Bug 155877 - CAN-2004-1170 a2ps File Name Command Execution Vulnerability
CAN-2004-1170 a2ps File Name Command Execution Vulnerability
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: a2ps (Show other bugs)
2.1
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tim Waugh
http://cve.mitre.org/cgi-bin/cvename....
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-04-25 05:03 EDT by Bastien Nocera
Modified: 2007-11-30 17:06 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-25 05:44:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Bastien Nocera 2005-04-25 05:03:01 EDT
+++ This bug was initially created as a clone of Bug #152870 +++

from http://archives.neohapsis.com/archives/fulldisclosure/2004-08/1026.html
===
[Full-Disclosure] a2ps executing shell commands from file name

From: Rudolf Polzer (divzerogmail.com)
Date: Tue Aug 24 2004 - 06:01:47 CDT


Severity: Medium
Short description: a2ps executes arbitrary shell commands from a given file name
Affected: GNU a2ps 4.13, a nice syntax-highlighting formatter from
source code to postscript
Operating systems: all systems where a2ps 4.13 compiles and which have
a bourne or C shell by default used by system(). On other systems the
patch might not work while the problem is probably still there.

Description:

a2ps can execute shell commands from file names. Not really severe,
unless you use a2ps with wildcards from a world-writable directory
like /tmp. I've also seen someone using a2ps in a pure-ftpd upload
script which is executed after successful upload of a file.

Workaround:

Do not use wildcards in a2ps command lines except if you do that in a
directory only you can create files in and where you know the
contents. This might also apply to other tools (I did not check them),
so be careful.

How to reproduce:

$ touch 'x`echo >&2 42`.c'
$ a2ps -o /dev/null *.c
42
[x`echo >&2 42`.c (C): 0 pages on 0 sheets]
[Total: 0 pages on 0 sheets] saved into the file `/dev/null'
$ a2ps -V
GNU a2ps 4.13
Written by Akim Demaille, Miguel Santana.

How I found it:

$ touch 'LAN (div0)'
$ a2ps -o /dev/null LAN*
sh: -c: line 1: syntax error near unexpected token `('
sh: -c: line 1: `/usr/bin/file -L LAN (div0)'
[LAN (div0) (plain): 0 pages on 0 sheets]
[Total: 0 pages on 0 sheets] saved into the file `/dev/null'

How I fixed it:

http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain

Patch status:

Except for FreeBSD, no distribution seems to currently have the patch
(I sent it in to the FreeBSD people, the Debian a2ps maintainer
"mhatta at debian dot org" and "bug-a2ps at gnu dot org" at the same
time using Cc:).

The patch might not work on Windows while the problem seemingly still
exists when command.com is used as shell interpreter (but it might
require a prepared floppy). The file name for exploiting it may be
different, however.

MS-DOS probably is safe. I cannot think of anything malicious that you
can do in eight characters. However, a prepared floppy could contain a
file named

a|foo|.txt

and a foo.bat containing "what you want". Well, anyway, I do not know
if a2ps runs on DOS at all.

-- 
          / --- Where bots rampage, I'm there to take them down! --- \
         / ------ Where trouble arises, I'm there to cause it! ------ \
         \ Where an enemy tries to frag me, victory will be mine!!!1! /
{{dup[exch{dup exec}fork =}loop}dup exec >> http://www.ccc-offenbach.org <<

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
===



------- Additional Comments From pekkas@netcore.fi 2004-12-21 09:19:49 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages have been created for RHL73, RHL9, and FC1, by taking the latest
packages, and adding the identical patch to each.  The patch was taken from
Debian, but it's the same as quoted here.

http://www.netcore.fi/pekkas/linux/a2ps-4.13b-19.1.legacy.src.rpm (RHL73)
http://www.netcore.fi/pekkas/linux/a2ps-4.13b-28.1.legacy.src.rpm (RHL9)
http://www.netcore.fi/pekkas/linux/a2ps-4.13b-30.1.legacy.src.rpm (FC1)

SHA1sums:
d126bfb504f7457d08815b59e331954b929518d1  a2ps-4.13b-19.1.legacy.src.rpm
5c230a5cb7d50e610201db9ac3f50406fce66967  a2ps-4.13b-28.1.legacy.src.rpm
9f2cd572a97212cf9dd4bdd2a5f2303d8a5be225  a2ps-4.13b-30.1.legacy.src.rpm
<snip>

The bug seems to affect all releases of RHEL. Tim, do you want a bug per
release, or would one do?
Comment 1 Mark J. Cox (Product Security) 2005-04-25 05:44:30 EDT
CAN-2005-1170 is of minimal security risk to Red Hat Enterprise Linux 2.1, 3
users.  We do not intend to issue security updates for this issue.
Comment 2 Bastien Nocera 2005-04-25 05:47:52 EDT
Mark, what about RHEL 4?
Comment 3 Bastien Nocera 2005-04-25 06:09:46 EDT
Tim told me RHEL4 only contains the fix.
Comment 4 Bastien Nocera 2005-04-25 06:50:51 EDT
*already* contains the fix. Sorry for the spam, it's still early for me.

Note You need to log in before you can comment on or make changes to this bug.