enscript security update
Security Advisory: Low
An updated enscript package that fixes several security issues is now
available.
GNU enscript converts ASCII files to PostScript.
Enscript has the ability to interpret special escape sequences. A flaw was
found in the handling of the epsf command used to insert inline EPS files
into a document. An attacker could create a carefully crafted ASCII file
which made use of the epsf pipe command in such a way that it could execute
arbitrary commands if the file was opened with enscript by a victim. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2004-1184 to this issue.
Additional flaws in Enscript were also discovered which can only be
triggered by executing enscript with carefully crafted command line
arguments. These flaws therefore only have a security impact if enscript
is executed by other programs and passed untrusted data from remote users.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CAN-2004-1185 and CAN-2004-1186 to these issues.
All users of enscript should upgrade to these updated packages, which
resolve these issues.
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
(none)