freebsd security - Nov 2008 - ports/128958: [vuxml] [patch] fix CVE-2008-3863 in print/enscript-letter

>Number:         128958
>Category:       ports
>Synopsis:       [vuxml] [patch] fix CVE-2008-3863 in print/enscript-letter
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 18 11:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
There is a stack-based overflow in the enscript escape codes handling
code.

Citing by the Secunia's report:
-----
The vulnerability is caused due to a boundary error within the 
"read_special_escape()" function in src/psgen.c. This can be exploited
to cause a stack-based buffer overflow by tricking the user into 
converting a malicious file.

Successful exploitation allows execution of arbitrary code, but
requires that special escapes processing is enabled with the "-e" 
option.
-----
>How-To-Repeat:
http://secunia.com/secunia_research/2008-41/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863
>Fix:
The following patch should introduce the fix to the FreeBSD port:
--- 1.6.4_1-to-1.6.4_2-fix-CVE-2008-4306.diff begins here ---
diff -urN ./Makefile ../enscript-letter/Makefile
--- ./Makefile	2008-11-18 13:57:48.000000000 +0300
+++ ../enscript-letter/Makefile	2008-11-18 13:58:02.000000000 +0300
@@ -7,7 +7,7 @@
 
 PORTNAME=	enscript
 PORTVERSION=	1.6.4
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES+=	print
 MASTER_SITES=	http://www.codento.com/people/mtr/genscript/
 PKGNAMESUFFIX=	-${PAPERSIZE}
diff -urN ./files/patch-CVE-2008-3863-and-4306
../enscript-letter/files/patch-CVE-2008-3863-and-4306
--- ./files/patch-CVE-2008-3863-and-4306	1970-01-01 03:00:00.000000000 +0300
+++ ../enscript-letter/files/patch-CVE-2008-3863-and-4306	2008-11-18
13:57:08.000000000 +0300
@@ -0,0 +1,94 @@
+Patch for CVE-2008-3863 and CVE-2008-4306
+
+Obtained from:
http://cvs.fedoraproject.org/viewvc/devel/enscript/enscript-CVE-2008-3863%2BCVE-2008-4306.patch?revision=1.1
+
+--- src/psgen.c
++++ src/psgen.c	2008-10-29 10:43:08.512598143 +0100
+@@ -24,6 +24,7 @@
+  * Boston, MA 02111-1307, USA.
+  */
+ 
++#include <limits.h>
+ #include "gsint.h"
+ 
+ /*
+@@ -124,7 +125,7 @@ struct gs_token_st
+ 	  double xscale;
+ 	  double yscale;
+ 	  int llx, lly, urx, ury; /* Bounding box. */
+-	  char filename[512];
++	  char filename[PATH_MAX];
+ 	  char *skipbuf;
+ 	  unsigned int skipbuf_len;
+ 	  unsigned int skipbuf_pos;
+@@ -135,11 +136,11 @@ struct gs_token_st
+       Color bgcolor;
+       struct
+ 	{
+-	  char name[512];
++	  char name[PATH_MAX];
+ 	  FontPoint size;
+ 	  InputEncoding encoding;
+ 	} font;
+-      char filename[512];
++      char filename[PATH_MAX];
+     } u;
+ };
+ 
+@@ -248,7 +249,7 @@ static int do_print = 1;
+ static int user_fontp = 0;
+ 
+ /* The user ^@font{}-defined font. */
+-static char user_font_name[256];
++static char user_font_name[PATH_MAX];
+ static FontPoint user_font_pt;
+ static InputEncoding user_font_encoding;
+ 
+@@ -978,7 +979,8 @@ large for page\n"),
+ 			FATAL ((stderr,
+ 				_("user font encoding can be only the system's default or
`ps'")));
+ 
+-		      strcpy (user_font_name, token.u.font.name);
++		      memset  (user_font_name, 0, sizeof(user_font_name));
++		      strncpy (user_font_name, token.u.font.name, sizeof(user_font_name) -
1);
+ 		      user_font_pt.w = token.u.font.size.w;
+ 		      user_font_pt.h = token.u.font.size.h;
+ 		      user_font_encoding = token.u.font.encoding;
+@@ -1444,7 +1446,7 @@ read_special_escape (InputStream *is, To
+ 	  buf[i] = ch;
+ 	  if (i + 1 >= sizeof (buf))
+ 	    FATAL ((stderr, _("too long argument for %s escape:\n%.*s"),
+-		    escapes[i].name, i, buf));
++		    escapes[e].name, i, buf));
+ 	}
+       buf[i] = '\0';
+ 
+@@ -1452,7 +1454,8 @@ read_special_escape (InputStream *is, To
+       switch (escapes[e].escape)
+ 	{
+ 	case ESC_FONT:
+-	  strcpy (token->u.font.name, buf);
++	  memset  (token->u.font.name, 0, sizeof(token->u.font.name));
++	  strncpy (token->u.font.name, buf, sizeof(token->u.font.name) - 1);
+ 
+ 	  /* Check for the default font. */
+ 	  if (strcmp (token->u.font.name, "default") == 0)
+@@ -1465,7 +1468,8 @@ read_special_escape (InputStream *is, To
+ 		FATAL ((stderr, _("malformed font spec for ^@font escape: %s"),
+ 			token->u.font.name));
+ 
+-	      strcpy (token->u.font.name, cp);
++	      memset  (token->u.font.name, 0, sizeof(token->u.font.name));
++	      strncpy (token->u.font.name, cp, sizeof(token->u.font.name) - 1);
+ 	      xfree (cp);
+ 	    }
+ 	  token->type = tFONT;
+@@ -1544,7 +1548,8 @@ read_special_escape (InputStream *is, To
+ 	  break;
+ 
+ 	case ESC_SETFILENAME:
+-	  strcpy (token->u.filename, buf);
++	  memset  (token->u.filename, 0, sizeof(token->u.font.name));
++	  strncpy (token->u.filename, buf, sizeof(token->u.filename) - 1);
+ 	  token->type = tSETFILENAME;
+ 	  break;
--- 1.6.4_1-to-1.6.4_2-fix-CVE-2008-4306.diff ends here ---

The following VuXML entry should be added:
--- vuln.xml begins here ---
  <vuln vid="">
    <topic>GNU enscript -- multiple vulnerabilities</topic>
    <affects>
      <package>
	<name>enscript-letter</name>
	<name>enscript-letterdj</name>
	<name>enscript-a4</name>
	<range><lt>1.6.4_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Ulf Harnhammar from Secunia Research had discovered stack-based
	buffer overflow vulnerability in the GNU enscript code:</p>
	<blockquote
cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863">
	<p>Stack-based buffer overflow in the read_special_escape
	function in src/psgen.c in GNU Enscript 1.6.1 and 1.6.4 beta,
	when the -e (aka special escapes processing) option is enabled,
	allows user-assisted remote attackers to execute arbitrary code
	via a crafted ASCII file, related to the setfilename
	command.</p>
	</blockquote>
        <p>CVE-2008-4306 is a Ubuntu-specific mirror issue for this
        vulnerability.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-3863</cvename>
      <cvename>CVE-2008-4306</cvename>
      <url>http://secunia.com/secunia_research/2008-41/</url>
     
<url>http://cvs.fedoraproject.org/viewvc//devel/enscript/enscript-CVE-2008-3863+CVE-2008-4306.patch</url>
     
<url>https://launchpad.net/ubuntu/intrepid/+source/enscript/1.6.4-12ubuntu0.8.10.1</url>
    </references>
    <dates>
      <discovery>2008-10-22</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:

Synopsis: [vuxml] [patch] fix CVE-2008-3863 in print/enscript-letter

Responsible-Changed-From-To: freebsd-ports-bugs->rafan
Responsible-Changed-By: edwin
Responsible-Changed-When: Tue Nov 18 11:30:12 UTC 2008
Responsible-Changed-Why: 
Over to maintainer (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=128958

Synopsis: [vuxml] [patch] fix CVE-2008-3863 in print/enscript-letter

State-Changed-From-To: open->closed
State-Changed-By: rafan
State-Changed-When: Tue Nov 18 16:04:10 UTC 2008
State-Changed-Why: 
Committed, with minor changes. Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=128958