Bug 75784 - app-text/a2ps: insecure tempfile vuln in fixps and psmandup
Summary: app-text/a2ps: insecure tempfile vuln in fixps and psmandup
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/13641/
Whiteboard: B3 [glsa]
Reported: 2004-12-27 05:28 UTC by Luke Macken (RETIRED)
Modified: 2005-01-04 13:40 UTC (History)
Attachments
fixps.diff (fixps.diff,549 bytes, patch)
2004-12-28 03:10 UTC, Thierry Carrez (RETIRED)
psmandup.diff (psmandup.diff,569 bytes, patch)
2004-12-28 03:11 UTC, Thierry Carrez (RETIRED)

Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-12-27 05:28:06 UTC
Description:
Javier Fernández-Sanguino Peña has reported two vulnerabilities in GNU a2ps, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

The vulnerabilities are caused due to the fixps.in and psmandup.in scripts creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running a vulnerable script.

The vulnerabilities have been reported in version 4.13b. Other versions may also be affected.

Solution:
Don't use the two vulnerable scripts.

Grant only trusted users access to affected systems.

Provided and/or discovered by:
Javier Fernández-Sanguino Peña
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-12-27 05:29:35 UTC
printing/cjk, please verify whether or not a2ps-4.13c-r1 is vulnerable to this.
Comment 3 Luke Macken (RETIRED) gentoo-dev 2004-12-27 05:36:25 UTC
I also sent an email upstream to verify this as well.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-12-28 02:44:25 UTC
Here is another one in a2ps:

--------------------------------------------------------------------------
Debian Security Advisory DSA 612-1
December 20th, 2004 

Package        : a2ps
Vulnerability  : unsanitised input
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-1170
BugTraq ID     : 11025
Debian Bug     : 283134

Rudolf Polzer discovered a vulnerability in a2ps, a converter and
pretty-printer for many formats to PostScript.  The program did not
escape shell meta characters properly which could lead to the
execution of arbitrary commands as a privileged user if a2ps is
installed as a printer filter.
--------------------------------------------------------------------------
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-12-28 02:58:23 UTC
Forget about that last comment... was taken care of in bug 61500
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-12-28 03:10:18 UTC
Created attachment 47020
fixps.diff

Patch from reporter on http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286385
Applies correctly and seems harmless, but please double-check it.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-12-28 03:11:01 UTC
Created attachment 47021
psmandup.diff

Patch from reporter on http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286387
Applies correctly and seems harmless, but please double-check it.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-12-28 03:13:18 UTC
I can confirm that tempfile handling in a2ps could be enhanced (currently relies on $$). Applying the two patches above should improve it.
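
The `$$`-based naming that Comment 8 mentions, next to a `mktemp -d` replacement, as an added example that is not part of this bug thread or of the attached patches. Function names, file names and the sandbox layout are constructed for illustration and are not taken from a2ps.

```shell
#!/bin/sh
# Added example: all names and paths below are hypothetical, not a2ps code.

# Weak pattern: the name depends only on the PID ($$), which another local
# user can predict, and ">" follows a symlink already present at that path.
write_tmp_weak() {
    # $1 = shared temp directory, $2 = data to write
    tmpfile="$1/demo.$$"
    printf '%s\n' "$2" > "$tmpfile"
    printf '%s\n' "$tmpfile"
}

# Hardened pattern: mktemp -d atomically creates a private directory
# (mode 0700) with an unpredictable name; scratch files live inside it,
# so nothing at a guessable path is ever opened.
write_tmp_safe() {
    tmpdir=$(mktemp -d "$1/demo.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmpdir/scratch"
    printf '%s\n' "$tmpdir/scratch"
}

# Regression check in a throwaway sandbox (constructed scenario): a link
# already sits at the predictable name and points at a file that must not
# change. Prints that file's contents after the writer ($1) has run.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp"
    protected="$sandbox/protected.txt"
    printf 'original\n' > "$protected"
    ln -s "$protected" "$sandbox/tmp/demo.$$"
    "$1" "$sandbox/tmp" "scratch data" > /dev/null
    cat "$protected"
    rm -rf "$sandbox"
}
```

`demo write_tmp_weak` shows the protected file overwritten through the link, while `demo write_tmp_safe` leaves it unchanged. A real script would also remove its temp directory on exit with a `trap`.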
Comment 9 Mamoru KOMACHI (RETIRED) gentoo-dev 2005-01-01 22:10:07 UTC
I don't have time to look into this until 17 January.
Could someone from printing herd check these patches
(seems straightforward, though) and apply, please?
Comment 10 Heinrich Wendel (RETIRED) gentoo-dev 2005-01-03 08:41:06 UTC
Verified and applied the patches. Stable on all arches since it's only bash.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-01-03 08:57:32 UTC
Thanks Heinrich.
security: Please vote on GLSA need
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-01-04 01:35:42 UTC
I vote yes. It's used on more systems than I originally thought.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-04 01:36:48 UTC
Seems like a2ps is somewhat popular so I tend to vote yes on this one.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-01-04 13:40:56 UTC
GLSA 200501-02