GNU Enscript ‘setfilename’ Special Escape Buffer Overflow
Summary
GNU Enscript is a free replacement for Adobe's enscript program. Enscript converts ASCII files to PostScript and spools the generated PostScript output to the specified printer or leaves it in a file. Enscript can be easily extended to handle different output media and it has many options that can be used to customize printouts.
Credit:
The information has been provided by Secunia Research.
The original article can be found at: http://secunia.com/secunia_research/2008-41/
Details
Vulnerable Systems:
* GNU Enscript version 1.6.1
* GNU Enscript version 1.6.4 (beta)
The vulnerability is caused by a boundary error within the ‘read_special_escape()’ function in src/psgen.c. This can be exploited to cause a stack-based buffer overflow by tricking the user into converting a malicious file.
Successful exploitation allows execution of arbitrary code, but requires that special escape processing be enabled with the ‘-e’ option.
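To make the boundary error concrete, the following is an added example (not Enscript's own read_special_escape() and not part of the advisory) of how a setfilename{...} special escape argument should be read into a fixed-size stack buffer: each byte is checked against the buffer's capacity, so an over-long argument is rejected rather than written past the end. The escape syntax, buffer size, function names and sample inputs are assumptions.

```c
/* Added example for this advisory, not Enscript's own read_special_escape():
 * a bounds-checked parser for a special escape of the form ESC setfilename{NAME}
 * (ESC is the escape character enabled by -e).  Buffer size, function names
 * and the sample inputs are assumptions chosen to show the missing check. */
#include <string.h>

#define MAX_FILENAME 64   /* assumed size of the fixed stack buffer */

enum escape_result { ESC_OK = 0, ESC_NO_MATCH, ESC_UNTERMINATED, ESC_TOO_LONG };

/* Parse "setfilename{NAME}" at s (escape character already consumed), copying
 * NAME into out (capacity outcap) NUL-terminated.  The unbounded form of this
 * loop, copying until '}' with no capacity check, is the pattern the advisory
 * describes; here each byte is checked against outcap before it is stored. */
enum escape_result read_setfilename(const char *s, char *out, size_t outcap)
{
    static const char kw[] = "setfilename{";
    size_t n = 0;

    if (outcap == 0 || strncmp(s, kw, sizeof kw - 1) != 0)
        return ESC_NO_MATCH;
    s += sizeof kw - 1;

    for (; *s != '}'; s++) {
        if (*s == '\0')
            return ESC_UNTERMINATED;  /* input ended inside the escape */
        if (n + 1 >= outcap)
            return ESC_TOO_LONG;      /* would overflow: reject the escape */
        out[n++] = *s;
    }
    out[n] = '\0';
    return ESC_OK;
}

/* Parse one escape into a MAX_FILENAME-byte stack buffer (the layout the bug
 * class involves) and return the result code.  name_out (>= MAX_FILENAME bytes)
 * receives the name only on success, so a rejected escape leaves nothing behind. */
int parse_setfilename(const char *line, char *name_out)
{
    char name[MAX_FILENAME];
    enum escape_result r = read_setfilename(line, name, sizeof name);
    if (r == ESC_OK)
        memcpy(name_out, name, strlen(name) + 1);
    return (int)r;
}

/* Constructed inputs: a well-formed escape, and one whose argument is far longer
 * than the 64-byte buffer, the shape of input the advisory describes. */
const char GOOD_ESCAPE[] = "setfilename{report.ps}";
const char OVERSIZED_ESCAPE[] = "setfilename{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}";
```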
Time Table:
08/10/2008 – vendor-sec contacted.
08/10/2008 – vendor-sec replied.
13/10/2008 – Red Hat asks for additional information.
14/10/2008 – Reply sent to Red Hat.
22/10/2008 – Public disclosure.
CVE Information:
CVE-2008-3863