rpm/a2ps
SHA256
1
0
Fork 0
forked from pool/a2ps
Code Pull Requests Activity

Accepting request 345894 from Publishing

Browse Source 
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/345894
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/a2ps?expand=0&rev=40
This commit is contained in:
Dominique Leuenberger 2015-11-26 16:03:53 +00:00 committed by Git OBS Bridge
commit 1c08c833b9
3 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
a2ps-4.14-bnc955194.patch Normal file
View File

@ -0,0 +1,28 @@
From seclists.org/oss-sec/2015/q4/284
CVE-2015-8107 - a2ps(gnu) v4.14 format string vulnerability
Be aware that if compiled with -D_FORTIFY_SOURCE=2 the a2ps
does abort with
a2ps --prologue=exploit /etc/hosts -o /dev/null
*** %n in writable segment detected ***
Abort
Also the explpoit has to be installed as a pro file in the
appropiate system paths or $HOME/.a2ps of the attacked user.
---
lib/output.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- lib/output.c
+++ lib/output.c 2015-11-16 15:01:23.414079544 +0000
@@ -525,7 +525,7 @@ output_file (struct output * out, a2ps_j
expand_user_string (job, FIRST_FILE (job),
(const uchar *) "Expand: requirement",
(const uchar *) token));
- output (dest, expansion);
+ output (dest, "%s", expansion);
continue;
}

6
a2ps.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Mon Nov 16 15:05:43 UTC 2015 - werner@suse.de
- Add patch a2ps-4.14-bnc955194.patch to fix format string
vulnerability (bnc#955194)
------------------------------------------------------------------- -------------------------------------------------------------------
Sun May 24 10:13:38 UTC 2015 - mpluskal@suse.com Sun May 24 10:13:38 UTC 2015 - mpluskal@suse.com

3
a2ps.spec
View File

@ -44,6 +44,8 @@ Patch13: a2ps-4.14-linker.patch
# PATCH-FIX-USTREAM Bug 871097 - CVE-2014-0466: a2ps: fixps does not use -dSAFER # PATCH-FIX-USTREAM Bug 871097 - CVE-2014-0466: a2ps: fixps does not use -dSAFER
Patch14: CVE-2014-0466.diff Patch14: CVE-2014-0466.diff
Patch15: a2ps-4.14-gperf.patch Patch15: a2ps-4.14-gperf.patch
# PATCH-FIX-SUSE Bug 955194 - CVE-2015-8107: CVE-2015-8107 - a2ps(gnu) v4.14 format string vulnerability
Patch16: a2ps-4.14-bnc955194.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: emacs-nox BuildRequires: emacs-nox
@ -120,6 +122,7 @@ touch -r configure.in .ref
%patch13 -p1 %patch13 -p1
%patch14 -p1 %patch14 -p1
%patch15 -p1 %patch15 -p1
%patch16 -p0
%patch0 -b .p0 %patch0 -b .p0
cp -f %{SOURCE3} po/ko.po cp -f %{SOURCE3} po/ko.po
find -type f | grep -vE '(parseppd|parsessh).y' | xargs \ find -type f | grep -vE '(parseppd|parsessh).y' | xargs \