From ${URL} : brian m. carlson reported that a2ps's fixps script does not invoke gs with the -dSAFER option. Running fixps on a malicious PostScript file could result in files being deleted or arbitrary commands being executed with the privileges of the user running fixps. A possible patch from Debian is available from the Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=12;filename=a2ps-4.14-1.3-nmu.diff;att=1;bug=742902 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2014-0466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0466): The fixps script in a2ps 4.14 does not use the -dSAFER option when executing gs, which allows context-dependent attackers to delete arbitrary files or execute arbitrary commands via a crafted PostScript file.
@ Maintainer(s): Upstream didn't work on the project since 2007. So let's add Debian's patch to get rid of this vulnerability. I prepared https://github.com/gentoo/gentoo/pull/2898 -- Please comment/approve/decline.
Merged: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a1d1e520fccdcff5c0ab5e69dfaf6df5abd0ff9 @maintainer(s), ready for stable?
@arches, please stabilize: =app-text/a2ps-4.14-r5
amd64 stable
x86 stable
Stable on alpha.
arm stable
sparc stable
ppc stable
ia64 stable
ppc64 stable
Stable for HPPA.
New GLSA request filed.
This issue was resolved and addressed in GLSA 201701-67 at https://security.gentoo.org/glsa/201701-67 by GLSA coordinator Thomas Deutschmann (whissi).
