Comment 1 Luke Macken (RETIRED) 2004-12-27 05:28:06 UTC

Description:
Javier Fernández-Sanguino Peña has reported two vulnerabilities in GNU a2ps, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

The vulnerabilities are caused due to the fixps.in and psmandup.in scripts creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running a vulnerable script.

The vulnerabilities have been reported in version 4.13b. Other versions may also be affected.

Solution:
Don't use the two vulnerable scripts.

Grant only trusted users access to affected systems.

Provided and/or discovered by:
Javier Fernández-Sanguino Peña

Comment 2 Luke Macken (RETIRED) 2004-12-27 05:29:35 UTC

printing/cjk, please verify whether or not a2ps-4.13c-r1 is vulnerable to this.

Comment 3 Luke Macken (RETIRED) 2004-12-27 05:36:25 UTC

I also sent an email upstream to verify this as well.

Comment 4 Thierry Carrez (RETIRED) 2004-12-28 02:44:25 UTC

Here is another one in a2ps :

--------------------------------------------------------------------------
Debian Security Advisory DSA 612-1
December 20th, 2004 

Package        : a2ps
Vulnerability  : unsanitised input
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-1170
BugTraq ID     : 11025
Debian Bug     : 283134

Rudolf Polzer discovered a vulnerability in a2ps, a converter and
pretty-printer for many formats to PostScript.  The program did not
escape shell meta characters properly which could lead to the
execution of arbitrary commands as a privileged user if a2ps is
installed as a printer filter.
--------------------------------------------------------------------------

Comment 5 Thierry Carrez (RETIRED) 2004-12-28 02:58:23 UTC

Forget about that last comment... was taken care of in bug 61500

Comment 6 Thierry Carrez (RETIRED) 2004-12-28 03:10:18 UTC

Created attachment 47020 [details, diff]
fixps.diff

Patch from reporter on http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286385
Applies correctly and seems harmless, but please doublecheck it.

Comment 7 Thierry Carrez (RETIRED) 2004-12-28 03:11:01 UTC

Created attachment 47021 [details, diff]
psmandup.diff

Patch from reporter on http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286387
Applies correctly and seems harless but please double-check it.

Comment 8 Thierry Carrez (RETIRED) 2004-12-28 03:13:18 UTC

I can confirm that tempfile handling in a2ps could be enhanced (currently relies on $$). Applying the two patches above should improve it.

Comment 9 Mamoru KOMACHI (RETIRED) 2005-01-01 22:10:07 UTC

I don't have time to look into this until 17 January.
Could someone from printing herd check these patches
(seems straightforward, though) and apply, please?

Comment 10 Heinrich Wendel (RETIRED) 2005-01-03 08:41:06 UTC

verified and applied the patches. stable on all arches since it's only bash

Comment 11 Thierry Carrez (RETIRED) 2005-01-03 08:57:32 UTC

Thanks Heinrich.
security: Please vote on GLSA need

Comment 12 Thierry Carrez (RETIRED) 2005-01-04 01:35:42 UTC

I vote yes. It's used on more systems than I originally thought.

Comment 13 Sune Kloppenborg Jeppesen (RETIRED) 2005-01-04 01:36:48 UTC

Seems like a2ps is somewhat popular so I tend to vote yes on this one.

Comment 14 Thierry Carrez (RETIRED) 2005-01-04 13:40:56 UTC

GLSA 200501-02