CVE-2004-0969

CVSS 2.1 - LOW
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE

Summary

The groffer script in the Groff package 1.18 and later versions, as used in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.

Vulnerable Configurations

Part         Description  Count
Application  Gnu          1
OS           Gentoo       1
OS           Ubuntu       2

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2013-086.NASL
    description: Multiple vulnerabilities have been found and corrected in groff : contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows local users to overwrite arbitrary files via a symlink attack on a pdf#####.tmp temporary file (CVE-2009-5044). The (1) gendef.sh, (2) doc/fixinfo.sh, and (3) contrib/gdiffmk/tests/runtests.in scripts in GNU troff (aka groff) 1.21 and earlier allow local users to overwrite arbitrary files via a symlink attack on a gro#####.tmp or /tmp/##### temporary file (CVE-2009-5079). The (1) contrib/eqn2graph/eqn2graph.sh, (2) contrib/grap2graph/grap2graph.sh, and (3) contrib/pic2graph/pic2graph.sh scripts in GNU troff (aka groff) 1.21 and earlier do not properly handle certain failed attempts to create temporary directories, which might allow local users to overwrite arbitrary files via a symlink attack on a file in a temporary directory, a different vulnerability than CVE-2004-1296 (CVE-2009-5080). The (1) config.guess, (2) contrib/groffer/perl/groffer.pl, and (3) contrib/groffer/perl/roff2.pl scripts in GNU troff (aka groff) 1.21 and earlier use an insufficient number of X characters in the template argument to the tempfile function, which makes it easier for local users to overwrite arbitrary files via a symlink attack on a temporary file, a different vulnerability than CVE-2004-0969 (CVE-2009-5081). The updated packages have been patched to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 66099
    published: 2013-04-20
    reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/66099
    title: Mandriva Linux Security Advisory : groff (MDVSA-2013:086)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2013:086. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(66099);
      script_version("1.8");
      script_cvs_date("Date: 2019/08/02 13:32:55");
    
      script_cve_id(
        "CVE-2009-5044",
        "CVE-2009-5079",
        "CVE-2009-5080",
        "CVE-2009-5081"
      );
      script_bugtraq_id(
        36381,
        53937,
        53940
      );
      script_xref(name:"MDVSA", value:"2013:086");
    
      script_name(english:"Mandriva Linux Security Advisory : groff (MDVSA-2013:086)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities has been found and corrected in groff :
    
    contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows
    local users to overwrite arbitrary files via a symlink attack on a
    pdf#####.tmp temporary file (CVE-2009-5044).
    
    The (1) gendef.sh, (2) doc/fixinfo.sh, and (3)
    contrib/gdiffmk/tests/runtests.in scripts in GNU troff (aka groff)
    1.21 and earlier allow local users to overwrite arbitrary files via a
    symlink attack on a gro#####.tmp or /tmp/##### temporary file
    (CVE-2009-5079).
    
    The (1) contrib/eqn2graph/eqn2graph.sh, (2)
    contrib/grap2graph/grap2graph.sh, and (3)
    contrib/pic2graph/pic2graph.sh scripts in GNU troff (aka groff) 1.21
    and earlier do not properly handle certain failed attempts to create
    temporary directories, which might allow local users to overwrite
    arbitrary files via a symlink attack on a file in a temporary
    directory, a different vulnerability than CVE-2004-1296
    (CVE-2009-5080).
    
    The (1) config.guess, (2) contrib/groffer/perl/groffer.pl, and (3)
    contrib/groffer/perl/roff2.pl scripts in GNU troff (aka groff) 1.21
    and earlier use an insufficient number of X characters in the template
    argument to the tempfile function, which makes it easier for local
    users to overwrite arbitrary files via a symlink attack on a temporary
    file, a different vulnerability than CVE-2004-0969 (CVE-2009-5081).
    
    The updated packages have been patched to correct these issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff-for-man");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff-perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff-x11");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/04/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/20");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-1.21-3.2.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-doc-1.21-3.2.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-for-man-1.21-3.2.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-perl-1.21-3.2.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-x11-1.21-3.2.mbs1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_169F422FBD8811D9A28102E018374E71.NASL
    description: The groffer script in the groff package 1.18 and later versions allows local users to overwrite files via a symlink attack on temporary files.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18850
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/18850
    title: FreeBSD : groff -- groffer uses temporary files unsafely (169f422f-bd88-11d9-a281-02e018374e71)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200411-15.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200411-15 (OpenSSL, Groff: Insecure tempfile handling). groffer and the der_chop script create temporary files in world-writeable directories with predictable names. Impact : A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When groffer or der_chop is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15649
    published: 2004-11-08
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15649
    title: GLSA-200411-15 : OpenSSL, Groff: Insecure tempfile handling
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-038.NASL
    description: The Trustix Secure Linux team discovered a vulnerability in the groffer utility, part of the groff package. It created a temporary directory in an insecure way which allowed for the exploitation of a race condition to create or overwrite files with the privileges of the user invoking groffer. Likewise, similar temporary file issues were fixed in the pic2graph and eqn2graph programs which now use mktemp to create temporary files, as discovered by Javier Fernandez-Sanguino Pena. The updated packages have been patched to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20878
    published: 2006-02-10
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20878
    title: Mandrake Linux Security Advisory : groff (MDKSA-2006:038)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-13-1.NASL
    description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20520
    published: 2006-01-15
    reporter: Ubuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20520
    title: Ubuntu 4.10 : groff utility vulnerability (USN-13-1)
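
The pattern the advisories above describe (a predictable temporary name in a shared directory) next to the mktemp-based form that the MDKSA-2006:038 description mentions, including the failed-creation check that CVE-2009-5080 is about. This is an added example, not code from groff or from any of the plugins listed; the function names, the gro$$.tmp name and the sandbox layout are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; every path lives inside a throwaway sandbox directory.

# Weak pattern: predictable name in a shared directory, opened with '>'.
# '>' follows an existing symlink, so the write lands on the link's target.
write_predictable() {
    dir=$1; data=$2
    tmp="$dir/gro$$.tmp"            # name is guessable from the PID
    printf '%s\n' "$data" > "$tmp"
}

# Hardened pattern: mktemp -d creates a new, mode-0700 directory with an
# unpredictable name and fails instead of reusing an existing path.
# Every failure is checked so the caller never falls back to a shared path.
write_private() {
    dir=$1; data=$2
    work=$(mktemp -d "$dir/groffer.XXXXXXXXXX") || return 1
    printf '%s\n' "$data" > "$work/out.tmp" || return 1
    printf '%s\n' "$work"           # hand the private directory back
}

# Runs both patterns against a constructed sandbox and reports what ended
# up in the file that a pre-existing link at the predictable name points to.
demo() {
    sandbox=$(mktemp -d) || return 1
    printf 'original\n' > "$sandbox/target"
    ln -s "$sandbox/target" "$sandbox/gro$$.tmp"   # constructed stand-in link

    write_predictable "$sandbox" "scratch"
    weak=$(cat "$sandbox/target")                  # clobbered through the link

    printf 'original\n' > "$sandbox/target"
    write_private "$sandbox" "scratch" > /dev/null || { rm -rf "$sandbox"; return 1; }
    strong=$(cat "$sandbox/target")                # untouched

    rm -rf "$sandbox"
    printf '%s %s\n' "$weak" "$strong"
}

demo
```

The first word of the output is the content of the linked file after the predictable-name write, the second after the mktemp-based write.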