466771 – (CVE-2008-3863) CVE-2008-3863 enscript: "setfilename" special escape buffer overflow

Bug 466771 (CVE-2008-3863) - CVE-2008-3863 enscript: "setfilename" special escape buffer overflow

Summary: CVE-2008-3863 enscript: "setfilename" special escape buffer overflow

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-3863
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	473089 473090 473091 473093 473094 473095 833895
Blocks:
TreeView+	depends on / blocked

Reported:	2008-10-13 15:09 UTC by Tomas Hoger
Modified:	2019-09-29 12:26 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-12-19 17:39:49 UTC
Embargoed:

Attachments	(Terms of Use)
Proposed patch from Kees Cook (Ubuntu) (520 bytes, patch) 2008-10-31 08:59 UTC, Tomas Hoger	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:1016	0	normal	SHIPPED_LIVE	Moderate: enscript security update	2008-12-15 12:51:49 UTC
Red Hat Product Errata	RHSA-2008:1021	0	normal	SHIPPED_LIVE	Moderate: enscript security update	2008-12-15 15:01:29 UTC

Description Tomas Hoger 2008-10-13 15:09:25 UTC

Ulf Harnhammar of the Secunia Research discovered a buffer overflow in enscript:

The vulnerability is caused due to a boundary error within the
"read_special_escape()" function in src/psgen.c. This can be exploited
to cause a stack-based buffer overflow by tricking the user into
converting a malicious file.

Successful exploitation allows execution of arbitrary code, but requires
that special escapes processing is enabled with the "-e" option.

The vulnerability is confirmed in versions 1.6.1 and 1.6.4 (beta). Other
versions may also be affected.

Comment 3 Tomas Hoger 2008-10-22 16:31:35 UTC

Public now via:
  http://secunia.com/secunia_research/2008-41/

Comment 4 Jan Lieskovsky 2008-10-24 15:21:31 UTC

Additional references:

http://www.securityfocus.com/archive/1/archive/1/497647/100/0/threaded
http://www.securityfocus.com/bid/31858
http://secunia.com/advisories/32137
http://xforce.iss.net/xforce/xfdb/46026

Comment 5 Tomas Hoger 2008-10-31 08:59:45 UTC

Created attachment 322029 [details]
Proposed patch from Kees Cook (Ubuntu)

Comment 6 Tomas Hoger 2008-10-31 09:09:16 UTC

For alternate patch, see: https://bugzilla.redhat.com/show_bug.cgi?id=469311#c4

Comment 7 Fedora Update System 2008-11-06 04:04:17 UTC

enscript-1.6.4-9.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-11-06 04:06:32 UTC

enscript-1.6.4-10.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Red Hat Product Security 2008-12-19 17:39:49 UTC

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-1016.html
  http://rhn.redhat.com/errata/RHSA-2008-1021.html

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9351
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9372

Note You need to log in before you can comment on or make changes to this bug.