Bug 466771 (CVE-2008-3863)

Summary: CVE-2008-3863 enscript: "setfilename" special escape buffer overflow
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: atkac, jlieskov, kreilly
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-12-19 17:39:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 473089, 473090, 473091, 473093, 473094, 473095, 833895    
Bug Blocks:    
Attachments:
  Description: Proposed patch from Kees Cook (Ubuntu)    Flags: none

Description Tomas Hoger 2008-10-13 15:09:25 UTC
Ulf Harnhammar of Secunia Research discovered a buffer overflow in enscript:

The vulnerability is caused due to a boundary error within the
"read_special_escape()" function in src/psgen.c. This can be exploited
to cause a stack-based buffer overflow by tricking the user into
converting a malicious file.

Successful exploitation allows execution of arbitrary code, but requires
that special escapes processing is enabled with the "-e" option.

The vulnerability is confirmed in versions 1.6.1 and 1.6.4 (beta). Other
versions may also be affected.
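
The advisory above names the bug class (a special-escape argument copied into a fixed stack buffer without a length check) but no code. The following is an added illustration of that class and of the bounded replacement; it is not enscript's source, not Kees Cook's patch, and not the exact code path in read_special_escape(). The escape syntax "<escape-char>setfilename{NAME}" (enscript's escape character defaults to NUL, so the scanner takes an explicit escape character and length), the 64-byte buffer size, the function names and the constructed inputs are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARG_BUF 64   /* assumed fixed size of the on-stack argument buffer */

/* Outcome of parsing one escape argument. */
enum esc_result { ESC_OK = 0, ESC_NO_ESCAPE = 1, ESC_TOO_LONG = 2, ESC_UNTERMINATED = 3 };

/*
 * Vulnerable pattern (shown for contrast only, never executed here):
 *
 *   char buf[ARG_BUF];
 *   int i = 0;
 *   while (*p && *p != '}')
 *       buf[i++] = *p++;        -- i is never compared against sizeof buf
 *   buf[i] = '\0';
 *
 * An argument longer than ARG_BUF-1 bytes writes past buf into the rest of
 * the stack frame: the stack-based overflow class the advisory describes.
 * With enscript the attacker controls the input file, so the argument length
 * is entirely attacker-chosen once "-e" enables special escapes.
 */

/*
 * Hardened reader.  `in`/`len` point just past the escape character.  If the
 * text starts with "setfilename{", the argument up to '}' is copied into
 * `out` (capacity `cap`); anything that would not fit is rejected instead of
 * truncated silently.  On success *consumed (if non-NULL) receives the number
 * of input bytes spanned by the escape, closing brace included.
 */
enum esc_result read_setfilename_arg(const char *in, size_t len,
                                     char *out, size_t cap, size_t *consumed)
{
    static const char kw[] = "setfilename{";
    const size_t kwlen = sizeof kw - 1;
    size_t i, n = 0;

    if (cap > 0)
        out[0] = '\0';                      /* never hand back an unterminated buffer */
    if (len < kwlen || memcmp(in, kw, kwlen) != 0)
        return ESC_NO_ESCAPE;

    for (i = kwlen; i < len; i++) {
        if (in[i] == '}') {
            out[n] = '\0';
            if (consumed)
                *consumed = i + 1;
            return ESC_OK;
        }
        if (n + 1 >= cap) {                 /* the check the vulnerable loop lacks */
            out[0] = '\0';
            return ESC_TOO_LONG;
        }
        out[n++] = in[i];
    }
    out[0] = '\0';
    return ESC_UNTERMINATED;
}

/* Scan a raw line (explicit length, so a NUL escape character works) for the
 * first escape and parse it as a setfilename escape. */
enum esc_result scan_line_for_setfilename(const char *line, size_t len, char escape_char,
                                          char *out, size_t cap)
{
    size_t i;
    for (i = 0; i + 1 < len; i++)
        if (line[i] == escape_char)
            return read_setfilename_arg(line + i + 1, len - i - 1, out, cap, NULL);
    if (cap > 0)
        out[0] = '\0';
    return ESC_NO_ESCAPE;
}

/* Build a constructed escape "setfilename{" + arglen x 'A' + "}" into dst;
 * returns its length, or 0 if dst is too small. */
size_t make_setfilename_escape(char *dst, size_t dstcap, size_t arglen)
{
    static const char kw[] = "setfilename{";
    const size_t kwlen = sizeof kw - 1;
    if (dstcap < kwlen + arglen + 1)
        return 0;
    memcpy(dst, kw, kwlen);
    memset(dst + kwlen, 'A', arglen);
    dst[kwlen + arglen] = '}';
    return kwlen + arglen + 1;
}

int main(void)
{
    char out[ARG_BUF], esc[512];
    size_t n;

    /* Constructed benign escape: fits, is copied. */
    n = make_setfilename_escape(esc, sizeof esc, 10);
    printf("10-byte arg  -> result %d, out=\"%s\"\n",
           read_setfilename_arg(esc, n, out, sizeof out, NULL), out);

    /* Constructed malicious escape: would have overflowed a 64-byte buffer. */
    n = make_setfilename_escape(esc, sizeof esc, 300);
    printf("300-byte arg -> result %d (2 = ESC_TOO_LONG)\n",
           read_setfilename_arg(esc, n, out, sizeof out, NULL));
    return 0;
}
```

The boundary worth checking is the off-by-one at the terminator: the reader accepts at most ARG_BUF-1 argument bytes so that the NUL always fits, and it refuses rather than truncates, because a silently shortened file name would change behaviour without telling the user.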

Comment 3 Tomas Hoger 2008-10-22 16:31:35 UTC
Public now via:
  http://secunia.com/secunia_research/2008-41/

Comment 5 Tomas Hoger 2008-10-31 08:59:45 UTC
Created attachment 322029 [details]
Proposed patch from Kees Cook (Ubuntu)

Comment 6 Tomas Hoger 2008-10-31 09:09:16 UTC
For alternate patch, see: https://bugzilla.redhat.com/show_bug.cgi?id=469311#c4

Comment 7 Fedora Update System 2008-11-06 04:04:17 UTC
enscript-1.6.4-9.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-11-06 04:06:32 UTC
enscript-1.6.4-10.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.