files/pdftops.pl uses insecurely created files in /tmp, the same kind of issue as bug #198231. The offending line (90) is:
my $tmpfile = $ENV{TMPDIR} . "pdfin.$$.tmp";
remove leftover from cloning a bug
This problem lies not within CUPS' pdftops filter, but in our alternative filter, which is credited as follows. I'll try to contact the author about this.
# pdftops.pl - wrapper script for xpdf's pdftops utility to act as a CUPS filter
# ==============================================================================
# 1.00 - 2004-10-05/Bl
# Initial implementation
#
# Copyright: Helge Blischke / SRZ Berlin 2004
# This program is free software and governed by the GNU Public License Version 2.
Upstream provided a new version.
Created attachment 137630: pdftops-1.20
The temporary file is created when reading a PDF file from stdin. Does CUPS use the filter this way, or is it handing over a local file?
On my cups installation, the cupsd saves PDF files to print in /var/spool/cups/ and calls pdftops with that file as a parameter:
22844 execve("/usr/libexec/cups/filter/pdftops", ["null"..., "18"..., "rbu"..., "gentoo-bash.pdf"..., "1"..., "job-uuid=urn:uuid:d2f67463-b293-"..., "/var/spool/cups/d00018-002"...], [/* 24 vars */] <unfinished ...>
Under what circumstances would it call the filter via stdin?
More details:
Filename pattern: $TMPDIR/pdfin.$$.tmp
Privileges: "lp" user
This vulnerability appears when more than one filter is triggered in CUPS (i.e. you print an XML file and have an XML->PDF and a PDF->PS converter), because if you only convert PDF to PS, cups will hand over the PDF file in "/var/spool" via filename and pdftops will not use its stdin code.
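Added example, not part of the bug report and not the upstream 1.20 change: a Perl sketch of spooling stdin to a temporary file without the predictable pdfin.$$.tmp name, plus a check that an exclusive create refuses a name that already exists as a symlink. The helper names create_exclusive and spool_input and the sample data are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: spooling filter input to a temp file with no guessable name.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;
use File::Temp qw(tempfile tempdir);

# The reported pattern, "$TMPDIR/pdfin.$$.tmp", can be guessed from the PID.
# A plain open(">") on it follows a symlink another local user created first.
# O_EXCL makes the create fail if the name exists (hypothetical helper).
sub create_exclusive {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or return;    # undef: name already taken (file or symlink)
    return $fh;
}

# Hardened form (hypothetical helper): File::Temp picks a random name,
# creates it exclusively with mode 0600 and unlinks it at program exit.
sub spool_input {
    my ($in, $dir) = @_;
    my ($fh, $name) = tempfile('pdfin.XXXXXXXX',
        DIR => $dir, SUFFIX => '.tmp', UNLINK => 1);
    binmode($_) for ($in, $fh);
    local $/ = \65536;    # read fixed-size 64 KiB records
    while (my $chunk = <$in>) {
        print {$fh} $chunk or die "write $name: $!";
    }
    close($fh) or die "close $name: $!";
    return $name;
}

# Self-check inside a private scratch directory (constructed data).
my $dir = tempdir(CLEANUP => 1);
my $predictable = File::Spec->catfile($dir, "pdfin.$$.tmp");
symlink(File::Spec->catfile($dir, 'victim'), $predictable)
    or die "symlink: $!";
print "exclusive create on pre-existing symlink: ",
    (defined create_exclusive($predictable) ? "succeeded" : "refused"), "\n";

# Stand-in for the PDF arriving on stdin from a previous filter.
open(my $in, '<', \"%PDF-1.4 constructed sample\n") or die "open: $!";
my $spooled = spool_input($in, $dir);
printf "spooled %d bytes to %s\n", -s $spooled, $spooled;
```

In a real filter the directory argument would be the spool or temporary directory CUPS provides to the filter, and the filehandle would be STDIN.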
printing, please bump with the new version.
Created attachment 137890: pdftops-1.10-1.20.patch
patch from 1.10 to 1.20
This will be GLSA'd with bug 201570.
GLSA 200712-14, thanks everyone.