Bug 698290 - VUL-0: groff: insecure temporary file handling in pdfroff
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
Depends on: 668254 682913 683857
Reported: 2011-06-06 15:55 UTC by Thomas Biege
Modified: 2011-06-20 08:43 UTC
Found By: Development
Description Thomas Biege 2011-06-06 15:55:19 UTC
Hi.
There is a security bug in package 'groff'.

This bug is public.

There is no coordinated release date (CRD) set.

More information can be found here:
	https://bugzilla.redhat.com/show_bug.cgi?id=709413

CVE number: CVE-2009-5044
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5044
CVSS v2 Base Score: 1.9 (low) (AV:L/AC:M/Au:N/C:N/I:P/A:N)


Original posting:



https://bugzilla.redhat.com/show_bug.cgi?id=709413

CVE-2009-5044

Vincent Danen 2011-05-31 12:32:47 EDT

A Debian bug report [1] indicated that the pdfroff utility uses $$ (the current
process's PID) to create predictable temporary files.

pdfroff is not included in older versions of groff as provided with Red Hat
Enterprise Linux 6 or earlier (1.18.1), but is included in 1.20 and higher, so
Fedora 14 and higher are affected.

As well, older groff includes the groff-1.18.1.4-sectmp.patch patch which fixes
other temporary file issues, however Fedora 14 and higher do not include a
similar patch.  Recommend using the Openwall patch [2] in Fedora 14 and higher
to secure this flaw and other temporary file issues that had previously been
protected with the aforementioned patch.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538330
[2] http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2;content-type=text%2Fplain


Statement:

Not vulnerable. This issue did not affect the versions of groff as shipped with
Red Hat Enterprise Linux 4, 5, or 6.
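
The report above concerns temporary file names built from $$ in a shell script. As an added example (not part of the original report, and not code from pdfroff or the Openwall patch), the following shell functions flag $$ usage in a script and show the mktemp -d form beside it; the function names, the "demo" prefix and the sample script are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. audit_pid_tmp, make_workdir, write_sample and the "demo"
# prefix are hypothetical names; the sample script is constructed.

# Print "line-number:text" for every non-comment line that uses $$ (the
# shell's PID). Returns 0 if at least one such line was found, 1 otherwise.
audit_pid_tmp() {
    grep -n '\$\$' "$1" | grep -v '^[0-9]*:[[:space:]]*#'
}

# Hardened replacement: a private directory with an unpredictable name.
# mktemp -d creates it atomically (mode 0700 under a normal umask) and
# fails instead of reusing a path that already exists.
make_workdir() {
    mktemp -d "${1:-${TMPDIR:-/tmp}}/demo.XXXXXXXXXX"
}

# Constructed sample: the PID-based pattern next to the mktemp form.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# temp files named after $$ (comment, ignored by the audit)
TMP=${TMPDIR:-/tmp}/demo$$
echo data > "$TMP.out"
WORK=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXXXXXX") || exit 1
trap 'rm -rf "$WORK"' EXIT
echo data > "$WORK/out"
EOF
}

# Demo: audit the constructed sample inside a private work directory.
demo_dir=$(make_workdir) || exit 1
write_sample "$demo_dir/sample.sh"
audit_pid_tmp "$demo_dir/sample.sh"
rm -rf "$demo_dir"
```

The audit only reports where $$ appears; each hit still needs a manual look to see whether the value ends up in a file name under a shared directory.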
Comment 1 Michal Vyskocil 2011-06-08 09:50:59 UTC
We don't ship groff-1.20 on any SLES; the only product is openSUSE 11.4, where /usr/bin/pdfroff uses $$, so I'm going to fix it.

I would like to join this security update with a few others in Factory or M17N:
 * 683857 - use ASCII - for hyphenation
 * 668254 - let gxditview be installed with groff
 * 682913 - device X100 is missing
Comment 2 Swamp Workflow Management 2011-06-08 12:26:03 UTC
The SWAMPID for this issue is 41460.
This issue was rated as low.
Please submit fixed packages by 2011-07-06.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 Ludwig Nussel 2011-06-08 12:28:50 UTC
Sure, thanks. Please go ahead.
Comment 4 Michal Vyskocil 2011-06-09 09:47:18 UTC
Submitted fixed packages:

  11.4 - 73067
  factory - 73070
Comment 5 Swamp Workflow Management 2011-06-16 07:36:00 UTC
Update released for: groff, groff-debuginfo, groff-doc
Products:
openSUSE 11.4 (debug, i586, x86_64)
Comment 6 Ludwig Nussel 2011-06-20 08:43:10 UTC
Released