Kees Cook and Tomas Hoger discovered multiple buffer overflows in enscript related to handling of the font{} special escape, caused by an unsafe use of strcpy(). This can be exploited to cause a stack-based buffer overflow by tricking the user into converting a malicious file, but requires that special escape processing is enabled with the "-e" option (not enabled by default). The issue is similar to the recently reported setfilename{} special escape handling buffer overflow known as CVE-2008-3863.
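The bug class described above is a fixed-size stack buffer filled by strcpy() from an escape argument whose length is never checked. The following is an added illustration of the defensive pattern a fix needs, written for this report; it is not enscript's code and not taken from the attached patches. The "name@size" layout of the font{} argument, the FONT_NAME_MAX buffer size and all sample inputs are assumptions constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed destination buffer; a constructed value, not enscript's. */
#define FONT_NAME_MAX 64

/* Parse the argument of a font{...} special escape.  The "name@size" layout
 * is an assumption for this example.  Returns 1 and fills name/size on
 * success; returns 0 for a malformed argument or a name that would not fit
 * in name_len bytes (the case an unchecked strcpy() turns into a
 * stack-based overflow). */
int parse_font_escape(const char *arg, char *name, size_t name_len, unsigned *size)
{
    const char *at;
    size_t nlen;
    char *end;
    long val;

    if (arg == NULL || name == NULL || size == NULL || name_len == 0)
        return 0;

    at = strchr(arg, '@');
    if (at == NULL)
        return 0;

    nlen = (size_t)(at - arg);
    /* Bounded copy: the dangerous pattern is strcpy(name, arg) with no check. */
    if (nlen == 0 || nlen >= name_len)
        return 0;
    memcpy(name, arg, nlen);
    name[nlen] = '\0';

    /* Point size must be a plain positive decimal with nothing trailing. */
    val = strtol(at + 1, &end, 10);
    if (end == at + 1 || *end != '\0' || val <= 0 || val > 1000)
        return 0;
    *size = (unsigned)val;
    return 1;
}

/* Returns 1 if the escape argument is accepted with a FONT_NAME_MAX buffer. */
int font_escape_ok(const char *arg)
{
    char name[FONT_NAME_MAX];
    unsigned size;
    return parse_font_escape(arg, name, sizeof name, &size);
}

/* Returns the parsed point size, or 0 if the argument is rejected. */
unsigned font_escape_size(const char *arg)
{
    char name[FONT_NAME_MAX];
    unsigned size = 0;
    if (!parse_font_escape(arg, name, sizeof name, &size))
        return 0;
    return size;
}

/* Builds a constructed argument whose font name is name_chars bytes long
 * and reports whether the parser accepts it; shows that names at or beyond
 * the buffer size are refused instead of being copied. */
int font_escape_accepts_name_length(size_t name_chars)
{
    char *arg = malloc(name_chars + 4);   /* name + "@10" + NUL */
    int ok;
    if (arg == NULL)
        return 0;
    memset(arg, 'A', name_chars);
    memcpy(arg + name_chars, "@10", 4);
    ok = font_escape_ok(arg);
    free(arg);
    return ok;
}

int main(void)
{
    /* Constructed sample escape arguments. */
    const char *samples[] = { "Times-Roman@12", "Courier", "Helvetica@", "@12" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               font_escape_ok(samples[i]) ? "accepted" : "rejected");
    printf("%zu-byte name  -> %s\n", (size_t)FONT_NAME_MAX,
           font_escape_accepts_name_length(FONT_NAME_MAX) ? "accepted" : "rejected");
    return 0;
}
```

The check that matters is the `nlen >= name_len` test before the copy: the destination size is passed in explicitly rather than assumed, so an argument longer than the buffer is rejected as malformed input instead of overwriting the stack. Note that in enscript itself this code path is only reached when special escape processing is turned on with "-e".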
Created attachment 322030 [details] Proposed patch from Kees Cook (Ubuntu)
Created attachment 322031 [details] Escape array indexing typo
While testing this, another minor typo was discovered in the escapes array indexing in the error code path. This can result in an enscript crash (OOB read), but does not seem to have any security implications.
Created attachment 322032 [details] Alternate patch proposed by Werner Fink (SuSE)
For both CVE-2008-3863 and CVE-2008-4306.
enscript-1.6.4-9.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
enscript-1.6.4-10.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-1016.html
http://rhn.redhat.com/errata/RHSA-2008-1021.html
Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9351
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9372