oss-security - CVE id request: groff (pdfroff)

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Sun, 9 Aug 2009 15:48:17 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: CVE id request: groff (pdfroff)

Hi,
We got two bug reports in our BTS for groff with security 
impact which need CVE ids.

First one:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538330
pdfroff tool of groff is creating files in a insecure manner 
in the /tmp directory.

Second:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538338
pdfroff tool of groff is calling ghostscript with the 
-dSAFER command line option. From the manpage:

       -dSAFER
              Disables  the  "deletefile"  and  "renamefile" operators and the
              ability to open files in any mode other  than  read-only.   This
              strongly  recommended  for spoolers, conversion scripts or other
              sensitive  environments  where  a  badly  written  or  malicious
              PostScript  program  code must be prevented from changing impor-
              tant files.

This allows an attacker to delete or rename arbitrary victim owned files.

Can you allocate CVE ids for that?

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.