ports/128958: [vuxml] [patch] fix CVE-2008-3863 in print/enscript-letter

Tue, 18 Nov 2008 03:31:17 -0800 

>Number:         128958
>Category:       ports
>Synopsis:       [vuxml] [patch] fix CVE-2008-3863 in print/enscript-letter
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 18 11:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

There is a stack-based overflow in the enscript escape codes handling
code.

Citing by the Secunia's report:
-----
The vulnerability is caused due to a boundary error within the 
"read_special_escape()" function in src/psgen.c. This can be exploited
to cause a stack-based buffer overflow by tricking the user into 
converting a malicious file.

Successful exploitation allows execution of arbitrary code, but
requires that special escapes processing is enabled with the "-e" 
option.
-----

>How-To-Repeat:

http://secunia.com/secunia_research/2008-41/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863

>Fix:

The following patch should introduce the fix to the FreeBSD port:
--- 1.6.4_1-to-1.6.4_2-fix-CVE-2008-4306.diff begins here ---
diff -urN ./Makefile ../enscript-letter/Makefile
--- ./Makefile  2008-11-18 13:57:48.000000000 +0300
+++ ../enscript-letter/Makefile 2008-11-18 13:58:02.000000000 +0300
@@ -7,7 +7,7 @@
 
 PORTNAME=      enscript
 PORTVERSION=   1.6.4
-PORTREVISION=  1
+PORTREVISION=  2
 CATEGORIES+=   print
 MASTER_SITES=  http://www.codento.com/people/mtr/genscript/
 PKGNAMESUFFIX= -${PAPERSIZE}
diff -urN ./files/patch-CVE-2008-3863-and-4306 
../enscript-letter/files/patch-CVE-2008-3863-and-4306
--- ./files/patch-CVE-2008-3863-and-4306        1970-01-01 03:00:00.000000000 
+0300
+++ ../enscript-letter/files/patch-CVE-2008-3863-and-4306       2008-11-18 
13:57:08.000000000 +0300
@@ -0,0 +1,94 @@
+Patch for CVE-2008-3863 and CVE-2008-4306
+
+Obtained from: 
http://cvs.fedoraproject.org/viewvc/devel/enscript/enscript-CVE-2008-3863%2BCVE-2008-4306.patch?revision=1.1
+
+--- src/psgen.c
++++ src/psgen.c        2008-10-29 10:43:08.512598143 +0100
+@@ -24,6 +24,7 @@
+  * Boston, MA 02111-1307, USA.
+  */
+ 
++#include <limits.h>
+ #include "gsint.h"
+ 
+ /*
+@@ -124,7 +125,7 @@ struct gs_token_st
+         double xscale;
+         double yscale;
+         int llx, lly, urx, ury; /* Bounding box. */
+-        char filename[512];
++        char filename[PATH_MAX];
+         char *skipbuf;
+         unsigned int skipbuf_len;
+         unsigned int skipbuf_pos;
+@@ -135,11 +136,11 @@ struct gs_token_st
+       Color bgcolor;
+       struct
+       {
+-        char name[512];
++        char name[PATH_MAX];
+         FontPoint size;
+         InputEncoding encoding;
+       } font;
+-      char filename[512];
++      char filename[PATH_MAX];
+     } u;
+ };
+ 
+@@ -248,7 +249,7 @@ static int do_print = 1;
+ static int user_fontp = 0;
+ 
+ /* The user [EMAIL PROTECTED] font. */
+-static char user_font_name[256];
++static char user_font_name[PATH_MAX];
+ static FontPoint user_font_pt;
+ static InputEncoding user_font_encoding;
+ 
+@@ -978,7 +979,8 @@ large for page\n"),
+                       FATAL ((stderr,
+                               _("user font encoding can be only the system's 
default or `ps'")));
+ 
+-                    strcpy (user_font_name, token.u.font.name);
++                    memset  (user_font_name, 0, sizeof(user_font_name));
++                    strncpy (user_font_name, token.u.font.name, 
sizeof(user_font_name) - 1);
+                     user_font_pt.w = token.u.font.size.w;
+                     user_font_pt.h = token.u.font.size.h;
+                     user_font_encoding = token.u.font.encoding;
+@@ -1444,7 +1446,7 @@ read_special_escape (InputStream *is, To
+         buf[i] = ch;
+         if (i + 1 >= sizeof (buf))
+           FATAL ((stderr, _("too long argument for %s escape:\n%.*s"),
+-                  escapes[i].name, i, buf));
++                  escapes[e].name, i, buf));
+       }
+       buf[i] = '\0';
+ 
+@@ -1452,7 +1454,8 @@ read_special_escape (InputStream *is, To
+       switch (escapes[e].escape)
+       {
+       case ESC_FONT:
+-        strcpy (token->u.font.name, buf);
++        memset  (token->u.font.name, 0, sizeof(token->u.font.name));
++        strncpy (token->u.font.name, buf, sizeof(token->u.font.name) - 1);
+ 
+         /* Check for the default font. */
+         if (strcmp (token->u.font.name, "default") == 0)
+@@ -1465,7 +1468,8 @@ read_special_escape (InputStream *is, To
+               FATAL ((stderr, _("malformed font spec for [EMAIL PROTECTED] 
escape: %s"),
+                       token->u.font.name));
+ 
+-            strcpy (token->u.font.name, cp);
++            memset  (token->u.font.name, 0, sizeof(token->u.font.name));
++            strncpy (token->u.font.name, cp, sizeof(token->u.font.name) - 1);
+             xfree (cp);
+           }
+         token->type = tFONT;
+@@ -1544,7 +1548,8 @@ read_special_escape (InputStream *is, To
+         break;
+ 
+       case ESC_SETFILENAME:
+-        strcpy (token->u.filename, buf);
++        memset  (token->u.filename, 0, sizeof(token->u.font.name));
++        strncpy (token->u.filename, buf, sizeof(token->u.filename) - 1);
+         token->type = tSETFILENAME;
+         break;
--- 1.6.4_1-to-1.6.4_2-fix-CVE-2008-4306.diff ends here ---

The following VuXML entry should be added:
--- vuln.xml begins here ---
  <vuln vid="">
    <topic>GNU enscript -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>enscript-letter</name>
        <name>enscript-letterdj</name>
        <name>enscript-a4</name>
        <range><lt>1.6.4_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml";>
        <p>Ulf Harnhammar from Secunia Research had discovered stack-based
        buffer overflow vulnerability in the GNU enscript code:</p>
        <blockquote 
cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863";>
        <p>Stack-based buffer overflow in the read_special_escape
        function in src/psgen.c in GNU Enscript 1.6.1 and 1.6.4 beta,
        when the -e (aka special escapes processing) option is enabled,
        allows user-assisted remote attackers to execute arbitrary code
        via a crafted ASCII file, related to the setfilename
        command.</p>
        </blockquote>
        <p>CVE-2008-4306 is a Ubuntu-specific mirror issue for this
        vulnerability.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-3863</cvename>
      <cvename>CVE-2008-4306</cvename>
      <url>http://secunia.com/secunia_research/2008-41/</url>
      
<url>http://cvs.fedoraproject.org/viewvc//devel/enscript/enscript-CVE-2008-3863+CVE-2008-4306.patch</url>
      
<url>https://launchpad.net/ubuntu/intrepid/+source/enscript/1.6.4-12ubuntu0.8.10.1</url>
    </references>
    <dates>
      <discovery>2008-10-22</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to