Alerts This Week
Warning Icon 1 646
Alerts This Week
Warning Icon 1 646

Fedora Core 3: 2005-016 Critical: Enscript Command Execution Risk

fedora
Calendar Grey January 26, 2005
Dist Fedora Esm H88
Multiple vulnerabilities in enscript for Fedora Core 3 have been resolved, notably mitigating risks related to unauthorized command executions.
Several security relevant problems in enscript, a program to converts ASCII text to Postscript and other formats.

Summary

GNU enscript is a free replacement for Adobe's Enscript

program. Enscript converts ASCII files to PostScript(TM) and spools

generated PostScript output to the specified printer or saves it to a

file. Enscript can be extended to handle different output media and

includes many options for customizing printouts.

Erik Sj=F6lund has discovered several security relevant problems in

enscript, a program to converts ASCII text to Postscript and other

formats. The Common Vulnerabilities and Exposures project identifies

the following vulnerabilities:

CAN-2004-1184

Unsanitised input can caues the execution of arbitrary commands

via EPSF pipe support. This has been disabled, also upstream.

CAN-2004-1185

Due to missing sanitising of filenames it is possible that a

specially crafted filename can cause arbitrary commands to be

executed.

CAN-2004-1186

Multiple buffer overflows can cause the program to crash.

- Fixed patch for CAN-2004-1186 (bug #114684).

* Tue Jan 11 2005 Tim Waugh 1.6.1-28.0.1

- Added patch to fix CAN-2004-1186 (bug #114684).

- Added patch to fix CAN-2004-1185 (bug #114684).

- Backported patch to fix CAN-2004-1184 (bug #114684).

64cf1cd8caf430620476ff974c243829 SRPMS/enscript-1.6.1-28.0.2.src.rpm

233b8d840cfcc8d17286421e4ce0e868 x86_64/enscript-1.6.1-28.0.2.x86_64.rpm

11834dbe6435a1944da492a91f6a0bb1 x86_64/debug/enscript-debuginfo-1.6.1-28.0.2.x86_64.rpm

97e0027f6d54ca9575e816ba47ee5e0e i386/enscript-1.6.1-28.0.2.i386.rpm

ad12163e561ab7e16637fb75690633d4 i386/debug/enscript-debuginfo-1.6.1-28.0.2.i386.rpm

This update can also be installed with the Update Agent; you can

launch the Update Agent with the 'up2date' command. =20

--sNt4k+cZonCcEAOa

Content-Type: application/pgp-signature

Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFB94EBHU/d4jnpWe0RAnKAAJ4hbue4F58oDhLrmJCZSPgvflldlgCfbuk8

lAB98BI9klaiSConF5DTUaA=vfBK

-----END PGP SIGNATURE-------sNt4k+cZonCcEAOa--

--===============1633749433=Content-Type: text/plain; charset="us-ascii"

MIME-Version: 1.0

Content-Transfer-Encoding: 7bit

Content-Disposition: inline

--fedora-announce-list mailing list

fedora-announce-list@redhat.com

Topics%20covered

Topics Covered

security advisory critical issue buffer overflow command execution enscript Fedora Core update notification

Change Log

References

Update Instructions

Severity
critical
Lowest
Low
Medium
High
Critical

Name: enscript
Version: 1.6.1 =20
Release: 28.0.2 =20
Summary: A plain ASCII to PostScript converter.

Topics%20covered

Topics Covered

security advisory critical issue buffer overflow command execution enscript Fedora Core update notification

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here