[Secure-testing-team] Bug#538330: groff: pdfroff uses (and documents!) insecure temporary files

brian m. carlson sandals at crustytoothpaste.ath.cx
Fri Jul 24 21:15:37 UTC 2009


Package: groff
Version: 1.20.1-4
Severity: grave
File: /usr/bin/pdfroff
Tags: security

According to pdfroff(1) (and my inspection of the source code), pdfroff
uses $$ (the current pid) to create temporary files.  This is extremely
easy to predict, and thus, insecure.

Please fix both the code and the documentation so that they securely
generate (or reference) temporary files.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/zsh4

Versions of packages groff depends on:
ii  groff-base                    1.20.1-4   GNU troff text-formatting system (
ii  libc6                         2.9-21     GNU C Library: Shared libraries
ii  libgcc1                       1:4.4.1-1  GCC support library
ii  libice6                       2:1.0.5-1  X11 Inter-Client Exchange library
ii  libsm6                        2:1.1.0-2  X11 Session Management library
ii  libstdc++6                    4.4.1-1    The GNU Standard C++ Library v3
ii  libx11-6                      2:1.2.2-1  X11 client-side library
ii  libxaw7                       2:1.0.5-2  X11 Athena Widget library
ii  libxmu6                       2:1.0.4-1  X11 miscellaneous utility library
ii  libxt6                        1:1.0.5-3  X11 toolkit intrinsics library

Versions of packages groff recommends:
ii  ghostscript                8.64~dfsg-13  The GPL Ghostscript PostScript/PDF
ii  imagemagick                7:6.5.1.0-1.1 image manipulation programs
ii  libpaper1                  1.1.23+nmu1   library for handling paper charact
ii  netpbm                     2:10.0-12     Graphics conversion tools
ii  psutils                    1.17-26       A collection of PostScript documen

groff suggests no packages.

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
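
An added example, not part of the original report and not groff's own code: POSIX shell functions contrasting the PID-based naming the report describes with exclusive creation of a private work directory. The `example-tmp` prefix and all function names are hypothetical.

```shell
#!/bin/sh
# Added illustration; example-tmp and the function names are hypothetical.

# Pattern the report describes: the name depends only on the PID, so any
# local user can compute it in advance and create that path first.
predictable_name() {
    printf '%s/example-tmp-%s\n' "${TMPDIR:-/tmp}" "$$"
}

# Hardened form: mktemp -d chooses an unpredictable name and creates the
# directory atomically with mode 0700, failing rather than reusing a path.
safe_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/example-tmp.XXXXXXXXXX"
}

# Where mktemp is unavailable: mkdir without -p fails if the path already
# exists (including as a symlink), so a pre-created name is refused instead
# of followed. A predictable name then only allows denial of service.
claim_dir() {
    (umask 077 && mkdir "$1") 2>/dev/null
}

# Check before use: a real directory, not a symlink, owned by the current
# user, with no group or other permission bits.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case $(ls -ld "$1") in
        drwx------*) return 0 ;;
    esac
    return 1
}
```

A caller would keep every intermediate file inside the directory returned by `safe_workdir` and remove it from an exit trap, for example `trap 'rm -rf "$work"' EXIT`.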