Bug 64680 (CVE-2004-1186)

Summary: VUL-0: CVE-2004-1186: Multiple problems in enscript
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Ludwig Nussel <lnussel>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: security-team, werner
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-1186: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2004-1184:4.6:(AV:L/AC:L/Au:N/C:P/I:P/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: patch.CAN-2004-1184
patch.CAN-2004-1185
patch.CAN-2004-1186

Description Ludwig Nussel 2005-01-10 17:53:53 UTC 
We received the following report via vendor-sec.
This issue is not public yet, please keep any information about it inside SUSE.

Date: Fri, 7 Jan 2005 18:47:15 +0100
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-118{4,5,6}: Multiple problems in enscript

Erik Sjölund has discovered several security relevant problems in
enscript, a program to converts ASCII text to Postscript and other
formats.  The Common Vulnerabilities and Exposures project identifies
the following vulnerabilities:

CAN-2004-1184

    Unsanitised input can caues the execution of arbitrary commands
    via EPSF pipe support.  This has been disabled, also upstream.

CAN-2004-1185

    Due to missing sanitising of filenames it is possible that a
    specially crafted filename can cause arbitrary commands to be
    executed.

CAN-2004-1186

    Multiple buffer overflows can cause the program to crash.

I'm attaching the patches for discussion and updates.

I propose a coordinated disclosure in connection with a new upstream
version or fix to correct all three problems at the same time.  I'm
already in touch with the upstream author. I propose an embargo of
two weeks:

Disclosure date: January 20th, 2005

Please let me know if this is not ok for you.

Regards,

	Joey
Comment 1 Ludwig Nussel 2005-01-10 17:55:08 UTC 
Created attachment 27495 [details]
patch.CAN-2004-1184
Comment 2 Ludwig Nussel 2005-01-10 17:55:23 UTC 
Created attachment 27496 [details]
patch.CAN-2004-1185
Comment 3 Ludwig Nussel 2005-01-10 17:55:44 UTC 
Created attachment 27497 [details]
patch.CAN-2004-1186
Comment 4 Dr. Werner Fink 2005-02-01 20:51:43 UTC 
done for STABLE
Comment 5 Dr. Werner Fink 2005-02-01 23:28:15 UTC 
Submitted for 8.1, 8.2, 9.0, 9.1, 9.2
Also provided a patchinfo for SuSE LIUNX and SLES
Comment 6 Ludwig Nussel 2005-02-01 23:32:16 UTC 
<!-- SBZ_reopen -->Reopened by lnussel@suse.de at Tue Feb  1 16:32:16 2005
Comment 7 Ludwig Nussel 2005-02-01 23:32:16 UTC 
reopen for reassign
Comment 8 Marcus Meissner 2005-02-01 23:35:51 UTC 
master swampid: 285
Comment 9 Marcus Meissner 2005-02-07 23:07:18 UTC 
From: Heiko Rommel <rommel@suse.de> 
To: qa@suse.de 
Cc: security-team@suse.de 
Subject: [security-team] FAILED: enscript, patch-9848, 
        c6bd23b042714be008e6e22058ae03e2 
 
enscript 
********* 
 
SUMMARY: FAILED 
 
comment: 
 
The update brakes the kprinter filter option (see at the bottom of this page 
for examples). 
 
The fixes to "Bugzilla Bug 64680 - VUL-0: Multiple problems in enscript" have 
not been tested (upstream, not exploits available). 
 
 
test1: PDB component test 
------------------------- 
 
kprinter /usr/share/rug/rcmain.py 
(use /usr/lib/mailman/Mailman/Utils.py on SLES8) 
 
select Printer "Print to File (PostScript)" 
then Properties -> Filters 
 
Add an "Enscript Text Filter" and set 
        Number of columns: 2 
        Landscape mode: Yes 
        Syntax highlighting: Enabled 
        Use colors: Yes 
 
(in short: a useful output format if you ever wanted to print source code) 
 
unfixed: 
-------- 
3 sheets (5 pages) of colored PostScript are produced (GOOD) 
filesize: 482527 
 
fixed: 
------ 
1 sheet (1 page) of colored PostScript is produced (BAD) 
filesize: 453231
Comment 10 Dr. Werner Fink 2005-02-07 23:18:38 UTC 
What do you want -- security or kprinter?
Comment 11 Ludwig Nussel 2005-02-07 23:46:35 UTC 
<!-- SBZ_reopen -->Reopened by lnussel@suse.de at Mon Feb  7 16:46:35 2005
Comment 12 Ludwig Nussel 2005-02-07 23:46:35 UTC 
It's not that easy. People ask questions if stuff doesn't work anymore after a 
security update and blame us for that. So we need to determine whether it's a 
bug in the security patch for enscript, a bug in kprinter or neither in which 
case we need to mention the change in an advisory.
Comment 13 Dr. Werner Fink 2005-02-07 23:49:36 UTC 
Give me a patch or leave.   You've to change

        attachment (id=19496)

in such a way that it is secure and does not disable the
option.  Don't know how you wnat todo this with such
a pipe.
Comment 14 Ludwig Nussel 2005-02-10 17:40:09 UTC 
patch.CAN-2004-1186 is broken :(
Comment 15 Ludwig Nussel 2005-02-10 17:57:38 UTC 
new packages and patchinfos submitted
Comment 16 Marcus Meissner 2005-02-15 00:23:53 UTC 
fixed packages approved
Comment 17 Thomas Biege 2009-10-13 20:10:19 UTC 
CVE-2004-1186: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)