Bug 1283156 - (CVE-2015-8107) CVE-2015-8107 a2ps: output_file() format string flaw
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20151116,reported=2...
Keywords: Security
Depends On: 1283158 1036979 1283157
Blocks: 1283160
Reported: 2015-11-18 06:54 EST by Martin Prpič
Modified: 2015-11-24 06 EST
Doc Type: Bug Fix
Last Closed: 2015-11-24 06:13:30 EST
Attachments: None
Description Martin Prpič 2015-11-18 06:54:40 EST
A flaw was found in a2ps:

When a user runs a2ps with a maliciously crafted pro (a2ps prologue) file, an attacker can execute arbitrary code. The function output_file processes the %Expand command in the pro file. The variable `expansion` in the function output_file may hold a malicious input string, which can be used as the format argument of vsprintf.

No upstream patch is available at this moment.

Original report:

http://seclists.org/oss-sec/2015/q4/284
Comment 1 Martin Prpič 2015-11-18 06:55:06 EST
Created a2ps tracking bugs for this issue:

Affects: fedora-all [bug 1283157]
Affects: epel-6 [bug 1283158]
Comment 2 Tomas Hoger 2015-11-24 06:13:30 EST
This issue is already fixed in Fedora, as this problem is also detected by GCC and causes build failure if compiled with -Werror=format-security.  For Fedora, it was previously reported via bug 1036979 and originally fixed via:

http://pkgs.fedoraproject.org/cgit/a2ps.git/commit/a2ps-format-security.patch?id=300aad29b81a8c9f75d0476f95807ffaf9cc843e

The patch later got extended to cover a few other format string issues in the a2ps code. The full patch currently applied to Fedora packages is:

http://pkgs.fedoraproject.org/cgit/a2ps.git/tree/a2ps-format-security.patch

The impact of this issue is also mitigated by the use of FORTIFY_SOURCE, which prevents exploitation of this issue for code execution. The issue may still be used to crash the a2ps program (this has limited impact, as it's not a long running service / daemon) or possibly disclose portions of the program's memory. The a2ps packages in Red Hat Enterprise Linux 5, 6, and 7 are all compiled with FORTIFY_SOURCE and hence do not allow code execution.

In Red Hat Enterprise Linux 6 and 7, this package is only part of the unsupported Optional repository.

This issue is triggered by the use of a malicious prologue file, which is a lot less likely to come from an untrusted source than the file to be converted to PostScript. a2ps only searches specific locations for prologue files - ~/.a2ps, /etc/a2ps, and multiple directories under /usr/share.

Given all the mitigations documented above, and hence the very limited impact of this flaw, there's no plan to fix this in Red Hat Enterprise Linux 5, 6, and 7.
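The pattern behind this bug, shown as an added example that is not a2ps code and not part of this bug report: a prologue "%Expand" string reaching the format parameter of vsprintf, beside the hardened form that keeps the format a literal and passes the untrusted text as an argument. The names emit_expansion, expansion_round_trips and neutralise_directives are hypothetical stand-ins, and the sample prologue line is constructed. The literal-format version is also what GCC's -Wformat-security (or -Werror=format-security, as used in the Fedora build mentioned above) steers code toward, since a non-literal format with no arguments is exactly what that warning reports.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the step in output_file() that emits the text
 * of a prologue "%Expand" directive (not a2ps code). "expansion" comes
 * from the prologue file and is untrusted. The flaw described in this bug
 * used it as the format parameter of vsprintf:
 *
 *     vsprintf(buf, expansion, ap);   // prologue text interpreted as format
 *
 * so any %-directive in the prologue is interpreted by the C library.
 * Keeping the format a literal and passing the expansion as an argument
 * removes the bug and satisfies -Wformat-security. */
static int emit_expansion(char *out, size_t out_len, const char *expansion)
{
    int n = snprintf(out, out_len, "%s", expansion);   /* literal format */
    if (n < 0 || (size_t)n >= out_len)
        return -1;                     /* error, or output would not fit */
    return n;
}

/* Check that a prologue expansion is reproduced byte for byte, i.e. no
 * directive inside it was interpreted. Used by the self-test in main(). */
static int expansion_round_trips(const char *expansion)
{
    char buf[64];
    if (emit_expansion(buf, sizeof buf, expansion) < 0)
        return 0;
    return strcmp(buf, expansion) == 0;
}

/* Where untrusted text must later pass through a printf-family format
 * (for example a template that is expanded in a second stage), double
 * every '%' so it is always printed literally. Returns a malloc'd string
 * the caller frees, or NULL on allocation failure. */
static char *neutralise_directives(const char *s)
{
    size_t extra = 0;
    for (const char *p = s; *p != '\0'; p++)
        if (*p == '%')
            extra++;
    char *out = malloc(strlen(s) + extra + 1);
    if (out == NULL)
        return NULL;
    char *q = out;
    for (const char *p = s; *p != '\0'; p++) {
        *q++ = *p;
        if (*p == '%')
            *q++ = '%';                /* "%" -> "%%" */
    }
    *q = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: a prologue line carrying format directives. */
    const char *expansion = "%%Title: %s %x %n";
    char buf[128];

    if (emit_expansion(buf, sizeof buf, expansion) > 0)
        printf("verbatim: %s\n", buf);   /* directives printed, not parsed */

    char *safe = neutralise_directives(expansion);
    if (safe != NULL) {
        printf("escaped:  %s\n", safe);
        free(safe);
    }
    printf("round trip: %s\n", expansion_round_trips(expansion) ? "ok" : "FAIL");
    return 0;
}
```

Compiling the commented-out vsprintf form with `-Werror=format-security` is what turned this flaw into a build failure in Fedora; the snprintf form also bounds the output, which is the part FORTIFY_SOURCE would otherwise have to catch at run time.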
