Bug 59220 (CVE-2004-1170) - VUL-0: CVE-2004-1170: a2ps: wrong file name handling
Summary: VUL-0: CVE-2004-1170: a2ps: wrong file name handling
Status: RESOLVED FIXED
Alias: CVE-2004-1170
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: All Linux
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Thomas Biege
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2004-1170: CVSS v2 Base Score: 10...
Keywords:
Depends on:
Blocks:
 
Reported: 2004-08-25 21:52 UTC by Thomas Biege
Modified: 2021-10-02 09:54 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
patchinfo.a2ps (602 bytes, text/plain)
2004-09-01 22:06 UTC, Thomas Biege 		Details
patchinfo-box.a2ps (686 bytes, text/plain)
2004-09-01 22:07 UTC, Thomas Biege 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Vogdt 2004-08-25 21:52:08 UTC 
This is a forwarded mail from feedback@suse.de (stts):

    Summary: (security) bug in a2ps file name handling
 Salutation: Mr.
   Language: english
       Name: Hansjoerg Lipp
       Mail: hjlipp@web.de
   Language: english
Packagename: a2ps
  Component: ConsoleApps
Productname: SUSE LINUX
Versionname: SUSE LINUX 9.0 professional
   Platform: i386
   Severity: Normal bug: Work is seriously hindered

Description hardware:



Description how to reproduce:

1. How to reproduce:

a2ps filename

with filename containing characters with a special meaning for the shell ($,`,...)

cd /tmp
echo '/* test */' > 'x`touch FOO.BAR`.c'
a2ps x*.c -o whatever
ls FOO.BAR
 
2. This is not working:

a2ps passes file names to the shell without escaping special characters. See also
 <news:slrncim2k0.dqc.divzero@message-id.durchnull.ath.cx> or
 <http://groups.google.com/groups?q=msgid%3Aslrncim2k0.dqc.divzero%40message-id.durchnull.ath.cx>

This is also a security problem. The patch from
 <http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain>
mentioned in that article does also work with the SuSE rpm. I'd have sent you a
working spec file, but the package maintainers are not interested in direct
feedback.




** This bugreport was generated by STTS-FB
** http://feedback.suse.de/cgi-bin/history.pl?&ticket=20040825990000034
Comment 1 Lars Vogdt 2004-08-25 21:52:08 UTC 
<!-- SBZ_reproduce  -->
...
Comment 2 Dr. Werner Fink 2004-08-25 23:36:02 UTC 
I've add this patch, nevertheless DO NEVER USE SPACES in filenames.
For security reaseons I'd like to know if we should release a2ps
for 8.1 upto 9.1:
Comment 3 Thomas Biege 2004-09-01 21:56:52 UTC 
Yes, we should make a full update. I'll attach the patchinfo files ASAP. 
Thanks.
Comment 4 Thomas Biege 2004-09-01 22:06:54 UTC 
Created attachment 23088 [details]
patchinfo.a2ps
Comment 5 Thomas Biege 2004-09-01 22:07:12 UTC 
Created attachment 23089 [details]
patchinfo-box.a2ps
Comment 6 Dr. Werner Fink 2004-09-02 00:24:31 UTC 
All done.
Comment 7 Thomas Biege 2004-09-02 01:10:03 UTC 
<!-- SBZ_reopen -->Reopened by thomas@suse.de at Wed Sep  1 19:10:03 2004, took initial reporter lrupp@suse.de to cc
Comment 8 Thomas Biege 2004-09-02 01:10:03 UTC 
reopened for tracking by sec-team. 
 
thx!
Comment 9 Thomas Biege 2004-09-13 22:57:13 UTC 
packages approved
Comment 10 Ludwig Nussel 2005-01-04 18:02:25 UTC 
CAN-2004-1170
Comment 11 Thomas Biege 2009-10-13 19:48:40 UTC 
CVE-2004-1170: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)