Ulf Harnhammar of Secunia Research discovered a buffer overflow in enscript: The vulnerability is caused due to a boundary error within the "read_special_escape()" function in src/psgen.c. This can be exploited to cause a stack-based buffer overflow by tricking the user into converting a malicious file. Successful exploitation allows execution of arbitrary code, but requires that special escape processing is enabled with the "-e" option. The vulnerability is confirmed in versions 1.6.1 and 1.6.4 (beta). Other versions may also be affected.
Public now via: http://secunia.com/secunia_research/2008-41/
Additional references:
http://www.securityfocus.com/archive/1/archive/1/497647/100/0/threaded
http://www.securityfocus.com/bid/31858
http://secunia.com/advisories/32137
http://xforce.iss.net/xforce/xfdb/46026
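An added illustration of the bug class this report describes, written for this page and not taken from enscript's src/psgen.c: the function names, the "^@name{arg}" escape shape and the 16-byte argument limit are assumptions. It shows the unchecked copy shape in a comment, a bounds-checked reader that refuses overlong or unterminated arguments, and a line scanner that counts what the checked reader rejects.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical illustration of the bug class in the report above, not
 * enscript's actual src/psgen.c: the names, the "^@name{arg}" shape and
 * the 16-byte limit are assumptions chosen for the example.
 * The boundary error has the shape
 *     while (*in != '\0' && *in != '}') out[i++] = *in++;
 * which copies up to '}' with no check against the caller's fixed stack
 * buffer, so an overlong argument writes past its end. */
#define ESC_ARG_MAX 16

/* Hardened reader: stops before the buffer fills, requires the closing
 * brace, and returns -1 instead of truncating silently. */
int copy_escape_arg_checked(const char *in, char *out, size_t outsz)
{
    size_t i = 0;
    for (; *in != '\0' && *in != '}'; in++) {
        if (i + 1 >= outsz) {        /* leave room for the NUL */
            out[0] = '\0';
            return -1;
        }
        out[i++] = *in;
    }
    if (*in != '}') {                /* unterminated escape */
        out[0] = '\0';
        return -1;
    }
    out[i] = '\0';
    return (int)i;
}

/* Scans one line for "^@name{arg}" escapes with the checked reader.
 * Returns the number accepted; *rejected counts arguments that did not
 * fit ESC_ARG_MAX or had no closing brace. */
int scan_line_for_escapes(const char *line, int *rejected)
{
    int accepted = 0;
    char arg[ESC_ARG_MAX];
    *rejected = 0;
    for (const char *p = line; (p = strstr(p, "^@")) != NULL; p += 2) {
        const char *brace = strchr(p, '{');
        if (brace == NULL) break;
        if (copy_escape_arg_checked(brace + 1, arg, sizeof arg) < 0)
            (*rejected)++;
        else
            accepted++;
    }
    return accepted;
}
```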
Created attachment 322029: Proposed patch from Kees Cook (Ubuntu)
For alternate patch, see: https://bugzilla.redhat.com/show_bug.cgi?id=469311#c4
enscript-1.6.4-9.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
enscript-1.6.4-10.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-1016.html
http://rhn.redhat.com/errata/RHSA-2008-1021.html
Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9351
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9372