Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 77408 - app-text/enscript CAN-2004-118{4,5,6}: Multiple issues
Summary: app-text/enscript CAN-2004-118{4,5,6}: Multiple issues
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa] koon
Keywords:
Depends on:
Blocks:
 
Reported: 2005-01-10 13:09 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-02-02 05:09 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
CAN-2004-1184.patch (CAN-2004-1184.patch,4.53 KB, patch)
2005-01-10 13:15 UTC, Sune Kloppenborg Jeppesen
no flags Details | Diff
CAN-2004-1185.patch (CAN-2004-1185.patch,1.46 KB, patch)
2005-01-10 13:16 UTC, Sune Kloppenborg Jeppesen
no flags Details | Diff
CAN-2004-1186.patch (CAN-2004-1186.patch,1.74 KB, patch)
2005-01-10 13:17 UTC, Sune Kloppenborg Jeppesen
no flags Details | Diff
enscript-1.6.3-security.patch (enscript-1.6.3-security.patch,5.90 KB, patch)
2005-01-15 12:56 UTC, Thierry Carrez (RETIRED)
no flags Details | Diff
enscript-1.6.3-r2.ebuild (enscript-1.6.3-r2.ebuild,925 bytes, text/plain)
2005-01-15 13:27 UTC, solar (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-01-10 13:09:58 UTC
Erik Sj
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-10 13:09:58 UTC
Erik Sjölund has discovered several security relevant problems in
enscript, a program to converts ASCII text to Postscript and other
formats.  The Common Vulnerabilities and Exposures project identifies
the following vulnerabilities:

CAN-2004-1184

    Unsanitised input can caues the execution of arbitrary commands
    via EPSF pipe support.  This has been disabled, also upstream.

CAN-2004-1185

    Due to missing sanitising of filenames it is possible that a
    specially crafted filename can cause arbitrary commands to be
    executed.

CAN-2004-1186

    Multiple buffer overflows can cause the program to crash.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-10 13:15:57 UTC
Created attachment 48126 [details, diff]
CAN-2004-1184.patch
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-10 13:16:40 UTC
Created attachment 48127 [details, diff]
CAN-2004-1185.patch
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-10 13:17:11 UTC
Created attachment 48128 [details, diff]
CAN-2004-1186.patch
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-01-15 12:56:41 UTC
Created attachment 48574 [details, diff]
enscript-1.6.3-security.patch

Compound patch without Debian-specific things in.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-01-15 12:59:30 UTC
This has no maintainers.
I cleaned the patch and checked it, looks ok. We should apply it and attach ebuild here so that we can call arch testing on it. Solar, would you do this ?
Comment 7 solar (RETIRED) gentoo-dev 2005-01-15 13:24:11 UTC
Comment on attachment 48574 [details, diff]
enscript-1.6.3-security.patch

rename patch
Comment 8 solar (RETIRED) gentoo-dev 2005-01-15 13:27:38 UTC
Created attachment 48577 [details]
enscript-1.6.3-r2.ebuild

requested ebuild. compile testing on x86
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-21 06:17:23 UTC
Solar please commit, open bug and call arches.
Comment 10 solar (RETIRED) gentoo-dev 2005-01-21 06:33:11 UTC
enscript-1.6.3-r2.ebuild (attachment #8574 [details] and attachment #48577 [details]) added to the tree.

KEYWORDS="~x86 ~ppc ~sparc ~amd64 ~alpha ~mips ~ppc64"

Arch maintainers please test and mark stable (gpg sign your Manifest's please)

q/a: this package lacks a proper metadata.xml 
Note: mips never had any version marked as stable.
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-21 09:05:28 UTC
Back to ebuild status, patch needs to be redone. Sorry for the trouble.

Note to solar:

>        /* Read more data. */
> -      is->data_in_buf = fread (is->buf, 1, sizeof (is->buf), is->fp);
> +      memset (is->buf, 0, sizeof (is->buf));
> +      is->data_in_buf = fread (is->buf, 1, sizeof (is->buf)-1, is->fp);
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-22 06:52:38 UTC
Koon please check the patch and call arches. 1.6.3-r2 has the fix already.
Comment 13 solar (RETIRED) gentoo-dev 2005-01-22 08:09:27 UTC
The comments on the upstream thread are unclear to me. The very end of
the existing patch contains those lines already.

Looking at deb http://www.debian.org/security/2005/dsa-654
in src/util.c the deb patches don't even seem to touch the function int is_getc (InputStream *is)
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3.diff.gz
debs patch other bug fixes and enhancements but it also includes
<paper.h> in main.c and thus fails to compile when I swap it out for our
existing patch.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-01-23 11:09:23 UTC
Martin Schulze seems to think we require this additional patch :

--- enscript-1.6.3/src/util.c.old       2005-01-23 20:06:54.046729208 +0100
+++ enscript-1.6.3/src/util.c   2005-01-23 20:07:34.396193016 +0100
@@ -1998,7 +1998,7 @@
   if (is->bufpos >= is->data_in_buf)
     {
       /* At the EOF? */
-      if (is->nreads > 0 && is->data_in_buf < sizeof (is->buf))
+      if (is->nreads > 0 && is->data_in_buf < (sizeof (is->buf)-1))
        /* Yes. */
        return EOF;

The idea is that we must use "sizeof (is->buf)" at both locations or "sizeof (is->buf)-1" at both locations.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-01-25 05:05:18 UTC
OK, here is the story :

Debian committed the same patch we have first, but it broke things. You can see the original patch at http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.2.diff.gz

They identified the problem as coming from this part of the patch :

@@ -1996,7 +2003,8 @@
      return EOF;
       /* Read more data. */
-      is->data_in_buf = fread (is->buf, 1, sizeof (is->buf), is->fp);
+      memset (is->buf, 0, sizeof (is->buf));
+      is->data_in_buf = fread (is->buf, 1, sizeof (is->buf)-1, is->fp);
       is->bufpos = 0;
       is->nreads++;

The problem is that the use of sizeof must to be consistent with the logic a few lines above. So two solutions :

Solution (1): Drop this part of our patch
This is the solution Debian chose, and that's why it doesn't show up in their patch. "diff enscript_1.6.3-1.2.diff enscript_1.6.3-1.3.diff" proves this.

Solution (2): Change the logic a few lines above
This is the solution we could use, by applying the extra patch at comment #13.

I am not sure what is best, but leaving it the way it is is clearly broken.
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-27 04:18:48 UTC
Solar please advise.
Comment 17 solar (RETIRED) gentoo-dev 2005-01-27 07:54:54 UTC
I'm opting for solution #1
testing now then will commit as -r3 while planning to remove -r2
Comment 18 solar (RETIRED) gentoo-dev 2005-01-27 07:59:24 UTC
Updated InCVS

enscript-1.6.3-r3.ebuild
KEYWORDS="~x86 ~ppc ~sparc ~amd64 ~alpha ~mips ~ppc64"
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 08:17:52 UTC
Arches, please test and mark enscript-1.6.3-r3 stable
Comment 20 Markus Rothe (RETIRED) gentoo-dev 2005-01-27 10:58:30 UTC
stable on ppc64
Comment 21 Jason Wever (RETIRED) gentoo-dev 2005-01-27 18:08:04 UTC
sparc'd
Comment 22 Danny van Dyk (RETIRED) gentoo-dev 2005-01-28 13:12:10 UTC
stable on amd64.
Comment 23 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-01-28 13:42:02 UTC
Stable on ppc.
Comment 24 Bryan Østergaard (RETIRED) gentoo-dev 2005-01-30 11:26:13 UTC
Stable on alpha.
Comment 25 Lance Albertson (RETIRED) gentoo-dev 2005-02-01 08:12:11 UTC
btw, installed the patched version on x86, seems to be working well. Feel free to bump. (Busy at work or I would)
Comment 26 solar (RETIRED) gentoo-dev 2005-02-01 08:58:23 UTC
stable on x86.. Only ~mips remains before older ebuilds can be flushed
Comment 27 Thierry Carrez (RETIRED) gentoo-dev 2005-02-01 09:05:23 UTC
GLSA drafted
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2005-02-02 05:09:04 UTC
GLSA 200502-03