From owner-freebsd-ports-bugs@FreeBSD.ORG Tue Nov 18 11:30:01 2008
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Resent-Date: Tue, 18 Nov 2008 11:30:01 GMT
Resent-Message-Id: <200811181130.mAIBU16X013681@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Cc: freebsd-security@freebsd.org, rafan@freebsd.org
Resent-Reply-To: FreeBSD-gnats-submit@freebsd.org, Eygene Ryabinkin
Message-Id: <20081118112146.35CA917115@shadow.codelabs.ru>
Date: Tue, 18 Nov 2008 14:21:46 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
X-GNATS-Notify: freebsd-security@freebsd.org, rafan@freebsd.org
Cc:
Subject: ports/128958: [vuxml] [patch] fix CVE-2008-3863 in print/enscript-letter
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Eygene Ryabinkin
List-Id: Ports bug reports
X-List-Received-Date: Tue, 18 Nov 2008 11:30:01 -0000

>Number:         128958
>Category:       ports
>Synopsis:       [vuxml] [patch] fix CVE-2008-3863 in print/enscript-letter
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 18 11:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
There is a stack-based overflow in enscript's escape code handling. Citing the Secunia report:
-----
The vulnerability is caused due to a boundary error within the "read_special_escape()" function in src/psgen.c. This can be exploited to cause a stack-based buffer overflow by tricking the user into converting a malicious file.

Successful exploitation allows execution of arbitrary code, but requires that special escapes processing is enabled with the "-e" option.
-----
>How-To-Repeat:
http://secunia.com/secunia_research/2008-41/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863
>Fix:
The following patch should introduce the fix to the FreeBSD port:

--- 1.6.4_1-to-1.6.4_2-fix-CVE-2008-4306.diff begins here ---
diff -urN ./Makefile ../enscript-letter/Makefile --- ./Makefile 2008-11-18 13:57:48.000000000 +0300 +++ ../enscript-letter/Makefile 2008-11-18 13:58:02.000000000 +0300
@@ -7,7 +7,7 @@ PORTNAME= enscript PORTVERSION= 1.6.4 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES+= print MASTER_SITES= http://www.codento.com/people/mtr/genscript/ PKGNAMESUFFIX= -${PAPERSIZE} diff -urN ./files/patch-CVE-2008-3863-and-4306 ../enscript-letter/files/patch-CVE-2008-3863-and-4306 --- ./files/patch-CVE-2008-3863-and-4306 1970-01-01 03:00:00.000000000 +0300 +++ ../enscript-letter/files/patch-CVE-2008-3863-and-4306 2008-11-18 13:57:08.000000000 +0300 
@@ -0,0 +1,94 @@ +Patch for CVE-2008-3863 and CVE-2008-4306 + +Obtained from: http://cvs.fedoraproject.org/viewvc/devel/enscript/enscript-CVE-2008-3863%2BCVE-2008-4306.patch?revision=1.1 + +--- src/psgen.c ++++ src/psgen.c 2008-10-29 10:43:08.512598143 +0100 +@@ -24,6 +24,7 @@ + * Boston, MA 02111-1307, USA. + */ + ++#include + #include "gsint.h" + + /* +@@ -124,7 +125,7 @@ struct gs_token_st + double xscale; + double yscale; + int llx, lly, urx, ury; /* Bounding box. */ +- char filename[512]; ++ char filename[PATH_MAX]; + char *skipbuf; + unsigned int skipbuf_len; + unsigned int skipbuf_pos; +@@ -135,11 +136,11 @@ struct gs_token_st + Color bgcolor; + struct + { +- char name[512]; ++ char name[PATH_MAX]; + FontPoint size; + InputEncoding encoding; + } font; +- char filename[512]; ++ char filename[PATH_MAX]; + } u; + }; + +@@ -248,7 +249,7 @@ static int do_print = 1; + static int user_fontp = 0; + + /* The user ^@font{}-defined font. */ +-static char user_font_name[256]; ++static char user_font_name[PATH_MAX]; + static FontPoint user_font_pt; + static InputEncoding user_font_encoding; + +@@ -978,7 +979,8 @@ large for page\n"), + FATAL ((stderr, + _("user font encoding can be only the system's default or `ps'"))); + +- strcpy (user_font_name, token.u.font.name); ++ memset (user_font_name, 0, sizeof(user_font_name)); ++ strncpy (user_font_name, token.u.font.name, sizeof(user_font_name) - 1); + user_font_pt.w = token.u.font.size.w; + user_font_pt.h = token.u.font.size.h; + user_font_encoding = token.u.font.encoding; +@@ -1444,7 +1446,7 @@ read_special_escape (InputStream *is, To + buf[i] = ch; + if (i + 1 >= sizeof (buf)) + FATAL ((stderr, _("too long argument for %s escape:\n%.*s"), +- escapes[i].name, i, buf)); ++ escapes[e].name, i, buf)); + } + buf[i] = '\0'; + +@@ -1452,7 +1454,8 @@ read_special_escape (InputStream *is, To + switch (escapes[e].escape) + { + case ESC_FONT: +- strcpy (token->u.font.name, buf); ++ memset (token->u.font.name, 0, 
sizeof(token->u.font.name)); ++ strncpy (token->u.font.name, buf, sizeof(token->u.font.name) - 1); + + /* Check for the default font. */ + if (strcmp (token->u.font.name, "default") == 0) +@@ -1465,7 +1468,8 @@ read_special_escape (InputStream *is, To + FATAL ((stderr, _("malformed font spec for ^@font escape: %s"), + token->u.font.name)); + +- strcpy (token->u.font.name, cp); ++ memset (token->u.font.name, 0, sizeof(token->u.font.name)); ++ strncpy (token->u.font.name, cp, sizeof(token->u.font.name) - 1); + xfree (cp); + } + token->type = tFONT; +@@ -1544,7 +1548,8 @@ read_special_escape (InputStream *is, To + break; + + case ESC_SETFILENAME: +- strcpy (token->u.filename, buf); ++ memset (token->u.filename, 0, sizeof(token->u.font.name)); ++ strncpy (token->u.filename, buf, sizeof(token->u.filename) - 1); + token->type = tSETFILENAME; + break; --- 1.6.4_1-to-1.6.4_2-fix-CVE-2008-4306.diff ends here --- The following VuXML entry should be added: --- vuln.xml begins here --- GNU enscript -- multiple vulnerabilities enscript-letter enscript-letterdj enscript-a4 1.6.4_2
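Review bot: the `++#include` line in the `@@ -24,6 +24,7 @@` hunk of src/psgen.c carries no header name in the text as archived, yet the `char filename[PATH_MAX]` and `char name[PATH_MAX]` declarations added in the following hunks depend on the header that defines PATH_MAX (`<limits.h>`). Confirm that the committed files/patch-CVE-2008-3863-and-4306 reads `+#include <limits.h>` there; with the name missing the struct hunks will not compile.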
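Review bot: the `memset` plus `strncpy (..., sizeof (...) - 1)` pairs that replace `strcpy` in the `@@ -978`, `@@ -1452` and `@@ -1465` hunks close the overflow but silently cut a `^@font{}` name longer than PATH_MAX - 1 bytes, whereas the read loop in the `@@ -1444` hunk already aborts with `FATAL ((stderr, _("too long argument for %s escape:\n%.*s"), ...))` when its own buffer fills. Rejecting a name that does not fit with the same FATAL, or using strlcpy(3) from FreeBSD's libc and checking its return value against the field size, would report the over-long argument instead of quietly selecting a different font name.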
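Review bot: in the `@@ -1544,7 +1548,8 @@` hunk the new `++ memset (token->u.filename, 0, sizeof(token->u.font.name));` sizes the clear by the wrong union member; it only works because both fields are now `char [PATH_MAX]`. Use `sizeof(token->u.filename)` so the memset agrees with the `strncpy (token->u.filename, buf, sizeof(token->u.filename) - 1)` on the next line, as the ESC_FONT hunks do.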

Ulf Harnhammar from Secunia Research has discovered a stack-based buffer overflow vulnerability in the GNU enscript code:

Stack-based buffer overflow in the read_special_escape function in src/psgen.c in GNU Enscript 1.6.1 and 1.6.4 beta, when the -e (aka special escapes processing) option is enabled, allows user-assisted remote attackers to execute arbitrary code via a crafted ASCII file, related to the setfilename command.

CVE-2008-4306 is an Ubuntu-specific mirror issue for this vulnerability.

References:
CVE-2008-3863
CVE-2008-4306
http://secunia.com/secunia_research/2008-41/
http://cvs.fedoraproject.org/viewvc//devel/enscript/enscript-CVE-2008-3863+CVE-2008-4306.patch
https://launchpad.net/ubuntu/intrepid/+source/enscript/1.6.4-12ubuntu0.8.10.1
2008-10-22
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
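The defect the PR describes, an escape argument copied into a fixed-size field without comparing lengths, and the two ways of bounding that copy, as an added example that is neither enscript's code nor the PR's patch. It assumes a 512-byte field (the size of the original name and filename fields the patch enlarges) and uses constructed inputs; `copy_truncating` follows the patch's memset-plus-strncpy shape, `copy_checked` is an alternative that refuses an argument that does not fit.

```c
/* Added example: bounded copy of an escape argument into a fixed-size
 * field.  Not enscript's code; FIELD_SIZE mirrors the 512-byte fields
 * the patch enlarges, and every input below is constructed. */
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 512

/* Original pattern: the argument length is never compared with the
 * field size, so an argument of FIELD_SIZE bytes or more writes past
 * the end of dst.  Kept only for contrast; called below with a short
 * constant only. */
static void copy_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Patch-style copy: clear the field, then copy at most FIELD_SIZE - 1
 * bytes.  Cannot overflow, but an over-long argument is cut short and
 * no error is raised. */
static void copy_truncating(char *dst, const char *src)
{
    memset(dst, 0, FIELD_SIZE);
    strncpy(dst, src, FIELD_SIZE - 1);
}

/* Stricter alternative: refuse an argument that does not fit with its
 * terminator and leave dst untouched, so the caller can report it the
 * way the reader loop already reports an over-long escape argument. */
static int copy_checked(char *dst, const char *src)
{
    size_t len = strlen(src);
    if (len >= (size_t)FIELD_SIZE)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Constructed font name of len bytes ('A' repeated). */
static void make_name(char *out, size_t len)
{
    memset(out, 'A', len);
    out[len] = '\0';
}

/* Length the patch-style copy leaves behind for a 2000-byte argument:
 * FIELD_SIZE - 1, i.e. the name was silently shortened. */
int demo_truncated_length(void)
{
    char arg[2001];
    char field[FIELD_SIZE];
    make_name(arg, 2000);
    copy_truncating(field, arg);
    return (int)strlen(field);
}

/* The checked copy rejects the same argument and the field keeps its
 * previous contents; returns 1 when both hold. */
int demo_checked_rejects(void)
{
    char arg[2001];
    char field[FIELD_SIZE] = "Courier";
    make_name(arg, 2000);
    if (copy_checked(field, arg) != -1)
        return 0;
    return strcmp(field, "Courier") == 0;
}

/* A name that fits is copied identically by all three routines;
 * returns 1 when they agree. */
int demo_short_name_matches(void)
{
    char a[FIELD_SIZE], b[FIELD_SIZE], c[FIELD_SIZE];
    const char *name = "Times-Roman";
    copy_unbounded(a, name);
    copy_truncating(b, name);
    if (copy_checked(c, name) != 0)
        return 0;
    return strcmp(a, name) == 0 && strcmp(b, name) == 0 && strcmp(c, name) == 0;
}

int main(void)
{
    printf("patch-style copy keeps %d of 2000 bytes\n", demo_truncated_length());
    printf("checked copy rejects and keeps field intact: %d\n", demo_checked_rejects());
    printf("short name identical in all copies: %d\n", demo_short_name_matches());
    return 0;
}
```

FreeBSD's libc also provides strlcpy(3), whose return value is the length the source would have needed; comparing that against the field size detects truncation in one call, which is the idiom the FreeBSD tree normally prefers over a memset followed by strncpy.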