Bug 77408 - app-text/enscript CAN-2004-118{4,5,6}: Multiple issues
Summary: app-text/enscript CAN-2004-118{4,5,6}: Multiple issues
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa] koon
Depends on:
Reported: 2005-01-10 13:09 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-02-02 05:09 UTC (History)

See Also:
Package list:
Runtime testing required: ---

CAN-2004-1184.patch (CAN-2004-1184.patch,4.53 KB, patch)
2005-01-10 13:15 UTC, Sune Kloppenborg Jeppesen
CAN-2004-1185.patch (CAN-2004-1185.patch,1.46 KB, patch)
2005-01-10 13:16 UTC, Sune Kloppenborg Jeppesen
CAN-2004-1186.patch (CAN-2004-1186.patch,1.74 KB, patch)
2005-01-10 13:17 UTC, Sune Kloppenborg Jeppesen
enscript-1.6.3-security.patch (enscript-1.6.3-security.patch,5.90 KB, patch)
2005-01-15 12:56 UTC, Thierry Carrez (RETIRED)
enscript-1.6.3-r2.ebuild (enscript-1.6.3-r2.ebuild,925 bytes, text/plain)
2005-01-15 13:27 UTC, solar (RETIRED)

Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-10 13:09:58 UTC
Erik Sjölund has discovered several security relevant problems in
enscript, a program to convert ASCII text to PostScript and other
formats.  The Common Vulnerabilities and Exposures project identifies
the following vulnerabilities:

    Unsanitised input can cause the execution of arbitrary commands
    via EPSF pipe support.  This has been disabled, also upstream.

    Due to missing sanitising of filenames it is possible that a
    specially crafted filename can cause arbitrary commands to be

    Multiple buffer overflows can cause the program to crash.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-10 13:15:57 UTC
Created attachment 48126
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-10 13:16:40 UTC
Created attachment 48127
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-10 13:17:11 UTC
Created attachment 48128
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-01-15 12:56:41 UTC
Created attachment 48574

Compound patch without Debian-specific things in.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-01-15 12:59:30 UTC
This has no maintainers.
I cleaned the patch and checked it, looks ok. We should apply it and attach the ebuild here so that we can call arch testing on it. Solar, would you do this?
Comment 7 solar (RETIRED) gentoo-dev 2005-01-15 13:24:11 UTC
Comment on attachment 48574

rename patch
Comment 8 solar (RETIRED) gentoo-dev 2005-01-15 13:27:38 UTC
Created attachment 48577

requested ebuild. compile testing on x86
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-21 06:17:23 UTC
Solar please commit, open bug and call arches.
Comment 10 solar (RETIRED) gentoo-dev 2005-01-21 06:33:11 UTC
enscript-1.6.3-r2.ebuild (attachment #8574 and attachment #48577) added to the tree.

KEYWORDS="~x86 ~ppc ~sparc ~amd64 ~alpha ~mips ~ppc64"

Arch maintainers please test and mark stable (gpg sign your Manifests please)

q/a: this package lacks a proper metadata.xml 
Note: mips never had any version marked as stable.
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-21 09:05:28 UTC
Back to ebuild status, patch needs to be redone. Sorry for the trouble.

Note to solar:

>        /* Read more data. */
> -      is->data_in_buf = fread (is->buf, 1, sizeof (is->buf), is->fp);
> +      memset (is->buf, 0, sizeof (is->buf));
> +      is->data_in_buf = fread (is->buf, 1, sizeof (is->buf)-1, is->fp);
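Review bot: reading sizeof (is->buf)-1 bytes here changes what a short read means, so the EOF test earlier in is_getc, which compares is->data_in_buf against sizeof (is->buf), is now true after every full read and reports EOF once the first buffer is drained; either that comparison has to become sizeof (is->buf)-1 as well, or this hunk has to be dropped. The memset of the whole buffer before every refill is also more than a terminator needs: writing a single NUL at is->buf[is->data_in_buf] after the fread gives the same guarantee with less work.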
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-22 06:52:38 UTC
Koon please check the patch and call arches. 1.6.3-r2 has the fix already.
Comment 13 solar (RETIRED) gentoo-dev 2005-01-22 08:09:27 UTC
The comments on the upstream thread are unclear to me. The very end of
the existing patch contains those lines already.

Looking at deb
in src/util.c the deb patches don't even seem to touch the function int is_getc (InputStream *is)
deb's patch has other bug fixes and enhancements, but it also includes
<paper.h> in main.c and thus fails to compile when I swap it out for our
existing patch.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-01-23 11:09:23 UTC
Martin Schulze seems to think we require this additional patch:

--- enscript-1.6.3/src/util.c.old       2005-01-23 20:06:54.046729208 +0100
+++ enscript-1.6.3/src/util.c   2005-01-23 20:07:34.396193016 +0100
@@ -1998,7 +1998,7 @@
   if (is->bufpos >= is->data_in_buf)
       /* At the EOF? */
-      if (is->nreads > 0 && is->data_in_buf < sizeof (is->buf))
+      if (is->nreads > 0 && is->data_in_buf < (sizeof (is->buf)-1))
        /* Yes. */
        return EOF;
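Review bot: this comparison is only correct together with the hunk that shrinks the fread to sizeof (is->buf)-1 bytes; the two must go in as a pair, since on its own it leaves a 7-byte short read undetected until the following fread returns nothing. To keep the two sites from drifting apart again, give the read length a name (e.g. a BUF_READ_LEN macro, not something enscript has today) and use it in both the fread call and this test instead of repeating sizeof (is->buf)-1.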

The idea is that we must use "sizeof (is->buf)" at both locations or "sizeof (is->buf)-1" at both locations.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-01-25 05:05:18 UTC
OK, here is the story:

Debian committed the same patch we have first, but it broke things. You can see the original patch at

They identified the problem as coming from this part of the patch :

@@ -1996,7 +2003,8 @@
      return EOF;
       /* Read more data. */
-      is->data_in_buf = fread (is->buf, 1, sizeof (is->buf), is->fp);
+      memset (is->buf, 0, sizeof (is->buf));
+      is->data_in_buf = fread (is->buf, 1, sizeof (is->buf)-1, is->fp);
       is->bufpos = 0;
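Review bot: before dropping this hunk (solution 1), check whether anything reads is->buf as a NUL-terminated string: the memset plus the one-byte-shorter fread only serve to guarantee a terminator, and if some caller relies on that, removing the hunk reopens whatever the terminator was added to fix, in which case the EOF comparison a few lines above should be changed to match (solution 2) rather than the hunk removed.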

The problem is that the use of sizeof must be consistent with the logic a few lines above. So two solutions:

Solution (1): Drop this part of our patch
This is the solution Debian chose, and that's why it doesn't show up in their patch. "diff enscript_1.6.3-1.2.diff enscript_1.6.3-1.3.diff" proves this.

Solution (2): Change the logic a few lines above
This is the solution we could use, by applying the extra patch at comment #13.

I am not sure what is best, but leaving it the way it is is clearly broken.
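The inconsistency described in this comment, as an added example that is not part of the bug, of Debian's patch or of enscript's code: a constructed model of the refill path of is_getc() with an 8-byte buffer and an in-memory stand-in for fread, run in the three states the thread discusses (original, the half-applied patch shipped in -r2, and the consistently patched version). The names InputStream, is_getc, data_in_buf, bufpos and nreads are taken from the quoted hunks; BUFSZ, MemFile, mem_read, count_chars, the variant enum and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for enscript's InputStream (src/util.c): an 8-byte
   buffer instead of the real one, so the premature-EOF bug shows up with a
   20-byte input. Field names mirror the hunks quoted in the bug. */
#define BUFSZ 8

/* In-memory "file" standing in for is->fp (assumption for the example). */
typedef struct {
    const unsigned char *data;
    size_t len, pos;
} MemFile;

/* Mimics fread(buf, 1, n, fp): copies up to n bytes, returns how many. */
static size_t mem_read(unsigned char *buf, size_t n, MemFile *f)
{
    size_t left = f->len - f->pos;
    if (n > left)
        n = left;
    memcpy(buf, f->data + f->pos, n);
    f->pos += n;
    return n;
}

typedef struct {
    MemFile *fp;
    unsigned char buf[BUFSZ];
    size_t data_in_buf, bufpos, nreads;
} InputStream;

/* The three states of the refill logic discussed in the bug. */
enum variant {
    ORIGINAL,      /* fread sizeof(buf);   EOF if data_in_buf < sizeof(buf)   */
    HALF_PATCHED,  /* fread sizeof(buf)-1; EOF test unchanged (the -r2 state) */
    FIXED          /* fread sizeof(buf)-1; EOF if data_in_buf < sizeof(buf)-1 */
};

/* Shape of the refill path in is_getc(): once the buffer is drained, a
   previous short read means EOF; otherwise read the next chunk. */
static int is_getc(InputStream *is, enum variant v)
{
    size_t read_len   = (v == ORIGINAL) ? sizeof is->buf : sizeof is->buf - 1;
    size_t short_read = (v == FIXED) ? sizeof is->buf - 1 : sizeof is->buf;

    if (is->bufpos >= is->data_in_buf) {
        /* At the EOF? */
        if (is->nreads > 0 && is->data_in_buf < short_read)
            return EOF;
        /* Read more data. */
        if (v != ORIGINAL)
            memset(is->buf, 0, sizeof is->buf);   /* the patch's NUL padding */
        is->data_in_buf = mem_read(is->buf, read_len, is->fp);
        is->bufpos = 0;
        is->nreads++;
        if (is->data_in_buf == 0)
            return EOF;
    }
    return is->buf[is->bufpos++];
}

/* Drain a stream and return how many bytes the caller actually saw. */
static size_t count_chars(const unsigned char *data, size_t len, enum variant v)
{
    MemFile f = { data, len, 0 };
    InputStream is = { &f, { 0 }, 0, 0, 0 };
    size_t n = 0;
    while (is_getc(&is, v) != EOF)
        n++;
    return n;
}

/* Constructed sample input: 20 bytes, i.e. two full 8-byte buffers plus 4. */
static const unsigned char sample_input[] = "0123456789abcdefghij";
#define SAMPLE_LEN (sizeof sample_input - 1)

int main(void)
{
    size_t len = SAMPLE_LEN;
    printf("original:     %zu of %zu bytes\n", count_chars(sample_input, len, ORIGINAL), len);
    printf("half-patched: %zu of %zu bytes\n", count_chars(sample_input, len, HALF_PATCHED), len);
    printf("fixed:        %zu of %zu bytes\n", count_chars(sample_input, len, FIXED), len);
    return 0;
}
```

With the 20-byte sample, the original and the consistently patched version both deliver all 20 bytes; the half-patched -r2 logic stops after the first 7, because a 7-byte read is exactly what the unchanged comparison treats as a short read. An input whose length is an exact multiple of the read length still ends cleanly in the fixed variant, since the next read returns 0 bytes.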
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-27 04:18:48 UTC
Solar please advise.
Comment 17 solar (RETIRED) gentoo-dev 2005-01-27 07:54:54 UTC
I'm opting for solution #1
testing now then will commit as -r3 while planning to remove -r2
Comment 18 solar (RETIRED) gentoo-dev 2005-01-27 07:59:24 UTC
Updated in CVS

KEYWORDS="~x86 ~ppc ~sparc ~amd64 ~alpha ~mips ~ppc64"
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 08:17:52 UTC
Arches, please test and mark enscript-1.6.3-r3 stable
Comment 20 Markus Rothe (RETIRED) gentoo-dev 2005-01-27 10:58:30 UTC
stable on ppc64
Comment 21 Jason Wever (RETIRED) gentoo-dev 2005-01-27 18:08:04 UTC
Comment 22 Danny van Dyk (RETIRED) gentoo-dev 2005-01-28 13:12:10 UTC
stable on amd64.
Comment 23 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-01-28 13:42:02 UTC
Stable on ppc.
Comment 24 Bryan Østergaard (RETIRED) gentoo-dev 2005-01-30 11:26:13 UTC
Stable on alpha.
Comment 25 Lance Albertson (RETIRED) gentoo-dev 2005-02-01 08:12:11 UTC
btw, installed the patched version on x86, seems to be working well. Feel free to bump. (Busy at work or I would)
Comment 26 solar (RETIRED) gentoo-dev 2005-02-01 08:58:23 UTC
stable on x86. Only ~mips remains before older ebuilds can be flushed
Comment 27 Thierry Carrez (RETIRED) gentoo-dev 2005-02-01 09:05:23 UTC
GLSA drafted
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2005-02-02 05:09:04 UTC
GLSA 200502-03