From FD: Severity: Medium Short description: a2ps executes arbitrary shell commands from a given file name Affected: GNU a2ps 4.13, a nice syntax-highlighting formatter from source code to postscript Operating systems: all systems where a2ps 4.13 compiles and which have a bourne or C shell by default used by system(). On other systems the patch might not work while the problem is probably still there. Description: a2ps can execute shell commands from file names. Not really severe, unless you use a2ps with wildcards from a world-writable directory like /tmp. I've also seen someone using a2ps in a pure-ftpd upload script which is executed after successful upload of a file. Workaround: Do not use wildcards in a2ps command lines except if you do that in a directory only you can create files in and where you know the contents. This might also apply to other tools (I did not check them), so be careful. How to reproduce: $ touch 'x`echo >&2 42`.c' $ a2ps -o /dev/null *.c 42 [x`echo >&2 42`.c (C): 0 pages on 0 sheets] [Total: 0 pages on 0 sheets] saved into the file `/dev/null' $ a2ps -V GNU a2ps 4.13 Written by Akim Demaille, Miguel Santana. How I found it: $ touch 'LAN (div0)' $ a2ps -o /dev/null LAN* sh: -c: line 1: syntax error near unexpected token `(' sh: -c: line 1: `/usr/bin/file -L LAN (div0)' [LAN (div0) (plain): 0 pages on 0 sheets] [Total: 0 pages on 0 sheets] saved into the file `/dev/null' How I fixed it: http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain Patch status: Except for FreeBSD, no distribution seems to currently have the patch (I sent it in to the FreeBSD people, the Debian a2ps maintainer "mhatta at debian dot org" and "bug-a2ps at gnu dot org" at the same time using Cc:). [... (windows stuff)] ------- Tried it with a2ps-4.13c : $ touch 'x`uptime >&2`.c' $ a2ps -o /dev/null *.c 14:00:20 up 1 day, 4:14, 5 users, load average: 0.76, 0.95, 0.51 [x`uptime >&2`.c (C): 0 pages on 0 sheets] [Total: 0 pages on 0 sheets] saved into the file `/dev/null'
Please verify and bump. Freebsd patch here: http://www.freebsd.org/cgi/query-pr.cgi?pr=70618
Verified and applied. Thanks.
Thanks for the swift reaction usata. Arches please mark stable.
jaervosz: I just tested the patch on x86 and bumped them to stable on all existing arches since it is a security fix. Should I put it back to ~arch except x86? (I asked ruby to be marked stable because 1.8.2_pre2 is another release that needs some testing)
Sorry arches already marked stable -> GLSA status. Security please draft.
Now with Remove selected CCs selected. Sorry for the spam:-(
Closing without GLSA.
