75784 2004-12-27 05:28 0000 app-text/a2ps: insecure tempfile vuln in fixps and psmandup 2005-01-04 13:40:56 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://secunia.com/advisories/13641/ B3 [glsa] P2 minor --- 1 lewk@gentoo.org security@gentoo.org cjk@gentoo.org printing@gentoo.org lewk@gentoo.org 2004-12-27 05:28:06 0000 Description: Javier Fern lewk@gentoo.org 2004-12-27 05:28:06 0000 Description: Javier Fernández-Sanguino Peña has reported two vulnerabilities in GNU a2ps, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerabilities are caused due to the fixps.in and psmandup.in scripts creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running a vulnerable script. The vulnerabilities have been reported in version 4.13b. Other versions may also be affected. Solution: Don't use the two vulnerable scripts. Grant only trusted users access to affected systems. Provided and/or discovered by: Javier Fernández-Sanguino Peña lewk@gentoo.org 2004-12-27 05:29:35 0000 printing/cjk, please verify whether or not a2ps-4.13c-r1 is vulnerable to this. lewk@gentoo.org 2004-12-27 05:36:25 0000 I also sent an email upstream to verify this as well. koon@gentoo.org 2004-12-28 02:44:25 0000 Here is another one in a2ps : -------------------------------------------------------------------------- Debian Security Advisory DSA 612-1 December 20th, 2004 Package : a2ps Vulnerability : unsanitised input Problem-Type : local Debian-specific: no CVE ID : CAN-2004-1170 BugTraq ID : 11025 Debian Bug : 283134 Rudolf Polzer discovered a vulnerability in a2ps, a converter and pretty-printer for many formats to PostScript. The program did not escape shell meta characters properly which could lead to the execution of arbitrary commands as a privileged user if a2ps is installed as a printer filter. -------------------------------------------------------------------------- koon@gentoo.org 2004-12-28 02:58:23 0000 Forget about that last comment... was taken care of in bug 61500 koon@gentoo.org 2004-12-28 03:10:18 0000 Created an attachment (id=47020) fixps.diff Patch from reporter on http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286385 Applies correctly and seems harmless, but please doublecheck it. koon@gentoo.org 2004-12-28 03:11:01 0000 Created an attachment (id=47021) psmandup.diff Patch from reporter on http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286387 Applies correctly and seems harless but please double-check it. koon@gentoo.org 2004-12-28 03:13:18 0000 I can confirm that tempfile handling in a2ps could be enhanced (currently relies on $$). Applying the two patches above should improve it. usata@gentoo.org 2005-01-01 22:10:07 0000 I don't have time to look into this until 17 January. Could someone from printing herd check these patches (seems straightforward, though) and apply, please? lanius@gentoo.org 2005-01-03 08:41:06 0000 verified and applied the patches. stable on all arches since it's only bash koon@gentoo.org 2005-01-03 08:57:32 0000 Thanks Heinrich. security: Please vote on GLSA need koon@gentoo.org 2005-01-04 01:35:42 0000 I vote yes. It's used on more systems than I originally thought. jaervosz@gentoo.org 2005-01-04 01:36:48 0000 Seems like a2ps is somewhat popular so I tend to vote yes on this one. koon@gentoo.org 2005-01-04 13:40:56 0000 GLSA 200501-02 47020 2004-12-28 03:10 0000 fixps.diff fixps.diff text/plain LS0tIGNvbnRyaWIvZml4cHMuaW4ub3JpZwkyMDA0LTEyLTIwIDAwOjExOjQwLjAwMDAwMDAwMCAr MDEwMAorKysgY29udHJpYi9maXhwcy5pbgkyMDA0LTEyLTIwIDAwOjE0OjEyLjAwMDAwMDAwMCAr MDEwMApAQCAtMzgsNyArMzgsNyBAQAogcnVuX2dzPTAKICMgV2hhdCBhY3Rpb24gdG8gcGVyZm9y bTogZml4cHMsIGNhdCwgY2hlY2ssIGFuZCBncwogdGFzaz1maXhwcwotdG1wZGlyPS90bXAvJHBy b2dyYW0uJCQKK3RtcGRpcj1gbWt0ZW1wIC1kIC10IGZpeHBzLlhYWFhYWGAgfHwgeyBlY2hvICIk cHJvZ3JhbTogQ2Fubm90IGNyZWF0ZSB0ZW1wb3JhcnkgZGlyISIgPiYyIDsgZXhpdCAxOyB9CiB2 ZXJib3NlPWVjaG8KIAogIyBUaGUgdmVyc2lvbi91c2FnZSBzdHJpbmdzCkBAIC0xOTEsNyArMTkx LDYgQEAKICAgdHJhcCAiL2Jpbi9ybSAtcmYgJHRtcGRpciIgMCAxIDIgMyAxMyAxNQogZmkKIAot bWtkaXIgJHRtcGRpcgogZml4cHNfc2VkPSR0bXBkaXIvZml4cHMuc2VkCiAKICMgSWYgcHJpbnRp bmcgZnJvbSBzdGRpbiwgc2F2ZSBpbnRvIGEgdG1wIGZpbGUK 47021 2004-12-28 03:11 0000 psmandup.diff psmandup.diff text/plain LS0tIGNvbnRyaWIvcHNtYW5kdXAuaW4ub3JpZwkyMDA0LTEyLTIwIDAwOjE2OjA3LjAwMDAwMDAw MCArMDEwMAorKysgY29udHJpYi9wc21hbmR1cC5pbgkyMDA0LTEyLTIwIDAwOjE2OjM5LjAwMDAw MDAwMCArMDEwMApAQCAtMzYsNyArMzYsNyBAQAogbWVzc2FnZT0KIHBzc2VsZWN0PSR7UFNTRUxF Q1Q6LXBzc2VsZWN0fQogcHNzZXQ9JHtQU1NFVDotcHNzZXR9Ci10bXBkaXI9L3RtcC8kcHJvZ3Jh bS4kJAordG1wZGlyPWBta3RlbXAgLWQgLXQgZml4cHMuWFhYWFhYYCB8fCB7IGVjaG8gIiRwcm9n cmFtOiBDYW5ub3QgY3JlYXRlIHRlbXBvcmFyeSBkaXIhIiA+JjIgOyBleGl0IDE7IH0KIAogIyBU aGVzZSB0d28gbXVzdCBiZSBrZXB0IGluIHN5bmNoLiAgVGhleSBhcmUgb3Bwb3NlZC4KIHZlcmJv c2U9ZWNobwpAQCAtMTg1LDcgKzE4NSw2IEBACiAgIHRyYXAgIi9iaW4vcm0gLXJmICR0bXBkaXIi IDAgMSAyIDMgMTMgMTUKIGZpCiAKLW1rZGlyICR0bXBkaXIKIAogIyBJZiBwcmludGluZyBmcm9t IHN0ZGluLCBzYXZlIGludG8gYSB0bXAgZmlsZQogaWYgdGVzdCAkZmlsZSA9ICctJzsgdGhlbgo=