CVE-2004-1186 - Unspecified vulnerability in GNU Enscript 1.6.3
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Tags: gnu, nessus
Summary
Multiple buffer overflows in enscript 1.6.3 allow remote attackers or local users to cause a denial of service (application crash).
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | | 1
Nessus
NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-68-1.NASL
Description: Erik Sjolund discovered several vulnerabilities in enscript which could cause arbitrary code execution with the privileges of the user calling enscript. Quotes and other shell escape characters in titles and file names were not handled in previous versions. (CAN-2004-1184) Previous versions supported reading EPS data not only from a file, but also from an arbitrary command pipe. Since checking for unwanted side effects is infeasible, this feature has been disabled after consultation with the authors of enscript. (CAN-2004-1185) Finally, this update fixes two buffer overflows which were triggered by certain input files. (CAN-2004-1186) These issues can lead to privilege escalation if enscript is called automatically from web server applications like viewcvs. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 20688
Published: 2006-01-15
Reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/20688
Title: Ubuntu 4.10 : enscript vulnerabilities (USN-68-1)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2005-040.NASL
Description: An updated enscript package that fixes several security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. GNU enscript converts ASCII files to PostScript. Enscript has the ability to interpret special escape sequences. A flaw was found in the handling of the epsf command used to insert inline EPS files into a document. An attacker could create a carefully crafted ASCII file which made use of the epsf pipe command in such a way that it could execute arbitrary commands if the file was opened with enscript by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1184 to this issue. Additional flaws in Enscript were also discovered which can only be triggered by executing enscript with carefully crafted command line arguments. These flaws therefore only have a security impact if enscript is executed by other programs and passed untrusted data from remote users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-1185 and CVE-2004-1186 to these issues. All users of enscript should upgrade to these updated packages, which contain backported patches to correct these issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 17172
Published: 2005-02-22
Reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/17172
Title: RHEL 4 : enscript (RHSA-2005:040)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200502-03.NASL
Description: The remote host is affected by the vulnerability described in GLSA-200502-03 (enscript: Multiple vulnerabilities). Erik Sjolund discovered several issues in enscript: it suffers from several buffer overflows (CAN-2004-1186), quotes and shell escape characters are insufficiently sanitized in filenames (CAN-2004-1185), and it supported taking input from an arbitrary command pipe, with unwanted side effects (CAN-2004-1184). Impact : An attacker could design malicious files or input data which, once fed into enscript, would trigger the execution of arbitrary code with the rights of the user running enscript. Workaround : There is no known workaround at this time.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 16440
Published: 2005-02-14
Reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/16440
Title: GLSA-200502-03 : enscript: Multiple vulnerabilities

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_72DA8AF67C7511D98CC5000854D03344.NASL
Description: Erik Sjolund discovered several issues in enscript: it suffers from several buffer overflows, quotes and shell escape characters are insufficiently sanitized in filenames, and it supported taking input from an arbitrary command pipe, with unwanted side effects.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 18981
Published: 2005-07-13
Reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/18981
Title: FreeBSD : enscript -- multiple vulnerabilities (72da8af6-7c75-11d9-8cc5-000854d03344)

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2005-033.NASL
Description: A vulnerability in the enscript program
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 16376
Published: 2005-02-11
Reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/16376
Title: Mandrake Linux Security Advisory : enscript (MDKSA-2005:033)

NASL family: SuSE Local Security Checks
NASL id: SUSE9_9867.NASL
Description:
- Unsanitised input can cause the execution of arbitrary commands via EPSF pipe support. This has been disabled, also upstream. (CVE-2004-1184)
- Due to missing sanitising of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. (CVE-2004-1185)
- Multiple buffer overflows can cause the program to crash. (CVE-2004-1186)
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 41347
Published: 2009-09-24
Reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/41347
Title: SuSE9 Security Update : enscript (YOU Patch Number 9867)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-654.NASL
Description: Erik Sjolund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:
- CAN-2004-1184 Unsanitised input can cause the execution of arbitrary commands via EPSF pipe support. This has been disabled, also upstream.
- CAN-2004-1185 Due to missing sanitising of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed.
- CAN-2004-1186 Multiple buffer overflows can cause the program to crash.
Usually, enscript is only run locally, but since it is executed inside of viewcvs some of the problems mentioned above can easily be turned into a remote vulnerability.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 16238
Published: 2005-01-25
Reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/16238
Title: Debian DSA-654-1 : enscript - several vulnerabilities

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2005-015.NASL
Description: Erik Sjolund has discovered several security relevant problems in enscript, a program to convert ASCII text to Postscript and other formats. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:
- CVE-2004-1184 Unsanitised input can cause the execution of arbitrary commands via EPSF pipe support. This has been disabled, also upstream.
- CVE-2004-1185 Due to missing sanitising of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed.
- CVE-2004-1186 Multiple buffer overflows can cause the program to crash.
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 16267
Published: 2005-01-27
Reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/16267
Title: Fedora Core 2 : enscript-1.6.1-25.2 (2005-015)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2005-016.NASL
Description: Erik Sjolund has discovered several security relevant problems in enscript, a program to convert ASCII text to Postscript and other formats. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:
- CVE-2004-1184 Unsanitised input can cause the execution of arbitrary commands via EPSF pipe support. This has been disabled, also upstream.
- CVE-2004-1185 Due to missing sanitising of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed.
- CVE-2004-1186 Multiple buffer overflows can cause the program to crash.
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 16268
Published: 2005-01-27
Reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/16268
Title: Fedora Core 3 : enscript-1.6.1-28.0.2 (2005-016)

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_10_5_7.NASL
Description: The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products: Apache, ATS, BIND, CFNetwork, CoreGraphics, Cscope, CUPS, Disk Images, enscript, Flash Player plug-in, Help Viewer, iChat, International Components for Unicode, IPSec, Kerberos, Kernel, Launch Services, libxml, Net-SNMP, Network Time, Networking, OpenSSL, PHP, QuickDraw Manager, ruby, Safari, Spotlight, system_cmds, telnet, Terminal, WebKit, X11.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 38744
Published: 2009-05-13
Reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/38744
Title: Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2005-039.NASL
Description: An updated enscript package that fixes several security issues is now available. GNU enscript converts ASCII files to PostScript. Enscript has the ability to interpret special escape sequences. A flaw was found in the handling of the epsf command used to insert inline EPS files into a document. An attacker could create a carefully crafted ASCII file which made use of the epsf pipe command in such a way that it could execute arbitrary commands if the file was opened with enscript by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1184 to this issue. Additional flaws in Enscript were also discovered which can only be triggered by executing enscript with carefully crafted command line arguments. These flaws therefore only have a security impact if enscript is executed by other programs and passed untrusted data from remote users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-1185 and CVE-2004-1186 to these issues. All users of enscript should upgrade to these updated packages, which resolve these issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 16296
Published: 2005-02-02
Reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/16296
Title: RHEL 2.1 / 3 : enscript (RHSA-2005:039)

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_SECUPD2009-002.NASL
Description: The remote host is running a version of Mac OS X 10.4 that does not have Security Update 2009-002 applied. This security update contains fixes for the following products: Apache, ATS, BIND, CoreGraphics, Cscope, CUPS, Disk Images, enscript, Flash Player plug-in, Help Viewer, IPSec, Kerberos, Launch Services, libxml, Net-SNMP, Network Time, OpenSSL, QuickDraw Manager, Spotlight, system_cmds, telnet, Terminal, X11.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 38743
Published: 2009-05-13
Reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/38743
Title: Mac OS X Multiple Vulnerabilities (Security Update 2009-002)
Oval
accepted | 2013-04-29T04:11:45.194-04:00
class | vulnerability
contributors |
definition_extensions |
description | Multiple buffer overflows in enscript 1.6.3 allow remote attackers or local users to cause a denial of service (application crash).
family | unix
id | oval:org.mitre.oval:def:11134
status | accepted
submitted | 2010-07-09T03:56:16-04:00
title | Multiple buffer overflows in enscript 1.6.3 allow remote attackers or local users to cause a denial of service (application crash).
version | 26
Redhat
advisories |
rpms |
Statements
contributor | Mark J Cox |
lastmodified | 2007-03-14 |
organization | Red Hat |
statement | Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. |
References
- http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
- http://secunia.com/advisories/35074
- http://securitytracker.com/id?1012965
- http://support.apple.com/kb/HT3549
- http://www.debian.org/security/2005/dsa-654
- http://www.gentoo.org/security/en/glsa/glsa-200502-03.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:033
- http://www.redhat.com/support/errata/RHSA-2005-040.html
- http://www.securityfocus.com/archive/1/419768/100/0/threaded
- http://www.securityfocus.com/archive/1/435199/100/0/threaded
- http://www.securityfocus.com/bid/12329
- http://www.us-cert.gov/cas/techalerts/TA09-133A.html
- http://www.vupen.com/english/advisories/2009/1297
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19033
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11134
- https://usn.ubuntu.com/68-1/