Bug 59220 (CVE-2004-1170)

Summary: VUL-0: CVE-2004-1170: a2ps: wrong file name handling
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Thomas Biege <thomas>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: lars.vogdt, patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-1170: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: patchinfo.a2ps
patchinfo-box.a2ps

Description Lars Vogdt 2004-08-25 21:52:08 UTC
This is a forwarded mail from feedback@suse.de (stts):

    Summary: (security) bug in a2ps file name handling
 Salutation: Mr.
   Language: english
       Name: Hansjoerg Lipp
       Mail: hjlipp@web.de
   Language: english
Packagename: a2ps
  Component: ConsoleApps
Productname: SUSE LINUX
Versionname: SUSE LINUX 9.0 professional
   Platform: i386
   Severity: Normal bug: Work is seriously hindered

Description hardware:



Description how to reproduce:

1. How to reproduce:

a2ps filename

with filename containing characters with a special meaning for the shell ($,`,...)

cd /tmp
echo '/* test */' > 'x`touch FOO.BAR`.c'
a2ps x*.c -o whatever
ls FOO.BAR
 
2. This is not working:

a2ps passes file names to the shell without escaping special characters. See also
 <news:slrncim2k0.dqc.divzero@message-id.durchnull.ath.cx> or
 <http://groups.google.com/groups?q=msgid%3Aslrncim2k0.dqc.divzero%40message-id.durchnull.ath.cx>

This is also a security problem. The patch from
 <http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain>
mentioned in that article does also work with the SuSE rpm. I'd have sent you a
working spec file, but the package maintainers are not interested in direct
feedback.




** This bugreport was generated by STTS-FB
** http://feedback.suse.de/cgi-bin/history.pl?&ticket=20040825990000034
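
The report above comes down to a file name reaching the shell unquoted. The following C code is an added example, not a2ps code and not the FreeBSD patch: it quotes a file name for POSIX sh before it is placed in a command string. `shell_quote`, `build_command` and the `file -L` command string are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote `name` for POSIX sh: wrap it in single quotes and turn each
 * embedded ' into '\'' . Nothing is expanded inside single quotes, so
 * backticks, $, ;, | and spaces stay literal. Caller frees; NULL on OOM. */
char *shell_quote(const char *name)
{
    size_t len = 2;                      /* the two enclosing quotes */
    for (const char *p = name; *p; p++)
        len += (*p == '\'') ? 4 : 1;
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    char *q = out;
    *q++ = '\'';
    for (const char *p = name; *p; p++) {
        if (*p == '\'')
            q = (char *)memcpy(q, "'\\''", 4) + 4;
        else
            *q++ = *p;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Build "<prog> <quoted name>"; `prog` is fixed text, `name` is untrusted. */
char *build_command(const char *prog, const char *name)
{
    char *quoted = shell_quote(name);
    if (quoted == NULL)
        return NULL;
    size_t n = strlen(prog) + 1 + strlen(quoted) + 1;
    char *cmd = malloc(n);
    if (cmd != NULL)
        snprintf(cmd, n, "%s %s", prog, quoted);
    free(quoted);
    return cmd;
}

int main(void)
{
    /* Constructed input: file name from the report; "file -L" is assumed. */
    char *cmd = build_command("file -L", "x`touch FOO.BAR`.c");
    if (cmd == NULL) return 1;
    puts(cmd);   /* file -L 'x`touch FOO.BAR`.c' */
    free(cmd);
    return 0;
}
```

Quoting only neutralises shell metacharacters: a name beginning with `-` can still be read as an option by the invoked program, so place it after `--` where the program supports that. Running the helper with `execvp()` and an argument vector removes the shell from the path altogether.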
Comment 1 Lars Vogdt 2004-08-25 21:52:08 UTC
...
Comment 2 Dr. Werner Fink 2004-08-25 23:36:02 UTC
I've added this patch, nevertheless DO NEVER USE SPACES in filenames.
For security reasons I'd like to know if we should release a2ps
for 8.1 up to 9.1:
Comment 3 Thomas Biege 2004-09-01 21:56:52 UTC
Yes, we should make a full update. I'll attach the patchinfo files ASAP. 
Thanks. 
Comment 4 Thomas Biege 2004-09-01 22:06:54 UTC
Created attachment 23088 [details]
patchinfo.a2ps
Comment 5 Thomas Biege 2004-09-01 22:07:12 UTC
Created attachment 23089 [details]
patchinfo-box.a2ps
Comment 6 Dr. Werner Fink 2004-09-02 00:24:31 UTC
All done.
Comment 7 Thomas Biege 2004-09-02 01:10:03 UTC
Reopened by thomas@suse.de at Wed Sep  1 19:10:03 2004, took initial reporter lrupp@suse.de to cc
Comment 8 Thomas Biege 2004-09-02 01:10:03 UTC
reopened for tracking by sec-team. 
 
thx! 
Comment 9 Thomas Biege 2004-09-13 22:57:13 UTC
packages approved 
Comment 10 Ludwig Nussel 2005-01-04 18:02:25 UTC
CAN-2004-1170 
Comment 11 Thomas Biege 2009-10-13 19:48:40 UTC
CVE-2004-1170: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)