Bug 251316 (CVE-2008-5377) - net-print/cups pstopdf symlink attack (CVE-2008-5377)
Summary: net-print/cups pstopdf symlink attack (CVE-2008-5377)
Status: RESOLVED INVALID
Alias: CVE-2008-5377
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://dev.gentoo.org/~rbu/security/d...
Whiteboard: B3 [ebuild]
Blocks: debian-tempfile
Reported: 2008-12-17 15:48 UTC by Robert Buchholz (RETIRED)
Modified: 2009-01-22 15:38 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 15:48:44 UTC
CVE-2008-5377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5377):
  pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files
  via a symlink attack on the /tmp/pstopdf.log temporary file, a
  different vulnerability than CVE-2001-1333.
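
The class of flaw described above (a fixed log name in world-writable /tmp) next to a hardened alternative, as an added example that is not part of the original report or of the pstopdf script. The function names `open_private_log` and `check_log_path` and the file name `filter.log` are assumptions.

```shell
#!/bin/sh
# Added example, not code from CUPS or the pstopdf filter.

# Weak pattern (constructed illustration, kept as a comment only):
#   exec 2>/tmp/pstopdf.log
# The name is predictable and /tmp is world-writable. The shell's ">"
# follows symlinks, so a pre-existing link at that name redirects the
# write to whatever file the link points at.

# Hardened: put the log in a private directory with an unpredictable
# name. mktemp -d creates the directory atomically with mode 0700, so
# no other local user can plant a link inside it.
open_private_log() {
    prefix=$1
    dir=$(mktemp -d "${TMPDIR:-/tmp}/${prefix}.XXXXXXXXXX") || return 1
    log="$dir/filter.log"            # file name is an assumption
    # set -C (noclobber) makes ">" fail if the name already exists.
    ( umask 077; set -C; : > "$log" ) || return 1
    printf '%s\n' "$log"
}

# Audit helper for scripts that still use a fixed path: prints a verdict
# and returns non-zero when the path must not be written to.
# This is a check-then-use test and therefore racy; it helps when
# reviewing a system, it does not replace open_private_log.
check_log_path() {
    path=$1
    if [ -L "$path" ]; then
        echo symlink
        return 1
    fi
    if [ -e "$path" ] && [ ! -f "$path" ]; then
        echo not-regular
        return 1
    fi
    echo ok
}
```

A filter script would call `log=$(open_private_log pstopdf) || exit 1` once and then append with `>>"$log"`.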
Comment 1 Timo Gurr (RETIRED) gentoo-dev 2009-01-21 23:30:57 UTC
"Affected script is not part of the upstream CUPS distribution" - We also do not ship it as an additional optional filter with CUPS, so our CUPS version(s) are not affected by this issue.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-01-22 15:38:31 UTC
Does not affect us, we only have a pdftops filter and that was fixed per bug 201042.