Bug 152892 - enscript - CAN-2004-118{4,5,6} vulnerabilities
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: enscript
unspecified
All Linux
medium Severity medium
Assigned To: Fedora Legacy Bugs
1, LEGACY, rh73, rh90
: Security
Reported: 2005-02-03 14:58 EST by Michal Jaegermann
Modified: 2007-04-18 13:22 EDT
Doc Type: Bug Fix
Last Closed: 2005-12-18 00:04:33 EST
Description David Lawrence 2005-03-30 18:31:11 EST
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=144683
identifies the following:

CAN-2004-1184

    Unsanitised input can cause the execution of arbitrary commands
    via EPSF pipe support.  This has been disabled, also upstream.

CAN-2004-1185

    Due to missing sanitising of filenames it is possible that a
    specially crafted filename can cause arbitrary commands to be
    executed.

CAN-2004-1186

    Multiple buffer overflows can cause the program to crash.


OTOH everything from RH7.3 up to FC3 is using basically the same enscript
so this is really a no-brainer.  It is enough to grab three patches from
any published source updates, to apply them on the top of an enscript
version from a given distro and recompile.

For a reference attached below are changes to a spec file I used with RH7.3



------- Additional Comments From michal@harddata.com 2005-02-03 14:59:12 ----

Created an attachment (id=985)
example of a spec modification for RH7.3




------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-10 14:10:00 ----

Red Hat's advisory:
https://rhn.redhat.com/errata/RHSA-2005-039.html



------- Additional Comments From michal@harddata.com 2005-02-10 14:51:41 ----

FEDORA-2005-015 and FEDORA-2005-016,
http://www.redhat.com/archives/fedora-announce-list/2005-January/msg00091.html
http://www.redhat.com/archives/fedora-announce-list/2005-January/msg00096.html
are really the same thing.  This is really an identical source code all over the
place.



------- Additional Comments From dwb7@ccmr.cornell.edu 2005-02-14 09:57:11 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Built RH7.3 enscript rpms for testing.

Download from:
http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/enscript

sha1sum -b *
90c093803b83e90333f97992ca3d300942f73949 *enscript-1.6.1-19.73.1.legacy.i386.rpm
73432dd5e07aa3d545575946b94c2e5877ed16b7 *enscript-1.6.1-19.73.1.legacy.src.rpm

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCEQJ5SY7s7uPf/IURAmoLAJwP4IFYuXxDiVv4wj0eTK0Im3cCpwCg0HD7
dpBFRk3cYyKZUykWxq7t3Cc=
=akya
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2005-02-15 08:29:07 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA of Dave's RHL73 package:
 - source integrity good
 - patches verified to come from RHEL
 - spec file changes OK
 - I'd have renamed s/1.6.1-19.73.1/1.6.1-19.1.73/ but no matter

+PUBLISH RHL73

73432dd5e07aa3d545575946b94c2e5877ed16b7  enscript-1.6.1-19.73.1.legacy.src.rpm

...

I've created RPMs for RHL9 and FC1, based on the same set:

http://www.netcore.fi/pekkas/linux/enscript-1.6.1-24.1.legacy.src.rpm (RHL9)
http://www.netcore.fi/pekkas/linux/enscript-1.6.1-25.1.legacy.src.rpm (FC1)

b359e3187f80e2572bd57d3cee37c3fe1038ac97  enscript-1.6.1-24.1.legacy.src.rpm
3264854b1ccae577557b815454f50fe85b2aa490  enscript-1.6.1-25.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCEj9XGHbTkzxSL7QRAv7PAJ92bKZWrGOQraf2l74wBGWd4j5djgCgxfIr
pvM757/M+TQyi8iBkizMbiA=
=Y9ZG
-----END PGP SIGNATURE-----



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:31 -------

This bug previously known as bug 2409 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2409
Originally filed under the Fedora Legacy product and General component.

Attachments:
example of a spec modification for RH7.3
https://bugzilla.fedora.us/attachment.cgi?action=view&id=985

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Matthew Miller 2005-05-04 15:10:45 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for enscript-1.6.1-24.1.legacy.src.rpm for RHL9:

* only change to spec file is the addition of the
  three patches to fix these issues.
* verified that these patches are bit-for-bit
  identical to the patches in the RHEL updates
* package build and installs fine
* seems to run fine

As a general note: I think it'd be nice if changelog
entries spelled out entire CAN numbers rather than
using constructs like CAN-2004-118[456] -- this'll
save us work in the future if we have to track down
what's already known to be fixed.

+PUBLISH RHL9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCeR3zz8vebpLJCdYRArmGAJ9Ncv5fgV/9ELbm/NSZEmGQgP9m0gCfZ4Q+
Rc5D7lM/WlJDNt3H2cwkctY=
=SDLm
-----END PGP SIGNATURE-----
Comment 2 mschout 2005-05-11 15:50:19 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for enscript-1.6.1-25.1.legacy.src.rpm for FC1

- - source integrity good.
- - ran through rpm-build-compare.sh.  Looks good.
- - Only change to .spec file is addition of 3 patches to fix CAN-2004-1184,
  CAN-2004-1185, CAN-2004-1186
- - compared patches to RHEL patches.  They are bit-for-bit identical to the
  RHEL3 patches.
- - package builds fine.

I get warnings when installing the .src.rpm:

warning: user psavola does not exist - using root
warning: group csc does not exist - using root

however, I assume this will go away when the updates-testing packages are
built.

+PUBLISH FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCgmGw+CqvSzp9LOwRAqytAJ0bJqr+Q0GU9FWPtlpjJV85MTP/VgCePl3z
00Ibu+1o0j/vBVUjbuRH/3I=
=bDpd
-----END PGP SIGNATURE-----
Comment 3 Pekka Savola 2005-07-08 14:53:20 EDT
Sigh.. RHL73 publish still missing..
Comment 4 Eric Jon Rostetter 2005-09-23 14:43:59 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++PUBLISH for RHL 7.3
 
RHL 7.3 Packages: enscript-1.6.1-19.73.1.legacy.src.rpm
SHA1 checksums verify okay.
 
* I downloaded the src.rpm file, verified the sha1 checksum.
* Verified changelogs match except for bug fixes intended.
* Verified changes with rpmlint/rpmdiff.  Only changes are addition of
  three patches, and changing of spec file, as expected.
* Unpacked the rpms, and did a "diff -uNr" on the original and new contents.
  Verified spec file changes are as expected, and only other changes are
  the new patches.  DID NOT VERIFY CONTENTS OF THE PATCHES.  Only verified
  contents of the spec file, and that nothing else changed except as mentioned
  here.
* Rebuilt package (no problems) on RHL 7.3 machine without problems.
* Installed the new package without problems.
* Ran enscript over the spec file without to a ps file.  Viewed the ps file
  in ghostscript to make sure it was valid ps file.
 
Vote for pushing to updates-testing for RHL 7.3. ++PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDNEzf4jZRbknHoPIRAhoVAJ4yOMj8ACsdTqEoVyGq2x+89JnuVACgtx/n
XfKAXOjZP5fKdzS1/E7j9xU=
=oBq1
-----END PGP SIGNATURE-----
Comment 5 Pekka Savola 2005-09-23 15:07:56 EDT
Thanks.  The (new) patches need to be verified though -- or basically just
verifying that they are identical to an already-QA'd source (like RHEL, Debian,
whathaveyou)..  Could you check the new patches?
Comment 6 Eric Jon Rostetter 2005-09-28 12:06:22 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++PUBLISH for RHL 7.3
 
RHL 7.3 Packages: enscript-1.6.1-19.73.1.legacy.src.rpm
SHA1 checksums verify okay.
 
* I downloaded the src.rpm file, verified the sha1 checksum.
* Verified changelogs match except for bug fixes intended.
* Verified changes with rpmlint/rpmdiff.  Only changes are addition of
  three patches, and changing of spec file, as expected.
* Unpacked the rpms, and did a "diff -uNr" on the original and new contents.
  Verified spec file changes are as expected, and only other changes are
  the new patches.
* Rebuilt package (no problems) on RHL 7.3 machine without problems.
* Installed the new package without problems.
* Ran enscript over the spec file without to a ps file.  Viewed the ps file
  in ghostscript to make sure it was valid ps file.
* Downloaded the RHEL AS2.1 package, extracted their patches.
* Compared their patches to the ones in the legacy package; exact match,
  no changes.
 
Vote for pushing to updates-testing for RHL 7.3. ++PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDOr9j4jZRbknHoPIRAntdAJ9BV7+Ci3oBO6fJp1f/T3nrZDRfSQCgheRU
WOi33+rBNmBvnl4bBn4WSFk=
=YUV0
-----END PGP SIGNATURE-----
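
The patch comparison described in comment 6 (and the "bit-for-bit identical" checks in comments 1 and 2), as an added example that is not part of the bug report or of the Fedora Legacy tooling: a POSIX shell function that compares the `*.patch` files of two already-unpacked source packages. The function name, the directory layout and the demo files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the patches of two unpacked source packages.
# Both directory arguments are assumed to hold already-unpacked contents
# (for instance via `rpm2cpio pkg.src.rpm | cpio -id`, done beforehand).

# compare_patches LEGACY_DIR REFERENCE_DIR
# Prints one line per patch; returns 0 only if every *.patch file in
# LEGACY_DIR has a byte-identical file of the same name in REFERENCE_DIR.
compare_patches() {
    legacy=$1 reference=$2 rc=0 seen=0
    for p in "$legacy"/*.patch; do
        [ -e "$p" ] || continue            # glob matched nothing
        seen=1
        name=${p##*/}
        if [ ! -f "$reference/$name" ]; then
            echo "MISSING   $name (not in reference package)"
            rc=1
        elif cmp -s "$p" "$reference/$name"; then
            echo "IDENTICAL $name $(sha1sum < "$p" | cut -d' ' -f1)"
        else
            echo "DIFFERS   $name"
            rc=1
        fi
    done
    # A package with no patches at all proves nothing: treat it as a failure.
    [ "$seen" -eq 1 ] || { echo "NO PATCHES in $legacy"; rc=1; }
    return "$rc"
}

# Constructed demo data (not the real enscript patches).
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/legacy" "$tmp/rhel"
    printf '%s\n' '--- a/x.c' '+++ b/x.c' > "$tmp/legacy/demo-a.patch"
    cp "$tmp/legacy/demo-a.patch" "$tmp/rhel/demo-a.patch"
    printf '%s\n' '--- a/y.c' '+++ b/y.c'  > "$tmp/legacy/demo-b.patch"
    printf '%s\n' '--- a/y.c' '+++ b/y.c ' > "$tmp/rhel/demo-b.patch"  # trailing space
    status=0
    compare_patches "$tmp/legacy" "$tmp/rhel" || status=$?
    rm -rf "$tmp"
    return "$status"
}

demo || echo "demo: patch sets are not identical (expected for the constructed data)"
```

A non-zero return means at least one patch is missing from the reference package or differs from it, so the package's patches cannot be taken as already reviewed.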
Comment 7 Pekka Savola 2005-09-29 00:47:34 EDT
Great, THANKS!
Comment 8 Marc Deslauriers 2005-11-14 23:58:11 EST
pushed to updates-testing
Comment 9 Pekka Savola 2005-11-16 06:03:04 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL9. Signatures OK, installs OK.  This and previous version generate
identical .ps file out of a text.  rpm-build-compare.sh on the binaries
looks sane.
 
+VERIFY RHL9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDexHMGHbTkzxSL7QRAtoLAJ9KJHFvHBrqOoNY80z82YxDqJNQWQCglwzs
XAYEnozv1gPaSQRSKt6jF6w=
=6t/K
-----END PGP SIGNATURE-----

Timeout in 4 weeks.
Comment 10 Eric Jon Rostetter 2005-11-18 14:41:16 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++VERIFY for RHL 7.3
 
Package: enscript-1.6.1-19.73.2.legacy.i386.rpm
SHA1 checksum ac29cc61b638a8a4a6e70642a48d4d4e7985a94c verifies okay.
 
Installed fine.  Printed file properly.  All looks good.
 
Vote for release for RHL 7.3  ++VERIFY
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDfi274jZRbknHoPIRAjO5AJwJnu0SZSIE68gd5wod2QxULGEsgQCfUHie
ikn0s50Bx7e92D49kH+MBhU=
=FEA7
-----END PGP SIGNATURE-----
Comment 11 Pekka Savola 2005-11-18 14:46:55 EST
Thanks!
Comment 12 Pekka Savola 2005-11-30 14:08:19 EST
Timeout over.
Comment 13 Marc Deslauriers 2005-12-18 00:04:33 EST
Packages were released.
