https://bugzilla.redhat.com/show_bug.cgi?id=526513

"Vincent Danen 2009-09-30 13:26:22 EDT

It was reported [1] that html2ps suffers from an arbitrary file disclosure in SSI directives, as noted via the exploit [2] posted to PacketStorm. This has not been addressed upstream from what I can tell.

If html2ps is called via a web page that allows a user to upload the content to convert to ps, it could allow for arbitrary file content disclosure based on the permissions of the user running html2ps.

This would affect html2ps in Fedora 10, 11, rawhide, and EPEL 5.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548633
[2] http://www.packetstormsecurity.org/0909-exploits/html2ps-disclose.txt"
This was assigned CVE-2009-5067 as of:
http://www.openwall.com/lists/oss-security/2012/10/05/5

This was fixed in cauldron with html2ps-2.0-2.b7.1.mga3.src.rpm.

Correct patch can be found in RHEL6 updates.
Mandriva has issued an advisory for this today (October 6): http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:161
CC: (none) => luigiwalser
Source RPM: html2ps => html2ps-2.0-2.b5.5.mga1.src.rpm
Whiteboard: (none) => MGA1TOO
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5067 => http://lwn.net/Vulnerabilities/389349/
Updated packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated html2ps packages fix security vulnerability:

Directory traversal vulnerability in html2ps before 1.0b7 allows remote attackers to read arbitrary files via directory traversal sequences in SSI directives (CVE-2009-5067).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5067
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:161
========================

Updated packages in core/updates_testing:
========================
html2ps-2.0-2.b7.1.mga1
xhtml2ps-2.0-2.b7.1.mga1
html2ps-2.0-2.b7.1.mga2
xhtml2ps-2.0-2.b7.1.mga2

from SRPMS:
html2ps-2.0-2.b7.1.mga1.src.rpm
html2ps-2.0-2.b7.1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Summary: CVE-2009-5067: html2ps - arbitrary file disclosure in SSI directives => html2ps - arbitrary file disclosure in SSI directives (CVE-2009-5067)
Severity: normal => major
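As an added illustration of the bug class named in the advisory above (this is not html2ps's own code and is not taken from this bug report or the linked PoC): a minimal server-side-include expander written two ways. The vulnerable form joins the directive's path onto the document directory and reads whatever that names, so `../` sequences walk out of the directory, and an absolute path replaces the directory outright because `os.path.join` discards the first argument when the second is absolute. The hardened form canonicalises the target with `realpath` and refuses anything that does not land under the canonical document root. The `<!--#include file=... -->` / `virtual=...` syntax is the generic SSI form assumed here, and the directory tree, the `header.inc` include and the `secret.txt` file standing in for /etc/passwd are constructed for the demonstration.

```python
import os
import re
import tempfile

# Assumed generic SSI include syntax: <!--#include file="..." --> or
# <!--#include virtual="..." -->.  html2ps's own parser is not reproduced.
SSI_INCLUDE = re.compile(r'<!--#include\s+(?:file|virtual)="([^"]*)"\s*-->')


def expand_ssi_vulnerable(html, doc_root):
    """Naive expansion: join the directive's path onto doc_root and read it.
    '../' sequences escape doc_root, and os.path.join drops doc_root entirely
    when the requested path is absolute.  This is the bug class, not html2ps."""
    def repl(match):
        path = os.path.join(doc_root, match.group(1))
        with open(path, encoding='utf-8', errors='replace') as f:
            return f.read()
    return SSI_INCLUDE.sub(repl, html)


def expand_ssi_safe(html, doc_root):
    """Hardened expansion: strip any leading '/', resolve '..' and symlinks
    with realpath, and refuse a target whose canonical path is not inside the
    canonical root (or that is not a regular file)."""
    root = os.path.realpath(doc_root)

    def repl(match):
        requested = match.group(1)
        target = os.path.realpath(os.path.join(root, requested.lstrip('/')))
        if os.path.commonpath([root, target]) != root or not os.path.isfile(target):
            return '<!-- include refused: %s -->' % requested
        with open(target, encoding='utf-8', errors='replace') as f:
            return f.read()
    return SSI_INCLUDE.sub(repl, html)


def demo():
    """Build a throwaway tree (constructed sample data): doc_root holds one
    legitimate include, and a file one level up stands in for /etc/passwd.
    Returns (vulnerable_output, safe_output)."""
    with tempfile.TemporaryDirectory() as tmp:
        doc_root = os.path.join(tmp, 'www')
        os.mkdir(doc_root)
        with open(os.path.join(doc_root, 'header.inc'), 'w') as f:
            f.write('HEADER')
        secret = os.path.join(tmp, 'secret.txt')
        with open(secret, 'w') as f:
            f.write('root:x:0:0:root:/root:/bin/sh')  # constructed stand-in line
        html = (
            '<!--#include file="header.inc" -->\n'       # legitimate include
            '<!--#include file="../secret.txt" -->\n'    # directory traversal
            f'<!--#include virtual="{secret}" -->\n'     # absolute path
        )
        return expand_ssi_vulnerable(html, doc_root), expand_ssi_safe(html, doc_root)


if __name__ == '__main__':
    vulnerable, safe = demo()
    print('--- vulnerable ---\n' + vulnerable)
    print('--- hardened ---\n' + safe)
```

The check compares canonical paths rather than looking for the substring `..`: a symlink inside the document directory pointing outside it, or a path like `legit/../../secret.txt`, is caught by `realpath`, whereas a string filter would miss encodings the filesystem later resolves.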
Testing using the PoC linked in comment 0
http://www.packetstormsecurity.org/0909-exploits/html2ps-disclose.txt

Installed gv then..

$ python html2ps-disclose.txt

Displays the contents of /etc/passwd

After update, just displays two 'Epiphant'

Testing complete Mageia 2 x86_64
Whiteboard: MGA1TOO => MGA1TOO mga2-64-OK
Whiteboard: MGA1TOO mga2-64-OK => MGA1TOO has_procedure mga2-64-OK
Tested on MGA2, i586, using the procedure from Comment 4. Thanks Claire! Note to fellow testers: gv is also a Mageia package, not a python egg... :) I could reproduce the bug, the update fixes the issue. However, for some reason gv shows an empty file after installing the updated package - but Okular is able to open the file and shows "Epiphant" two times, but not the password. This looks like a regression to me, but since okular can still open the file I'm not sure this should prevent us from pushing this security update. However, it might be easy to fix - what do you think? SRPM: html2ps-2.0-2.b7.1.mga2.src.rpm
CC: (none) => wassi
Testing complete mga1 32
Whiteboard: MGA1TOO has_procedure mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga2-64-OK
Testing complete mga1 64
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK
Testing complete Mageia 2 x86-64, and Mageia 2 i586.

Could someone from the sysadmin team push the srpm html2ps-2.0-2.b7.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm html2ps-2.0-2.b7.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated html2ps packages fix security vulnerability:

Directory traversal vulnerability in html2ps before 1.0b7 allows remote attackers to read arbitrary files via directory traversal sequences in SSI directives (CVE-2009-5067).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5067
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:161
https://bugs.mageia.org/show_bug.cgi?id=7722
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0297
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED