<?xml version="1.0" encoding="utf-8"?>
<glsa id="200507-29">
<title>pstotext: Remote execution of arbitrary code</title>
pstotext contains a vulnerability which can potentially result in the
execution of arbitrary code.
<product type="ebuild">pstotext</product>
<announced>July 31, 2005</announced>
<revised>August 11, 2005: 02</revised>
<package name="app-text/pstotext" auto="yes" arch="*">
<unaffected range="ge">1.8g-r1</unaffected>
<vulnerable range="lt">1.8g-r1</vulnerable>
pstotext is a program that works with GhostScript to extract plain text
from PostScript and PDF files.
Max Vozeler reported that pstotext calls the GhostScript interpreter on
untrusted PostScript files without specifying the -dSAFER option.
<impact type="normal">
An attacker could craft a malicious PostScript file and entice a user
to run pstotext on it, resulting in the execution of arbitrary commands
with the permissions of the user running pstotext.
There is no known workaround at this time.
All pstotext users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=app-text/pstotext-1.8g-r1&quot;</code>
<uri link="">CAN-2005-2536</uri>
<uri link="">Secunia Advisory SA16183</uri>
<metadata tag="requester" timestamp="Sat, 30 Jul 2005 18:50:03 +0000">
<metadata tag="bugReady" timestamp="Sat, 30 Jul 2005 18:53:14 +0000">
<metadata tag="submitter" timestamp="Sat, 30 Jul 2005 19:15:41 +0000">