CVE-2004-0969
Metric | Value |
---|---|
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | PARTIAL |
Availability impact | NONE |
Summary
The groffer script in the Groff package 1.18 and later versions, as used in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
OS | | 1 |
OS | | 2 |
Nessus
- NASL family: Mandriva Local Security Checks
- NASL id: MANDRIVA_MDVSA-2013-086.NASL
- description: Multiple vulnerabilities have been found and corrected in groff:

  contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows local users to overwrite arbitrary files via a symlink attack on a pdf#####.tmp temporary file (CVE-2009-5044).

  The (1) gendef.sh, (2) doc/fixinfo.sh, and (3) contrib/gdiffmk/tests/runtests.in scripts in GNU troff (aka groff) 1.21 and earlier allow local users to overwrite arbitrary files via a symlink attack on a gro#####.tmp or /tmp/##### temporary file (CVE-2009-5079).

  The (1) contrib/eqn2graph/eqn2graph.sh, (2) contrib/grap2graph/grap2graph.sh, and (3) contrib/pic2graph/pic2graph.sh scripts in GNU troff (aka groff) 1.21 and earlier do not properly handle certain failed attempts to create temporary directories, which might allow local users to overwrite arbitrary files via a symlink attack on a file in a temporary directory, a different vulnerability than CVE-2004-1296 (CVE-2009-5080).

  The (1) config.guess, (2) contrib/groffer/perl/groffer.pl, and (3) contrib/groffer/perl/roff2.pl scripts in GNU troff (aka groff) 1.21 and earlier use an insufficient number of X characters in the template argument to the tempfile function, which makes it easier for local users to overwrite arbitrary files via a symlink attack on a temporary file, a different vulnerability than CVE-2004-0969 (CVE-2009-5081).

  The updated packages have been patched to correct these issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 66099
- published: 2013-04-20
- reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/66099
- title: Mandriva Linux Security Advisory : groff (MDVSA-2013:086)
- code:

```nasl
#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2013:086.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

# Metadata block: runs only when the scanner is collecting plugin descriptions.
if (description)
{
  script_id(66099);
  script_version("1.8");
  script_cvs_date("Date: 2019/08/02 13:32:55");

  script_cve_id(
    "CVE-2009-5044",
    "CVE-2009-5079",
    "CVE-2009-5080",
    "CVE-2009-5081"
  );
  script_bugtraq_id(
    36381,
    53937,
    53940
  );
  script_xref(name:"MDVSA", value:"2013:086");

  script_name(english:"Mandriva Linux Security Advisory : groff (MDVSA-2013:086)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandriva Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Multiple vulnerabilities has been found and corrected in groff : contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows local users to overwrite arbitrary files via a symlink attack on a pdf#####.tmp temporary file (CVE-2009-5044). The (1) gendef.sh, (2) doc/fixinfo.sh, and (3) contrib/gdiffmk/tests/runtests.in scripts in GNU troff (aka groff) 1.21 and earlier allow local users to overwrite arbitrary files via a symlink attack on a gro#####.tmp or /tmp/##### temporary file (CVE-2009-5079). The (1) contrib/eqn2graph/eqn2graph.sh, (2) contrib/grap2graph/grap2graph.sh, and (3) contrib/pic2graph/pic2graph.sh scripts in GNU troff (aka groff) 1.21 and earlier do not properly handle certain failed attempts to create temporary directories, which might allow local users to overwrite arbitrary files via a symlink attack on a file in a temporary directory, a different vulnerability than CVE-2004-1296 (CVE-2009-5080). The (1) config.guess, (2) contrib/groffer/perl/groffer.pl, and (3) contrib/groffer/perl/roff2.pl scripts in GNU troff (aka groff) 1.21 and earlier use an insufficient number of X characters in the template argument to the tempfile function, which makes it easier for local users to overwrite arbitrary files via a symlink attack on a temporary file, a different vulnerability than CVE-2004-0969 (CVE-2009-5081). The updated packages have been patched to correct these issues."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff-for-man");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff-perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff-x11");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/04/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/20");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# The check needs local (credentialed) results: OS release, RPM list and CPU architecture.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# Compare each installed groff package against the patched reference build.
flag = 0;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-1.21-3.2.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-doc-1.21-3.2.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-for-man-1.21-3.2.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-perl-1.21-3.2.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-x11-1.21-3.2.mbs1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
  else security_note(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_169F422FBD8811D9A28102E018374E71.NASL
- description: The groffer script in the groff package 1.18 and later versions allows local users to overwrite files via a symlink attack on temporary files.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 18850
- published: 2005-07-13
- reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/18850
- title: FreeBSD : groff -- groffer uses temporary files unsafely (169f422f-bd88-11d9-a281-02e018374e71)

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-200411-15.NASL
- description: The remote host is affected by the vulnerability described in GLSA-200411-15 (OpenSSL, Groff: Insecure tempfile handling)

  groffer and the der_chop script create temporary files in world-writeable directories with predictable names.

  Impact : A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When groffer or der_chop is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user.

  Workaround : There is no known workaround at this time.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 15649
- published: 2004-11-08
- reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/15649
- title: GLSA-200411-15 : OpenSSL, Groff: Insecure tempfile handling

- NASL family: Mandriva Local Security Checks
- NASL id: MANDRAKE_MDKSA-2006-038.NASL
- description: The Trustix Secure Linux team discovered a vulnerability in the groffer utility, part of the groff package. It created a temporary directory in an insecure way which allowed for the exploitation of a race condition to create or overwrite files with the privileges of the user invoking groffer.

  Likewise, similar temporary file issues were fixed in the pic2graph and eqn2graph programs which now use mktemp to create temporary files, as discovered by Javier Fernandez-Sanguino Pena.

  The updated packages have been patched to correct this issue.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 20878
- published: 2006-02-10
- reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/20878
- title: Mandrake Linux Security Advisory : groff (MDKSA-2006:038)

- NASL family: Ubuntu Local Security Checks
- NASL id: UBUNTU_USN-13-1.NASL
- description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 20520
- published: 2006-01-15
- reporter: Ubuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/20520
- title: Ubuntu 4.10 : groff utility vulnerability (USN-13-1)
References
- http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136313
- http://secunia.com/advisories/18764
- http://www.gentoo.org/security/en/glsa/glsa-200411-15.xml
- http://www.securityfocus.com/bid/11287
- http://www.trustix.org/errata/2004/0050
- http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:038
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17583