FreeBSD : a2ps -- insecure command line argument handling (8091fcea-f35e-11d8-81b0-000347a4fa7d)

critical Nessus Plugin ID 37951

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Rudolf Polzer reports:

a2ps builds a command line for file() containing an unescaped version of the file name, thus might call external programs described by the file name. Running a cronjob over a public writable directory a2ps-ing all files in it - or simply typing 'a2ps *.txt' in /tmp - is therefore dangerous.
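The class of bug described above, seen from the fixing side in an added example (not code from a2ps, the FreeBSD port or the Nessus plugin): a file name is single-quoted before it is placed in a shell command line, then passed through /bin/sh to confirm it arrives unchanged. The function names, the constructed file name and the use of printf(1) in place of file(1) are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L         /* for popen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap s in single quotes for /bin/sh (malloc'd; caller frees). Inside single
 * quotes the shell expands nothing, so only ' itself is rewritten, as '\''. */
char *sh_quote(const char *s)
{
    size_t n = 3;                       /* two quotes + NUL */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *w = out;
    if (out == NULL) return NULL;
    *w++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }
        else *w++ = *p;
    }
    *w++ = '\'';
    *w = '\0';
    return out;
}

/* Hand name to a real shell as one quoted argument and check it comes back
 * byte for byte: 1 = intact, 0 = altered or command failed, -1 = setup error.
 * printf(1) stands in for file(1) (assumption: keeps the check dependency-free). */
int survives_shell(const char *name)
{
    char cmd[1024], got[1024];
    char *q = sh_quote(name);
    if (q == NULL) return -1;
    int len = snprintf(cmd, sizeof cmd, "printf '%%s' %s", q);
    free(q);
    if (len < 0 || (size_t)len >= sizeof cmd)
        return -1;                      /* never run a truncated command */
    FILE *fp = popen(cmd, "r");
    if (fp == NULL) return -1;
    size_t r = fread(got, 1, sizeof got - 1, fp);
    got[r] = '\0';
    return pclose(fp) == 0 && strcmp(got, name) == 0;
}

int main(void)
{
    /* Constructed file name containing shell metacharacters. */
    printf("intact=%d\n", survives_shell("a'b $(echo x);c.txt"));
    return 0;
}
```

Quoting only keeps the shell from interpreting the name; a name beginning with - can still be read as an option by the program that receives it.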

Solution

Update the affected packages.

See Also

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=70618

https://marc.info/?l=full-disclosure&m=109334851517137

http://www.nessus.org/u?974729a8

Plugin Details

Severity: Critical

ID: 37951

File Name: freebsd_pkg_8091fceaf35e11d881b0000347a4fa7d.nasl

Version: 1.18

Type: local

Published: 4/23/2009

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:a2ps-a4, p-cpe:/a:freebsd:freebsd:a2ps-letter, p-cpe:/a:freebsd:freebsd:a2ps-letterdj, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/20/2004

Vulnerability Publication Date: 8/18/2004

Reference Information

CVE: CVE-2004-1170

BID: 11025