Erik Sjölund has discovered several security relevant problems in enscript, a program that converts ASCII text to PostScript and other formats. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CAN-2004-1184 Unsanitised input can cause the execution of arbitrary commands via EPSF pipe support. This has been disabled, also upstream.
CAN-2004-1185 Due to missing sanitising of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed.
CAN-2004-1186 Multiple buffer overflows can cause the program to crash.
Created attachment 48126 [details, diff] CAN-2004-1184.patch
Created attachment 48127 [details, diff] CAN-2004-1185.patch
Created attachment 48128 [details, diff] CAN-2004-1186.patch
Created attachment 48574 [details, diff] enscript-1.6.3-security.patch Compound patch without Debian-specific things in.
This has no maintainers. I cleaned the patch and checked it, looks ok. We should apply it and attach ebuild here so that we can call arch testing on it. Solar, would you do this?
Comment on attachment 48574 [details, diff] enscript-1.6.3-security.patch rename patch
Created attachment 48577 [details] enscript-1.6.3-r2.ebuild requested ebuild. compile testing on x86
Solar please commit, open bug and call arches.
enscript-1.6.3-r2.ebuild (attachment #8574 [details] and attachment #48577 [details]) added to the tree. KEYWORDS="~x86 ~ppc ~sparc ~amd64 ~alpha ~mips ~ppc64" Arch maintainers please test and mark stable (gpg sign your Manifests please) q/a: this package lacks a proper metadata.xml Note: mips never had any version marked as stable.
Back to ebuild status, patch needs to be redone. Sorry for the trouble. Note to solar: > /* Read more data. */ > - is->data_in_buf = fread (is->buf, 1, sizeof (is->buf), is->fp); > + memset (is->buf, 0, sizeof (is->buf)); > + is->data_in_buf = fread (is->buf, 1, sizeof (is->buf)-1, is->fp);
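Review bot: the refill now asks fread for sizeof (is->buf)-1 bytes, but the EOF test a few lines above this hunk (quoted in a later comment) still compares is->data_in_buf against sizeof (is->buf), so after the first refill every full buffer looks like a short read and is_getc returns EOF before the input is exhausted. Either keep the fread length at sizeof (is->buf) or change the comparison to sizeof (is->buf)-1 as well; the two have to agree.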
Koon please check the patch and call arches. 1.6.3-r2 has the fix already.
The comments on the upstream thread are unclear to me. The very end of the existing patch contains those lines already. Looking at deb http://www.debian.org/security/2005/dsa-654 in src/util.c the deb patches don't even seem to touch the function int is_getc (InputStream *is) http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3.diff.gz debs patch other bug fixes and enhancements but it also includes <paper.h> in main.c and thus fails to compile when I swap it out for our existing patch.
Martin Schulze seems to think we require this additional patch : --- enscript-1.6.3/src/util.c.old 2005-01-23 20:06:54.046729208 +0100 +++ enscript-1.6.3/src/util.c 2005-01-23 20:07:34.396193016 +0100 @@ -1998,7 +1998,7 @@ if (is->bufpos >= is->data_in_buf) { /* At the EOF? */ - if (is->nreads > 0 && is->data_in_buf < sizeof (is->buf)) + if (is->nreads > 0 && is->data_in_buf < (sizeof (is->buf)-1)) /* Yes. */ return EOF; The idea is that we must use "sizeof (is->buf)" at both locations or "sizeof (is->buf)-1" at both locations.
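Review bot: this brings the EOF comparison in line with the shortened fread, which removes the premature EOF; it only makes sense together with the fread/memset hunk, so the two should be applied as a pair or not at all. The memset in the companion hunk still zero-fills the whole buffer, so with the -1 read the last byte of is->buf stays NUL after a full refill.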
OK, here is the story: Debian committed the same patch we have first, but it broke things. You can see the original patch at http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.2.diff.gz They identified the problem as coming from this part of the patch: @@ -1996,7 +2003,8 @@ return EOF; /* Read more data. */ - is->data_in_buf = fread (is->buf, 1, sizeof (is->buf), is->fp); + memset (is->buf, 0, sizeof (is->buf)); + is->data_in_buf = fread (is->buf, 1, sizeof (is->buf)-1, is->fp); is->bufpos = 0; is->nreads++; The problem is that the use of sizeof must be consistent with the logic a few lines above. So two solutions: Solution (1): Drop this part of our patch This is the solution Debian chose, and that's why it doesn't show up in their patch. "diff enscript_1.6.3-1.2.diff enscript_1.6.3-1.3.diff" proves this. Solution (2): Change the logic a few lines above This is the solution we could use, by applying the extra patch at comment #13. I am not sure what is best, but leaving it the way it is is clearly broken.
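Review bot: dropping this hunk (solution 1) also drops the memset that zero-fills is->buf before each refill, so before -r3 is committed it is worth checking that nothing else in the compound patch relies on the buffer being NUL-terminated; solution 2 keeps the memset and fixes the comparison instead, so it does not have that question.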
Solar please advise.
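To make the sizeof mismatch from the comment above concrete, here is a constructed model of the refill logic (an added example, not enscript's own util.c): is_getc_model takes the per-refill read length and the EOF-test limit as parameters, so the original code, the -r2 patch and the comment #13 variant can be compared on the same 20-byte input. The MemSource type stands in for is->fp and the 20-byte sample is constructed.

```c
#include <stdio.h>  /* EOF */
#include <string.h>
#define BUFSZ 8  /* small buffer so the mismatch shows on a 20-byte input */

/* Constructed stand-in for the byte source behind is->fp; like fread on a
   regular file, it returns fewer than n bytes only when the data runs out. */
typedef struct { const unsigned char *data; size_t len, pos; } MemSource;
static size_t mem_read(MemSource *src, unsigned char *dst, size_t n) {
  size_t avail = src->len - src->pos;
  if (n > avail) n = avail;
  memcpy(dst, src->data + src->pos, n);
  src->pos += n;
  return n;
}

typedef struct {
  MemSource *fp;
  unsigned char buf[BUFSZ];
  size_t data_in_buf, bufpos;
  unsigned nreads;
} InputStream;

/* read_len: bytes requested per refill; eof_limit: value the EOF test compares
   is->data_in_buf against. -r2 used BUFSZ-1 / BUFSZ (inconsistent); the
   original code and the comment #13 patch use the same value for both. */
static int is_getc_model(InputStream *is, size_t read_len, size_t eof_limit) {
  if (is->bufpos >= is->data_in_buf) {
    /* At the EOF?  A short previous read is taken to mean the source is drained. */
    if (is->nreads > 0 && is->data_in_buf < eof_limit)
      return EOF;
    /* Read more data. */
    memset(is->buf, 0, sizeof(is->buf));
    is->data_in_buf = mem_read(is->fp, is->buf, read_len);
    is->bufpos = 0;
    is->nreads++;
    if (is->data_in_buf == 0)
      return EOF;
  }
  return is->buf[is->bufpos++];
}

/* How many bytes a caller actually sees from a constructed 20-byte input. */
static size_t bytes_visible(size_t read_len, size_t eof_limit) {
  static const unsigned char sample[] = "0123456789abcdefghij";
  MemSource src = { sample, sizeof(sample) - 1, 0 };
  InputStream is = { &src, {0}, 0, 0, 0 };
  size_t n = 0;
  while (is_getc_model(&is, read_len, eof_limit) != EOF) n++;
  return n;  /* 20 for (8,8) and (7,7); only 7 for the -r2 pair (7,8) */
}
```

A regression test for the ebuild only needs to feed enscript a file longer than its read buffer and confirm the output is not truncated after the first buffer.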
I'm opting for solution #1, testing now, then will commit as -r3 while planning to remove -r2
Updated InCVS enscript-1.6.3-r3.ebuild KEYWORDS="~x86 ~ppc ~sparc ~amd64 ~alpha ~mips ~ppc64"
Arches, please test and mark enscript-1.6.3-r3 stable
stable on ppc64
sparc'd
stable on amd64.
Stable on ppc.
Stable on alpha.
btw, installed the patched version on x86, seems to be working well. Feel free to bump. (Busy at work or I would)
stable on x86. Only ~mips remains before older ebuilds can be flushed
GLSA drafted
GLSA 200502-03