Bug 469311 (CVE-2008-4306)
| Summary: | CVE-2008-4306 enscript: "font" special escape buffer overflows | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | medium | ||||||||||
| Version: | unspecified | CC: | atkac, kreilly | ||||||||
| Target Milestone: | --- | Keywords: | Security | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2008-12-19 17:39:39 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | 473089, 473090, 473091, 473093, 473094, 473095, 833895 | ||||||||||
| Bug Blocks: | |||||||||||
| Attachments: |
|
||||||||||
Created attachment 322030 [details]
Proposed patch from Kees Cook (Ubuntu)
Created attachment 322031 [details]
Escape array indexing typo
While testing this, another minor typo was discovered in the escapes array indexing in the error code path. This can result in enscript crash (oob read), but does not seem to have any security implications.
Created attachment 322032 [details] Alternate patch proposed by Werner Fink (SuSE) For both CVE-2008-3863 and CVE-2008-4306. enscript-1.6.4-9.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. enscript-1.6.4-10.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-1016.html http://rhn.redhat.com/errata/RHSA-2008-1021.html Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9351 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9372 |
Kees Cook and Tomas Hoger discovered multiple buffer overflows in enscript related to handling of the font{} special escape caused by an unsafe use of strcpy(). This can be exploited to cause a stack-based buffer overflow by tricking the user into converting a malicious file, , but requires that special escapes processing is enabled with the "-e" option (not enabled by default). Issue is similar to recently reported setfilename{} special escape handling buffer overflow known as CVE-2008-3863.