
Bug 251316 (CVE-2008-5377)

Summary: net-print/cups pstopdf symlink attack (CVE-2008-5377)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: minor
CC: printing
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://dev.gentoo.org/~rbu/security/debiantemp/cups
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 235770    

Description Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 15:48:44 UTC
CVE-2008-5377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5377):
  pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files
  via a symlink attack on the /tmp/pstopdf.log temporary file, a
  different vulnerability than CVE-2001-1333.
Comment 1 Timo Gurr (RETIRED) gentoo-dev 2009-01-21 23:30:57 UTC
"Affected script is not part of the upstream CUPS distribution" - We also do not ship it as an additional optional filter with CUPS, so our CUPS version(s) are not affected by this issue.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-01-22 15:38:31 UTC
Does not affect us, we only have a pdftops filter and that was fixed per bug 201042.
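
The symlink problem the CVE text describes, shown as an added example that is not part of this bug report, of CUPS, or of the affected script: a fixed log name in a shared temporary directory beside a `mktemp`-based replacement. The function names and the sandbox directory standing in for `/tmp` are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from the pstopdf script.

# Pattern the CVE describes: a fixed log name in a shared, world-writable directory.
# ">>" follows a symlink already present at that path and writes to its target.
open_log_fixed() {
    echo "filter started" >> "$1/pstopdf.log"
    printf '%s\n' "$1/pstopdf.log"
}

# Hardened form: mktemp creates a new file exclusively under an unpredictable
# name, so a pre-planted link at a guessed path is never opened.
open_log_private() {
    log=$(mktemp "$1/pstopdf.XXXXXXXXXX") || return 1
    echo "filter started" >> "$log"
    printf '%s\n' "$log"
}

# Audit check for an existing log path: must be a regular file, not a symlink.
is_safe_log_target() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# Constructed sandbox standing in for /tmp; nothing outside it is touched.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp"
    echo "important data" > "$box/protected"
    ln -s "$box/protected" "$box/tmp/pstopdf.log"   # pre-existing link
    is_safe_log_target "$box/tmp/pstopdf.log" || echo "fixed path is a symlink"
    open_log_fixed "$box/tmp" >/dev/null
    echo "protected file after fixed-name logging: $(wc -l < "$box/protected") lines"
    private=$(open_log_private "$box/tmp")
    echo "private log: $private"
    rm -rf "$box"
}
demo
```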