Page MenuHomePhabricator

PdfHandler extension doesn't use -dSAFER option of ghostscript
Closed, ResolvedPublic

Description

When working on adding firejail to the image scalers I noticed that the PdfHandler extension shells out to ghostscript in the PdfHandler_body.php without using the -dSAFER option. The lack of -dSAFER is one the traditional pitfalls when dealing with PostScript files. Some examples:
https://lists.debian.org/debian-security-announce/2003/msg00016.html
https://lists.debian.org/debian-security-announce/2005/msg00180.html
https://lists.debian.org/debian-security-announce/2006/msg00102.html

Quoting from the ghostscript manpage:

-dSAFER
       Restricts file operations the job can perform.  Strongly recommended for spoolers, conversion scripts or other sensitive environments where a badly written or malicious PostScript program code must be prevented from changing important files.

(Now why is such an option not the default? I don't know, but it's been like that for a long time, so people have probably just gotten used to it)

From what I can tell PdfHandler operates only on PDF files and I'm not sure whether the subset of PostScript used in PDFs is affected by the traditional attacks around commands like "deletefile", but at least the official docs from GhostScript also use -dSAFER when operating on PDFs, e.g. Chapter 2 of http://ghostscript.com/doc/8.54/Use.htm so I think it would we should add it just to be sure.

Details

Related Gerrit Patches:
mediawiki/extensions/PdfHandler : REL1_27SECURITY: Add -dSAFER to ghostscript as a hardening measure
mediawiki/extensions/PdfHandler : masterSECURITY: Add -dSAFER to ghostscript as a hardening measure
mediawiki/extensions/PdfHandler : REL1_26SECURITY: Add -dSAFER to ghostscript as a hardening measure
mediawiki/extensions/PdfHandler : REL1_23SECURITY: Add -dSAFER to ghostscript as a hardening measure

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 27 2016, 12:11 PM

There's also appearently the -DPARANOIDSAFER option, which we might want to look into

There's also appearently the -DPARANOIDSAFER option, which we might want to look into

I looked into this, but turns our PARANOIDSAFER isn't parsed in the ghostscript code anymore and -dSAFER should be enough:
The release notes for 7.20 (released in 2002) mention that -dSAFER is now equilvalent to -dSAFER -dPARANOIDSAVER in ghostscript 7.04), so I presume the option was dropped entirely after the 7.20 release.

Bawolff claimed this task.May 31 2016, 8:02 PM
Bawolff triaged this task as Low priority.May 31 2016, 8:05 PM

Not sure how code review works for security patches in the absence of gerrit, but that patch looks good to me.

Bawolff closed this task as Resolved.Jul 18 2016, 10:22 PM

bawolff !log Deployed patch for T136402 on php-1.28.0-wmf.10

demon changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 23 2016, 1:25 AM
demon changed Security from Software security bug to None.

Change 306142 had a related patch set uploaded (by Chad):
SECURITY: Add -dSAFER to ghostscript as a hardening measure

https://gerrit.wikimedia.org/r/306142

Change 306143 had a related patch set uploaded (by Chad):
Add -dSAFER to ghostscript as a hardening measure

https://gerrit.wikimedia.org/r/306143

Change 306144 had a related patch set uploaded (by Chad):
Add -dSAFER to ghostscript as a hardening measure

https://gerrit.wikimedia.org/r/306144

Change 306145 had a related patch set uploaded (by Chad):
Add -dSAFER to ghostscript as a hardening measure

https://gerrit.wikimedia.org/r/306145

Change 306143 merged by jenkins-bot:
SECURITY: Add -dSAFER to ghostscript as a hardening measure

https://gerrit.wikimedia.org/r/306143

Change 306145 merged by jenkins-bot:
SECURITY: Add -dSAFER to ghostscript as a hardening measure

https://gerrit.wikimedia.org/r/306145

Change 306144 merged by jenkins-bot:
SECURITY: Add -dSAFER to ghostscript as a hardening measure

https://gerrit.wikimedia.org/r/306144

Change 306142 merged by Chad:
SECURITY: Add -dSAFER to ghostscript as a hardening measure

https://gerrit.wikimedia.org/r/306142