Red Hat Bugzilla – Bug 466771
CVE-2008-3863 enscript: "setfilename" special escape buffer overflow
Last modified: 2012-06-20 10:06:47 EDT
Ulf Harnhammar of Secunia Research discovered a buffer overflow in enscript:
The vulnerability is caused due to a boundary error within the
"read_special_escape()" function in src/psgen.c. This can be exploited
to cause a stack-based buffer overflow by tricking the user into
converting a malicious file.
Successful exploitation allows execution of arbitrary code, but requires
that special escapes processing is enabled with the "-e" option.
The vulnerability is confirmed in versions 1.6.1 and 1.6.4 (beta). Other
versions may also be affected.
Public now via:
Created attachment 322029
Proposed patch from Kees Cook (Ubuntu)
For alternate patch, see: https://bugzilla.redhat.com/show_bug.cgi?id=469311#c4
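The shape of the bug the advisory describes, as an added illustration rather than enscript's own source or either of the patches referenced above: the argument of the "setfilename" special escape is copied into a fixed-size stack buffer until the end of the line, with no check against the buffer size, beside a bounded version that refuses an over-long argument. The buffer size, the function names, the status codes and the sample arguments are all constructed for this example; how the escape itself is introduced in the input is left out, the functions take only the text that follows the escape name.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in size for the fixed stack buffer that receives the argument
   (assumed value, chosen small so the overflow is easy to see). */
#define ESC_ARG_BUF 32

enum { ARG_OK = 0, ARG_TOO_LONG = -1 };

/* Vulnerable shape (illustrative, not enscript's code): copy the rest of
   the line into buf with no bound on i. A line longer than the buffer
   writes past its end; when buf lives in the caller's stack frame that is
   the stack-based overflow the advisory describes. Only call this with
   input known to be shorter than the buffer. */
int copy_escape_arg_unbounded(const char *line, char *buf)
{
    size_t i;
    for (i = 0; line[i] != '\0' && line[i] != '\n'; i++)
        buf[i] = line[i];          /* no check against the buffer size */
    buf[i] = '\0';
    return ARG_OK;
}

/* Hardened shape: stop before the write that would not fit, keeping one
   byte for the terminator, and report the over-long argument instead of
   silently truncating it. */
int copy_escape_arg_bounded(const char *line, char *buf, size_t buflen)
{
    size_t i;
    for (i = 0; line[i] != '\0' && line[i] != '\n'; i++) {
        if (i + 1 >= buflen) {
            buf[0] = '\0';
            return ARG_TOO_LONG;
        }
        buf[i] = line[i];
    }
    buf[i] = '\0';
    return ARG_OK;
}

/* Number of bytes, NUL included, the unbounded copy would write for this
   line; anything above ESC_ARG_BUF is an overflow. Computed without doing
   the write, so it is safe on any input. */
size_t unbounded_bytes_written(const char *line)
{
    size_t i = 0;
    while (line[i] != '\0' && line[i] != '\n')
        i++;
    return i + 1;
}

/* Run the bounded reader against a buffer of ESC_ARG_BUF bytes and
   return its status. */
int bounded_status(const char *line)
{
    char buf[ESC_ARG_BUF];
    return copy_escape_arg_bounded(line, buf, sizeof buf);
}

/* Constructed sample arguments (not taken from any real file). */
const char short_arg[] = "report.txt\n";
/* 40 'A's followed by a newline: longer than ESC_ARG_BUF. */
const char long_arg[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\n";

/* Drive both readers over the samples; returns how many samples the
   bounded reader rejected (1 expected: only long_arg). */
int demo(void)
{
    char buf[ESC_ARG_BUF];
    const char *samples[] = { short_arg, long_arg };
    int rejected = 0;
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        size_t need = unbounded_bytes_written(samples[n]);
        int rc = copy_escape_arg_bounded(samples[n], buf, sizeof buf);
        printf("arg of %zu bytes: unbounded copy writes %zu of %d, bounded: %s\n",
               need - 1, need, ESC_ARG_BUF, rc == ARG_OK ? buf : "rejected");
        if (rc == ARG_TOO_LONG)
            rejected++;
    }
    /* The unbounded reader is only exercised on the sample that fits. */
    copy_escape_arg_unbounded(short_arg, buf);
    printf("unbounded copy of short arg: %s\n", buf);
    return rejected;
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

The check in the bounded version sits before the store, so the comparison is against the buffer the caller actually passed; a fix that instead compared against a size constant unrelated to the real buffer would reintroduce the same bug if the two ever drifted apart.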
enscript-1.6.4-9.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
enscript-1.6.4-10.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: