There is a stack-based overflow in the enscript escape codes handling code. Citing by the Secunia's report: ----- The vulnerability is caused due to a boundary error within the "read_special_escape()" function in src/psgen.c. This can be exploited to cause a stack-based buffer overflow by tricking the user into converting a malicious file. Successful exploitation allows execution of arbitrary code, but requires that special escapes processing is enabled with the "-e" option. ----- Fix: The following patch should introduce the fix to the FreeBSD port: The following VuXML entry should be added: <vuln vid=""> <topic>GNU enscript -- multiple vulnerabilities</topic> <affects> <package> <name>enscript-letter</name> <name>enscript-letterdj</name> <name>enscript-a4</name> <range><lt>1.6.4_2</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>Ulf Harnhammar from Secunia Research had discovered stack-based buffer overflow vulnerability in the GNU enscript code:</p> <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863"> <p>Stack-based buffer overflow in the read_special_escape function in src/psgen.c in GNU Enscript 1.6.1 and 1.6.4 beta, when the -e (aka special escapes processing) option is enabled, allows user-assisted remote attackers to execute arbitrary code via a crafted ASCII file, related to the setfilename command.</p> </blockquote> <p>CVE-2008-4306 is a Ubuntu-specific mirror issue for this vulnerability.</p> </body> </description> <references> <cvename>CVE-2008-3863</cvename> <cvename>CVE-2008-4306</cvename> <url>http://secunia.com/secunia_research/2008-41/</url> <url>http://cvs.fedoraproject.org/viewvc//devel/enscript/enscript-CVE-2008-3863+CVE-2008-4306.patch</url> <url>https://launchpad.net/ubuntu/intrepid/+source/enscript/1.6.4-12ubuntu0.8.10.1</url> </references> <dates> <discovery>2008-10-22</discovery> </dates> </vuln> --- vuln.xml ends here -----NWA7oKVPlv3DwxusaBZUiK9wQ3Z6aI3G0Ul2KM0oU1dNAPTW Content-Type: text/plain; name="1.6.4_1-to-1.6.4_2-fix-CVE-2008-4306.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="1.6.4_1-to-1.6.4_2-fix-CVE-2008-4306.diff" diff -urN ./Makefile ../enscript-letter/Makefile --- ./Makefile 2008-11-18 13:57:48.000000000 +0300 +++ ../enscript-letter/Makefile 2008-11-18 13:58:02.000000000 +0300 @@ -7,7 +7,7 @@ PORTNAME= enscript PORTVERSION= 1.6.4 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES+= print MASTER_SITES= http://www.codento.com/people/mtr/genscript/ PKGNAMESUFFIX= -${PAPERSIZE} diff -urN ./files/patch-CVE-2008-3863-and-4306 ../enscript-letter/files/patch-CVE-2008-3863-and-4306 --- ./files/patch-CVE-2008-3863-and-4306 1970-01-01 03:00:00.000000000 +0300 +++ ../enscript-letter/files/patch-CVE-2008-3863-and-4306 2008-11-18 13:57:08.000000000 +0300 @@ -0,0 +1,94 @@ +Patch for CVE-2008-3863 and CVE-2008-4306 + +Obtained from: http://cvs.fedoraproject.org/viewvc/devel/enscript/enscript-CVE-2008-3863%2BCVE-2008-4306.patch?revision=1.1 + +--- src/psgen.c ++++ src/psgen.c 2008-10-29 10:43:08.512598143 +0100 +@@ -24,6 +24,7 @@ + * Boston, MA 02111-1307, USA. + */ + ++#include <limits.h> + #include "gsint.h" + + /* +@@ -124,7 +125,7 @@ struct gs_token_st + double xscale; + double yscale; + int llx, lly, urx, ury; /* Bounding box. */ +- char filename[512]; ++ char filename[PATH_MAX]; + char *skipbuf; + unsigned int skipbuf_len; + unsigned int skipbuf_pos; +@@ -135,11 +136,11 @@ struct gs_token_st + Color bgcolor; + struct + { +- char name[512]; ++ char name[PATH_MAX]; + FontPoint size; + InputEncoding encoding; + } font; +- char filename[512]; ++ char filename[PATH_MAX]; + } u; + }; + +@@ -248,7 +249,7 @@ static int do_print = 1; + static int user_fontp = 0; + + /* The user ^@font{}-defined font. */ +-static char user_font_name[256]; ++static char user_font_name[PATH_MAX]; + static FontPoint user_font_pt; + static InputEncoding user_font_encoding; + +@@ -978,7 +979,8 @@ large for page\n"), + FATAL ((stderr, + _("user font encoding can be only the system's default or `ps'"))); + +- strcpy (user_font_name, token.u.font.name); ++ memset (user_font_name, 0, sizeof(user_font_name)); ++ strncpy (user_font_name, token.u.font.name, sizeof(user_font_name) - 1); + user_font_pt.w = token.u.font.size.w; + user_font_pt.h = token.u.font.size.h; + user_font_encoding = token.u.font.encoding; +@@ -1444,7 +1446,7 @@ read_special_escape (InputStream *is, To + buf[i] = ch; + if (i + 1 >= sizeof (buf)) + FATAL ((stderr, _("too long argument for %s escape:\n%.*s"), +- escapes[i].name, i, buf)); ++ escapes[e].name, i, buf)); + } + buf[i] = '\0'; + +@@ -1452,7 +1454,8 @@ read_special_escape (InputStream *is, To + switch (escapes[e].escape) + { + case ESC_FONT: +- strcpy (token->u.font.name, buf); ++ memset (token->u.font.name, 0, sizeof(token->u.font.name)); ++ strncpy (token->u.font.name, buf, sizeof(token->u.font.name) - 1); + + /* Check for the default font. */ + if (strcmp (token->u.font.name, "default") == 0) +@@ -1465,7 +1468,8 @@ read_special_escape (InputStream *is, To + FATAL ((stderr, _("malformed font spec for ^@font escape: %s"), + token->u.font.name)); + +- strcpy (token->u.font.name, cp); ++ memset (token->u.font.name, 0, sizeof(token->u.font.name)); ++ strncpy (token->u.font.name, cp, sizeof(token->u.font.name) - 1); + xfree (cp); + } + token->type = tFONT; +@@ -1544,7 +1548,8 @@ read_special_escape (InputStream *is, To + break; + + case ESC_SETFILENAME: +- strcpy (token->u.filename, buf); ++ memset (token->u.filename, 0, sizeof(token->u.font.name)); ++ strncpy (token->u.filename, buf, sizeof(token->u.filename) - 1); + token->type = tSETFILENAME; + break; How-To-Repeat: http://secunia.com/secunia_research/2008-41/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863
Responsible Changed From-To: freebsd-ports-bugs->rafan Over to maintainer (via the GNATS Auto Assign Tool)
rafan 2008-11-18 14:20:01 UTC FreeBSD ports repository Modified files: print/enscript-letter Makefile Added files: print/enscript-letter/files patch-CVE-2008-3863-and-4306 Log: - Fix CVE 2008-3863, 2008-4306 PR: ports/128958 Submitted by: Eygene Ryabinkin <rea-fbsd at codelabs.ru> Obtained from: http://cvs.fedoraproject.org/viewvc/devel/enscript/ Revision Changes Path 1.31 +1 -1 ports/print/enscript-letter/Makefile 1.1 +94 -0 ports/print/enscript-letter/files/patch-CVE-2008-3863-and-4306 (new) _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
rafan 2008-11-18 15:33:34 UTC FreeBSD ports repository Modified files: security/vuxml vuln.xml Log: - Add an entry for print/enscript and its slave ports PR: ports/128958 Submitted by: Eygene Ryabinkin <rea-fbsd at codelabs.ru> (based on) Reviewed by: stas@ Revision Changes Path 1.1754 +34 -1 ports/security/vuxml/vuln.xml _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: open->closed Committed, with minor changes. Thanks!