Your message dated Wed, 17 Dec 2008 21:02:56 +0000
with message-id <e1ld3xk-0006fd...@ries.debian.org>
and subject line Bug#506261: fixed in enscript 1.6.4-11.1
has caused the Debian Bug report #506261,
regarding enscript: Buffer overflows
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
506261: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506261
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: enscript
Version: 1.6.4-12
Severity: grave
Tags: security
Justification: user security hole

Hi, 
Buffer overflows have been discovered in enscript; the issues are tracked as:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306

I'm attaching a patch by Werner Fink of SuSE covering these
issues.

Cheers,
        Moritz

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages enscript depends on:
ii  libc6                        2.7-15      GNU C Library: Shared libraries
ii  libpaper1                    1.1.23+nmu1 library for handling paper charact

enscript recommends no packages.

Versions of packages enscript suggests:
ii  ghostscript [postscript- 8.62.dfsg.1-3.1 The GPL Ghostscript PostScript/PDF
ii  lpr                      1:2008.05.17    BSD lpr/lpd line printer spooling 

-- no debconf information
--- src/psgen.c
+++ src/psgen.c	2008-10-29 10:43:08.512598143 +0100
@@ -24,6 +24,7 @@
  * Boston, MA 02111-1307, USA.
  */
 
+#include <limits.h>
 #include "gsint.h"
 
 /*
@@ -124,7 +125,7 @@ struct gs_token_st
 	  double xscale;
 	  double yscale;
 	  int llx, lly, urx, ury; /* Bounding box. */
-	  char filename[512];
+	  char filename[PATH_MAX];
 	  char *skipbuf;
 	  unsigned int skipbuf_len;
 	  unsigned int skipbuf_pos;
@@ -135,11 +136,11 @@ struct gs_token_st
       Color bgcolor;
       struct
 	{
-	  char name[512];
+	  char name[PATH_MAX];
 	  FontPoint size;
 	  InputEncoding encoding;
 	} font;
-      char filename[512];
+      char filename[PATH_MAX];
     } u;
 };
 
@@ -248,7 +249,7 @@ static int do_print = 1;
 static int user_fontp = 0;
 
 /* The user ^...@font{}-defined font. */
-static char user_font_name[256];
+static char user_font_name[PATH_MAX];
 static FontPoint user_font_pt;
 static InputEncoding user_font_encoding;
 
@@ -978,7 +979,8 @@ large for page\n"),
 			FATAL ((stderr,
 				_("user font encoding can be only the system's default or `ps'")));
 
-		      strcpy (user_font_name, token.u.font.name);
+		      memset  (user_font_name, 0, sizeof(user_font_name));
+		      strncpy (user_font_name, token.u.font.name, sizeof(user_font_name) - 1);
 		      user_font_pt.w = token.u.font.size.w;
 		      user_font_pt.h = token.u.font.size.h;
 		      user_font_encoding = token.u.font.encoding;
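Review bot: The memset-plus-strncpy pair on the two added lines is a roundabout way to get a bounded, NUL-terminated copy; `snprintf (user_font_name, sizeof user_font_name, "%s", token.u.font.name);` does the same in one call and always terminates. Since both source and destination are PATH_MAX after this patch, the copy cannot truncate here, so this is a style point rather than a correctness one. The enclosing function starts and ends outside the hunk.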
@@ -1444,7 +1446,7 @@ read_special_escape (InputStream *is, To
 	  buf[i] = ch;
 	  if (i + 1 >= sizeof (buf))
 	    FATAL ((stderr, _("too long argument for %s escape:\n%.*s"),
-		    escapes[i].name, i, buf));
+		    escapes[e].name, i, buf));
 	}
       buf[i] = '\0';
 
@@ -1452,7 +1454,8 @@ read_special_escape (InputStream *is, To
       switch (escapes[e].escape)
 	{
 	case ESC_FONT:
-	  strcpy (token->u.font.name, buf);
+	  memset  (token->u.font.name, 0, sizeof(token->u.font.name));
+	  strncpy (token->u.font.name, buf, sizeof(token->u.font.name) - 1);
 
 	  /* Check for the default font. */
 	  if (strcmp (token->u.font.name, "default") == 0)
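Review bot: The bounded copy on the new lines truncates silently: if `buf` can hold more than PATH_MAX - 1 bytes, an over-long font spec is quietly cut down to a different name instead of being rejected the way the too-long-argument case earlier in this function is. The declared size of `buf` is not visible in this hunk, so whether truncation is actually reachable cannot be confirmed from here. If it is, prefer a copy that reports truncation, e.g. `if (snprintf (token->u.font.name, sizeof token->u.font.name, "%s", buf) >= (int) sizeof token->u.font.name)` followed by the same FATAL used for over-long escape arguments. read_special_escape starts before and ends after the hunk.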
@@ -1465,7 +1468,8 @@ read_special_escape (InputStream *is, To
 		FATAL ((stderr, _("malformed font spec for ^...@font escape: %s"),
 			token->u.font.name));
 
-	      strcpy (token->u.font.name, cp);
+	      memset  (token->u.font.name, 0, sizeof(token->u.font.name));
+	      strncpy (token->u.font.name, cp, sizeof(token->u.font.name) - 1);
 	      xfree (cp);
 	    }
 	  token->type = tFONT;
@@ -1544,7 +1548,8 @@ read_special_escape (InputStream *is, To
 	  break;
 
 	case ESC_SETFILENAME:
-	  strcpy (token->u.filename, buf);
+	  memset  (token->u.filename, 0, sizeof(token->u.font.name));
+	  strncpy (token->u.filename, buf, sizeof(token->u.filename) - 1);
 	  token->type = tSETFILENAME;
 	  break;
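Review bot: The memset on the first added line clears `token->u.filename` using `sizeof(token->u.font.name)` — the size of a different union member — while the strncpy directly below it correctly uses `sizeof(token->u.filename) - 1`. Both arrays are PATH_MAX after this patch, so the two sizes happen to agree today, but the mismatch is a copy-paste slip that turns into an out-of-bounds write the moment either array is resized on its own. Change it to `memset (token->u.filename, 0, sizeof(token->u.filename));`, or replace the pair with `snprintf (token->u.filename, sizeof token->u.filename, "%s", buf);`, which needs no separate zeroing. The enclosing switch and function continue outside the hunk.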
 

--- End Message ---
--- Begin Message ---
Source: enscript
Source-Version: 1.6.4-11.1

We believe that the bug you reported is fixed in the latest version of
enscript, which is due to be installed in the Debian FTP archive:

enscript_1.6.4-11.1.diff.gz
  to pool/main/e/enscript/enscript_1.6.4-11.1.diff.gz
enscript_1.6.4-11.1.dsc
  to pool/main/e/enscript/enscript_1.6.4-11.1.dsc
enscript_1.6.4-11.1_i386.deb
  to pool/main/e/enscript/enscript_1.6.4-11.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 506...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tim Retout <t...@retout.co.uk> (supplier of updated enscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 23 Nov 2008 18:10:35 +0000
Source: enscript
Binary: enscript
Architecture: source i386
Version: 1.6.4-11.1
Distribution: stable-security
Urgency: high
Maintainer: Christoph Berg <m...@debian.org>
Changed-By: Tim Retout <t...@retout.co.uk>
Description: 
 enscript   - Converts ASCII text to Postscript, HTML, RTF or Pretty-Print
Closes: 506261
Changes: 
 enscript (1.6.4-11.1) stable-security; urgency=high
 .
   * debian/patches/506261-buffer-overflows: New patch by Werner Fink to fix
     buffer overflows: CVE-2008-3863, CVE-2008-4306. (Closes: #506261)
   * Urgency set to "high" for RC security bugfix.
Files: 
 b5e8009c5ef20c0bf2089e3c43881daf 631 text optional enscript_1.6.4-11.1.dsc
 b5174b59e4a050fb462af5dbf28ebba3 1036734 text optional 
enscript_1.6.4.orig.tar.gz
 87e85119b278fa214b29f84eda3944a4 91162 text optional 
enscript_1.6.4-11.1.diff.gz
 a2d60b314df3903c55d427f6c30aa0b4 487696 text optional 
enscript_1.6.4-11.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkpvtsACgkQXm3vHE4uylrWzQCeLrwrvtf9tFcIOI5ibcDoHJUg
eWkAoJ6cr1Hk/DRLVb+UBMpDzhZD2UDn
=65V2
-----END PGP SIGNATURE-----



--- End Message ---
