Bug 64680 - (CVE-2004-1186) VUL-0: CVE-2004-1186: Multiple problems in enscript
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: All
OS: Linux
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Ludwig Nussel
Reported: 2005-01-10 17:53 UTC by Ludwig Nussel
Modified: 2021-10-27 15:40 UTC (History)
Attachments
patch.CAN-2004-1184 (4.53 KB, patch) - 2005-01-10 17:55 UTC, Ludwig Nussel
patch.CAN-2004-1185 (1.46 KB, patch) - 2005-01-10 17:55 UTC, Ludwig Nussel
patch.CAN-2004-1186 (1.74 KB, patch) - 2005-01-10 17:55 UTC, Ludwig Nussel

Description Ludwig Nussel 2005-01-10 17:53:53 UTC
We received the following report via vendor-sec.
This issue is not public yet, please keep any information about it inside SUSE.

Date: Fri, 7 Jan 2005 18:47:15 +0100
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-118{4,5,6}: Multiple problems in enscript

Erik Sjölund has discovered several security relevant problems in
enscript, a program to convert ASCII text to PostScript and other
formats.  The Common Vulnerabilities and Exposures project identifies
the following vulnerabilities:

CAN-2004-1184

    Unsanitised input can cause the execution of arbitrary commands
    via EPSF pipe support.  This has been disabled, also upstream.

CAN-2004-1185

    Due to missing sanitising of filenames it is possible that a
    specially crafted filename can cause arbitrary commands to be
    executed.

CAN-2004-1186

    Multiple buffer overflows can cause the program to crash.

I'm attaching the patches for discussion and updates.

I propose a coordinated disclosure in connection with a new upstream
version or fix to correct all three problems at the same time.  I'm
already in touch with the upstream author. I propose an embargo of
two weeks:

Disclosure date: January 20th, 2005

Please let me know if this is not ok for you.

Regards,

	Joey
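The three issues in the report above share one root cause: a name taken from the document being printed ends up either in a shell command (the EPSF pipe and filename problems) or in an undersized buffer (the overflows). The following is an added illustration of how such a name can be validated before use; it is not enscript's code and not the attached patches. The limit EPSF_NAME_MAX, the function names and the allowed character set are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed upper bound for a copied EPSF file name (not an enscript constant). */
#define EPSF_NAME_MAX 255

/* Validate an EPSF include name from the input document.
 * Returns 1 and copies the name into out if it is a plain, relative,
 * shell-metacharacter-free path that fits the destination buffer;
 * returns 0 otherwise.  Refusing the name here means the caller can
 * open it with fopen() and never has to hand it to a shell. */
int epsf_name_ok(const char *name, char *out, size_t outsz)
{
    size_t n, i;

    if (name == NULL || out == NULL || outsz == 0)
        return 0;
    n = strlen(name);
    if (n == 0 || n > EPSF_NAME_MAX || n >= outsz)
        return 0;                 /* empty, or would overflow the destination */
    if (name[0] == '|' || name[0] == '/')
        return 0;                 /* pipe syntax and absolute paths refused */
    if (strstr(name, "..") != NULL)
        return 0;                 /* no directory traversal */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        /* conservative allowlist: alphanumerics, '.', '_', '-', '/' */
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;
    }
    memcpy(out, name, n + 1);     /* bounded copy including the terminator */
    return 1;
}

/* Open an EPSF file by validated name only; no popen(), no shell. */
FILE *epsf_open(const char *name)
{
    char safe[EPSF_NAME_MAX + 1];

    if (!epsf_name_ok(name, safe, sizeof safe))
        return NULL;
    return fopen(safe, "r");
}
```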
Comment 1 Ludwig Nussel 2005-01-10 17:55:08 UTC
Created attachment 27495 [details]
patch.CAN-2004-1184
Comment 2 Ludwig Nussel 2005-01-10 17:55:23 UTC
Created attachment 27496 [details]
patch.CAN-2004-1185
Comment 3 Ludwig Nussel 2005-01-10 17:55:44 UTC
Created attachment 27497 [details]
patch.CAN-2004-1186
Comment 4 Dr. Werner Fink 2005-02-01 20:51:43 UTC
done for STABLE
Comment 5 Dr. Werner Fink 2005-02-01 23:28:15 UTC
Submitted for 8.1, 8.2, 9.0, 9.1, 9.2
Also provided a patchinfo for SuSE LINUX and SLES
Comment 6 Ludwig Nussel 2005-02-01 23:32:16 UTC
Reopened by lnussel@suse.de at Tue Feb  1 16:32:16 2005
Comment 7 Ludwig Nussel 2005-02-01 23:32:16 UTC
reopen for reassign 
Comment 8 Marcus Meissner 2005-02-01 23:35:51 UTC
master swampid: 285 
Comment 9 Marcus Meissner 2005-02-07 23:07:18 UTC
From: Heiko Rommel <rommel@suse.de> 
To: qa@suse.de 
Cc: security-team@suse.de 
Subject: [security-team] FAILED: enscript, patch-9848, c6bd23b042714be008e6e22058ae03e2
 
enscript 
********* 
 
SUMMARY: FAILED 
 
comment: 
 
The update breaks the kprinter filter option (see at the bottom of this page
for examples).

The fixes to "Bugzilla Bug 64680 - VUL-0: Multiple problems in enscript" have
not been tested (upstream, no exploits available).
 
 
test1: PDB component test 
------------------------- 
 
kprinter /usr/share/rug/rcmain.py 
(use /usr/lib/mailman/Mailman/Utils.py on SLES8) 
 
select Printer "Print to File (PostScript)" 
then Properties -> Filters 
 
Add an "Enscript Text Filter" and set 
        Number of columns: 2 
        Landscape mode: Yes 
        Syntax highlighting: Enabled 
        Use colors: Yes 
 
(in short: a useful output format if you ever wanted to print source code) 
 
unfixed: 
-------- 
3 sheets (5 pages) of colored PostScript are produced (GOOD) 
filesize: 482527 
 
fixed: 
------ 
1 sheet (1 page) of colored PostScript is produced (BAD) 
filesize: 453231 
 
Comment 10 Dr. Werner Fink 2005-02-07 23:18:38 UTC
What do you want -- security or kprinter?
Comment 11 Ludwig Nussel 2005-02-07 23:46:35 UTC
Reopened by lnussel@suse.de at Mon Feb  7 16:46:35 2005
Comment 12 Ludwig Nussel 2005-02-07 23:46:35 UTC
It's not that easy. People ask questions if stuff doesn't work anymore after a 
security update and blame us for that. So we need to determine whether it's a 
bug in the security patch for enscript, a bug in kprinter or neither in which 
case we need to mention the change in an advisory. 
Comment 13 Dr. Werner Fink 2005-02-07 23:49:36 UTC
Give me a patch or leave.   You have to change

        attachment (id=19496)

in such a way that it is secure and does not disable the
option.  Don't know how you want to do this with such
a pipe.
Comment 14 Ludwig Nussel 2005-02-10 17:40:09 UTC
patch.CAN-2004-1186 is broken :( 
Comment 15 Ludwig Nussel 2005-02-10 17:57:38 UTC
new packages and patchinfos submitted 
Comment 16 Marcus Meissner 2005-02-15 00:23:53 UTC
fixed packages approved 
Comment 17 Thomas Biege 2009-10-13 20:10:19 UTC
CVE-2004-1186: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)