Linux groff format string could be used to execute arbitrary commands
| linux-groff-format-string (6918) |  High Risk |
Description:
The groff package is vulnerable to a format string attack, caused by a vulnerability in the 'pic' utility. The 'pic' utility is used to process images. A remote attacker can pass format strings to 'pic' using the line print spooler daemon (lpd), and execute arbitrary commands on the affected system with elevated privileges.
Consequences:
Gain Access
Remedy:
Apply the groff-1.16.1.diff patch for your system, as listed in the BugTraq Mailing List posting dated Fri Jul 27 2001 00:01:41. See References.
For Debian GNU/Linux 2.2 (potato):
Upgrade to the latest version of groff (1.15.2-2 or later), as listed in DSA-072-1 or the latest versions jgroff (1.15+ja-3.4 or later), as listed in DSA-107-1. See References.
For Conectiva Linux 4.0 and 4.0es:
Upgrade to the latest version of groff (1.17.2-1U40 or later), as listed in Conectiva Linux Security Announcement CLA-2001:428. See References.
For Conectiva Linux 4.1:
Upgrade to the latest version of groff (1.17.2-1U41 or later), as listed in Conectiva Linux Security Announcement CLA-2001:428. See References.
For Conectiva Linux 4.2:
Upgrade to the latest version of groff (1.17.2-1U42 or later), as listed in Conectiva Linux Security Announcement CLA-2001:428. See References.
For Conectiva Linux 5.0, ecommerce, and prg graficos:
Upgrade to the latest version of groff (1.17.2-1U50 or later), as listed in Conectiva Linux Security Announcement CLA-2001:428. See References.
For Conectiva Linux 5.1:
Upgrade to the latest version of groff (1.17.2-1U51 or later), as listed in Conectiva Linux Security Announcement CLA-2001:428. See References.
For Conectiva Linux 6.0:
Upgrade to the latest version of groff (1.17.2-1U60 or later), as listed in Conectiva Linux Security Announcement CLA-2001:428. See References.
For other distributions:
Contact your vendor for patch or upgrade information.
References:
- BugTraq Mailing List, Thu Jul 26 2001 - 07:01:41 CDT: ADV/EXP:pic/lpd remote exploit - RH 7.0.
- Conectiva Linux Announcement CLSA-2001:428: groff. (From LinuxSecurity archive)
- Full-Disclosure Mailing List, Tue Oct 08 2002 - 00:29:06 CDT: buffer overrun in pic(1). (From Full-Disclosure Mailing List archive)
- BID-3103: Remote Linux Groff Exploitation Via LPD Vulnerability
- CVE-2001-1022: Format string vulnerability in pic utility in groff 1.16.1 and other versions, and jgroff before 1.15, allows remote attackers to bypass the -S option and execute arbitrary commands via format string specifiers in the plot command.
- DSA-072: groff -- printf format attack
- DSA-107: jgroff -- format print vulnerability
- OSVDB ID: 1914: Groff pic Utility Format String Remote Command Execution
- RHSA-2002-004: New groff packages available to fix security problems
- US-CERT VU#399883: Linux groff utility pic contains format string vulnerability
Platforms Affected:
- Conectiva Linux 4.0
- Conectiva Linux 4.0es
- Conectiva Linux 4.1
- Conectiva Linux 4.2
- Conectiva Linux 5.0
- Conectiva Linux 5.1
- Conectiva Linux 6.0
- Conectiva Linux ecommerce
- Conectiva Linux prg_graficos
- Debian Debian Linux 2.2
- GNU groff
- NetBSD NetBSD 1.5
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5.2
- NetBSD NetBSD 1.5.3
- NetBSD NetBSD 1.6
- NetBSD NetBSD CURRENT
- RedHat Linux 5.2
- RedHat Linux 7
- RedHat Linux 7.1
- RedHat Linux 7.2
Reported:
Jul 27, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net