[NBLUG/talk] Security hole in Ghostscript?

Bill Kendrick nbs at sonic.net
Wed Aug 11 23:37:28 PDT 2004


On Wed, Aug 11, 2004 at 09:32:36PM -0700, Clay Carley wrote:
> Hi all,
> I am not very familiar with ghostscript, but I have noticed today that 
> my server was reacting slowly- it should not be, considering it's a dual 
> P-III machine that usually keeps up with my minimal web site.  I ran 
> top, and saw that user "lp" was running gs -dPARANOIDSAFE (or something 
> similar).  I looked it up, however I did not find that parameter for 
> running "gs".  I'm updating right now, but just curious if I should be 
> paranoid myself. 

Totally clueless myself, but curious. :^)  I did a "man gs" and saw:

  -dname  Define a name in "systemdict" with value=null.

(There's also a "-dname=token" variation.)


A little further down, I see:

  -dSAFER
         Disables the "deletefile" and "renamefile" operators and the
         ability to open files in any mode other than read-only.  This
         may be desirable for spoolers or other sensitive environments
         where a badly written or malicious PostScript program must be
         prevented from changing important files.

So I'm guessing it's that, but even more safe. :^)

Googling for "dPARANOIDSAFE", "PARANOIDSAFE" and "PARANOID SAFE" came
up with very little, but "PARANOID ghostscript" did mention this:

  http://wwwrses.anu.edu.au/~andy/jpeg2eps/

It mentions:

   2. "invalidaccess", "invalidfileaccess", "ioerror", "undefinedfilename"
       errors: these usually arise from running GhostScript/GhostView in
       "safer" or "paranoid safer" mode, which prohibits file writing and
       reading. So don't use the -dSAFER or -dPARANOIDSAFER flags [...]

(ah, so I guess the term was actually "PARANOIDSAFER" ;^) )


Anyway, hope that leads you in the right direction.  Probably no hackers.
Probably a botched printjob.  (Or maybe hackers are stealing your ink.
I heard that stuff is 'spensive! ;^) )

Good luck!

-bill!
(feeling uber-useful tonight!)
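
The check discussed in this message (which sandbox flag a running "gs" was started with), as an added example that is not part of the original post. The function names and the sample process lines (users, PIDs, file names) are constructed for illustration; only the -dSAFER and -dPARANOIDSAFER spellings come from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): report which sandbox flag
# each Ghostscript process in a process listing was started with.

# gs_sandbox_mode ARGV...  ->  prints paranoidsafer | safer | none | not-gs
gs_sandbox_mode() {
    case "${1##*/}" in            # basename of argv[0]
        gs) ;;
        *) echo "not-gs"; return 0 ;;
    esac
    shift
    mode=none
    for arg in "$@"; do
        case "$arg" in
            # Exact flag, or the "-dname=token" variation the man page mentions.
            -dPARANOIDSAFER|-dPARANOIDSAFER=*) mode=paranoidsafer ;;
            -dSAFER|-dSAFER=*) [ "$mode" = paranoidsafer ] || mode=safer ;;
        esac
    done
    echo "$mode"
}

# audit_gs: read "user pid args..." lines on stdin, print "user pid mode"
# for every gs process. Live input: ps -eo user=,pid=,args= | audit_gs
audit_gs() {
    while read -r user pid args; do
        set -f                    # no globbing while re-splitting the args
        mode=$(gs_sandbox_mode $args)
        set +f
        [ "$mode" = not-gs ] || printf '%s %s %s\n' "$user" "$pid" "$mode"
    done
}

# Constructed sample listing: a spooler job, a user conversion with -dSAFER,
# a conversion with no sandbox flag, and an unrelated process.
sample_ps() {
    cat <<'EOF'
lp 4121 gs -dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=ljet4 -sOutputFile=- -
alice 4307 /usr/bin/gs -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=out.pdf in.ps
www 4410 gs -dNOPAUSE -dBATCH -sDEVICE=png16m -sOutputFile=p.png upload.ps
root 1 /sbin/init
EOF
}

sample_ps | audit_gs
```

A "none" result on a gs process that handles files from other people (a print spooler, a web upload converter) is the line worth following up.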



