CA-95:10.README
Issue date: August 31, 1995
Date of last revision: November 8, 1995

This file is a supplement to CERT advisory CA-95:10, "ghostscript
Vulnerability," distributed on August 31, 1995.  We will update this
file as additional information becomes available.

Note: After we publish checksums in advisories and READMEs, files are
sometimes updated at individual locations because of system upgrades or patch
installation. For current MD5 checksum values, we recommend that you check
with your vendor.

\\\\\\\\\\\\\\\\
Added November 8, 1995

1) We have received information that converting PostScript to pnm
   with the pstopnm conversion program fails once the patch provided
   in the advisory is installed.

   a) The following patch, applied to the original gs_init.ps file,
      solves this problem: it leaves the file operator available for
      reading but refuses any filename beginning with %pipe.

                        Begin Patch
----------------------------------------------------------------------------
*** gs_init.ps  	Fri Aug 25 10:42:51 1995
--- gs_init.ps.fixed	Fri Oct 20 13:54:13 1995
***************
*** 302,308 ****
  % If we want a "safer" system, disable some obvious ways to cause havoc.
  SAFER not { (%END SAFER) .skipeof } if
  /file
!  { dup (r) eq
      { file }
      { /invalidfileaccess signalerror }
     ifelse
--- 302,308 ----
  % If we want a "safer" system, disable some obvious ways to cause havoc.
  SAFER not { (%END SAFER) .skipeof } if
  /file
! { dup (r) eq 2 index (%pipe*) .stringmatch not and
      { file }
      { /invalidfileaccess signalerror }
     ifelse
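Review bot: the `2 index` in the new condition silently depends on the stack being `filename mode bool` at that point (`dup (r) eq` has just consumed the duplicated mode), and nothing in the hunk says so; a one-line comment above `/file` such as `% stack: filename mode` would keep the next editor from breaking it. Also worth noting in the same comment that `.stringmatch` is a private (dotted) name, since item 2 of this README reports it is absent in 2.6.0.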
------------------------------------------------------------------------------
                           End Patch

   Note that pstopnm needs the file operator, which SAFER disables. To
   address this, Joern Tellkamp (tellkamp@informatik.uni-hamburg.de)
   has provided, via DFN-CERT, a fix that defines an UNSAFER option for
   ghostscript. With the suggested fixes, ghostscript runs with SAFER
   behaviour by default. Patches for both choices (SAFER and UNSAFER)
   are included below.

   b) The following patch turns on SAFER in all cases; once it is
      installed, SAFER cannot be turned off. It, too, is applied to
      the original gs_init.ps file.

			Begin SAFER Patch
------------------------------------------------------------------------------
*** gs_init.ps  	Fri Aug 25 10:42:51 1995
--- gs_init.ps.safer	Fri Oct 20 13:54:57 1995
***************
*** 300,308 ****
  /run /run0 load def
  
  % If we want a "safer" system, disable some obvious ways to cause havoc.
! SAFER not { (%END SAFER) .skipeof } if
  /file
!  { dup (r) eq
      { file }
      { /invalidfileaccess signalerror }
     ifelse
- --- 300,308 ----
  /run /run0 load def
  
  % If we want a "safer" system, disable some obvious ways to cause havoc.
! % SAFER not { (%END SAFER) .skipeof } if
  /file
! { dup (r) eq 2 index (%pipe*) .stringmatch not and
      { file }
      { /invalidfileaccess signalerror }
     ifelse
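Review bot: commenting out `SAFER not { (%END SAFER) .skipeof } if` makes the restrictions unconditional, but the `/SAFER` variable defined earlier in gs_init.ps (`currentdict /SAFER known /SAFER exch def`, visible in the UNSAFER patch below) is left in place and unused, so `-dSAFER` is still accepted on the command line and does nothing; the new comment line should say that SAFER is now always on. Separately, the new-file header arrives as `- --- 300,308 ----` (apparently dash-escaped by a PGP signature) where patch (a) has a plain `--- 302,308 ----`; strip the leading `- ` or patch(1) will not recognise the hunk.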
***************
*** 309,315 ****
   } bind odef
  /renamefile { /invalidfileaccess signalerror } odef
  /deletefile { /invalidfileaccess signalerror } odef
! %END SAFER
  
  % Create the error handling machinery.
  % The interpreter has created the ErrorNames array.
- --- 309,315 ----
   } bind odef
  /renamefile { /invalidfileaccess signalerror } odef
  /deletefile { /invalidfileaccess signalerror } odef
! % %END SAFER
  
  % Create the error handling machinery.
  % The interpreter has created the ErrorNames array.
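Review bot: turning the marker into `% %END SAFER` is consistent with the disabled `.skipeof` in the previous hunk, but this hunk's header carries the same stray `- ` prefix (`- --- 309,315 ----`) and needs the same repair before the patch is applied.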
------------------------------------------------------------------------------
			End SAFER Patch


   c) The following patch changes the SAFER option into an UNSAFER
      option. By default SAFER is on, but it can be turned off with
      the -dUNSAFER option to the gs command. This, too, is applied to
      the original gs_init.ps file.

			Begin UNSAFER Patch
------------------------------------------------------------------------------

*** gs_init.ps  	Fri Aug 25 10:42:51 1995
--- gs_init.ps.unsafer	Fri Oct 20 13:57:37 1995
***************
*** 66,72 ****
     currentdict /OUTPUTFILE undef
   } if
  currentdict /QUIET known   /QUIET exch def
! currentdict /SAFER known   /SAFER exch def
  currentdict /WRITESYSTEMDICT known   /WRITESYSTEMDICT exch def
  
  % Acquire environment variables.
--- 66,72 ----
     currentdict /OUTPUTFILE undef
   } if
  currentdict /QUIET known   /QUIET exch def
! currentdict /UNSAFER known /UNSAFER exch def
  currentdict /WRITESYSTEMDICT known   /WRITESYSTEMDICT exch def
  
  % Acquire environment variables.
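Review bot: `/UNSAFER exch def` replaces the `/SAFER` definition rather than adding to it, so after this patch `-dSAFER` no longer binds any name in gs_init.ps; any wrapper that still passes `-dSAFER` keeps the restrictions only because they are now the default, not because the flag does anything. State that in the patch description, or keep the `/SAFER` line alongside the new one so the old flag remains meaningful.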
***************
*** 299,308 ****
  /.run /run load def
  /run /run0 load def
  
! % If we want a "safer" system, disable some obvious ways to cause havoc.
! SAFER not { (%END SAFER) .skipeof } if
  /file
!  { dup (r) eq
      { file }
      { /invalidfileaccess signalerror }
     ifelse
--- 299,308 ----
  /.run /run load def
  /run /run0 load def
  
! % If we want an "unsafer" system, enable some obvious ways to cause havoc.
! UNSAFER { (%END UNSAFER) .skipeof } if
  /file
! { dup (r) eq 2 index (%pipe*) .stringmatch not and
      { file }
      { /invalidfileaccess signalerror }
     ifelse
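Review bot: `UNSAFER { (%END UNSAFER) .skipeof } if` only works together with the marker rename in the following hunk; if this hunk is applied alone, the file still ends the block with `%END SAFER`, `.skipeof` never finds `%END UNSAFER`, and under `-dUNSAFER` it skips to end of file past `% Create the error handling machinery.` and everything after it. The two hunks must be applied as a unit, and the inverted comment (`enable some obvious ways to cause havoc`) should say that the skip bypasses the `/file`, `/renamefile` and `/deletefile` redefinitions.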
***************
*** 309,315 ****
   } bind odef
  /renamefile { /invalidfileaccess signalerror } odef
  /deletefile { /invalidfileaccess signalerror } odef
! %END SAFER
  
  % Create the error handling machinery.
  % The interpreter has created the ErrorNames array.
--- 309,315 ----
   } bind odef
  /renamefile { /invalidfileaccess signalerror } odef
  /deletefile { /invalidfileaccess signalerror } odef
! %END UNSAFER
  
  % Create the error handling machinery.
  % The interpreter has created the ErrorNames array.
------------------------------------------------------------------------------
			End UNSAFER Patch
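   The three patches above all install the same access decision in the
   SAFER `/file` wrapper: pass the call through only when the mode is (r)
   and the filename does not match (%pipe*). The following Python is an
   added model of that decision and is not code from the CERT README or
   from ghostscript; it reproduces PostScript stringmatch semantics (* and
   ? wildcards, backslash quoting, whole-string match) and the UNSAFER
   switch of patch (c), and runs it over a constructed list of calls so the
   policy can be exercised without a 1995 ghostscript build. The device
   name %stdin and the sample filenames are illustrative choices, not taken
   from the advisory.

```python
"""Model of the patched SAFER `/file` wrapper from the CA-95:10 README.

The patched gs_init.ps reads:

    /file
     { dup (r) eq 2 index (%pipe*) .stringmatch not and
         { file }
         { /invalidfileaccess signalerror }
        ifelse
     } bind odef

With `filename mode` on the operand stack, `dup (r) eq` tests the mode and
`2 index` reaches back past the mode and the boolean to the filename.
"""


class InvalidFileAccess(Exception):
    """Stands in for PostScript's /invalidfileaccess error."""


def ps_stringmatch(string: str, pattern: str) -> bool:
    """PostScript `stringmatch`: '*' matches any run of characters, '?'
    exactly one character, and '\\' quotes the next pattern character.
    The whole string must match, so (%pipe*) only matches names that
    begin with %pipe."""

    def match(s: int, p: int) -> bool:
        while p < len(pattern):
            c = pattern[p]
            if c == "*":
                # Let the star absorb 0..n characters; try every split.
                return any(match(i, p + 1) for i in range(s, len(string) + 1))
            if c == "\\" and p + 1 < len(pattern):
                p += 1
                c = pattern[p]
                literal = True          # quoted: match this character exactly
            else:
                literal = c != "?"      # bare '?' matches any one character
            if s >= len(string):
                return False
            if literal and string[s] != c:
                return False
            s += 1
            p += 1
        return s == len(string)

    return match(0, 0)


def safer_file(filename: str, mode: str, unsafer: bool = False) -> str:
    """Return "open" when the wrapper would hand the call to the real
    `file` operator; raise InvalidFileAccess otherwise.

    unsafer=True models patch (c) run with -dUNSAFER: the block between
    `UNSAFER { (%END UNSAFER) .skipeof } if` and `%END UNSAFER` is skipped,
    so the unrestricted operator stays in force."""
    if unsafer:
        return "open"
    if mode == "r" and not ps_stringmatch(filename, "%pipe*"):
        return "open"
    raise InvalidFileAccess(f"({filename}) ({mode}) file")


# Constructed sample calls (not from the advisory), given as the
# (filename, mode) pair a PostScript program would push before `file`.
SAMPLE_CALLS = [
    ("input.ps", "r"),    # plain read, what pstopnm-style use needs: allowed
    ("%stdin", "r"),      # reading a standard device: allowed
    ("%pipe%id", "r"),    # command execution through the pipe device: refused
    ("%pipe%", "r"),      # prefix alone still matches (%pipe*): refused
    ("output.ppm", "w"),  # any non-(r) mode is refused by `dup (r) eq`
    ("%pipe%id", "w"),
]


def evaluate(calls, unsafer: bool = False) -> dict:
    """Map each (filename, mode) to "open" or "invalidfileaccess"."""
    results = {}
    for name, mode in calls:
        try:
            results[(name, mode)] = safer_file(name, mode, unsafer)
        except InvalidFileAccess:
            results[(name, mode)] = "invalidfileaccess"
    return results


if __name__ == "__main__":
    for key, verdict in evaluate(SAMPLE_CALLS).items():
        print(f"{key!s:28} SAFER  -> {verdict}")
    for key, verdict in evaluate(SAMPLE_CALLS, unsafer=True).items():
        print(f"{key!s:28} UNSAFER-> {verdict}")
```

   The model is only a check of the policy as written. To confirm a real
   installation, run the patched gs on a file containing
   `(%pipe%id) (r) file` and expect it to stop with /invalidfileaccess;
   with patch (c) and -dUNSAFER the same program is accepted, which is the
   behaviour the model's unsafer=True branch reproduces.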

2) We received a report that applying any of the above patches may
   cause the gs interpreter to fail (in version 2.6.0). Should this be
   the case, changing '.stringmatch' to 'stringmatch' fixes the problem
   (see below). Upgrading to ghostscript version 2.6.1 also addresses
   the problem.

	The above patches read

	     ! { dup (r) eq 2 index (%pipe*) .stringmatch not and

	Should the problem exist, change to:

	     ! { dup (r) eq 2 index (%pipe*) stringmatch not and


3) It is not known at this time whether the Macintosh and DOS/Windows
   versions of ghostscript are vulnerable; we suggest that you apply
   the patch.
   
4) Version 3.33 with the appropriate patches addresses the vulnerabilities
   outlined in advisory CA-95:10 and this README. As of this update, the
   most recent release of ghostscript is version 3.51.

\\\\\\\\\\\\\\\\