Bug 7722 - html2ps - arbitrary file disclosure in SSI directives (CVE-2009-5067)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/389349/
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga1...
Keywords: validated_update

Reported: 2012-10-06 09:00 CEST by Oden Eriksson
Modified: 2012-10-16 02:17 CEST (History)

Source RPM: html2ps-2.0-2.b5.5.mga1.src.rpm

Description Oden Eriksson 2012-10-06 09:00:59 CEST
https://bugzilla.redhat.com/show_bug.cgi?id=526513

" Vincent Danen 2009-09-30 13:26:22 EDT

It was reported [1] that html2ps suffers from an arbitrary file disclosure in SSI directives, as noted via the exploit [2] posted to PacketStorm. This has not been addressed upstream from what I can tell. If html2ps is called via a web page that allows a user to upload the content to convert to ps, it could allow for arbitrary file content disclosure based on the permissions of the user running html2ps.

This would affect html2ps in Fedora 10, 11, rawhide, and EPEL 5.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548633
[2] http://www.packetstormsecurity.org/0909-exploits/html2ps-disclose.txt"
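Added illustration of the missing check, not html2ps's own code and not the fix shipped in these packages (html2ps is Perl; this is a Python sketch): each SSI include target is canonicalised and refused unless it stays under the document root. The directive syntax, the function names and the constructed file tree in `demo()` are assumptions.

```python
import os
import re
import tempfile

# Apache-style SSI include directives, the form html2ps honours, e.g.
# <!--#include file="header.html"--> or <!--#include virtual="/inc/x.html"-->
SSI_INCLUDE_RE = re.compile(
    r'<!--#include\s+(file|virtual)\s*=\s*"([^"]*)"\s*-->', re.IGNORECASE)

def resolve_ssi_include(attr, path, doc_dir, doc_root):
    """Map one include target to an absolute path, or None if it escapes.
    attr is "file" (relative to the including document's directory) or
    "virtual" (relative to the document root). Hypothetical helper."""
    if attr == "file":
        candidate = os.path.join(doc_dir, path)
    else:
        candidate = os.path.join(doc_root, path.lstrip("/"))
    real_root = os.path.realpath(doc_root)
    real_path = os.path.realpath(candidate)
    # Canonicalise both sides first so "..", "//" and symlinks cannot
    # smuggle the target outside the root; then require root as a prefix.
    if os.path.commonpath([real_root, real_path]) != real_root:
        return None
    return real_path

def expand_includes(html, doc_dir, doc_root):
    """Inline each permitted include; drop any directive that is refused."""
    def _sub(m):
        target = resolve_ssi_include(m.group(1).lower(), m.group(2),
                                     doc_dir, doc_root)
        if target is None or not os.path.isfile(target):
            return ""
        with open(target, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return SSI_INCLUDE_RE.sub(_sub, html)

def demo():
    """Constructed tree: one legitimate include, one traversal attempt."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "htdocs")
        os.makedirs(os.path.join(root, "inc"))
        with open(os.path.join(root, "inc", "header.html"), "w") as fh:
            fh.write("<h1>Site header</h1>")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:  # outside root
            fh.write("SECRET")
        html = ('<!--#include virtual="/inc/header.html"-->'
                '<!--#include file="../secret.txt"-->')
        return expand_includes(html, root, root)  # only the header survives
```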
Comment 1 Oden Eriksson 2012-10-06 09:10:56 CEST
This was assigned CVE-2009-5067 as of:

http://www.openwall.com/lists/oss-security/2012/10/05/5

This was fixed in cauldron with html2ps-2.0-2.b7.1.mga3.src.rpm

Correct patch can be found in RHEL6 updates.
Comment 2 David Walser 2012-10-06 14:15:18 CEST
Mandriva has issued an advisory for this today (October 6):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:161
Comment 3 David Walser 2012-10-09 22:35:09 CEST
Updated packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated html2ps packages fix security vulnerability:

Directory traversal vulnerability in html2ps before 1.0b7 allows
remote attackers to read arbitrary files via directory traversal
sequences in SSI directives (CVE-2009-5067).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5067
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:161
========================

Updated packages in core/updates_testing:
========================
html2ps-2.0-2.b7.1.mga1
xhtml2ps-2.0-2.b7.1.mga1
html2ps-2.0-2.b7.1.mga2
xhtml2ps-2.0-2.b7.1.mga2

from SRPMS:
html2ps-2.0-2.b7.1.mga1.src.rpm
html2ps-2.0-2.b7.1.mga2.src.rpm
Comment 4 claire robinson 2012-10-11 16:28:59 CEST
Testing using the PoC linked in comment 0

http://www.packetstormsecurity.org/0909-exploits/html2ps-disclose.txt

Installed gv then..

$ python  html2ps-disclose.txt

Displays the contents of /etc/passwd


After update, just displays two 'Epiphant'

Testing complete Mageia 2 x86_64
Comment 5 user7 2012-10-13 01:35:41 CEST
Tested on MGA2, i586, using the procedure from Comment 4.
Thanks Claire!

Note to fellow testers: gv is also a Mageia package, not a python egg... :)

I could reproduce the bug, the update fixes the issue. However, for some reason gv shows an empty file after installing the updated package - but Okular is able to open the file and shows "Epiphant" two times, but not the password. This looks like a regression to me, but since okular can still open the file I'm not sure this should prevent us from pushing this security update. However, it might be easy to fix - what do you think?

SRPM: html2ps-2.0-2.b7.1.mga2.src.rpm
Comment 6 claire robinson 2012-10-13 18:27:11 CEST
Testing complete mga1 32
Comment 7 claire robinson 2012-10-13 19:16:44 CEST
Testing complete mga1 64
Comment 8 Dave Hodgins 2012-10-16 01:44:32 CEST
Testing complete Mageia 2 x86-64, and Mageia 2 i586.

Could someone from the sysadmin team push the srpm
html2ps-2.0-2.b7.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
html2ps-2.0-2.b7.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated html2ps packages fix security vulnerability:

Directory traversal vulnerability in html2ps before 1.0b7 allows
remote attackers to read arbitrary files via directory traversal
sequences in SSI directives (CVE-2009-5067).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5067
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:161

https://bugs.mageia.org/show_bug.cgi?id=7722
Comment 9 Thomas Backlund 2012-10-16 02:17:40 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0297