The (1) pj-gs.sh, (2) ps2epsi, (3) pv.sh, and (4) sysvlp.sh scripts in the ESP Ghostscript (espgs) package in Trustix Secure Linux 1.5 through 2.1, and other operating systems, allow local users to overwrite files via a symlink attack on temporary files.

Updated ghostscript packages that fix a PDF output issue and a temporary file security bug are now available.

This update has been rated as having low security impact by the Red Hat Security Response Team.

Ghostscript is a program for displaying PostScript files or printing them to non-PostScript printers.

A bug was found in the way several of Ghostscript's utility scripts created temporary files. A local user could cause these utilities to overwrite files that the victim running the utility has write access to. The Common Vulnerabilities and Exposures project assigned the name CVE-2004-0967 to this issue.

Additionally, this update addresses the following issue :

A problem has been identified in the PDF output driver, which can cause output to be delayed indefinitely on some systems. The fix has been backported from GhostScript 7.07.

All users of ghostscript should upgrade to these updated packages, which contain backported patches to resolve these issues.

Ghostscript is affected by an insecure temporary file creation vulnerability. This issue is likely due to a design error that causes the application to fail to verify the existence of a file before writing to it.

An attacker may leverage this issue to overwrite arbitrary files with the privileges of an unsuspecting user that activates the vulnerable application. Reportedly this issue is unlikely to facilitate privilege escalation.

Recently, Trustix Secure Linux discovered some vulnerabilities in the gs-common package. The utilities 'pv.sh' and 'ps2epsi' created temporary files in an insecure way, which allowed a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200410-18 (Ghostscript: Insecure temporary file use in multiple scripts)

    The pj-gs.sh, ps2epsi, pv.sh and sysvlp.sh scripts create temporary files     in world-writeable directories with predictable names.
  Impact :

    A local attacker could create symbolic links in the temporary files     directory, pointing to a valid file somewhere on the filesystem. When an     affected script is called, this would result in the file to be overwritten     with the rights of the user running the script, which could be the root     user.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
21797	CentOS 3 : ghostscript (CESA-2005:081)	Nessus	CentOS Local Security Checks	high
21404	FreeBSD : ghostscript -- insecure temporary file creation vulnerability (27a70a01-5f6c-11da-8d54-000cf18bbe54)	Nessus	FreeBSD Local Security Checks	high
20645	Ubuntu 4.10 : GhostScript utility script vulnerabilities (USN-3-1)	Nessus	Ubuntu Local Security Checks	high
19827	RHEL 3 : ghostscript (RHSA-2005:081)	Nessus	Red Hat Local Security Checks	high
15527	GLSA-200410-18 : Ghostscript: Insecure temporary file use in multiple scripts	Nessus	Gentoo Local Security Checks	high

Detections

Analytics

CVE-2004-0967

medium

Tenable Plugins

high

high

high

high

high