Attachment #48126 for bug #77408




enscript (1.6.3-1.2) stable-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Corrected handling of user supplied input (filename, title) when
    executing shell commands [src/gsint.h, src/main.c, src/util.c,
    CAN-2004-1184]

 --

enscript (1.6.3-1.1) unstable; urgency=low

  * Non maintainer upload

Lines 701-704 FILE printer_open ___P ((char cmd, cha Link Here

(-)orig/enscript-1.6.3/src/gsint.h (+5 lines)
701	*/	701	*/
702	void printer_close ___P ((void *context));	702	void printer_close ___P ((void *context));
703		703
		704	/*
		705	* Escape filenames for shell usage
		706	*/
		707	char shell_escape ___P ((const char fn));
		708
704	#endif /* not GSINT_H */	709	#endif /* not GSINT_H */

Lines 1555-1563 name width\theight\tllx\tlly Link Here

(-)orig/enscript-1.6.3/src/main.c (-6 / +16 lines)
1555	buffer_append (&cmd, intbuf);	1555	buffer_append (&cmd, intbuf);
1556	buffer_append (&cmd, " ");	1556	buffer_append (&cmd, " ");
1557		1557
1558	buffer_append (&cmd, "-Ddocument_title=\"");	1558	buffer_append (&cmd, "-Ddocument_title=\'");
1559	buffer_append (&cmd, title);	1559	if ((cp = shell_escape (title)) != NULL)
1560	buffer_append (&cmd, "\" ");	1560	{
		1561	buffer_append (&cmd, cp);
		1562	free (cp);
		1563	}
		1564	buffer_append (&cmd, "\' ");
1561		1565
1562	buffer_append (&cmd, "-Dtoc=");	1566	buffer_append (&cmd, "-Dtoc=");
1563	buffer_append (&cmd, toc ? "1" : "0");	1567	buffer_append (&cmd, toc ? "1" : "0");
Lines 1574-1581 name width\theight\tllx\tlly Link Here
1574	/* Append input files. */	1578	/* Append input files. */
1575	for (i = optind; i < argc; i++)	1579	for (i = optind; i < argc; i++)
1576	{	1580	{
1577	buffer_append (&cmd, " ");	1581	char *cp;
1578	buffer_append (&cmd, argv[i]);	1582	if ((cp = shell_escape (argv[i])) != NULL)
		1583	{
		1584	buffer_append (&cmd, " \'");
		1585	buffer_append (&cmd, cp);
		1586	buffer_append (&cmd, "\'");
		1587	free (cp);
		1588	}
1579	}	1589	}
1580		1590
1581	/* And do the job. */	1591	/* And do the job. */
Lines 1636-1642 name width\theight\tllx\tlly Link Here
1636	buffer_ptr (opts), buffer_len (opts));	1645	buffer_ptr (opts), buffer_len (opts));
1637	}	1646	}
1638		1647
1639	buffer_append (&buffer, " \"%s\"");	1648	buffer_append (&buffer, " \'%s\'");
1640		1649
1641	input_filter = buffer_copy (&buffer);	1650	input_filter = buffer_copy (&buffer);
1642	input_filter_stdin = "-";	1651	input_filter_stdin = "-";

Lines 1239-1244 escape_string (char *string) Link Here

(-)orig/enscript-1.6.3/src/util.c (-5 / +45 lines)
1239		1239
1240	/* Create result. */	1240	/* Create result. */
1241	cp = xmalloc (len + 1);	1241	cp = xmalloc (len + 1);
		1242	if (cp == NULL)
		1243	return NULL;
1242	for (i = 0, j = 0; string[i]; i++)	1244	for (i = 0, j = 0; string[i]; i++)
1243	switch (string[i])	1245	switch (string[i])
1244	{	1246	{
Lines 1879-1884 is_open (InputStream is, FILE fp, char Link Here
1879	char *cmd = NULL;	1881	char *cmd = NULL;
1880	int cmdlen;	1882	int cmdlen;
1881	int i, pos;	1883	int i, pos;
		1884	char *cp;
1882		1885
1883	is->is_pipe = 1;	1886	is->is_pipe = 1;
1884		1887
Lines 1902-1913 is_open (InputStream is, FILE fp, char Link Here
1902	{	1905	{
1903	case 's':	1906	case 's':
1904	/* Expand cmd-buffer. */	1907	/* Expand cmd-buffer. */
1905	cmdlen += strlen (fname);	1908	if ((cp = shell_escape (fname)) != NULL)
1906	cmd = xrealloc (cmd, cmdlen);	1909	{
		1910	cmdlen += strlen (cp);
		1911	cmd = xrealloc (cmd, cmdlen);
1907		1912
1908	/* Paste filename. */	1913	/* Paste filename. */
1909	strcpy (cmd + pos, fname);	1914	strcpy (cmd + pos, cp);
1910	pos += strlen (fname);	1915	pos += strlen (cp);
		1916	free (cp);
		1917	}
1911		1918
1912	i++;	1919	i++;
1913	break;	1920	break;
Lines 2116-2118 buffer_len (Buffer *buffer) Link Here
2116	{	2123	{
2117	return buffer->len;	2124	return buffer->len;
2118	}	2125	}
		2126
		2127	/*
		2128	* Escapes the name of a file so that the shell groks it in 'single'
		2129	* quotation marks. The resulting pointer has to be free()ed when not
		2130	* longer used.
		2131	*/
		2132	char *
		2133	shell_escape(const char *fn)
		2134	{
		2135	size_t len = 0;
		2136	const char *inp;
		2137	char retval, outp;
		2138
		2139	for(inp = fn; *inp; ++inp)
		2140	switch(*inp)
		2141	{
		2142	case '\'': len += 4; break;
		2143	default: len += 1; break;
		2144	}
		2145
		2146	outp = retval = malloc(len + 1);
		2147	if(!outp)
		2148	return NULL; /* perhaps one should do better error handling here */
		2149	for(inp = fn; *inp; ++inp)
		2150	switch(*inp)
		2151	{
		2152	case '\'': outp++ = '\''; outp++ = '\\'; outp++ = '\'', outp++ = '\''; break;
		2153	default: outp++ = inp; break;
		2154	}
		2155	*outp = 0;
		2156
		2157	return retval;
		2158	}

Return to bug 77408

Lines 1-3 Link Here

(-)orig/enscript-1.6.3/debian/changelog (+9 lines)
		1	enscript (1.6.3-1.2) stable-security; urgency=high
		2
		3	* Non-maintainer upload by the Security Team
		4	* Corrected handling of user supplied input (filename, title) when
		5	executing shell commands [src/gsint.h, src/main.c, src/util.c,
		6	CAN-2004-1184]
		7
		8	--
		9
1	enscript (1.6.3-1.1) unstable; urgency=low	10	enscript (1.6.3-1.1) unstable; urgency=low
2		11
3	* Non maintainer upload	12	* Non maintainer upload