Jakub Wilk found that a2ps, a tool to convert text and other types of files to PostScript, insecurely used a temporary file in spy_user(). A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running a2ps.
The original report in the Debian bug tracking system (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737385) notes the issue is in src/main.c:
559 tempname_ensure (job->tmp_filenames);
560 spyname = job->tmp_filenames;
561 spy = fopen (spyname, "w");
And also notes there are other calls to tempname_ensure().
CVE request: http://www.openwall.com/lists/oss-security/2014/02/03/9
There are currently no patches available for this issue.
Created a2ps tracking bugs for this issue:
Affects: fedora-all [bug 1060632]
Affects: epel-6 [bug 1060633]
Not affected. This has been fixed since 2001 due to a2ps-4.13-security.patch being applied. This patch changes tempname_ensure() so that mkstemp() is used rather than tempnam().
It looks like this was the original patch:
* Fri Jan 05 2001 Preston Brown <email@example.com>
- security patch for tmpfile creation from Olaf Kirch <firstname.lastname@example.org>
followed the next month by a fix to that patch:
* Mon Feb 12 2001 Tim Waugh <email@example.com>
- Fix tmpfile security patch so that it actually _works_ (bug #27155).
Here's the actual patch:
Thanks Tim, apologies for missing that.
Already fixed in all Red Hat Enterprise Linux and Fedora a2ps packages.