Enscript Security Patch

Alexander E. Patrakov patrakov at ums.usu.ru
Tue Apr 11 07:18:19 PDT 2006


Randy McMurchy wrote:
> Hi Alexander,

Hello!

> Could you look at http://wiki.linuxfromscratch.org/blfs/ticket/1799
> and review the report I put in it yesterday? Thanks.

When trying to recreate and reatach the patch, I got:

===========================================
Trac detected an internal error:

SQL logic error or missing database
===========================================

(manifestation of Ticket 1879?)

So please find the patch attached to this mail. Sorry for the inconvenience.

Origin: Debian, the descriptions of the vulnerabilities can be retrieved from 
http://wiki.linuxfromscratch.org/blfs/wiki/Enscript

-- 
Alexander E. Patrakov
-------------- next part --------------
--- enscript-1.6.4/src/gsint.h	2003-03-05 08:37:06.000000000 +0100
+++ enscript-1.6.4/src/gsint.h	2005-01-20 19:54:57.000000000 +0100
@@ -701,4 +701,9 @@
  */
 void printer_close ___P ((void *context));
 
+/*
+ * Escape filenames for shell usage
+ */
+char *shell_escape ___P ((const char *fn));
+
 #endif /* not GSINT_H */
--- enscript-1.6.4/src/main.c	2005-01-20 19:54:40.000000000 +0100
+++ enscript-1.6.4/src/main.c	2005-01-20 19:54:57.000000000 +0100
@@ -1556,9 +1556,13 @@
       buffer_append (&cmd, intbuf);
       buffer_append (&cmd, " ");
 
-      buffer_append (&cmd, "-Ddocument_title=\"");
-      buffer_append (&cmd, title);
-      buffer_append (&cmd, "\" ");
+      buffer_append (&cmd, "-Ddocument_title=\'");
+      if ((cp = shell_escape (title)) != NULL)
+	{
+	  buffer_append (&cmd, cp);
+	  free (cp);
+	}
+      buffer_append (&cmd, "\' ");
 
       buffer_append (&cmd, "-Dtoc=");
       buffer_append (&cmd, toc ? "1" : "0");
@@ -1575,8 +1579,14 @@
       /* Append input files. */
       for (i = optind; i < argc; i++)
 	{
-	  buffer_append (&cmd, " ");
-	  buffer_append (&cmd, argv[i]);
+	  char *cp;
+	  if ((cp = shell_escape (argv[i])) != NULL)
+	    {
+	      buffer_append (&cmd, " \'");
+	      buffer_append (&cmd, cp);
+	      buffer_append (&cmd, "\'");
+	      free (cp);
+	    }
 	}
 
       /* And do the job. */
@@ -1637,7 +1647,7 @@
 				 buffer_ptr (opts), buffer_len (opts));
 	    }
 
-	  buffer_append (&buffer, " \"%s\"");
+	  buffer_append (&buffer, " \'%s\'");
 
 	  input_filter = buffer_copy (&buffer);
 	  input_filter_stdin = "-";
--- enscript-1.6.4/src/util.c	2003-03-05 08:26:32.000000000 +0100
+++ enscript-1.6.4/src/util.c	2005-01-20 19:54:57.000000000 +0100
@@ -1239,6 +1239,8 @@
 
   /* Create result. */
   cp = xmalloc (len + 1);
+  if (cp == NULL)
+      return NULL;
   for (i = 0, j = 0; string[i]; i++)
     switch (string[i])
       {
@@ -1879,6 +1881,7 @@
       char *cmd = NULL;
       int cmdlen;
       int i, pos;
+      char *cp;
 
       is->is_pipe = 1;
 
@@ -1902,12 +1905,16 @@
 		{
 		case 's':
 		  /* Expand cmd-buffer. */
-		  cmdlen += strlen (fname);
-		  cmd = xrealloc (cmd, cmdlen);
+		  if ((cp = shell_escape (fname)) != NULL)
+		    {
+		      cmdlen += strlen (cp);
+		      cmd = xrealloc (cmd, cmdlen);
 
-		  /* Paste filename. */
-		  strcpy (cmd + pos, fname);
-		  pos += strlen (fname);
+		      /* Paste filename. */
+		      strcpy (cmd + pos, cp);
+		      pos += strlen (cp);
+		      free (cp);
+		    }
 
 		  i++;
 		  break;
@@ -2116,3 +2123,36 @@
 {
   return buffer->len;
 }
+
+/*
+ * Escapes the name of a file so that the shell groks it in 'single'
+ * quotation marks.  The resulting pointer has to be free()ed when not
+ * longer used.
+*/
+char *
+shell_escape(const char *fn)
+{
+  size_t len = 0;
+  const char *inp;
+  char *retval, *outp;
+
+  for(inp = fn; *inp; ++inp)
+    switch(*inp)
+    {
+      case '\'': len += 4; break;
+      default:   len += 1; break;
+    }
+
+  outp = retval = malloc(len + 1);
+  if(!outp)
+    return NULL; /* perhaps one should do better error handling here */
+  for(inp = fn; *inp; ++inp)
+    switch(*inp)
+    {
+      case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ = '\''; break;
+      default:   *outp++ = *inp; break;
+    }
+  *outp = 0;
+
+  return retval;
+}
--- enscript-1.6.4/src/psgen.c	2005-01-20 19:56:16.000000000 +0100
+++ enscript-1.6.4/src/psgen.c	2005-01-20 19:56:28.000000000 +0100
@@ -2385,9 +2385,10 @@
   MESSAGE (2, (stderr, "^@epsf=\"%s\"\n", token->u.epsf.filename));
 
   i = strlen (token->u.epsf.filename);
+  /*
   if (i > 0 && token->u.epsf.filename[i - 1] == '|')
     {
-      /* Read EPS data from pipe. */
+      / * Read EPS data from pipe. * /
       token->u.epsf.pipe = 1;
       token->u.epsf.filename[i - 1] = '\0';
       token->u.epsf.fp = popen (token->u.epsf.filename, "r");
@@ -2400,6 +2401,7 @@
 	}
     }
   else
+  */
     {
       char *filename;
 
--- enscript-1.6.4/src/psgen.c	2005-01-20 19:59:18.000000000 +0100
+++ enscript-1.6.4/src/psgen.c	2005-01-20 19:59:30.000000000 +0100
@@ -2034,8 +2034,9 @@
   else
     {
       ftail++;
-      strncpy (buf, fname, ftail - fname);
-      buf[ftail - fname] = '\0';
+      i = ftail - fname >= sizeof (buf)-1 ? sizeof (buf)-1 : ftail - fname;
+      strncpy (buf, fname, i);
+      buf[i] = '\0';
     }
 
   if (nup > 1)


More information about the blfs-dev mailing list