Your message dated Thu, 20 Nov 2008 23:32:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#506261: fixed in enscript 1.6.4-13
has caused the Debian Bug report #506261,
regarding enscript: Buffer overflows
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
506261: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506261
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: enscript
Version: 1.6.4-12
Severity: grave
Tags: security
Justification: user security hole
Hi,
buffer overflows have been discovered in enscript:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306
I'm attaching a patch by Werner Fink of SuSE covering these
issues.
Cheers,
Moritz
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages enscript depends on:
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libpaper1 1.1.23+nmu1 library for handling paper charact
enscript recommends no packages.
Versions of packages enscript suggests:
ii ghostscript [postscript- 8.62.dfsg.1-3.1 The GPL Ghostscript PostScript/PDF
ii lpr 1:2008.05.17 BSD lpr/lpd line printer spooling
-- no debconf information
--- src/psgen.c
+++ src/psgen.c 2008-10-29 10:43:08.512598143 +0100
@@ -24,6 +24,7 @@
* Boston, MA 02111-1307, USA.
*/
+#include <limits.h>
#include "gsint.h"
/*
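Review bot: PATH_MAX is not guaranteed to be defined by the newly included <limits.h>; POSIX allows a system with no fixed path limit to omit it, and then every PATH_MAX array declared in this patch fails to compile. Add a fallback right after the include, for example `#ifndef PATH_MAX` / `#define PATH_MAX 4096` / `#endif`, or size these buffers with a constant that psgen.c defines itself.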
@@ -124,7 +125,7 @@ struct gs_token_st
double xscale;
double yscale;
int llx, lly, urx, ury; /* Bounding box. */
- char filename[512];
+ char filename[PATH_MAX];
char *skipbuf;
unsigned int skipbuf_len;
unsigned int skipbuf_pos;
@@ -135,11 +136,11 @@ struct gs_token_st
Color bgcolor;
struct
{
- char name[512];
+ char name[PATH_MAX];
FontPoint size;
InputEncoding encoding;
} font;
- char filename[512];
+ char filename[PATH_MAX];
} u;
};
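Review bot: `char name[PATH_MAX];` in the font member sizes a font name by the filesystem path limit, which is unrelated to how long a font spec can be, and a larger array does not by itself bound any write into it. Give the font name its own named length constant and add a comment stating how it relates to the size of the buffer the escape argument is read into, so the copy sites can be checked against the declarations.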
@@ -248,7 +249,7 @@ static int do_print = 1;
static int user_fontp = 0;
/* The user [EMAIL PROTECTED] font. */
-static char user_font_name[256];
+static char user_font_name[PATH_MAX];
static FontPoint user_font_pt;
static InputEncoding user_font_encoding;
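Review bot: `user_font_name` was 256 bytes while the `u.font.name` field it receives was 512, and after this change the two sizes agree only because both declarations happen to say PATH_MAX. Declare one named constant for the font name length and use it in both places, or add a compile-time check that `sizeof(user_font_name)` is at least the size of the `font.name` field, so a later edit to one declaration cannot reintroduce the mismatch.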
@@ -978,7 +979,8 @@ large for page\n"),
FATAL ((stderr,
_("user font encoding can be only the system's default or `ps'")));
- strcpy (user_font_name, token.u.font.name);
+ memset (user_font_name, 0, sizeof(user_font_name));
+ strncpy (user_font_name, token.u.font.name, sizeof(user_font_name) - 1);
user_font_pt.w = token.u.font.size.w;
user_font_pt.h = token.u.font.size.h;
user_font_encoding = token.u.font.encoding;
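Review bot: the `memset` ahead of the `strncpy` into `user_font_name` clears the whole PATH_MAX buffer on every font change, although `strncpy` already pads the destination with NUL bytes up to the count it is given; only the final byte is left untouched by the copy. Drop the memset and set the terminator explicitly after the copy with `user_font_name[sizeof(user_font_name) - 1] = '\0';`, which also makes the intent readable at the call site.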
@@ -1444,7 +1446,7 @@ read_special_escape (InputStream *is, To
buf[i] = ch;
if (i + 1 >= sizeof (buf))
FATAL ((stderr, _("too long argument for %s escape:\n%.*s"),
- escapes[i].name, i, buf));
+ escapes[e].name, i, buf));
}
buf[i] = '\0';
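Review bot: the corrected FATAL call still passes `i` as the `%.*s` precision, so the message prints one character fewer than has been stored, because `buf[i] = ch;` has already written index `i` before the check. Pass `i + 1` if the message is meant to show the whole over-long argument. The index change itself is right: `i` counts bytes in `buf`, while `e` is the index used for `escapes[e].escape` in the switch that follows.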
@@ -1452,7 +1454,8 @@ read_special_escape (InputStream *is, To
switch (escapes[e].escape)
{
case ESC_FONT:
- strcpy (token->u.font.name, buf);
+ memset (token->u.font.name, 0, sizeof(token->u.font.name));
+ strncpy (token->u.font.name, buf, sizeof(token->u.font.name) - 1);
/* Check for the default font. */
if (strcmp (token->u.font.name, "default") == 0)
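Review bot: in the ESC_FONT case an argument longer than `token->u.font.name` is now cut off silently, and the truncated string then reaches the `strcmp (token->u.font.name, "default")` check and the font parsing after it as if it were what the input contained. Compare `strlen (buf)` with `sizeof(token->u.font.name)` before copying and fail through FATAL, the same way the "too long argument" check earlier in this function does, so truncation cannot select a different font than the one requested.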
@@ -1465,7 +1468,8 @@ read_special_escape (InputStream *is, To
FATAL ((stderr, _("malformed font spec for [EMAIL PROTECTED] escape: %s"),
token->u.font.name));
- strcpy (token->u.font.name, cp);
+ memset (token->u.font.name, 0, sizeof(token->u.font.name));
+ strncpy (token->u.font.name, cp, sizeof(token->u.font.name) - 1);
xfree (cp);
}
token->type = tFONT;
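Review bot: the memset/strncpy pair before `xfree (cp);` repeats by hand the same two-line idiom already written out for `user_font_name` and in the ESC_FONT case, each time with the destination named three times. Move it into one small helper that takes the destination, its size and the source, so each call site passes a single `sizeof` and the terminator handling lives in one place.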
@@ -1544,7 +1548,8 @@ read_special_escape (InputStream *is, To
break;
case ESC_SETFILENAME:
- strcpy (token->u.filename, buf);
+ memset (token->u.filename, 0, sizeof(token->u.font.name));
+ strncpy (token->u.filename, buf, sizeof(token->u.filename) - 1);
token->type = tSETFILENAME;
break;
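Review bot: the memset in the ESC_SETFILENAME case takes its length from the wrong member: `memset (token->u.filename, 0, sizeof(token->u.font.name));` clears `u.filename` using the size of `u.font.name`. Both arrays are declared with PATH_MAX in this patch, so nothing is overrun as written, but the call turns into an out-of-bounds write as soon as the two sizes diverge. Use `sizeof(token->u.filename)`, matching the strncpy on the next line.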
--- End Message ---
--- Begin Message ---
Source: enscript
Source-Version: 1.6.4-13
We believe that the bug you reported is fixed in the latest version of
enscript, which is due to be installed in the Debian FTP archive:
enscript_1.6.4-13.diff.gz
to pool/main/e/enscript/enscript_1.6.4-13.diff.gz
enscript_1.6.4-13.dsc
to pool/main/e/enscript/enscript_1.6.4-13.dsc
enscript_1.6.4-13_amd64.deb
to pool/main/e/enscript/enscript_1.6.4-13_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tim Retout <[EMAIL PROTECTED]> (supplier of updated enscript package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 19 Nov 2008 22:45:35 +0000
Source: enscript
Binary: enscript
Architecture: source amd64
Version: 1.6.4-13
Distribution: unstable
Urgency: high
Maintainer: Tim Retout <[EMAIL PROTECTED]>
Changed-By: Tim Retout <[EMAIL PROTECTED]>
Description:
enscript - Converts ASCII text to Postscript, HTML, RTF or Pretty-Print
Closes: 506261
Changes:
enscript (1.6.4-13) unstable; urgency=high
.
* debian/patches/506261-buffer-overflows: New patch by Werner Fink to fix
buffer overflows: CVE-2008-3863, CVE-2008-4306. (Closes: #506261)
* Urgency set to "high" for RC security bugfix.
--- End Message ---