GLSA-200608-22 : fbida: Arbitrary command execution
Medium Nessus Plugin ID 22284
Synopsis
The remote Gentoo host is missing one or more security-related patches.
Description
The remote host is affected by the vulnerability described in GLSA-200608-22 (fbida: Arbitrary command execution)
Toth Andras has discovered a typographic mistake in the 'fbgs' script, which is shipped with fbida when the 'fbcon' and 'pdf' USE flags are both enabled.
This script runs 'gs' without the -dSAFER option, thus allowing a PostScript file to execute commands, or to delete or create any kind of file on the system.
A remote attacker can entice a vulnerable user to view a malicious PostScript or PDF file with fbgs, which may result in the execution of arbitrary code.
There is no known workaround at this time.
Solution
All fbida users with the 'fbcon' and 'pdf' USE flags both enabled should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=media-gfx/fbida-2.03-r4'
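The flaw described above is a wrapper script invoking Ghostscript without -dSAFER, and a misspelled option is as bad as a missing one. The following audit helper is an added example, not part of the GLSA, of Nessus, or of fbida: it scans a viewer wrapper script for non-comment lines that call gs and reports any that lack a literal -dSAFER token. The two sample wrappers it creates are constructed for the demonstration and are not the real fbgs script; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the advisory or of fbida): a line-oriented
# heuristic that flags gs invocations in a wrapper script which do not carry
# the -dSAFER option. A misspelled option (e.g. -dSAFE) is flagged too,
# because only an exact -dSAFER token counts as safe.

# Print "lineno:line" for every gs invocation in $1 that lacks -dSAFER.
# Comment lines are ignored. Exit status 0 if at least one such line was
# found, 1 otherwise (grep semantics).
unsafe_gs_lines() {
    grep -nE '(^|[|;&`[:space:]])gs([[:space:]]|$)' "$1" \
      | grep -vE '^[0-9]+:[[:space:]]*#' \
      | grep -vE -- '(^|[[:space:]])-dSAFER([[:space:]]|$)'
}

# Report on one script; returns 0 when clean, 1 when an unsafe gs call exists.
check_gs_safer() {
    if unsafe_gs_lines "$1" | grep -q .; then
        echo "UNSAFE: $1 runs gs without -dSAFER on these lines:" >&2
        unsafe_gs_lines "$1" >&2
        return 1
    fi
    echo "OK: every gs call in $1 carries -dSAFER"
    return 0
}

# Constructed sample wrappers (hypothetical, not the real fbgs script) so the
# example runs offline; removed again on exit.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAFE_SAMPLE="$SAMPLE_DIR/fbgs-safe.sh"
UNSAFE_SAMPLE="$SAMPLE_DIR/fbgs-unsafe.sh"

cat > "$SAFE_SAMPLE" <<'EOF'
#!/bin/sh
# hypothetical wrapper: gs is locked down with -dSAFER
gs -dSAFER -dNOPAUSE -dBATCH -sDEVICE=ppmraw -sOutputFile=page.ppm "$1"
EOF

cat > "$UNSAFE_SAMPLE" <<'EOF'
#!/bin/sh
# hypothetical wrapper: first gs call omits -dSAFER, second misspells it
gs -dNOPAUSE -dBATCH -sDEVICE=ppmraw -sOutputFile=page.ppm "$1"
cat "$1" | gs -dSAFE -dNOPAUSE -dBATCH -sDEVICE=ppmraw -sOutputFile=page.ppm -
EOF

# Stand-alone demonstration: the result of each check is printed, and a
# failing check does not abort the script.
check_gs_safer "$SAFE_SAMPLE" || :
check_gs_safer "$UNSAFE_SAMPLE" || :
```

Run it against a real wrapper with `check_gs_safer /path/to/script`; a non-zero exit status means at least one gs call was found without -dSAFER. The match is textual, so a wrapper that assembles its gs options in a variable needs manual review.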