vulnerability in older versions of ghostscript (gs) that enables
users to execute commands and thus modify files. This problem involves the
-dSAFER option and is present in all versions of ghostscript from 2.6 through
3.22 beta.

<P>We recommend that you apply the solution in Section III below to fix the
-dSAFER PostScript code or install the latest version of ghostscript (version
4.01). In both cases, we urge you to make -dSAFER the default mode for
all versions of ghostscript starting with version 2.6.

<P>We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

<P><HR>

<P>
<H2>I.   Background</H2>

<P>The PostScript language, which was designed for the expression of
graphical data, is widely used for transferring images and preformatted
text across the Internet. The language includes primitives for file
operations, which were intended to be useful in the expression of images.
Unfortunately the operations can be abused by people intentionally
embedding commands within an otherwise harmless image so that when
displaying that image the PostScript viewer may perform malicious
file creations or deletions.

<P>This is a potentially serious problem because many images transferred
on the World Wide Web are sent in PostScript. For example, a malicious
person could install a booby-trapped image on a web-page, buried among
useful or interesting data.

<P>The viewer &quot;ghostscript,&quot; a PostScript interpreter, recognizes the
command-line option: &quot;-dSAFER&quot;. This option is intended to disable
the file operations and the %pipe PostScript operator that could be
abused to do damage. This option is intended to protect you from this
type of sabotage when viewing images from untrusted sources.

<P>
<H2>II.  Problem Description</H2>

<P>Problems exist with the ghostscript program, which supports the kind
of commands discussed above.

<P>Older versions of ghostscript do not completely disable the pipe operator
that can be used execute commands that can modify files. Therefore the
option -dSAFER does not provide full protection.

<P>This problem is present in all versions of ghostscript between
2.6 (when the %pipe operator was added) and 3.22beta (when a fix
was made).

<P>
<H2>III. Impact</H2>

<P>Attackers who have inserted malicious code into a PostScript file can
cause commands to be executed and files to be modified on any system
where that PostScript file is viewed with ghostscript.

<P>
<H2>IV. Solutions</H2>

<P>We recommend either fixing the -dSAFER PostScript code or installing
version 4.01 of ghostscript (see Sections IV.A and IV.B). In addition,
we urge you to enable the -dSAFER option as the default (see Section
IV.C).

<P>
<H3>A. Fixing the -dSAFER PostScript code</H3>

<P>The following fix is in the form of &quot;diff&quot; output, which is
suitable for use with the GNU patch program.  This patch brings the
code into conformance with the version of gs_init.ps distributed
with the latest version of ghostscript (4.01) and can be
applied to the GNU versions 2.6, 2.6.1, and 2.6.2.  The file
to be patched is in the ghostscript library. As an example,
gs_init.ps could be installed in:
<PRE>
/usr/local/lib/ghostscript/gs_init.ps
</PRE>
Here is the patch. Please see the Updates section at the end of this
file for cautions and for corrections to be applied in some situations.

<P>
<PRE>
--------------------------------cut here--------------------------------------

*** gs_init.ps.orig     Fri Aug 25 10:42:51 1995
--- gs_init.ps  Fri Aug 25 11:16:24 1995
***************
*** 302,308 ****
% If we want a &quot;safer&quot; system, disable some obvious ways to cause havoc.
  SAFER not { (%END SAFER) .skipeof } if
  /file
!  { dup (r) eq
      { file }
      { /invalidfileaccess signalerror }
     ifelse
--- 302,308 ----
% If we want a &quot;safer&quot; system, disable some obvious ways to cause havoc.
  SAFER not { (%END SAFER) .skipeof } if
  /file
! { dup (r) eq 2 index (%pipe*) .stringmatch not and
      { file }
      { /invalidfileaccess signalerror }
     ifelse
--------------------------------cut here--------------------------------------
</PRE>
The key is to change the line that says:
<PRE>
{ dup (r) eq
</PRE>
to one that says:
<PRE>
{ dup (r) eq 2 index (%pipe*) .stringmatch not and
</PRE>
Here are the relevant lines in the gs_init.ps file for version 2.6.2
of ghostscript before the patch:
<PRE>
302  % If we want a &quot;safer&quot; system, disable some obvious ways to cause havoc.
303  SAFER not { (%END SAFER) .skipeof } if
304  /file
305   { dup (r) eq
306      { file }
307      { /invalidfileaccess signalerror }
308     ifelse
309   } bind odef
310  /renamefile { /invalidfileaccess signalerror } odef
311  /deletefile { /invalidfileaccess signalerror } odef
312  %END SAFER
</PRE>
Here are the same lines after the patch has been applied:
<PRE>
302  % If we want a &quot;safer&quot; system, disable some obvious ways to cause havoc.
303  SAFER not { (%END SAFER) .skipeof } if
304  /file
305  { dup (r) eq 2 index (%pipe*) .stringmatch not and
306      { file }
307      { /invalidfileaccess signalerror }
308     ifelse
309   } bind odef
310  /renamefile { /invalidfileaccess signalerror } odef
311  /deletefile { /invalidfileaccess signalerror } odef
312  %END SAFER
</PRE>

<P>
<H3>B. Installing version 4.01</H3>

<P>You may wish to install Aladdin Ghostscript version 4.01.
The latest version of ghostscript is version 4.01 and
is available at the locations noted below.

<P>This version of ghostscript is provided by Aladdin Enterprises and
is subject to their licensing agreements.  Please read the &quot;Aladdin
Ghostscript Free Public License&quot; (included in the source code
distribution) which differs from the &quot;GNU Public License.&quot;

<P>Please note that this version is not the GNU version.  The latest GNU
version, which is version 2.6.2, does not fix this problem.

<P>
<A HREF=ftp://ftp.cs.wisc.edu/ghost/aladdin/ghostscript-4.01.tar.gz>ftp://ftp.cs.wisc.edu/ghost/aladdin/ghostscript-4.01.tar.gz</A>
<BR>
MD5=21a0fe505bbaf75e2e6aeb4e07689fb6

<P>
<A HREF=ftp://ftp.cs.wisc.edu/ghost/aladdin/ghostscript-4.01jpeg.tar.gz>ftp://ftp.cs.wisc.edu/ghost/aladdin/ghostscript-4.01jpeg.tar.gz</A>
<BR>
MD5=5360e0aa47b415daa44623196f7e6160

<P>
<A HREF=ftp://ftp.cs.wisc.edu/ghost/aladdin/ghostscript-4.01zlib.tar.gz>ftp://ftp.cs.wisc.edu/ghost/aladdin/ghostscript-4.01zlib.tar.gz</A>
<BR>
MD5=8eb230a39275b0759f06fa100250fc00

<P>Optionally, you may need the font files for this release.  They are
available at these locations:

<P>
<A HREF=ftp://ftp.cs.wisc.edu/pub/aladdin/ghostscript-fonts-std-4.01.tar.gz>ftp://ftp.cs.wisc.edu/pub/aladdin/ghostscript-fonts-std-4.01.tar.gz</A>
<BR>
MD5=1e0fe2149affd80deaaae144227049b9

<P>
<A HREF=ftp://ftp.cs.wisc.edu/pub/aladdin/ghostscript-fonts-other-4.01.tar.gz>ftp://ftp.cs.wisc.edu/pub/aladdin/ghostscript-fonts-other-4.01.tar.gz</A>
<BR>
MD5=afe46faf7fde6518ae004a7e8d9a4af4

<P>
<H3>C. Making -dSAFER the default</H3>

<P>To make -dSAFER the default mode for ghostscript for all versions
of ghostscript starting with version 2.6, the file gs_init.ps must
again be changed.  The PostScript commands which check the actual
interpreted command are collected in one single if statement in the
gs_init.ps file. By commenting out the begin and end lines of this
if statement, the check is always applied meaning that the -dSAFER
option is always enabled.

<P>
<B>NOTE:</B> If you make this change, all file and %pipe operations are
disabled and cannot be re-enabled.

<P>The lines which must be changed are:
<PRE>
  303  SAFER not { (%END SAFER) .skipeof } if
</PRE>
and
<PRE>
  312  %END SAFER
</PRE>
These two lines should be commented out and made to look like this:
<PRE>
  303  % SAFER not { (%END SAFER) .skipeof } if
</PRE>
and
<PRE>
   312  % %END SAFER
</PRE>
If you are using ghostscript 2.6.2, the code will look like the
following when both patches noted above are installed:

<P><PRE>
302  % If we want a &quot;safer&quot; system, disable some obvious ways to cause havoc.
303  % SAFER not { (%END SAFER) .skipeof } if
304  /file
305  { dup (r) eq 2 index (%pipe*) .stringmatch not and
306      { file }
307      { /invalidfileaccess signalerror }
308     ifelse
309   } bind odef
310  /renamefile { /invalidfileaccess signalerror } odef
311  /deletefile { /invalidfileaccess signalerror } odef
312  % %END SAFER
</PRE>

<P><HR>
The CERT Coordination Center staff thanks the DFN-CERT and NASIRC response
teams for providing a large portion of the technical content of this advisory,
and we thank Wolfgang Ley for his assistance.
<HR>

<P>
<H2>UPDATES</H2>

<P>
<OL>
<LI>We have received information that some tools that convert PostScript to
other formats break when the SAFER option is the default, as recommended
in Section III.C above.

<P>The problem is that these tools need the PostScript /file directive
that is disabled when the SAFER option is made the default.  To this end,
there is a fix from Joern Tellkamp <A HREF=mailto:(tellkamp@informatik.uni-hamburg.de>(tellkamp@informatik.uni-hamburg.de</A> 
),
provided by DFN-CERT that defines an UNSAFER option to ghostscript.
By default, ghostscript with the fixes listed in Section III.C above
sets the SAFER option.

<P>The following patch changes the SAFER option to the UNSAFER option.  By
default, SAFER is on but it can be turned off with the -dUNSAFER option to
ghostscript.  This, too, is applied to the original gs_init.ps file.

<P><HR>
<CENTER><B>Begin UNSAFER Patch</B></CENTER>
<PRE>
 
*** gs_init.ps          Fri Aug 25 10:42:51 1995
- --- gs_init.ps.unsafer  Fri Oct 20 13:57:37 1995
***************
*** 66,72 ****
     currentdict /OUTPUTFILE undef
   } if
  currentdict /QUIET known   /QUIET exch def
! currentdict /SAFER known   /SAFER exch def
  currentdict /WRITESYSTEMDICT known   /WRITESYSTEMDICT exch def
 
  % Acquire environment variables.
- --- 66,72 ----
     currentdict /OUTPUTFILE undef
   } if
  currentdict /QUIET known   /QUIET exch def
! currentdict /UNSAFER known /UNSAFER exch def
  currentdict /WRITESYSTEMDICT known   /WRITESYSTEMDICT exch def
 
  % Acquire environment variables.
***************
*** 299,308 ****
  /.run /run load def
  /run /run0 load def
 
! % If we want a "safer" system, disable some obvious ways to cause havoc.
! SAFER not { (%END SAFER) .skipeof } if
  /file
!  { dup (r) eq
      { file }
      { /invalidfileaccess signalerror }
     ifelse
- --- 299,308 ----
  /.run /run load def
  /run /run0 load def
 
! % If we want an "unsafer" system, enable some obvious ways to cause havoc.
! UNSAFER { (%END UNSAFER) .skipeof } if
  /file
! { dup (r) eq 2 index (%pipe*) .stringmatch not and
      { file }
      { /invalidfileaccess signalerror }
     ifelse
***************
*** 309,315 ****
   } bind odef
  /renamefile { /invalidfileaccess signalerror } odef
  /deletefile { /invalidfileaccess signalerror } odef
! %END SAFER
 
  % Create the error handling machinery.
  % The interpreter has created the ErrorNames array.
- --- 309,315 ----
   } bind odef
  /renamefile { /invalidfileaccess signalerror } odef
  /deletefile { /invalidfileaccess signalerror } odef
! %END UNSAFER
 
  % Create the error handling machinery.
  % The interpreter has created the ErrorNames array.
</PRE>

<P>
<CENTER><B>End UNSAFER Patch</B></CENTER>
<HR>

<P>Once applied, all of the aforementioned tools need to be changed to add the
-dUNSAFER option to the rest of the arguments given to gs, the ghostscript
interpreter.

<LI><P>We received a report that adding any of the above-mentioned patches
may cause the gs interpreter to fail (in version 2.6.0). Should this
be the case, changing '.stringmatch' to 'stringmatch' fixes this problem
(see below).  Upgrading to ghostscript version   2.6.1 also will address
the problem.

<P>If you have a problem with
<PRE>
! { dup (r) eq 2 index (%pipe*) .stringmatch not and
</PRE>
change to
<PRE>
! { dup (r) eq 2 index (%pipe*) stringmatch not and
</PRE>
<LI>Since it is unknown at this time whether the Macintosh and DOS/Windows
versions of ghostscript are vulnerable, we suggest that you apply the
patch.

<LI><P>Version 3.33 with appropriate patches will address the vulnerabilities
outlined in advisory CA-95.10. As of Nov. 8, 1995, the most recent release
of ghostscript is Version 3.51.
</OL>

<P><HR>

<!--#include virtual="/include/footer_nocopyright.html" -->
<P>Copyright 1995, 1996 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
Sep. 23, 1997  Updated copyright statement
Aug. 30, 1996  Information previously in the README was inserted
                into the advisory, with editing in the Updates section.
Nov. 08, 1995  Updates section - added SAFER and UNSAFER patches and
                instructions for applying them. Included a note for Macintosh
                and DOS/Windows users. Noted a recent release of ghostscript
                version 3.51.
</PRE>