oss-sec mailing list archives

CVE id request: groff (pdfroff)

From: Nico Golde <oss-security+ml () ngolde de>
Date: Sun, 9 Aug 2009 15:48:17 +0200

Hi,
We got two bug reports in our BTS for groff with security 
impact which need CVE ids.

First one:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538330
pdfroff tool of groff is creating files in a insecure manner 
in the /tmp directory.

Second:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538338
pdfroff tool of groff is calling ghostscript with the 
-dSAFER command line option. From the manpage:

       -dSAFER
              Disables  the  "deletefile"  and  "renamefile" operators and the
              ability to open files in any mode other  than  read-only.   This
              strongly  recommended  for spoolers, conversion scripts or other
              sensitive  environments  where  a  badly  written  or  malicious
              PostScript  program  code must be prevented from changing impor-
              tant files.

This allows an attacker to delete or rename arbitrary victim owned files.

Can you allocate CVE ids for that?

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description:

Current thread:

CVE id request: groff (pdfroff) Nico Golde (Aug 09)
- Re: CVE id request: groff (pdfroff) Tomas Hoger (Aug 10)
- Re: CVE id request: groff (pdfroff) Solar Designer (Aug 14)
  - Re: CVE id request: groff (pdfroff) Nico Golde (Aug 14)