Bugzilla – Bug 64680
VUL-0: CVE-2004-1186: Multiple problems in enscript
Last modified: 2021-10-27 15:40:25 UTC
We received the following report via vendor-sec. This issue is not public yet, please keep any information about it inside SUSE.

Date: Fri, 7 Jan 2005 18:47:15 +0100
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-118{4,5,6}: Multiple problems in enscript

Erik Sjölund has discovered several security relevant problems in enscript, a program that converts ASCII text to PostScript and other formats. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CAN-2004-1184
  Unsanitised input can cause the execution of arbitrary commands via EPSF pipe support. This has been disabled, also upstream.

CAN-2004-1185
  Due to missing sanitising of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed.

CAN-2004-1186
  Multiple buffer overflows can cause the program to crash.

I'm attaching the patches for discussion and updates. I propose a coordinated disclosure in connection with a new upstream version or fix to correct all three problems at the same time. I'm already in touch with the upstream author.

I propose an embargo of two weeks:
Disclosure date: January 20th, 2005

Please let me know if this is not ok for you.

Regards,
Joey
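The filename problem described for CAN-2004-1185 above, as an added example that is neither enscript's code nor any of the attached patches: a hypothetical filter-command builder in the vulnerable shape (filename spliced into a shell command line) beside a hardened form that hands the name to the program as an argv element via execvp, so no shell ever parses it, plus a conservative allow-list check for names that must still reach a shell. The filter command `gzip -dc`, the helper names, and the hostile name `report.txt; id` are assumptions chosen for illustration.

```c
/* Added example, not enscript's own code: the command-injection pattern
 * behind CAN-2004-1185 next to a form that never hands the filename to sh. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (illustration only): the filename is pasted into a
 * shell command line, so "report.txt; id" makes the shell run `id` as well.
 * The string is built here but deliberately never passed to popen(). */
void vulnerable_filter_command(const char *filename, char *cmd, size_t cmdlen)
{
    snprintf(cmd, cmdlen, "gzip -dc %s", filename);   /* hypothetical filter */
}

/* Helper so the injected command line can be inspected without a buffer
 * in the caller: returns 1 if the built command equals expected. */
int vulnerable_command_matches(const char *filename, const char *expected)
{
    char cmd[256];
    vulnerable_filter_command(filename, cmd, sizeof cmd);
    return strcmp(cmd, expected) == 0;
}

/* Conservative allow-list: only characters with no meaning to sh, and no
 * leading '-' so the name cannot be parsed as an option. 1 = safe, 0 = not. */
int filename_is_shell_safe(const char *name)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-/";
    if (name == NULL || *name == '\0' || *name == '-')
        return 0;
    return name[strspn(name, allowed)] == '\0';
}

/* Hardened form: execute argv[0] directly (PATH lookup, no /bin/sh) and
 * capture its stdout into out. Returns bytes captured, or -1 on error. */
ssize_t run_argv_capture(char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);
    size_t total = 0;
    ssize_t n;
    while (total < outlen - 1 &&
           (n = read(fds[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)n;
    close(fds[0]);
    out[total] = '\0';
    int status;
    waitpid(pid, &status, 0);
    return (ssize_t)total;
}

/* Demonstration: a constructed hostile name survives literally because it is
 * one argv element, not shell input. Returns 1 if echo printed it unchanged. */
int hostile_name_stays_literal(void)
{
    char *argv[] = { "echo", "report.txt; id", NULL };   /* constructed input */
    char out[256];
    if (run_argv_capture(argv, out, sizeof out) < 0)
        return 0;
    return strcmp(out, "report.txt; id\n") == 0;
}

int main(void)
{
    char cmd[256];
    vulnerable_filter_command("report.txt; id", cmd, sizeof cmd);
    printf("shell would see: %s\n", cmd);
    printf("safe(report.txt)=%d safe(report.txt; id)=%d\n",
           filename_is_shell_safe("report.txt"),
           filename_is_shell_safe("report.txt; id"));
    printf("argv form keeps the name literal: %d\n", hostile_name_stays_literal());
    return 0;
}
```

The allow-list is a fallback for code paths that genuinely must go through a shell; the preferable fix, and the one the argv helper shows, is to avoid the shell entirely so that quoting rules never enter into it.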
Created attachment 27495 [details] patch.CAN-2004-1184
Created attachment 27496 [details] patch.CAN-2004-1185
Created attachment 27497 [details] patch.CAN-2004-1186
done for STABLE
Submitted for 8.1, 8.2, 9.0, 9.1, 9.2. Also provided a patchinfo for SuSE LINUX and SLES.
Reopened by lnussel@suse.de at Tue Feb 1 16:32:16 2005
reopen for reassign
master swampid: 285
From: Heiko Rommel <rommel@suse.de>
To: qa@suse.de
Cc: security-team@suse.de
Subject: [security-team] FAILED: enscript, patch-9848, c6bd23b042714be008e6e22058ae03e2

enscript
*********

SUMMARY: FAILED

comment:
The update breaks the kprinter filter option (see at the bottom of this page for examples). The fixes to "Bugzilla Bug 64680 - VUL-0: Multiple problems in enscript" have not been tested (upstream, no exploits available).

test1: PDB component test
-------------------------
kprinter /usr/share/rug/rcmain.py (use /usr/lib/mailman/Mailman/Utils.py on SLES8)
select Printer "Print to File (PostScript)" then Properties -> Filters
Add an "Enscript Text Filter" and set
  Number of columns: 2
  Landscape mode: Yes
  Syntax highlighting: Enabled
  Use colors: Yes
(in short: a useful output format if you ever wanted to print source code)

unfixed:
--------
3 sheets (5 pages) of colored PostScript are produced (GOOD)
filesize: 482527

fixed:
------
1 sheet (1 page) of colored PostScript is produced (BAD)
filesize: 453231
What do you want -- security or kprinter?
Reopened by lnussel@suse.de at Mon Feb 7 16:46:35 2005
It's not that easy. People ask questions if stuff doesn't work anymore after a security update and blame us for that. So we need to determine whether it's a bug in the security patch for enscript, a bug in kprinter or neither in which case we need to mention the change in an advisory.
Give me a patch or leave. You have to change attachment (id=19496) in such a way that it is secure and does not disable the option. Don't know how you want to do this with such a pipe.
patch.CAN-2004-1186 is broken :(
new packages and patchinfos submitted
fixed packages approved
CVE-2004-1186: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)