Bug 469311 - (CVE-2008-4306) CVE-2008-4306 enscript: "font" special escape buffer overflows
CVE-2008-4306 enscript: "font" special escape buffer overflows
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
source=vendorsec,reported=20081028,pu...
: Security
Depends On: 473089 473090 473091 473093 473094 473095 833895
Blocks:
  Show dependency treegraph
 
Reported: 2008-10-31 04:59 EDT by Tomas Hoger
Modified: 2012-06-20 10:06 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-12-19 12:39:39 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed patch from Kees Cook (Ubuntu) (1.24 KB, patch)
2008-10-31 05:04 EDT, Tomas Hoger
no flags Details | Diff
Escape array indexing typo (474 bytes, patch)
2008-10-31 05:06 EDT, Tomas Hoger
no flags Details | Diff
Alternate patch proposed by Werner Fink (SuSE) (2.73 KB, patch)
2008-10-31 05:08 EDT, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2008-10-31 04:59:42 EDT
Kees Cook and Tomas Hoger discovered multiple buffer overflows in enscript related to handling of the font{} special escape caused by an unsafe use of strcpy().  This can be exploited to cause a stack-based buffer overflow by tricking the user into converting a malicious file, , but requires that special escapes processing is enabled with the "-e" option (not enabled by default).

Issue is similar to recently reported setfilename{} special escape handling buffer overflow known as CVE-2008-3863.
Comment 2 Tomas Hoger 2008-10-31 05:04:28 EDT
Created attachment 322030 [details]
Proposed patch from Kees Cook (Ubuntu)
Comment 3 Tomas Hoger 2008-10-31 05:06:28 EDT
Created attachment 322031 [details]
Escape array indexing typo

While testing this, another minor typo was discovered in the escapes array indexing in the error code path.  This can result in enscript crash (oob read), but does not seem to have any security implications.
Comment 4 Tomas Hoger 2008-10-31 05:08:12 EDT
Created attachment 322032 [details]
Alternate patch proposed by Werner Fink (SuSE)

For both CVE-2008-3863 and CVE-2008-4306.
Comment 5 Fedora Update System 2008-11-05 23:04:20 EST
enscript-1.6.4-9.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2008-11-05 23:06:35 EST
enscript-1.6.4-10.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.