Debian Bug report logs -
#742902
a2ps: CVE-2014-0466: does not invoke gs with -dSAFER
Reported by: "brian m. carlson" <sandals@crustytoothpaste.net>
Date: Fri, 28 Mar 2014 20:06:02 UTC
Severity: grave
Tags: patch, security
Found in versions a2ps/1:4.14-1.2, a2ps/1:4.14-1
Fixed in versions a2ps/1:4.14-1.3, a2ps/1:4.14-1.1+deb7u1, a2ps/1:4.14-1.1+deb6u1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#742902; Package a2ps.
(Fri, 28 Mar 2014 20:06:06 GMT) (full text, mbox, link).
Acknowledgement sent
to "brian m. carlson" <sandals@crustytoothpaste.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>.
(Fri, 28 Mar 2014 20:06:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: a2ps
Version: 1:4.14-1.2
Severity: grave
Tags: security
fixps does not invoke gs with -dSAFER. As a consequence, a malicious
PostScript file could delete files with the privileges of the invoking
user.
I have provided a test script that can be invoked as such:
./test-wrapper-fixps fixps
This was reported to the Debian Security Team, who assigned this
CVE-2014-0466. It was also reported to upstream, who has not provided
an update or issued a fixed version. This is being reported publicly as
over 45 days has elapsed and neither upstream nor the security team has
requested a delay or issued an advisory.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-rc7-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages a2ps depends on:
ii file 1:5.17-1
ii libc6 2.18-4
ii libpaper1 1.1.24+nmu2
ii psutils 1.17.dfsg-1
Versions of packages a2ps recommends:
ii bzip2 1.0.6-5
ii cups-bsd [lpr] 1.7.1-10
ii wdiff 1.2.1-2
Versions of packages a2ps suggests:
pn emacsen-common <none>
ii ghostscript 9.05~dfsg-8+b1
ii groff 1.22.2-5
pn gv <none>
pn html2ps <none>
ii imagemagick 8:6.7.7.10+dfsg-1
pn t1-cyrillic <none>
ii texlive-binaries [texlive-base-bin] 2013.20130729.30972-2+b2
-- no debconf information
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
[test-wrapper-fixps (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Marked as found in versions a2ps/1:4.14-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 28 Mar 2014 21:00:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#742902; Package a2ps.
(Sun, 30 Mar 2014 10:12:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.
(Sun, 30 Mar 2014 10:12:04 GMT) (full text, mbox, link).
Message #12 received at 742902@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 742902 + patch
tags 742902 + pending
thanks
Dear maintainer,
I've prepared an NMU for a2ps (versioned as 1:4.14-1.3) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
[a2ps-4.14-1.3-nmu.diff (text/x-diff, attachment)]
Added tag(s) patch.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 30 Mar 2014 10:12:16 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 30 Mar 2014 10:12:17 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Tue, 01 Apr 2014 10:24:08 GMT) (full text, mbox, link).
Notification sent
to "brian m. carlson" <sandals@crustytoothpaste.net>:
Bug acknowledged by developer.
(Tue, 01 Apr 2014 10:24:08 GMT) (full text, mbox, link).
Message #21 received at 742902-close@bugs.debian.org (full text, mbox, reply):
Source: a2ps
Source-Version: 1:4.14-1.3
We believe that the bug you reported is fixed in the latest version of
a2ps, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 742902@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated a2ps package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 30 Mar 2014 09:09:07 +0200
Source: a2ps
Binary: a2ps
Architecture: source amd64
Version: 1:4.14-1.3
Distribution: unstable
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
a2ps - GNU a2ps - 'Anything to PostScript' converter and pretty-printer
Closes: 742902
Changes:
a2ps (1:4.14-1.3) unstable; urgency=high
.
* Non-maintainer upload.
* Add CVE-2014-0466.diff patch.
CVE-2014-0466: fixps does not invoke gs with -dSAFER. A malicious
PostScript file could delete files with the privileges of the invoking
user.
Thanks to brian m. carlson <sandals@crustytoothpaste.net> (Closes: #742902)
Checksums-Sha1:
fa09dd2c0745f0a0871fc5d22615dded65676a5f 1836 a2ps_4.14-1.3.dsc
16d6b0abe0f00f0d68687216149b8bfb98dde08c 26544 a2ps_4.14-1.3.debian.tar.xz
5de4d649ff4b5a4658b935a61a81a73c0a45816b 631830 a2ps_4.14-1.3_amd64.deb
Checksums-Sha256:
c3648ba4a10c22beb5d8fe5b00ae3facea8a6bc43274d51c80c5cba9d9d9144e 1836 a2ps_4.14-1.3.dsc
abacda0083d79bd45d051d14a187d3af72ccc880ebe59b45a6dd51bbcb975f06 26544 a2ps_4.14-1.3.debian.tar.xz
e515392bebd3ccb8c6874128171a279b0f108f521ff1cf38352b98cb0819c320 631830 a2ps_4.14-1.3_amd64.deb
Files:
9c14d317505015b3128cc093b8e2c4a8 1836 text optional a2ps_4.14-1.3.dsc
cfd63b437bd3df22489dbe62dd4fa0f5 26544 text optional a2ps_4.14-1.3.debian.tar.xz
5951cb6c5aa9b01a0badd1fa473ed545 631830 text optional a2ps_4.14-1.3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJTN8SvAAoJEAVMuPMTQ89EFysP/idnNyP/7JqITcyMHIMXhARE
nJ81tz4mQNYlfQ2OR6oVGbGv2MQegw6HwqQHQfbZpzmJjRt9ObzSEzjQyF5GJCVJ
wJVfHjlm9qNfcbZ24HeQ1bcFZGqXc27dSaHB9EmlKpcLqR3uACIRLufE+Yi7EEjk
GvaYfP78Lx/QK78d4qIeAveaubbAM6B7aCoOzlSDBXFI6LYa2IQs7wZUfAUhocbq
0SKFbcnVd+wauSA9lKPp4MWOAm044h4Cwk2Qm2tv99285UsDYt5DVylXO+wmajwj
P7sHwT5cZlj07Q0rIthy7zgGlFd3IZCLlTxhqNBLmWy+xigUi62x+CWDnsUsAiOT
+KIefXUDdGDaGzWPUFvAydGmdMGhqxZshIKavavHnjQtV+J2e6pyCWiAeIqbEiGz
BBocJOvU+kk+uS/cTnxnv+sXRWWcAAmUB+sL67HkdVu9pPY7s+xdS2j16VIPQCAC
o0qwQPH/bSHjLOmtS+Oft9LsFfjHp66PSTi087PP225qqVexEt6dWXsdVQzZgvpK
jmVJvrACRCgS2Qcj6c6afTjrU4guksjSitXmblpRLePDra2koHhnOP76GdLQet2t
tE0dMVmAc0UgRRiQ24zCgZXzYCayWC/SrdPWGGrV2UJaKaMcW0HMRQxBIg1o3914
dR8eHmyq+mAWYGx8jL53
=UEBE
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Tue, 01 Apr 2014 21:21:35 GMT) (full text, mbox, link).
Notification sent
to "brian m. carlson" <sandals@crustytoothpaste.net>:
Bug acknowledged by developer.
(Tue, 01 Apr 2014 21:21:35 GMT) (full text, mbox, link).
Message #26 received at 742902-close@bugs.debian.org (full text, mbox, reply):
Source: a2ps
Source-Version: 1:4.14-1.1+deb7u1
We believe that the bug you reported is fixed in the latest version of
a2ps, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 742902@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated a2ps package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 30 Mar 2014 12:43:56 +0200
Source: a2ps
Binary: a2ps
Architecture: source amd64
Version: 1:4.14-1.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
a2ps - GNU a2ps - 'Anything to PostScript' converter and pretty-printer
Closes: 737385 742902
Changes:
a2ps (1:4.14-1.1+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add 09_CVE-2001-1593.dpatch patch.
CVE-2011-1593: Fix insecure use of /tmp
Thanks to Jakub Wilk <jwilk@debian.org> (Closes: #737385)
* Add 10_CVE-2014-0466.dpatch patch.
CVE-2014-0466: fixps does not invoke gs with -dSAFER. A malicious
PostScript file could delete files with the privileges of the invoking
user.
Thanks to brian m. carlson <sandals@crustytoothpaste.net> (Closes: #742902)
Checksums-Sha1:
51a294add4a723aff8d3dd7fb0526cd707995ff1 1846 a2ps_4.14-1.1+deb7u1.dsc
365abbbe4b7128bf70dad16d06e23c5701874852 2552507 a2ps_4.14.orig.tar.gz
7c84421d97e746c242358b0410a5d44912fff690 30059 a2ps_4.14-1.1+deb7u1.diff.gz
54ec39ed0ea16591d16b0ec4a82b13654b1c75fd 956298 a2ps_4.14-1.1+deb7u1_amd64.deb
Checksums-Sha256:
d9c245a2c56378f75842842e1e53c00a5d53ebcd5dad0bb0b15ce3055ad5b3a6 1846 a2ps_4.14-1.1+deb7u1.dsc
f3ae8d3d4564a41b6e2a21f237d2f2b104f48108591e8b83497500182a3ab3a4 2552507 a2ps_4.14.orig.tar.gz
d3e42c0a9abd326d86881be9e4693cf970cfd59a808838a79ba2105a792e8363 30059 a2ps_4.14-1.1+deb7u1.diff.gz
e47d7fe9adb7aa62421108debf425830f4e2385e98151c5cb359d3eb8688eea8 956298 a2ps_4.14-1.1+deb7u1_amd64.deb
Files:
a7aa5a7ad06420950b945a0bca42a8bd 1846 text optional a2ps_4.14-1.1+deb7u1.dsc
781ac3d9b213fa3e1ed0d79f986dc8c7 2552507 text optional a2ps_4.14.orig.tar.gz
fc4b04279150786111ecd7c159f52af5 30059 text optional a2ps_4.14-1.1+deb7u1.diff.gz
b557a599dafd687611119264203ef2aa 956298 text optional a2ps_4.14-1.1+deb7u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJTOEHNAAoJEAVMuPMTQ89EQ1oP/A6lL3Qo3RQ/On+EZBf+Mr/J
zKVK1+5kODEi1buYttVE10iBZgPnx3JZmfnSJYphLwsSb0nzys31Vp0IpaNQcLuy
7JxQaISNk4rc7KbhjC2j2ClrFJ1UltxipyRVYkApnP7UaNrIQb3TXqRVfWkYxCMB
N/CFVhmEZzFeVlnscaEbu2aRAiW93ipD7giH2PTkBjKVFziGMIQOSVVnRUmmPLlw
U3p1hhp350CpRQdKnmqThnhckqG/IayGbRr0yOTeg9v1/7ZIi5Nn3gqKlQ5GmTcp
OcM3hH/0g8LUxiGiwzsrPrIsAULWJHHO4vQ3TFGNyYRsdpRNU6D+X7Acw1mqNUi7
hyQ9X/JQTO+G3+BAhZKR02ll4GJIBNobeWiCu5wBUWiukQGEnMPV24UyRlteCU+2
X934YWFo3Tia3sKJq323VU1E5DAZJMm5jsn1UMuOfpWew1ptOc1ri5L7YCOMBmzw
wN2QmkvGScj/x/E0zNCpSmPv3uVa9MUPa9RfplnPJmVcLtTZjv8kqXL+VF6PGZCO
B6OB21wNGsQhmmHfp6Mlaq5EiKXkPKR7zLik1uvm1mpIMycfDTUTVJct9Er2NswA
QRiLGufqHtXrRL+qrJ+CDkGrvUJVBSRa5YNXg8a2fveq7nCtoRAJotB1em2WsYjg
xyF0gv1N6dw6gbCySXon
=abrz
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Tue, 01 Apr 2014 21:21:39 GMT) (full text, mbox, link).
Notification sent
to "brian m. carlson" <sandals@crustytoothpaste.net>:
Bug acknowledged by developer.
(Tue, 01 Apr 2014 21:21:39 GMT) (full text, mbox, link).
Message #31 received at 742902-close@bugs.debian.org (full text, mbox, reply):
Source: a2ps
Source-Version: 1:4.14-1.1+deb6u1
We believe that the bug you reported is fixed in the latest version of
a2ps, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 742902@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated a2ps package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 30 Mar 2014 18:14:06 +0200
Source: a2ps
Binary: a2ps
Architecture: source amd64
Version: 1:4.14-1.1+deb6u1
Distribution: squeeze-security
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
a2ps - GNU a2ps - 'Anything to PostScript' converter and pretty-printer
Closes: 737385 742902
Changes:
a2ps (1:4.14-1.1+deb6u1) squeeze-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add 09_CVE-2001-1593.dpatch patch.
CVE-2011-1593: Fix insecure use of /tmp
Thanks to Jakub Wilk <jwilk@debian.org> (Closes: #737385)
* Add 10_CVE-2014-0466.dpatch patch.
CVE-2014-0466: fixps does not invoke gs with -dSAFER. A malicious
PostScript file could delete files with the privileges of the invoking
user.
Thanks to brian m. carlson <sandals@crustytoothpaste.net> (Closes: #742902)
Checksums-Sha1:
3a1f0f57f47b67682d403a3014381d78edfc4eb9 1807 a2ps_4.14-1.1+deb6u1.dsc
0db14668fe17c04672a7df818106d8faa3dbdcbc 30454 a2ps_4.14-1.1+deb6u1.diff.gz
b860924feffd922c9751930f0321d03784765c0f 955130 a2ps_4.14-1.1+deb6u1_amd64.deb
Checksums-Sha256:
7e72e708e7b688d63d5c0b99b93793ad5f10f0ea30fbacd906fb187b09867dbd 1807 a2ps_4.14-1.1+deb6u1.dsc
9030794fbf3e926ad523929af3a5d13bd71c3aeea1f83c5760d2782130adb1d1 30454 a2ps_4.14-1.1+deb6u1.diff.gz
1f080767d758d6693034e8c8a0f0dd4ac12e357ff0281a64707e34aff07e544b 955130 a2ps_4.14-1.1+deb6u1_amd64.deb
Files:
8600d0862387e87074cc8f2738c3a6fe 1807 text optional a2ps_4.14-1.1+deb6u1.dsc
5a06d4d72c9a82b52f51396c4a258fef 30454 text optional a2ps_4.14-1.1+deb6u1.diff.gz
aaae4242cdd5ae3d5c2904efc210e0d3 955130 text optional a2ps_4.14-1.1+deb6u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJTOEV9AAoJEAVMuPMTQ89E4xcQAIWnQUskiILVtE5jIRloyq1e
Ng9FouyBs/0ur075b7k34eQuDtrFFE8XtOTKlPboOZdrk3Sq8Bm/Q6V4vbKmFqfj
NReU2uoQxkITO3ZYlrJXHLNx0LRsMwBU+ryDhLmH9U8Raxnlmjks36068CzLYfAg
V1ZrTXxrhfYKpxmva2DmXp3euN3pkaBYSyuXRzzIhwAUmL2HnhDFOAck0VEk3vkB
siZJdye970MPS44jfAt/2P3pnpHJoDYRvU5uLZo0BZIKWV4mOsJ3WGT6acifAZ72
O+sBrqJjIqnLsukPSCQOV484hZCwO3wvbs9qdj5LxF2bhxlLehhphDY6ltOJav/g
3CpPU1ngl6qzccT84V7a1iIEjdqRIE6uF7OmUbixgF6xjIu2yka7bb37PlAVdmk+
gJewZzp3fzRElinUZW01N7W7HUPCewO+59HkxjJz7+99hCTdLgySZYUzGY918lRT
/gkccLp1Z+LwtY6Zpo5vc192NtcGZ3L7foYRJky2kHq6It3KEJpLbrFP3N/sADR8
+rWeyoOHQpOecKaPfo+PgtmqP1++qdpE7SQcB3JskpWN117viZzaBLhtmDWC5tB6
i+bIXYNpm4ucSNggmGJ6h7rZFXgEKGVl8Es2L5RaQNPuyL24ekbLY7/jBk0lbWf9
kWjEN4k3Gs9nTh/79MO3
=EewD
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 02 May 2014 07:25:13 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:46:54 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon