Debian Bug report logs - #283134
a2ps: Buggy shell quoting

Package: a2ps; Maintainer for a2ps is Masayuki Hatta (mhatta) <mhatta@debian.org>; Source for a2ps is src:a2ps.

Reported by: Brian Campbell <bacam@z273.org.uk>

Date: Fri, 26 Nov 2004 19:03:10 UTC

Severity: grave

Tags: fixed, security

Found in version 1:4.13b-4.1

Fixed in version a2ps/1:4.13b-5

Done: Masayuki Hatta (mhatta) <mhatta@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#283134; Package a2ps.

Acknowledgement sent to Brian Campbell <bacam@z273.org.uk>:
New Bug report received and forwarded. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Brian Campbell <bacam@z273.org.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: a2ps: Buggy shell quoting
Date: Fri, 26 Nov 2004 18:56:16 +0000
Package: a2ps
Version: 1:4.13b-4.1
Severity: normal

a2ps has problems with filenames containing quotes:

  bacam@misnomer:~ 0: mkdir /tmp/a2ps
  bacam@misnomer:~ 0: cd /tmp/a2ps/
  bacam@misnomer:/tmp/a2ps 0: echo "Hello" > a\"b
  bacam@misnomer:/tmp/a2ps 0: a2ps a\"b -o a\"b.ps
  sh: -c: line 1: unexpected EOF while looking for matching `"'
  sh: -c: line 2: syntax error: unexpected end of file
  [a"b (plain): 1 page on 1 sheet]
  [Total: 1 page on 1 sheet] saved into the file `a"b.ps'

Although this doesn't appear to have any adverse effect for plain text
files.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.8-powerpc
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8

Versions of packages a2ps depends on:
ii  emacsen-common              1.4.15       Common facilities for all emacsen.
ii  libc6                       2.3.2.ds1-18 GNU C Library: Shared libraries an
ii  libpaper1                   1.1.14-3     Library for handling paper charact

-- no debconf information
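The quoting problem the report reproduces, as an added example that is neither a2ps's own code nor the patch discussed later in this thread: `build_cmd_naive` mimics splicing a filename into a double-quoted `sh -c` command line, `shell_quote` is the single-quote escaping a defensive fix uses, and `unterminated_quote` is a simplified model of the shell's quote tracking that flags the unbalanced case. All function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Naive construction as the report exhibits: the filename is spliced into a
 * double-quoted sh -c command, so a"b leaves an unbalanced quote. */
char *build_cmd_naive(const char *tool, const char *path) {
    size_t n = strlen(tool) + strlen(path) + 4;   /* space, 2 quotes, NUL */
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, "%s \"%s\"", tool, path);
    return cmd;
}

/* Defensive form: wrap in single quotes, where every byte is literal, and
 * turn an embedded ' into '\'' (close quote, escaped quote, reopen). */
char *shell_quote(const char *s) {
    size_t n = 3;                                 /* two quotes + NUL */
    for (const char *p = s; *p; p++) n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *o = out;
    if (!out) return NULL;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\''; *o = '\0';
    return out;
}

char *build_cmd_quoted(const char *tool, const char *path) {
    char *q = shell_quote(path);
    if (!q) return NULL;
    size_t n = strlen(tool) + strlen(q) + 2;      /* space + NUL */
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, "%s %s", tool, q);
    free(q);
    return cmd;
}

/* Simplified model of sh's quote tracking: 1 if the command ends inside an open
 * quote, the "unexpected EOF while looking for matching" case in the report. */
int unterminated_quote(const char *cmd) {
    char open = 0;                                /* 0, '\'' or '"' */
    for (; *cmd; cmd++) {
        if (open != '\'' && *cmd == '\\' && cmd[1]) { cmd++; continue; }
        if (!open && (*cmd == '\'' || *cmd == '"')) open = *cmd;
        else if (*cmd == open) open = 0;
    }
    return open != 0;
}
```

Building an argv array and calling execvp directly avoids the shell, and therefore the quoting question, altogether.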



Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#283134; Package a2ps.

Acknowledgement sent to bacam@z273.org.uk (Brian Campbell):
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.

Message #10 received at 283134@bugs.debian.org:

From: bacam@z273.org.uk (Brian Campbell)
To: 283134@bugs.debian.org
Subject: Re: Bug#283134: a2ps: Buggy shell quoting
Date: Mon, 29 Nov 2004 18:45:43 +0000
Other distributions appear to have released security patches for a
similar (perhaps even the same) issue.  See 

  http://www.securityfocus.com/bid/11025

for details.  The patches most of them use look quite reasonable.




Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#283134; Package a2ps.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.

Message #15 received at 283134@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 283134@bugs.debian.org
Cc: control@bugs.debian.org, security@debian.org
Subject: Patch for this vulnerability (woody/sid/sarge)
Date: Sat, 4 Dec 2004 18:21:31 +0100
tags 283134 security
severity 283134 grave
thanks

Hi,
IMHO this vulnerability is more than a normal bug and Sarge should not
ship with it. a2ps is a tool perfectly suited for automatic use in
scripts (think of print spoolers) and so the exploit set seems not
too small.

There does not seem to be a CVE assignment for this vulnerability.

I've rediffed the FreeBSD fix from Rudolf Polzer for the Debian package
(applicable for Woody and sid), it's attached. It has been tested on
both Woody and sid.

Cheers,
        Moritz
[a2ps-escape-shell-cmds.patch (text/plain, attachment)]

Tags added: security. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org.

Severity set to `grave'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org.

Tags added: fixed. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#283134; Package a2ps.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.

Message #26 received at 283134@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 283134@bugs.debian.org, security@debian.org
Subject: Re: Patch for this vulnerability (woody/sid/sarge)
Date: Thu, 9 Dec 2004 20:37:26 +0100
Moritz Muehlenhoff wrote:
> Hi,
> IMHO this vulnerability is more than a normal bug and Sarge should not
> ship with it. a2ps is a tool perfectly suited for automatic use in
> scripts (think of print spoolers) and so the exploit set seems not
> too small.
> 
> There does not seem to be a CVE assignment for this vulnerability.
> 
> I've rediffed the FreeBSD fix from Rudolf Polzer for the Debian package
> (applicable for Woody and sid), it's attached. It has been tested on
> both Woody and sid.

Agreed.  I'll take care of this.  CVE id is requested, can't do it on
my own unfortunately.

Please let me know which package in sid fixes/will fix this problem.

Thanks a lot,

	Joey

-- 
The MS-DOS filesystem is nice for removable media.  -- H. Peter Anvin



Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#283134; Package a2ps.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.

Message #31 received at 283134@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Martin Schulze <joey@infodrom.org>
Cc: 283134@bugs.debian.org, security@debian.org
Subject: Re: Patch for this vulnerability (woody/sid/sarge)
Date: Thu, 9 Dec 2004 22:45:05 +0100
Martin Schulze wrote:
> > ship with it. a2ps is a tool perfectly suited for automatic use in
> > scripts (think of print spoolers) and so the exploit set seems not
> > too small.
>
> Please let me know which package in sid fixes/will fix this problem.

The sid version has already been NMU fixed by Joey Hess (1:4.13b-4.2).

Cheers,
         Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#283134; Package a2ps.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.

Message #36 received at 283134@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 283134@bugs.debian.org, security@debian.org
Subject: Re: Patch for this vulnerability (woody/sid/sarge)
Date: Fri, 10 Dec 2004 08:28:33 +0100
Martin Schulze wrote:
> > There does not seem to be a CVE assignment for this vulnerability.
> 
> Agreed.  I'll take care of this.  CVE id is requested, can't do it on
> my own unfortunately.

Please use CAN-2004-1170.

Regards,

	Joey

-- 
WARNING: Do not execute!  This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/

Please always Cc to me when replying to me on the lists.



Merged 283134 284475. Request was from Bas Zoetekouw <bas@debian.org> to control@bugs.debian.org.

Disconnected #284475 from all other report(s). Request was from Bas Zoetekouw <bas@debian.org> to control@bugs.debian.org.

Tags removed: fixed. Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org.

Tags removed: woody. Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org.

Tags added: sarge. Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org.

Tags removed: sarge. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Tags added: fixed. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Reply sent to Masayuki Hatta (mhatta) <mhatta@debian.org>:
You have taken responsibility.

Notification sent to Brian Campbell <bacam@z273.org.uk>:
Bug acknowledged by developer.

Message #55 received at 283134-close@bugs.debian.org:

From: Masayuki Hatta (mhatta) <mhatta@debian.org>
To: 283134-close@bugs.debian.org
Subject: Bug#283134: fixed in a2ps 1:4.13b-5
Date: Tue, 02 Aug 2005 10:02:08 -0700
Source: a2ps
Source-Version: 1:4.13b-5

We believe that the bug you reported is fixed in the latest version of
a2ps, which is due to be installed in the Debian FTP archive:

a2ps_4.13b-5.diff.gz
  to pool/main/a/a2ps/a2ps_4.13b-5.diff.gz
a2ps_4.13b-5.dsc
  to pool/main/a/a2ps/a2ps_4.13b-5.dsc
a2ps_4.13b-5_i386.deb
  to pool/main/a/a2ps/a2ps_4.13b-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 283134@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Masayuki Hatta (mhatta) <mhatta@debian.org> (supplier of updated a2ps package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed,  3 Aug 2005 00:37:02 +0900
Source: a2ps
Binary: a2ps
Architecture: source i386
Version: 1:4.13b-5
Distribution: unstable
Urgency: low
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Masayuki Hatta (mhatta) <mhatta@debian.org>
Description: 
 a2ps       - GNU a2ps - 'Anything to PostScript' converter and pretty-printer
Closes: 147598 156636 193036 193530 246296 267527 269409 274798 280370 283134 286385 286387 291749 314127
Changes: 
 a2ps (1:4.13b-5) unstable; urgency=low
 .
   * Acknowledged NMUs - closes: #283134, #274798, #286385, #286387
   * Updated Standards-Version (no physical changes).
   * Only Suggests: emacsen-common - closes: #246296, #269409
   * Now uses html2ps instead of netscape, thanks Russ Allbery - closes: #193036, #156636, #147598
   * Improved documentation on option -d - closes: #193530
   * Much improved a2ps-lpr-wrapper, thanks guys - closes: #280370, #267527
   * Updated de.po - closes: #314127
   * Now gives gv correct option - closes: #291749
Files: 
 eb88db2e7bcc33a9a28193721859af48 735 text optional a2ps_4.13b-5.dsc
 da5a85b79574699b12b772919563fea0 129197 text optional a2ps_4.13b-5.diff.gz
 66687d376c86e96dac1838eb76f9303b 637456 text optional a2ps_4.13b-5_i386.deb


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 04:17:30 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 16:12:59 2014; Machine Name: beach.debian.org