Blame a2ps-4.14-bnc955194.patch
|
Bernhard M. Wiedemann |
7eefe3 |
From seclists.org/oss-sec/2015/q4/284
|
|
Bernhard M. Wiedemann |
7eefe3 |
CVE-2015-8107 - a2ps(gnu) v4.14 format string vulnerability
|
|
Bernhard M. Wiedemann |
7eefe3 |
|
|
Bernhard M. Wiedemann |
7eefe3 |
Be aware that if compiled with -D_FORTIFY_SOURCE=2 the a2ps
|
|
Bernhard M. Wiedemann |
7eefe3 |
does abort with
|
|
Bernhard M. Wiedemann |
7eefe3 |
|
|
Bernhard M. Wiedemann |
7eefe3 |
a2ps --prologue=exploit /etc/hosts -o /dev/null
|
|
Bernhard M. Wiedemann |
7eefe3 |
*** %n in writable segment detected ***
|
|
Bernhard M. Wiedemann |
7eefe3 |
Abort
|
|
Bernhard M. Wiedemann |
7eefe3 |
|
|
Bernhard M. Wiedemann |
7eefe3 |
Also the explpoit has to be installed as a pro file in the
|
|
Bernhard M. Wiedemann |
7eefe3 |
appropiate system paths or $HOME/.a2ps of the attacked user.
|
|
Bernhard M. Wiedemann |
7eefe3 |
|
|
Bernhard M. Wiedemann |
7eefe3 |
---
|
|
Bernhard M. Wiedemann |
7eefe3 |
lib/output.c | 2 +-
|
|
Bernhard M. Wiedemann |
7eefe3 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
Bernhard M. Wiedemann |
7eefe3 |
|
|
Bernhard M. Wiedemann |
7eefe3 |
--- lib/output.c
|
|
Bernhard M. Wiedemann |
7eefe3 |
+++ lib/output.c 2015-11-16 15:01:23.414079544 +0000
|
|
Bernhard M. Wiedemann |
7eefe3 |
@@ -525,7 +525,7 @@ output_file (struct output * out, a2ps_j
|
|
Bernhard M. Wiedemann |
7eefe3 |
expand_user_string (job, FIRST_FILE (job),
|
|
Bernhard M. Wiedemann |
7eefe3 |
(const uchar *) "Expand: requirement",
|
|
Bernhard M. Wiedemann |
7eefe3 |
(const uchar *) token));
|
|
Bernhard M. Wiedemann |
7eefe3 |
- output (dest, expansion);
|
|
Bernhard M. Wiedemann |
7eefe3 |
+ output (dest, "%s", expansion);
|
|
Bernhard M. Wiedemann |
7eefe3 |
continue;
|
|
Bernhard M. Wiedemann |
7eefe3 |
}
|
|
Bernhard M. Wiedemann |
7eefe3 |
|