Bug 152840 - CAN-2004-0969 groff temporary file vulnerabilities in groffer script
CAN-2004-0969 groff temporary file vulnerabilities in groffer script
Status: CLOSED WONTFIX
Product: Fedora Legacy
Classification: Retired
Component: groff (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://bugzilla.redhat.com/bugzilla/s...
:
: 136314 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-11-08 18:41 EST by David Lawrence
Modified: 2007-04-18 13:22 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-13 08:49:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:29:17 EST
http://secunia.com/advisories/12974/

Temporary file vulnerability has been discovered in groffer script.
The vulnerability can be exploited by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.
The vulnerability affects groff 1.18 or later.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0969

Red Hat Bugzilla: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136313



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-05 19:36:29 ----

Looking at groff in FC1 and FC3, looks to me like it only affects 1.18.1.1 and
later.

We're not affected.







------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:29 -------

This bug previously known as bug 2256 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2256
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was fedora-legacy-bugzilla-2004@fumika.jp.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Matthew Miller 2005-04-12 01:06:48 EDT
FYI: see bug #152840, where the RH security team seems to believe that there is
(at least) a similar vulnerability in the FC2 version (1.18.1).
Comment 2 Marc Deslauriers 2005-04-20 19:10:23 EDT
See bug 136313 and bug 136314.

need confirmation that < 1.18.1.1 is not affected...
Comment 3 Pekka Savola 2005-09-05 03:53:16 EDT
*** Bug 136314 has been marked as a duplicate of this bug. ***
Comment 4 David Eisenstein 2005-09-06 04:17:12 EDT
Okay.  Did some work researching this bug on groffer script, part of the groff
package since groff-1.18.1.

BOTTOM LINE:  I truly believe none of {rh73, rh90, 1} in the Status White-
board are vulnerable to this groffer script vulnerability in typical circum-
stances.  And it's likely Fedora Core 2 is also not vulnerable.

  Reason:  Groffer is either not there or is broken.

  rh73:  Installs groff-1.17.2-12.i386.rpm.  Version 1.17.2 of groff
         does not include groffer.  No groffer = no vulnerability.

  rh90,  |  groffer comes from groff-1.18.1-20.src.rpm (no updates)
  fc1,   |  groffer comes from groff-1.18.1-29.src.rpm (no updates)
  fc2 :  |  groffer comes from groff-1.18.1-34.src.rpm (no updates)
         |
         |  It appears groffer was broken in version 1.18.1 of groff.  It
         |  certainly is broken on my FC1 machine.
         |
         |  The NEWS file in the sources of groff-1.18.1.1 (new upstream
         |  release of February, 2004) indicates this:
         |
         |     "VERSION 1.18.1.1
         |     ================
         |
         |     "This is the same as 1.18.1 but with an updated version of
         |     the `groffer' script (which was broken in 1.18.1)."
         |
         | --(<http://ftp.gnu.org/gnu/groff/groff-1.18.1-1.18.1.1.diff.gz>)

   My Fedora Core 1 version of groffer comes out of the box (.i386.rpm) broken
   in at least two ways, assuming the 'ash' shell is installed, that prevent
   it from running at all.  (The ash shell is installed by default when FC1
   is initially installed, but it is not a mandatory package.)

      1)  Line 49 of /usr/bin/groffer:

                _this='groffer.sh';

          For some reason (I don't know why), groffer wants to re-run itself
          under the "ash" shell rather than "bash".  When groffer attempts
          to re-run itself, it tries to re-run itself using this (line 110):

                exec ${_shell} "${_this}" "$@";

          Where ${_shell} = 'ash'.

          Well, there is no "groffer.sh" available for it to re-run, so it
          fails.

      2)  Even if you comment out line 49 and go in and manually (as root)
          change line 48 from:
                #_this="@BINDIR@/${_PROGRAM_NAME}";
          to:
                _this="/usr/bin/${_PROGRAM_NAME}";

          the script will run, but at line 3282, the script silently exits
          before it gets to any potentially vulnerable code (running in
          the ash shell), because ash evidently doesn't know how to handle
          this statement:
                  trap clean_up  2>/dev/null || true;
          
   Note that if you *don't* have ash shell installed, the script will *not*
   fail in either (1) or (2):  It will merely continue on running in the
   default shell in (1), and (2) doesn't burp.  So when ash is *not* in-
   stalled, there is a possible vulnerability, during the creation of a
   predictably named temporary file, that could be abused.

But it looks like Red Hat 9 installs the 'ash' shell by default, FC1 does, 
and RH7.3 is not vulnerable.  Can someone check & see if Fedora Core 2 also
installs ash by default?  If so, its groffer script is also most likely to
be broken and should present no threat.

Comment 5 David Eisenstein 2005-09-06 04:38:33 EDT
That all said, it turns out there ARE some vulnerabilities in the groff
packages of concern, at least in the RH9, FC1, and FC2 distributions.
CAN-2004-1296 -- temporary file handling vulnerabilities in pic2graph and
eqn2graph.

Am thinking about opening a new bug report for this, but it is not clear to
me if any other distros out there felt this was urgent enough to issue a
Security Alert with new packages.

I already have the needed patches in hand, obtained from Debian's patches of
groff-1.18.1.1.  (Since the only thing that changed from 1.18.1 to 1.18.1.1
is the groffer-script-related files, Debian's patches of pic2graph and 
eqn2graph apply without any back-porting needed.)

Anyone have any opinions?

(ps:  Could someone who has privileges change the Component name on this bug
from "Package Request" to "groff"?  Thanks!)
Comment 6 Pekka Savola 2005-09-09 00:56:16 EDT
Changed..  I guess pushing out the updates if the patches are trivial won't hurt..
Comment 7 David Lawrence 2006-08-09 16:40:39 EDT
Moving to NEW. UNCONFIRMED has been obsoleted.
Comment 8 Jesse Keating 2006-08-13 08:49:59 EDT
This will not be pushed out.  Only actual critical security fixes will be
released for these older releases.

Note You need to log in before you can comment on or make changes to this bug.