| Summary: | <app-text/a2ps-4.14-r5: fixps does not invoke gs with -dSAFER (CVE-2014-0466) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | cjk, printing |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1082410 | | |
| Whiteboard: | B2 [glsa cve] | | |
| Package list: | =app-text/a2ps-4.14-r5 | | |
| Runtime testing required: | --- | | |
Description

Agostino Sarubbo 2014-03-31 09:42:42 UTC

CVE-2014-0466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0466): The fixps script in a2ps 4.14 does not use the -dSAFER option when executing gs, which allows context-dependent attackers to delete arbitrary files or execute arbitrary commands via a crafted PostScript file.

@maintainer(s): Upstream hasn't worked on the project since 2007. So let's add Debian's patch to get rid of this vulnerability. I prepared https://github.com/gentoo/gentoo/pull/2898 -- please comment/approve/decline.

Merged: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a1d1e520fccdcff5c0ab5e69dfaf6df5abd0ff9

@maintainer(s), ready for stable?

@arches, please stabilize: =app-text/a2ps-4.14-r5

amd64 stable

x86 stable

Stable on alpha.

arm stable

sparc stable

ppc stable

ia64 stable

ppc64 stable

Stable for HPPA.

New GLSA request filed.

This issue was resolved and addressed in GLSA 201701-67 at https://security.gentoo.org/glsa/201701-67 by GLSA coordinator Thomas Deutschmann (whissi).
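The defect behind this bug is a script that hands untrusted PostScript to `gs` without `-dSAFER`. The following POSIX shell example is added here and is not part of the bug thread, the a2ps sources, or the Debian/Gentoo patch: it shows a wrapper that always passes the hardening flags, and an audit function that scans a shell script for `gs` invocations lacking `-dSAFER`. The two sample scripts it builds (`fixps-before.sh`, `fixps-after.sh`) are constructed to resemble the unpatched and patched pattern; they are not the real fixps code. Note that Ghostscript 9.50 and later enable SAFER by default, and that `-dSAFER` has had bypasses of its own, so it is a mitigation layer rather than a substitute for treating PostScript from unknown sources as untrusted input.

```shell
#!/bin/sh
# Added example, not from the a2ps project or the Gentoo bug.

# Hardened wrapper: every call to Ghostscript goes through here, so no script
# can forget the flag. -dBATCH/-dNOPAUSE keep gs non-interactive, which is what
# a filter like fixps wants anyway.
safe_gs() {
    gs -dSAFER -dBATCH -dNOPAUSE "$@"
}

# Audit a shell script for gs invocations that do not carry -dSAFER.
# Prints the offending lines (with line numbers) to stderr.
# Returns 0 if every invocation is safe, 1 otherwise.
audit_gs_safer() {
    script="$1"
    # A gs invocation is "gs" or "$gs" at line start or after a pipe,
    # separator, subshell or whitespace, followed by whitespace.
    # Comment lines are dropped before checking for the flag.
    offenders=$(grep -nE '(^|[|;&(`[:space:]])\$?gs[[:space:]]' "$script" |
                grep -vE '^[0-9]+:[[:space:]]*#' |
                grep -v -- '-dSAFER' || true)
    if [ -n "$offenders" ]; then
        printf 'missing -dSAFER in %s:\n%s\n' "$script" "$offenders" >&2
        return 1
    fi
    return 0
}

# Build two constructed sample scripts in a temp directory and print its path.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/fixps-before.sh" <<'EOF'
# constructed sample resembling the unpatched pattern (no -dSAFER)
gs="gs"
$gs -q -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=out.ps "$file"
EOF
    cat > "$dir/fixps-after.sh" <<'EOF'
# constructed sample of the fixed pattern (-dSAFER present)
gs="gs"
$gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=out.ps "$file"
EOF
    echo "$dir"
}

# Demo: audit both samples; the "before" script is reported, the "after" passes.
demo() {
    dir=$(make_sample)
    for f in "$dir/fixps-before.sh" "$dir/fixps-after.sh"; do
        if audit_gs_safer "$f" 2>/dev/null; then
            echo "OK:   $f"
        else
            echo "FAIL: $f"
        fi
    done
    rm -rf "$dir"
}
demo
```

The audit is a plain-text heuristic: it will not follow a `gs` path stored in a differently named variable, so on a real package it is a triage aid for finding the obvious case this CVE describes, not proof of absence.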