Debian has issued an advisory on March 31:
https://www.debian.org/security/2014/dsa-2892

Note that CVE-2001-1593 was fixed several years ago in the Mandrake days.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated a2ps packages fix security vulnerability:

Brian M. Carlson reported that a2ps's fixps script does not invoke gs with the -dSAFER option. Consequently executing fixps on a malicious PostScript file could result in files being deleted or arbitrary commands being executed with the privileges of the user running fixps (CVE-2014-0466).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0466
https://www.debian.org/security/2014/dsa-2892
========================

Updated packages in core/updates_testing:
========================
a2ps-4.14-12.1.mga3.i586.rpm
a2ps-devel-4.14-12.1.mga3.i586.rpm
a2ps-4.14-13.1.mga4.i586.rpm
a2ps-devel-4.14-13.1.mga4.i586.rpm

from SRPMS:
a2ps-4.14-12.1.mga3.src.rpm
a2ps-4.14-13.1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
This is currently flagged as just i586, but as there was an x64 pkg in Updates Testing, I tested it for MGA4.

Release: a2ps-4.14-13.mga4.x86_64.rpm
Converted a few files with limited success. Only text files are really handled (I think what is now called Anything-to-PS used to be ASCII-to-PS). HTML is referred to html2ps, and images delegated to ImageMagick.

Updated to: a2ps-4.14-13.1.mga4 x64 variant.
Converting the same mixture of files as previously gave the same results for all of them.

MGA4-64-OK.
CC: (none) => lewyssmith
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK
Sorry, the patch wasn't actually applied in the Mageia 3 update, so I had to rebuild it.

Mageia 3 now has:
a2ps-4.14-12.2.mga3.i586.rpm
a2ps-devel-4.14-12.2.mga3.i586.rpm

from a2ps-4.14-12.2.mga3.src.rpm
PoC:
https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=test-wrapper-fixps;att=1;bug=742902

Save it as test-wrapper-fixps.sh and install both the a2ps and ghostscript packages. Run the script as follows:

test-wrapper-fixps.sh a2ps

and after installing the update it should report it as not vulnerable.

I've verified we're not vulnerable after installing the update on Mageia 3 and Mageia 4 i586. For some not obvious reason, it also said not vulnerable before the update on Mageia 4 for me. Mageia 3 before the update did report as vulnerable.
I tested the PoC exploit and some basic usage of a2ps (like «a2ps -o test.pdf --pro=color myfile.c») on MGA4-i586 and it's OK there.
CC: (none) => shlomif
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK
It's fine on MGA3-i586 too.
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK
OK, I have some bad news. The PoC exploit on MGA3-x86-64 reports that the programs (a2ps and fixps) are still vulnerable and I don't see "SAFER" anywhere in /usr/bin/fixps . Seems like something there is wrong. Can the packager investigate?

Regards,

-- Shlomi Fish
(In reply to Shlomi Fish from comment #6)
> OK, I have some bad news. The PoC exploit on MGA3-x86-64 reports that the
> programs (a2ps and fixps) are still vulnerable and I don't see "SAFER"
> anywhere in /usr/bin/fixps . Seems like something there is wrong. Can the
> packager investigate?

Did you make sure to get the 12.2.mga3 version of the update?
(In reply to Shlomi Fish from comment #6)
> OK, I have some bad news. The PoC exploit on MGA3-x86-64 reports that the
> programs (a2ps and fixps) are still vulnerable and I don't see "SAFER"
> anywhere in /usr/bin/fixps . Seems like something there is wrong. Can the
> packager investigate?
>

OK, I seemed to have used a package from an old mirror - mirrors.garr.it . After I switched to the mirrors.kernel.org mirror everything works fine - the PoC exploit reports that the package is not vulnerable and a2ps works fine with "-o test.pdf --pro=color".

Regards,

-- Shlomi Fish

> Regards,
>
> -- Shlomi Fish
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK
OK, the update was tested and validated on all platforms. Ship it!
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates?

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO advisory has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0161.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED
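
Comment 6 above checks the installed script by looking for "SAFER" in /usr/bin/fixps. The following is an added example, not code from this bug report or from a2ps, that turns that check into a repeatable audit of a wrapper script, including gs calls split over continuation lines. The function names `audit_gs_safer` and `write_samples` are hypothetical, the sample scripts are constructed, and the match on a `gs` command word followed by an option is a heuristic.

```shell
#!/bin/sh
# Added example, not from the bug report. Heuristic: a "gs" command word
# (gs, $gs, "${gs}", /usr/bin/gs) followed by an option counts as a call.

# audit_gs_safer FILE
# Prints "LINE: command" for every gs call lacking -dSAFER.
# Returns 0 if none found, 1 if any found, 2 if FILE is unreadable.
audit_gs_safer() {
    [ -r "$1" ] || return 2
    awk '
        function check(cmd, n) {
            if (cmd ~ /^[ \t]*#/) return            # full-line comment
            if (cmd ~ pat && cmd !~ /-dSAFER/) {
                printf "%d: %s\n", n, cmd
                bad = 1
            }
        }
        BEGIN { pat = "(^|[^A-Za-z0-9_.-])gs[\"}]*[ \t]+-" }
        {
            if (buf == "") start = NR               # first line of a command
            line = $0
            # Join backslash-continued lines so an option on a later
            # physical line is still seen as part of the same call.
            if (sub(/\\$/, "", line)) { buf = buf line " "; next }
            check(buf line, start)
            buf = ""
        }
        END { exit bad + 0 }
    ' "$1"
}

# write_samples DIR: constructed stand-ins for an unpatched and a patched
# wrapper (not the real fixps source).
write_samples() {
    cat > "$1/unpatched.sh" <<'EOF'
#!/bin/sh
# constructed sample
gs=gs
$gs -q -dNOPAUSE -dBATCH \
    -sOutputFile=out.ps in.ps
EOF
    sed 's/-sOutputFile/-dSAFER -sOutputFile/' "$1/unpatched.sh" > "$1/patched.sh"
}

# Audit the file named on the command line, e.g. /usr/bin/fixps.
if [ -n "${1:-}" ]; then audit_gs_safer "$1"; fi
```

A clean result only shows that every gs call the heuristic recognised carries -dSAFER; it complements the PoC run rather than replacing it.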