Bug#742902: marked as done (a2ps: CVE-2014-0466: does not invoke gs with -dSAFER)

Debian Bug Tracking System Tue, 01 Apr 2014 14:22:15 -0700

Your message dated Tue, 01 Apr 2014 21:17:59 +0000
with message-id <e1wv64f-0003fp...@franck.debian.org>
and subject line Bug#742902: fixed in a2ps 1:4.14-1.1+deb6u1
has caused the Debian Bug report #742902,
regarding a2ps: CVE-2014-0466: does not invoke gs with -dSAFER
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
742902: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742902
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: a2ps
Version: 1:4.14-1.2
Severity: grave
Tags: security

fixps does not invoke gs with -dSAFER.  As a consequence, a malicious
PostScript file could delete files with the privileges of the invoking
user.

I have provided a test script that can be invoked as such:

  ./test-wrapper-fixps fixps

This was reported to the Debian Security Team, who assigned this
CVE-2014-0466.  It was also reported to upstream, who has not provided
an update or issued a fixed version.  This is being reported publicly as
over 45 days has elapsed and neither upstream nor the security team has
requested a delay or issued an advisory.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-rc7-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages a2ps depends on:
ii  file       1:5.17-1
ii  libc6      2.18-4
ii  libpaper1  1.1.24+nmu2
ii  psutils    1.17.dfsg-1

Versions of packages a2ps recommends:
ii  bzip2           1.0.6-5
ii  cups-bsd [lpr]  1.7.1-10
ii  wdiff           1.2.1-2

Versions of packages a2ps suggests:
pn  emacsen-common                       <none>
ii  ghostscript                          9.05~dfsg-8+b1
ii  groff                                1.22.2-5
pn  gv                                   <none>
pn  html2ps                              <none>
ii  imagemagick                          8:6.7.7.10+dfsg-1
pn  t1-cyrillic                          <none>
ii  texlive-binaries [texlive-base-bin]  2013.20130729.30972-2+b2

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

#!/bin/sh
# test-wrapper: test if a program is running gs without -dSAFER
#
# Usage: test-wrapper program --option --option2

TEMPDIR=`mktemp -d`

[ -n "$TEMPDIR" ] || exit 1

touch "$TEMPDIR/remove-me"
groff -Tps <<EOM | sed -e '/%%Pages/d' >"$TEMPDIR/exploit.ps"
Text
\X'ps: exec ($TEMPDIR/remove-me) deletefile'
More text.
EOM

"$@" "$TEMPDIR/exploit.ps" >/dev/null

if [ -e "$TEMPDIR/remove-me" ]
then
        printf "Program is not vulnerable.\n"
else
        printf "Program is VULNERABLE!\n"
fi
rm -r -- "$TEMPDIR"

signature.asc
Description: Digital signature

--- End Message ---

--- Begin Message ---

Source: a2ps
Source-Version: 1:4.14-1.1+deb6u1

We believe that the bug you reported is fixed in the latest version of
a2ps, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated a2ps package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 30 Mar 2014 18:14:06 +0200
Source: a2ps
Binary: a2ps
Architecture: source amd64
Version: 1:4.14-1.1+deb6u1
Distribution: squeeze-security
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <mha...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description: 
 a2ps       - GNU a2ps - 'Anything to PostScript' converter and pretty-printer
Closes: 737385 742902
Changes: 
 a2ps (1:4.14-1.1+deb6u1) squeeze-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add 09_CVE-2001-1593.dpatch patch.
     CVE-2011-1593: Fix insecure use of /tmp
     Thanks to Jakub Wilk <jw...@debian.org> (Closes: #737385)
   * Add 10_CVE-2014-0466.dpatch patch.
     CVE-2014-0466: fixps does not invoke gs with -dSAFER. A malicious
     PostScript file could delete files with the privileges of the invoking
     user.
     Thanks to brian m. carlson <sand...@crustytoothpaste.net> (Closes: #742902)
Checksums-Sha1: 
 3a1f0f57f47b67682d403a3014381d78edfc4eb9 1807 a2ps_4.14-1.1+deb6u1.dsc
 0db14668fe17c04672a7df818106d8faa3dbdcbc 30454 a2ps_4.14-1.1+deb6u1.diff.gz
 b860924feffd922c9751930f0321d03784765c0f 955130 a2ps_4.14-1.1+deb6u1_amd64.deb
Checksums-Sha256: 
 7e72e708e7b688d63d5c0b99b93793ad5f10f0ea30fbacd906fb187b09867dbd 1807 
a2ps_4.14-1.1+deb6u1.dsc
 9030794fbf3e926ad523929af3a5d13bd71c3aeea1f83c5760d2782130adb1d1 30454 
a2ps_4.14-1.1+deb6u1.diff.gz
 1f080767d758d6693034e8c8a0f0dd4ac12e357ff0281a64707e34aff07e544b 955130 
a2ps_4.14-1.1+deb6u1_amd64.deb
Files: 
 8600d0862387e87074cc8f2738c3a6fe 1807 text optional a2ps_4.14-1.1+deb6u1.dsc
 5a06d4d72c9a82b52f51396c4a258fef 30454 text optional 
a2ps_4.14-1.1+deb6u1.diff.gz
 aaae4242cdd5ae3d5c2904efc210e0d3 955130 text optional 
a2ps_4.14-1.1+deb6u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJTOEV9AAoJEAVMuPMTQ89E4xcQAIWnQUskiILVtE5jIRloyq1e
Ng9FouyBs/0ur075b7k34eQuDtrFFE8XtOTKlPboOZdrk3Sq8Bm/Q6V4vbKmFqfj
NReU2uoQxkITO3ZYlrJXHLNx0LRsMwBU+ryDhLmH9U8Raxnlmjks36068CzLYfAg
V1ZrTXxrhfYKpxmva2DmXp3euN3pkaBYSyuXRzzIhwAUmL2HnhDFOAck0VEk3vkB
siZJdye970MPS44jfAt/2P3pnpHJoDYRvU5uLZo0BZIKWV4mOsJ3WGT6acifAZ72
O+sBrqJjIqnLsukPSCQOV484hZCwO3wvbs9qdj5LxF2bhxlLehhphDY6ltOJav/g
3CpPU1ngl6qzccT84V7a1iIEjdqRIE6uF7OmUbixgF6xjIu2yka7bb37PlAVdmk+
gJewZzp3fzRElinUZW01N7W7HUPCewO+59HkxjJz7+99hCTdLgySZYUzGY918lRT
/gkccLp1Z+LwtY6Zpo5vc192NtcGZ3L7foYRJky2kHq6It3KEJpLbrFP3N/sADR8
+rWeyoOHQpOecKaPfo+PgtmqP1++qdpE7SQcB3JskpWN117viZzaBLhtmDWC5tB6
i+bIXYNpm4ucSNggmGJ6h7rZFXgEKGVl8Es2L5RaQNPuyL24ekbLY7/jBk0lbWf9
kWjEN4k3Gs9nTh/79MO3
=EewD
-----END PGP SIGNATURE-----

--- End Message ---

Bug#742902: marked as done (a2ps: CVE-2014-0466: does not invoke gs with -dSAFER)

Reply via email to