Bug 7722

Summary: html2ps - arbitrary file disclosure in SSI directives (CVE-2009-5067)
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: davidwhodgins, luigiwalser, sysadmin-bugs, tmb, wassi
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/389349/
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK MGA2-32-OK
Source RPM: html2ps-2.0-2.b5.5.mga1.src.rpm CVE:
Status comment:

Description Oden Eriksson 2012-10-06 09:00:59 CEST 
https://bugzilla.redhat.com/show_bug.cgi?id=526513

" Vincent Danen 2009-09-30 13:26:22 EDT

It was reported [1] that html2ps suffers from an arbitrary file disclosure in SSI directives, as noted via the exploit [2] posted to PacketStorm.  This has not been addressed upstream from what I can tell.  If html2ps is called via a web page that allows a user to upload the content to convert to ps, it could allow for abitrary file content disclosure based on the permissions of the user running html2ps.

This would affect html2ps in Fedora 10, 11, rawhide, and EPEL 5.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548633
[2] http://www.packetstormsecurity.org/0909-exploits/html2ps-disclose.txt"
Comment 1 Oden Eriksson 2012-10-06 09:10:56 CEST 
This was assigned CVE-2009-5067 as of:

http://www.openwall.com/lists/oss-security/2012/10/05/5

This was fixed in cauldron with html2ps-2.0-2.b7.1.mga3.src.rpm

Correct patch can be found in RHEL6 updates.
Comment 2 David Walser 2012-10-06 14:15:18 CEST 
Mandriva has issued an advisory for this today (October 6):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:161

CC: (none) => luigiwalser
Source RPM: html2ps => html2ps-2.0-2.b5.5.mga1.src.rpm
Whiteboard: (none) => MGA1TOO

David Walser 2012-10-09 13:06:48 CEST

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5067 => http://lwn.net/Vulnerabilities/389349/

Comment 3 David Walser 2012-10-09 22:35:09 CEST 
Updated packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated html2ps packages fix security vulnerability:

Directory traversal vulnerability in html2ps before 1.0b7 allows
remote attackers to read arbitrary files via directory traversal
sequences in SSI directives (CVE-2009-5067).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5067
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:161
========================

Updated packages in core/updates_testing:
========================
html2ps-2.0-2.b7.1.mga1
xhtml2ps-2.0-2.b7.1.mga1
html2ps-2.0-2.b7.1.mga2
xhtml2ps-2.0-2.b7.1.mga2

from SRPMS:
html2ps-2.0-2.b7.1.mga1.src.rpm
html2ps-2.0-2.b7.1.mga2.src.rpm

Assignee: bugsquad => qa-bugs
Summary: CVE-2009-5067: html2ps - arbitrary file disclosure in SSI directives => html2ps - arbitrary file disclosure in SSI directives (CVE-2009-5067)
Severity: normal => major

Comment 4 claire robinson 2012-10-11 16:28:59 CEST 
Testing using the PoC linked in comment 0

http://www.packetstormsecurity.org/0909-exploits/html2ps-disclose.txt

Installed gv then..

$ python  html2ps-disclose.txt

Displays the contents of /etc/passwd


After update, just displays two 'Epiphant'

Testing complete Mageia 2 x86_64
claire robinson 2012-10-11 16:29:09 CEST

Whiteboard: MGA1TOO => MGA1TOO mga2-64-OK

claire robinson 2012-10-11 18:20:21 CEST

Whiteboard: MGA1TOO mga2-64-OK => MGA1TOO has_procedure mga2-64-OK

Comment 5 user7 2012-10-13 01:35:41 CEST 
Tested on MGA2, i586, using the procedure from Comment 4.
Thanks Claire!

Note to fellow testers: gv is also a Mageia package, not a python egg... :)

I could reproduce the bug, the update fixes the issue. However, for some reason gv shows an empty file after installing the updated package - but Okular is able to open the file and shows "Epiphant" two times, but not the password. This looks like a regression to me, but since okular can still open the file I'm not sure this should prevent us from pushing this security update. However, it might be easy to fix - what do you think?

SRPM: html2ps-2.0-2.b7.1.mga2.src.rpm

CC: (none) => wassi

Comment 6 claire robinson 2012-10-13 18:27:11 CEST 
Testing complete mga1 32

Whiteboard: MGA1TOO has_procedure mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga2-64-OK

Comment 7 claire robinson 2012-10-13 19:16:44 CEST 
Testing complete mga1 64

Whiteboard: MGA1TOO has_procedure mga1-32-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK

Comment 8 Dave Hodgins 2012-10-16 01:44:32 CEST 
Testing complete Mageia 2 x86-64, and Mageia 2 i586.

Could someone from the sysadmin team push the srpm
html2ps-2.0-2.b7.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
html2ps-2.0-2.b7.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated html2ps packages fix security vulnerability:

Directory traversal vulnerability in html2ps before 1.0b7 allows
remote attackers to read arbitrary files via directory traversal
sequences in SSI directives (CVE-2009-5067).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5067
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:161

https://bugs.mageia.org/show_bug.cgi?id=7722

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK MGA2-32-OK

Comment 9 Thomas Backlund 2012-10-16 02:17:40 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0297

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED