Description: Javier Fernández-Sanguino Peña has reported two vulnerabilities in GNU a2ps, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

The vulnerabilities are caused due to the fixps.in and psmandup.in scripts creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running a vulnerable script.

The vulnerabilities have been reported in version 4.13b. Other versions may also be affected.

Solution: Don't use the two vulnerable scripts. Grant only trusted users access to affected systems.

Provided and/or discovered by: Javier Fernández-Sanguino Peña
printing/cjk, please verify whether or not a2ps-4.13c-r1 is vulnerable to this.
I also sent an email upstream to verify this as well.
Here is another one in a2ps:

--------------------------------------------------------------------------
Debian Security Advisory DSA 612-1
December 20th, 2004

Package        : a2ps
Vulnerability  : unsanitised input
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-1170
BugTraq ID     : 11025
Debian Bug     : 283134

Rudolf Polzer discovered a vulnerability in a2ps, a converter and pretty-printer for many formats to PostScript. The program did not escape shell meta characters properly which could lead to the execution of arbitrary commands as a privileged user if a2ps is installed as a printer filter.
--------------------------------------------------------------------------
Forget about that last comment... was taken care of in bug 61500
Created attachment 47020: fixps.diff
Patch from reporter on http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286385
Applies correctly and seems harmless, but please double-check it.
Created attachment 47021: psmandup.diff
Patch from reporter on http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286387
Applies correctly and seems harmless, but please double-check it.
I can confirm that tempfile handling in a2ps could be enhanced (currently relies on $$). Applying the two patches above should improve it.
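The difference between a `$$`-based temporary name and one created with `mktemp`, as an added example that is not taken from a2ps or from the attached patches. The `fixps.` prefix is only a sample name, all function names are hypothetical, and the scenario is constructed inside a scratch directory.

```shell
#!/bin/sh
# Added illustration; the "fixps." prefix below is only a sample name.

# Weak pattern: the name depends only on the PID, so any local user can
# predict it and place a symlink there before the script runs.
weak_tmp_name() {
    printf '%s/fixps.%s\n' "${TMPDIR:-/tmp}" "$$"
}

# Hardened pattern: mktemp -d atomically creates a new directory with a
# random suffix and mode 0700, and fails instead of reusing an existing path.
make_private_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/fixps.XXXXXX"
}

# True if something (including a dangling symlink) already sits at the path.
path_is_planted() {
    [ -e "$1" ] || [ -L "$1" ]
}

# Constructed scenario, confined to a scratch directory: a symlink is
# pre-placed at the predictable name, then both patterns are compared.
# Prints "weak=<planted|clean> private=<ok|bad>".
compare_patterns() (
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXX") || exit 1
    trap 'rm -rf "$scratch"' EXIT
    TMPDIR=$scratch
    ln -s "$scratch/users-file" "$(weak_tmp_name)"
    if path_is_planted "$(weak_tmp_name)"; then weak=planted; else weak=clean; fi
    dir=$(make_private_tmpdir) || exit 1
    case $(ls -ld "$dir") in
        drwx------*) [ ! -L "$dir" ] && private=ok || private=bad ;;
        *) private=bad ;;
    esac
    echo "weak=$weak private=$private"
)

compare_patterns
```

A script that creates its working files only inside the directory returned by `make_private_tmpdir` never opens a path another local user could have prepared in advance.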
I don't have time to look into this until 17 January. Could someone from printing herd check these patches (seems straightforward, though) and apply, please?
verified and applied the patches. stable on all arches since it's only bash
Thanks Heinrich. security: Please vote on GLSA need
I vote yes. It's used on more systems than I originally thought.
Seems like a2ps is somewhat popular so I tend to vote yes on this one.
GLSA 200501-02