Bug 13130

Summary: a2ps new security issue CVE-2014-0466
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, mageia, shlomif, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/592675/
Whiteboard: MGA3TOO advisory has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK
Source RPM: a2ps-4.14-12.mga3.src.rpm CVE:
Status comment:

Description David Walser 2014-04-01 18:59:01 CEST 
Debian has issued an advisory on March 31:
https://www.debian.org/security/2014/dsa-2892

Note that CVE-2001-1593 was fixed several years ago in the Mandrake days.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated a2ps packages fix security vulnerability:

Brian M. Carlson reported that a2ps's fixps script does not invoke gs with
the -dSAFER option. Consequently executing fixps on a malicious PostScript
file could result in files being deleted or arbitrary commands being
executed with the privileges of the user running fixps (CVE-2014-0466).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0466
https://www.debian.org/security/2014/dsa-2892
========================

Updated packages in core/updates_testing:
========================
a2ps-4.14-12.1.mga3.i586.rpm
a2ps-devel-4.14-12.1.mga3.i586.rpm
a2ps-4.14-13.1.mga4.i586.rpm
a2ps-devel-4.14-13.1.mga4.i586.rpm

from SRPMS:
a2ps-4.14-12.1.mga3.src.rpm
a2ps-4.14-13.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-04-01 18:59:07 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Lewis Smith 2014-04-03 18:04:23 CEST 
This is currently flagged as just i586, but as there was an x64 pkg in Updates Testing, I tested it for MGA4.

Release: a2ps-4.14-13.mga4.x86_64.rpm
Converted a few files with limited success. Only text files are really handled (I think what is now called Anything-to-PS used to be ASCII-to-PS). HTML is referred to html2ps, and images delegated to ImageMagick.

Updated to: a2ps-4.14-13.1.mga4 x64 variant.
Converting the same mixture of files as previously gave the same results for all of them.

MGA4-64-OK.

CC: (none) => lewyssmith
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Comment 2 David Walser 2014-04-03 18:20:54 CEST 
Sorry, the patch wasn't actually applied in the Mageia 3 update, so I had to rebuild it.  Mageia 3 now has:
a2ps-4.14-12.2.mga3.i586.rpm
a2ps-devel-4.14-12.2.mga3.i586.rpm

from a2ps-4.14-12.2.mga3.src.rpm
Comment 3 David Walser 2014-04-03 19:24:29 CEST 
PoC:
https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=test-wrapper-fixps;att=1;bug=742902

Save it as test-wrapper-fixps.sh and install both the a2ps and ghostscript packages.

Run the script as follows:
test-wrapper-fixps.sh a2ps

and after installing the update it should report it as not vulnerable.

I've verified we're not vulnerable after installing the update on Mageia 3 and Mageia 4 i586.  For some not obvious reason, it also said not vulnerable before the update on Mageia 4 for me.  Mageia 3 before the update did report as vulnerable.
Comment 4 Shlomi Fish 2014-04-03 19:38:42 CEST 
I tested the PoC exploit and some basic usage of a2ps (like «a2ps -o test.pdf --pro=color myfile.c») on MGA4-i586 and it's OK there.

CC: (none) => shlomif
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK

Comment 5 Shlomi Fish 2014-04-03 19:55:08 CEST 
It's fine on MGA3-i586 too.

Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK

Comment 6 Shlomi Fish 2014-04-03 20:08:47 CEST 
OK, I have some bad news. The PoC exploit on MGA3-x86-64 reports that the programs (a2ps and fixps) is still vulnerable and I don't see "SAFER" anywhere in /usr/bin/fixps . Seems like something there is wrong. Can the packager investigate?

Regards,

-- Shlomi Fish
Comment 7 David Walser 2014-04-03 20:13:03 CEST 
(In reply to Shlomi Fish from comment #6)
> OK, I have some bad news. The PoC exploit on MGA3-x86-64 reports that the
> programs (a2ps and fixps) is still vulnerable and I don't see "SAFER"
> anywhere in /usr/bin/fixps . Seems like something there is wrong. Can the
> packager investigate?

Did you make sure to get the 12.2.mga3 version of the update?
Comment 8 Shlomi Fish 2014-04-03 20:24:27 CEST 
(In reply to Shlomi Fish from comment #6)
> OK, I have some bad news. The PoC exploit on MGA3-x86-64 reports that the
> programs (a2ps and fixps) is still vulnerable and I don't see "SAFER"
> anywhere in /usr/bin/fixps . Seems like something there is wrong. Can the
> packager investigate?
> 

OK, I seemed to have used a package from an old mirror - mirrors.garr.it . After I switched to the mirrors.kernel.org mirror everything works fine - the PoC exploit reports that the package is not vulnerable and a2ps works fine with "-o test.pdf --pro=color".

Regards,

-- Shlomi Fish

> Regards,
> 
> -- Shlomi Fish

Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK

Comment 9 Shlomi Fish 2014-04-03 20:25:04 CEST 
OK, the update was tested and validated on all platforms. Ship it!
Comment 10 claire robinson 2014-04-04 12:27:41 CEST 
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO advisory has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK
CC: (none) => sysadmin-bugs

Comment 11 Damien Lallement 2014-04-04 12:59:01 CEST 
http://advisories.mageia.org/MGASA-2014-0161.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED