Executive Summary
Summary | |
---|---|
Title | a2ps security update |
Information | |||
---|---|---|---|
Name | DSA-2892 | First vendor Publication | 2014-03-31 |
Vendor | Debian | Last vendor Modification | 2014-03-31 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Several vulnerabilities have been found in a2ps, an 'Anything to PostScript' converter and pretty-printer. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2001-1593: The spy_user function, which is called when a2ps is invoked with the --debug flag, insecurely used temporary files.

CVE-2014-0466: Brian M. Carlson reported that a2ps's fixps script does not invoke gs with the -dSAFER option. Consequently, executing fixps on a malicious PostScript file could result in files being deleted or arbitrary commands being executed with the privileges of the user running fixps.

For the oldstable distribution (squeeze), these problems have been fixed in version 1:4.14-1.1+deb6u1.

For the stable distribution (wheezy), these problems have been fixed in version 1:4.14-1.1+deb7u1.

For the testing distribution (jessie) and the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your a2ps packages.
Original Source
Url : http://www.debian.org/security/2014/dsa-2892 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:24211 | |||
Oval ID: | oval:org.mitre.oval:def:24211 | ||
Title: | DSA-2892-1 a2ps - security update | ||
Description: | Several vulnerabilities have been found in a2ps, an "Anything to PostScript" converter and pretty-printer. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2892-1 CVE-2001-1593 CVE-2014-0466 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | a2ps |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25285 | |||
Oval ID: | oval:org.mitre.oval:def:25285 | ||
Title: | SUSE-SU-2014:0581-1 -- Security update for a2ps | ||
Description: | The text to postscript converter a2ps received a security update. The fixps script did not call ghostscript with the -DSAFER option, allowing command execution by attacker supplied postscript files. Security Issue reference: * CVE-2014-0466 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0466> | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0581-1 CVE-2014-0466 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | a2ps |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 6 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2017-01-30 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201701-67.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-279.nasl - Type : ACT_GATHER_INFO |
2014-05-09 | Name : The remote Fedora host is missing a security update. File : fedora_2014-4676.nasl - Type : ACT_GATHER_INFO |
2014-05-09 | Name : The remote Fedora host is missing a security update. File : fedora_2014-4691.nasl - Type : ACT_GATHER_INFO |
2014-04-30 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_a2ps-140331.nasl - Type : ACT_GATHER_INFO |
2014-04-11 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-076.nasl - Type : ACT_GATHER_INFO |
2014-04-01 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2892.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-04-06 13:25:44 | |
2014-04-03 21:26:00 | |
2014-04-02 13:22:37 | |
2014-03-31 21:19:53 | |