Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 152840 - CAN-2004-0969 groff temporary file vulnerabilities in groffer script
Summary: CAN-2004-0969 groff temporary file vulnerabilities in groffer script
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: groff
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://bugzilla.redhat.com/bugzilla/s...
: 136314 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2004-11-08 23:41 UTC by David Lawrence
Modified: 2007-04-18 17:22 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-08-13 12:49:59 UTC

Attachments (Terms of Use)

Description David Lawrence 2005-03-30 23:29:17 UTC

Temporary file vulnerability has been discovered in groffer script.
The vulnerability can be exploited by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.
The vulnerability affects groff 1.18 or later.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0969

Red Hat Bugzilla: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136313

------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-05 19:36:29 ----

Looking at groff in FC1 and FC3, looks to me like it only affects and

We're not affected.

------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:29 -------

This bug previously known as bug 2256 at https://bugzilla.fedora.us/
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was fedora-legacy-bugzilla-2004@fumika.jp.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Matthew Miller 2005-04-12 05:06:48 UTC
FYI: see bug #152840, where the RH security team seems to believe that there is
(at least) a similar vulnerability in the FC2 version (1.18.1).

Comment 2 Marc Deslauriers 2005-04-20 23:10:23 UTC
See bug 136313 and bug 136314.

need confirmation that < is not affected...

Comment 3 Pekka Savola 2005-09-05 07:53:16 UTC
*** Bug 136314 has been marked as a duplicate of this bug. ***

Comment 4 David Eisenstein 2005-09-06 08:17:12 UTC
Okay.  Did some work researching this bug on groffer script, part of the groff
package since groff-1.18.1.

BOTTOM LINE:  I truly believe none of {rh73, rh90, 1} in the Status White-
board are vulnerable to this groffer script vulnerability in typical circum-
stances.  And it's likely Fedora Core 2 is also not vulnerable.

  Reason:  Groffer is either not there or is broken.

  rh73:  Installs groff-1.17.2-12.i386.rpm.  Version 1.17.2 of groff
         does not include groffer.  No groffer = no vulnerability.

  rh90,  |  groffer comes from groff-1.18.1-20.src.rpm (no updates)
  fc1,   |  groffer comes from groff-1.18.1-29.src.rpm (no updates)
  fc2 :  |  groffer comes from groff-1.18.1-34.src.rpm (no updates)
         |  It appears groffer was broken in version 1.18.1 of groff.  It
         |  certainly is broken on my FC1 machine.
         |  The NEWS file in the sources of groff- (new upstream
         |  release of February, 2004) indicates this:
         |     "VERSION
         |     ================
         |     "This is the same as 1.18.1 but with an updated version of
         |     the `groffer' script (which was broken in 1.18.1)."
         | --(<http://ftp.gnu.org/gnu/groff/groff-1.18.1->)

   My Fedora Core 1 version of groffer comes out of the box (.i386.rpm) broken
   in at least two ways, assuming the 'ash' shell is installed, that prevent
   it from running at all.  (The ash shell is installed by default when FC1
   is initially installed, but it is not a mandatory package.)

      1)  Line 49 of /usr/bin/groffer:


          For some reason (I don't know why), groffer wants to re-run itself
          under the "ash" shell rather than "bash".  When groffer attempts
          to re-run itself, it tries to re-run itself using this (line 110):

                exec ${_shell} "${_this}" "$@";

          Where ${_shell} = 'ash'.

          Well, there is no "groffer.sh" available for it to re-run, so it

      2)  Even if you comment out line 49 and go in and manually (as root)
          change line 48 from:

          the script will run, but at line 3282, the script silently exits
          before it gets to any potentially vulnerable code (running in
          the ash shell), because ash evidently doesn't know how to handle
          this statement:
                  trap clean_up  2>/dev/null || true;
   Note that if you *don't* have ash shell installed, the script will *not*
   fail in either (1) or (2):  It will merely continue on running in the
   default shell in (1), and (2) doesn't burp.  So when ash is *not* in-
   stalled, there is a possible vulnerability, during the creation of a
   predictably named temporary file, that could be abused.

But it looks like Red Hat 9 installs the 'ash' shell by default, FC1 does, 
and RH7.3 is not vulnerable.  Can someone check & see if Fedora Core 2 also
installs ash by default?  If so, its groffer script is also most likely to
be broken and should present no threat.

Comment 5 David Eisenstein 2005-09-06 08:38:33 UTC
That all said, it turns out there ARE some vulnerabilities in the groff
packages of concern, at least in the RH9, FC1, and FC2 distributions.
CAN-2004-1296 -- temporary file handling vulnerabilities in pic2graph and

Am thinking about opening a new bug report for this, but it is not clear to
me if any other distros out there felt this was urgent enough to issue a
Security Alert with new packages.

I already have the needed patches in hand, obtained from Debian's patches of
groff-  (Since the only thing that changed from 1.18.1 to
is the groffer-script-related files, Debian's patches of pic2graph and 
eqn2graph apply without any back-porting needed.)

Anyone have any opinions?

(ps:  Could someone who has privileges change the Component name on this bug
from "Package Request" to "groff"?  Thanks!)

Comment 6 Pekka Savola 2005-09-09 04:56:16 UTC
Changed..  I guess pushing out the updates if the patches are trivial won't hurt..

Comment 7 David Lawrence 2006-08-09 20:40:39 UTC
Moving to NEW. UNCONFIRMED has been obsoleted.

Comment 8 Jesse Keating 2006-08-13 12:49:59 UTC
This will not be pushed out.  Only actual critical security fixes will be
released for these older releases.

Note You need to log in before you can comment on or make changes to this bug.