Bugzilla Bug 201042

files/pdftops.pl uses insecurely created files in /tmp, same kind of issue than
bug #198231.

the offending line (90) is:

my $tmpfile = $ENV{TMPDIR} . "pdfin.$$.tmp";

remove leftover from cloning a bug

This problem lies not within CUPS' pdftops filter, but in our alternative
filter which is credited as follows. I'll try to contact the author about this.


# pdftops.pl - wrapper script for xpdf's pdftops utility to act as a CUPS
filter
#
==============================================================================
# 1.00 - 2004-10-05/Bl
#       Initial implementation
#
# Copyright: Helge Blischke / SRZ Berlin 2004
# This program is free seoftware and governed by the GNU Public License Version
2.

Upstream provided a new version.

Created an attachment (id=137630) [details]
pdftops-1.20

The temporary file is created when reading a PDF file from stdin. Does CUPS use
the filter this way, or is it handing over a local file?

On my cups installation, the cupsd saves PDF files to print in /var/spool/cups/
and calls pdftops with that file as a paramater:

22844 execve("/usr/libexec/cups/filter/pdftops", ["null"..., "18"..., "rbu"...,
"gentoo-bash.pdf"..., "1"..., "job-uuid=urn:uuid:d2f67463-b293-"...,
"/var/spool/cups/d00018-002"...], [/* 24 vars */] <unfinished ...>

Under what circumstances would it call the filter via stdin?

More details: Filename pattern $TMPDIR/pdfin.$$.tmp
privileges: "lp" user

This vulnerability appears when more than one filter is triggered in 
CUPS (i.e. you print an XML file and have an XML->PDF and PDF-PS 
converter), because if you only convert PDF to PS, cups will hand over 
the pdf file in "/var/spool" via filename, pdftops will not use its 
stdin code.

printing, please bump with the new version.

Created an attachment (id=137890) [details]
pdftops-1.10-1.20.patch

patch from 1.10 to 1.20

This will be GLSA'd with bug 201570.

GLSA 200712-14, thanks everyone.