Bug 152870 - CAN-2004-1170 a2ps File Name Command Execution Vulnerability
CAN-2004-1170 a2ps File Name Command Execution Vulnerability
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: a2ps (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://cve.mitre.org/cgi-bin/cvename....
1, LEGACY, QA, rh73, rh90
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-12-12 14:54 EST by David Lawrence
Modified: 2007-04-18 13:22 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-12-18 00:04:14 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:30:21 EST
from http://archives.neohapsis.com/archives/fulldisclosure/2004-08/1026.html
===
[Full-Disclosure] a2ps executing shell commands from file name

From: Rudolf Polzer (divzerogmail.com)
Date: Tue Aug 24 2004 - 06:01:47 CDT


Severity: Medium
Short description: a2ps executes arbitrary shell commands from a given file name
Affected: GNU a2ps 4.13, a nice syntax-highlighting formatter from
source code to postscript
Operating systems: all systems where a2ps 4.13 compiles and which have
a bourne or C shell by default used by system(). On other systems the
patch might not work while the problem is probably still there.

Description:

a2ps can execute shell commands from file names. Not really severe,
unless you use a2ps with wildcards from a world-writable directory
like /tmp. I've also seen someone using a2ps in a pure-ftpd upload
script which is executed after successful upload of a file.

Workaround:

Do not use wildcards in a2ps command lines except if you do that in a
directory only you can create files in and where you know the
contents. This might also apply to other tools (I did not check them),
so be careful.

How to reproduce:

$ touch 'x`echo >&2 42`.c'
$ a2ps -o /dev/null *.c
42
[x`echo >&2 42`.c (C): 0 pages on 0 sheets]
[Total: 0 pages on 0 sheets] saved into the file `/dev/null'
$ a2ps -V
GNU a2ps 4.13
Written by Akim Demaille, Miguel Santana.

How I found it:

$ touch 'LAN (div0)'
$ a2ps -o /dev/null LAN*
sh: -c: line 1: syntax error near unexpected token `('
sh: -c: line 1: `/usr/bin/file -L LAN (div0)'
[LAN (div0) (plain): 0 pages on 0 sheets]
[Total: 0 pages on 0 sheets] saved into the file `/dev/null'

How I fixed it:

http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain

Patch status:

Except for FreeBSD, no distribution seems to currently have the patch
(I sent it in to the FreeBSD people, the Debian a2ps maintainer
"mhatta at debian dot org" and "bug-a2ps at gnu dot org" at the same
time using Cc:).

The patch might not work on Windows while the problem seemingly still
exists when command.com is used as shell interpreter (but it might
require a prepared floppy). The file name for exploiting it may be
different, however.

MS-DOS probably is safe. I cannot think of anything malicious that you
can do in eight characters. However, a prepared floppy could contain a
file named

a|foo|.txt

and a foo.bat containing "what you want". Well, anyway, I do not know
if a2ps runs on DOS at all.

-- 
          / --- Where bots rampage, I'm there to take them down! --- \
         / ------ Where trouble arises, I'm there to cause it! ------ \
         \ Where an enemy tries to frag me, victory will be mine!!!1! /
{{dup[exch{dup exec}fork =}loop}dup exec >> http://www.ccc-offenbach.org <<

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
===



------- Additional Comments From pekkas@netcore.fi 2004-12-21 09:19:49 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages have been created for RHL73, RHL9, and FC1, by taking the latest
packages, and adding the identical patch to each.  The patch was taken from
Debian, but it's the same as quoted here.

http://www.netcore.fi/pekkas/linux/a2ps-4.13b-19.1.legacy.src.rpm (RHL73)
http://www.netcore.fi/pekkas/linux/a2ps-4.13b-28.1.legacy.src.rpm (RHL9)
http://www.netcore.fi/pekkas/linux/a2ps-4.13b-30.1.legacy.src.rpm (FC1)

SHA1sums:
d126bfb504f7457d08815b59e331954b929518d1  a2ps-4.13b-19.1.legacy.src.rpm
5c230a5cb7d50e610201db9ac3f50406fce66967  a2ps-4.13b-28.1.legacy.src.rpm
9f2cd572a97212cf9dd4bdd2a5f2303d8a5be225  a2ps-4.13b-30.1.legacy.src.rpm

Changelog:
* Tue Dec 21 2004 Pekka Savola <pekkas@netcore.fi 4.13b-28.1.legacy
- - Fix CAN-2004-1170 (#2338) w/ patch from Debian.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFByHclGHbTkzxSL7QRAkyzAJ9fFwexR7kWRFKrD/KSno/GXtKEOwCfRrN9
DeneOIit18znvzJyUi8nIeI=
=+bMU
-----END PGP SIGNATURE-----



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:30 -------

This bug previously known as bug 2338 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2338
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown operating system Windows XP. Setting to default OS "Linux".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was bugzilla.fedora.us@beej.org.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Matthew Miller 2005-05-04 14:56:30 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for a2ps-4.13b-28.1.legacy.src.rpm for RHL9:

* only change to spec file is the addition of the one
  patch to fix this issue.
* patch is identical to FreeBSD patch mentioned above
* package build and installs fine
* seems to run fine

+PUBLISH

(Am I supposed to *remove* "publish-rhl9" from the
whiteboard now? Sorry, I'm confused.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCeRrEz8vebpLJCdYRAhqLAJ4mQQSvFy+yjVv0cyNNlhvzMoFO7QCfVqd/
xRofzpDg18D4smkaSqSjTQA=
=sCcA
-----END PGP SIGNATURE-----
Comment 2 Pekka Savola 2005-05-04 15:10:02 EDT
Yes, that obviates the need for anyone else to do so :)
Comment 3 Matthew Miller 2005-05-04 15:11:58 EDT
Okay -- just wanted to be sure that one "vote" was sufficient, and that the
whiteboard tags are actually inverse from what makes sense to me. :)
Comment 4 Eric Jon Rostetter 2005-09-23 14:25:19 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++PUBLISH for RHL 7.3
 
RHL 7.3 Packages: 2ps-4.13b-19.1.legacy.src.rpm
SHA1 hecksums verify okay.
 
* I downloaded the src.rpm file, verified the sha1 checksum.
* Verified changelogs match except for CAN-2004-1170 fix and redhat rebuild.
* Verified changes with rpmlint/rpmdiff.  Only changes are U+G ownership
  changes on the patch files, addition of a patch for CAN-2004-1170,
  and changes to the spec file.
* Unpacked the rpms, and did a "diff -uNr" on the original and new contents.
  Verified spec file changes are as expected, and only other changes are
  the patch.  DID NOT VERIFY CONTENTS OF THE PATCH.  Only verified contents
  of the spec file, and that nothing else changed.
* Rebuilt package (no problems) on two machines (double the checks!)
* Tested the exploit to see that it worked with the old package.
* Installed the new package.
* Tested the exploit to see that it now fails.
 
Vote for pushing to updates-testing for RHL 7.3. ++PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDNEh94jZRbknHoPIRAg6KAJ4nuTJ/dEuD1zu2qEgCMyXliS61vgCeNIwb
8YbPjeH5zR+oYH2O3Tc+Alg=
=dQkg
-----END PGP SIGNATURE-----
Comment 5 Pekka Savola 2005-09-23 15:05:33 EDT
Publish for FC1 is still needed..
Comment 6 Pekka Savola 2005-09-23 15:09:15 EDT
Oops, and the patch contents still need to be reviewed.  (The update proposer
could otherwise inject e.g., root exploits or whatever in the patches!).
Comment 7 Eric Jon Rostetter 2005-10-19 15:33:27 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++PUBLISH for RHL 7.3
 
This is a _second_ (updated) PUBLISH vote for me (only count them as
_one_ vote, since they are duplicates) since last time I didn't verify
the patch contents (and this time I did).
 
RHL 7.3 Packages: enscript-1.6.1-19.73.1.legacy.src.rpm
SHA1 hecksums verify okay.
 
* Verified changelogs match except for bug fix and redhat rebuild.
* Verified changes with rpmlint/rpmdiff.  Only changes are addition of
  the patch, changing of spec file, and the changing of user/group on files.
* Unpacked the rpms, and did a "diff -uNr" on the original and new contents.
  Verified spec file changes are as expected, and only other change is
  the new patch.  Verified the patch is the same as the one pointed to
  in this bug entry.
* Rebuilt package (no problems) on two RHL 7.3 machines without problems.
* Tested the exploit to see that it worked with the old package.
* Installed the new package without problems.
* Tested the exploit to see that it now fails (it does).
 
Vote for pushing to updates-testing for RHL 7.3. ++PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDVp+G4jZRbknHoPIRAhOqAJ4sqmiJ5oOLKT/bglx/bX296mCQXwCgrJ9o
8vJovcakb9PugOdVkQgUGuE=
=KGy0
-----END PGP SIGNATURE-----
Comment 8 Eric Jon Rostetter 2005-10-19 16:02:00 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++PUBLISH for FC 1
 
FC 1 Packages: a2ps-4.13b-30.1.legacy.src.rpm
SHA1 hecksum 9f2cd572a97212cf9dd4bdd2a5f2303d8a5be225 verifies okay.
 
* Verified changelogs match except for bug fix addition.
* Verified changes with rpmlint/rpmdiff.  Only changes are addition of
  the patch, changing of spec file, and the changing of user/group on files.
* Unpacked the rpms, and did a "diff -uNr" on the original and new contents.
  Verified spec file changes are as expected, and only other change is
  the new patch.
* Verified the patch is the same as the one pointed to in this bug entry.
 
Package looks okay.  All changes to the package are as expected.  Did not
try to build or run the package though as I don't run FC1.
 
Vote for pushing to updates-testing for FC 1. ++PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDVqW04jZRbknHoPIRArJMAKCQAlhpn1IBcX79C9GmFPUOrjGt8ACeJ3TH
QdbIXRNpjI3TNPLEX9ideRk=
=YOMo
-----END PGP SIGNATURE-----
Comment 9 Pekka Savola 2005-10-20 00:34:35 EDT
Thanks!
Comment 10 Marc Deslauriers 2005-11-14 23:57:39 EST
pushed to updates-testing
Comment 11 Pekka Savola 2005-11-16 06:00:35 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL9. Signatures OK, installs OK.  This and previous version generate
identical .ps file out of a text.  rpm-build-compare.sh on the binaries
looks sane.
 
+VERIFY RHL9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDexHMGHbTkzxSL7QRAtoLAJ9KJHFvHBrqOoNY80z82YxDqJNQWQCglwzs
XAYEnozv1gPaSQRSKt6jF6w=
=6t/K
-----END PGP SIGNATURE-----

Timeout in 4 weeks.
Comment 12 Eric Jon Rostetter 2005-11-18 14:33:26 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++VERIFY for RHL 7.3
 
Package: a2ps-4.13b-19.2.legacy.i386.rpm
SHA1 hecksum b0ebb139fd78a887831f8528458d969c42841283 verifies okay.
 
Installed fine. Properly saved /usr/share/a2ps/afm/fonts.map.rpmsave.
Printed file properly.  All looks good.
 
Vote for release for RHL 7.3  ++VERIFY
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDfiv94jZRbknHoPIRAkoyAJ9EY+S7EvgPbMnPhFcJV6FDq0sC7gCgt/4o
+NtLZ/SGVQwcB0l4yEoJQts=
=lgcC
-----END PGP SIGNATURE-----
Comment 13 Pekka Savola 2005-11-18 14:46:28 EST
Awesome :)
Comment 14 Pekka Savola 2005-11-30 14:08:34 EST
Timeout over.
Comment 15 Marc Deslauriers 2005-12-18 00:04:14 EST
Packages were released.

Note You need to log in before you can comment on or make changes to this bug.