Jakub Wilk found that a2ps, a tool to convert text and other types of files to PostScript, insecurely used a temporary file in spy_user(). A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running a2ps.

The original report in the Debian bug tracking system (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737385) notes the issue is in src/main.c (lines 559-561):

    tempname_ensure (job->tmp_filenames[0]);
    spyname = job->tmp_filenames[0];
    spy = fopen (spyname, "w");

And also notes there are other calls to tempname_ensure().
CVE request: http://www.openwall.com/lists/oss-security/2014/02/03/9
There are currently no patches available for this issue.
Created a2ps tracking bugs for this issue:

Affects: fedora-all [bug 1060632]
Affects: epel-6 [bug 1060633]
Not affected. This has been fixed since 2001 due to a2ps-4.13-security.patch being applied. This patch changes tempname_ensure() so that mkstemp() is used rather than tempnam().

It looks like this was the original patch:

    * Fri Jan 05 2001 Preston Brown <pbrown>
    - security patch for tmpfile creation from Olaf Kirch <okir>

followed the next month by a fix to that patch:

    * Mon Feb 12 2001 Tim Waugh <twaugh>
    - Fix tmpfile security patch so that it actually _works_ (bug #27155).
Here's the actual patch: http://pkgs.fedoraproject.org/cgit/a2ps.git/plain/a2ps-4.13-security.patch
Thanks Tim, apologies for missing that.
Already fixed in all Red Hat Enterprise Linux and Fedora a2ps packages.
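An added illustration of the difference discussed in this thread (not a2ps code and not the Red Hat patch): opening a temporary file by a guessable name versus letting mkstemp() create it. The helper names and the scratch directory under /tmp are assumptions made for the example.

```c
/* Added example, not a2ps code. Helper names and paths are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: fopen(name, "w") on a guessable name follows a
   symlink already present at that name and truncates what it points to. */
static FILE *open_spy_by_name(const char *name) { return fopen(name, "w"); }

/* mkstemp() picks the name and opens it with O_CREAT|O_EXCL in one step,
   so an existing file or symlink is never opened. tmpl must end in XXXXXX. */
static FILE *open_spy_mkstemp(char *tmpl) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return NULL;
    FILE *f = fdopen(fd, "w");
    if (!f) { close(fd); unlink(tmpl); }
    return f;
}

/* Constructed scenario in a private mkdtemp() directory: "target" holds 6
   bytes and "spy" is a symlink to it. Returns target's size after the chosen
   opener has written 1 byte to its file, or -1 on setup failure. */
static long target_size_after(int use_mkstemp) {
    char dir[] = "/tmp/a2ps-demo-XXXXXX";
    char target[PATH_MAX], spy[PATH_MAX], tmpl[PATH_MAX];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(spy, sizeof spy, "%s/spy", dir);
    snprintf(tmpl, sizeof tmpl, "%s/spyXXXXXX", dir);
    FILE *t = fopen(target, "w");
    if (!t || symlink(target, spy) != 0) return -1;
    fputs("secret", t); fclose(t);
    FILE *f = use_mkstemp ? open_spy_mkstemp(tmpl) : open_spy_by_name(spy);
    if (f) { fputc('x', f); fclose(f); }
    long n = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmpl); unlink(spy); unlink(target); rmdir(dir);
    return n;
}

int main(void) {
    printf("by name: %ld, mkstemp: %ld\n", target_size_after(0), target_size_after(1));
    return 0;
}
```

A target size of 1 means the write went through the symlink and replaced the file's contents; a size of 6 means the file was left untouched.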