Vulnerabilities > CVE-2004-1296

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
nessus

Summary

The (1) eqn2graph and (2) pic2graph scripts in groff 1.18.1 allow local users to overwrite arbitrary files via a symlink attack on temporary files.

Vulnerable Configurations

Part Description Count
Application
Gnu
1

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2013-086.NASL
    descriptionMultiple vulnerabilities has been found and corrected in groff : contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows local users to overwrite arbitrary files via a symlink attack on a pdf#####.tmp temporary file (CVE-2009-5044). The (1) gendef.sh, (2) doc/fixinfo.sh, and (3) contrib/gdiffmk/tests/runtests.in scripts in GNU troff (aka groff) 1.21 and earlier allow local users to overwrite arbitrary files via a symlink attack on a gro#####.tmp or /tmp/##### temporary file (CVE-2009-5079). The (1) contrib/eqn2graph/eqn2graph.sh, (2) contrib/grap2graph/grap2graph.sh, and (3) contrib/pic2graph/pic2graph.sh scripts in GNU troff (aka groff) 1.21 and earlier do not properly handle certain failed attempts to create temporary directories, which might allow local users to overwrite arbitrary files via a symlink attack on a file in a temporary directory, a different vulnerability than CVE-2004-1296 (CVE-2009-5080). The (1) config.guess, (2) contrib/groffer/perl/groffer.pl, and (3) contrib/groffer/perl/roff2.pl scripts in GNU troff (aka groff) 1.21 and earlier use an insufficient number of X characters in the template argument to the tempfile function, which makes it easier for local users to overwrite arbitrary files via a symlink attack on a temporary file, a different vulnerability than CVE-2004-0969 (CVE-2009-5081). The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id66099
    published2013-04-20
    reporterThis script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/66099
    titleMandriva Linux Security Advisory : groff (MDVSA-2013:086)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2013:086. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(66099);
      script_version("1.8");
      script_cvs_date("Date: 2019/08/02 13:32:55");
    
      script_cve_id(
        "CVE-2009-5044",
        "CVE-2009-5079",
        "CVE-2009-5080",
        "CVE-2009-5081"
      );
      script_bugtraq_id(
        36381,
        53937,
        53940
      );
      script_xref(name:"MDVSA", value:"2013:086");
    
      script_name(english:"Mandriva Linux Security Advisory : groff (MDVSA-2013:086)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities has been found and corrected in groff :
    
    contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows
    local users to overwrite arbitrary files via a symlink attack on a
    pdf#####.tmp temporary file (CVE-2009-5044).
    
    The (1) gendef.sh, (2) doc/fixinfo.sh, and (3)
    contrib/gdiffmk/tests/runtests.in scripts in GNU troff (aka groff)
    1.21 and earlier allow local users to overwrite arbitrary files via a
    symlink attack on a gro#####.tmp or /tmp/##### temporary file
    (CVE-2009-5079).
    
    The (1) contrib/eqn2graph/eqn2graph.sh, (2)
    contrib/grap2graph/grap2graph.sh, and (3)
    contrib/pic2graph/pic2graph.sh scripts in GNU troff (aka groff) 1.21
    and earlier do not properly handle certain failed attempts to create
    temporary directories, which might allow local users to overwrite
    arbitrary files via a symlink attack on a file in a temporary
    directory, a different vulnerability than CVE-2004-1296
    (CVE-2009-5080).
    
    The (1) config.guess, (2) contrib/groffer/perl/groffer.pl, and (3)
    contrib/groffer/perl/roff2.pl scripts in GNU troff (aka groff) 1.21
    and earlier use an insufficient number of X characters in the template
    argument to the tempfile function, which makes it easier for local
    users to overwrite arbitrary files via a symlink attack on a temporary
    file, a different vulnerability than CVE-2004-0969 (CVE-2009-5081).
    
    The updated packages have been patched to correct these issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff-for-man");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff-perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:groff-x11");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/04/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/20");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-1.21-3.2.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-doc-1.21-3.2.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-for-man-1.21-3.2.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-perl-1.21-3.2.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"groff-x11-1.21-3.2.mbs1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_01BB84E2BD8811D9A28102E018374E71.NASL
    descriptionThe eqn2graph and pic2graph scripts in groff 1.18.1 allow local users to overwrite arbitrary files via a symlink attack on temporary files.
    last seen2020-06-01
    modified2020-06-02
    plugin id18816
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18816
    titleFreeBSD : groff -- pic2graph and eqn2graph are vulnerable to symlink attack through temporary files (01bb84e2-bd88-11d9-a281-02e018374e71)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2019 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18816);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:36");
    
      script_cve_id("CVE-2004-1296");
      script_bugtraq_id(12058);
    
      script_name(english:"FreeBSD : groff -- pic2graph and eqn2graph are vulnerable to symlink attack through temporary files (01bb84e2-bd88-11d9-a281-02e018374e71)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The eqn2graph and pic2graph scripts in groff 1.18.1 allow local users
    to overwrite arbitrary files via a symlink attack on temporary files."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=80671"
      );
      # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286371
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286371"
      );
      # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286372
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286372"
      );
      # https://vuxml.freebsd.org/freebsd/01bb84e2-bd88-11d9-a281-02e018374e71.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?bb9ebccd"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ja-groff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"ja-groff>=1.18.1<1.18.1_8")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:pkg_report_get());
      else security_note(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Statements

contributorMark J Cox
lastmodified2007-03-14
organizationRed Hat
statementRed Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.