Executive Summary

Summary
Title Groff: Multiple Vulnerabilities
Informations
Name GLSA-201310-14 First vendor Publication 2013-10-25
Vendor Gentoo Last vendor Modification 2013-10-25
Severity (Vendor) Low Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:P)
Cvss Base Score 6.4 Attack Range Network
Cvss Impact Score 4.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities have been found in Groff, allowing context-dependent attackers to conduct symlink attacks.

Background

GNU Troff (Groff) is a text formatter used for man pages.

Description

Multiple vulnerabilities have been discovered in Groff. Please review the CVE identifiers referenced below for details.

Impact

A context-dependent attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application.

Workaround

There is no known workaround at this time.

Resolution

All Groff users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/groff-1.22.2"

References

[ 1 ] CVE-2009-5044 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5044
[ 2 ] CVE-2009-5078 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5078
[ 3 ] CVE-2009-5079 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5079
[ 4 ] CVE-2009-5080 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5080
[ 5 ] CVE-2009-5081 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5081
[ 6 ] CVE-2009-5082 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5082

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201310-14.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201310-14.xml

CWE : Common Weakness Enumeration

% Id Name
83 % CWE-59 Improper Link Resolution Before File Access ('Link Following')
17 % CWE-254 Security Features

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 2
Application 16
Os 102

OpenVAS Exploits

Date Description
2012-08-30 Name : Fedora Update for groff FEDORA-2012-8577
File : nvt/gb_fedora_2012_8577_groff_fc17.nasl
2012-06-08 Name : Fedora Update for groff FEDORA-2012-8590
File : nvt/gb_fedora_2012_8590_groff_fc15.nasl
2012-06-08 Name : Fedora Update for groff FEDORA-2012-8596
File : nvt/gb_fedora_2012_8596_groff_fc16.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
74393 GNU troff config.guess mktemp Function Weakness Temporary File Symlink Arbitr...
74392 GNU troff configure mktemp Function Weakness Temporary File Symlink Arbitrary...
74391 GNU troff contrib/groffer/perl/roff2.pl tempfile Function template Argument X...
74390 GNU troff contrib/groffer/perl/groffer.pl tempfile Function template Argument...
74389 GNU troff config.guess tempfile Function template Argument X Character Tempor...
74388 GNU troff contrib/pic2graph/pic2graph.sh Directory Creation Temporary File Sy...
74387 GNU troff contrib/grap2graph/grap2graph.sh Directory Creation Temporary File ...
74386 GNU troff contrib/eqn2graph/eqn2graph.sh Directory Creation Temporary File Sy...
74385 GNU troff contrib/gdiffmk/tests/runtests.in Multiple Temporary File Symlink A...
74384 GNU troff doc/fixinfo.sh Multiple Temporary File Symlink Arbitrary File Overw...
74383 GNU troff gendef.sh Multiple Temporary File Symlink Arbitrary File Overwrite
74382 GNU troff contrib/pdfmark/pdfroff.sh Ghostscript Launch Arbitrary File Manipu...
73111 GNU Troff pdfroff Temporary File Symlink Arbitrary File Overwrite

Information Assurance Vulnerability Management (IAVM)

Date Description
2015-08-20 IAVM : 2015-A-0199 - Multiple Vulnerabilities in Apple Mac OS X
Severity : Category I - VMSKEY : V0061337

Nessus® Vulnerability Scanner

Date Description
2015-08-17 Name : The remote host is missing a Mac OS X update that fixes multiple security vul...
File : macosx_10_10_5.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : suse_11_4_groff-110609.nasl - Type : ACT_GATHER_INFO
2013-10-27 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201310-14.nasl - Type : ACT_GATHER_INFO
2013-04-20 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-086.nasl - Type : ACT_GATHER_INFO
2012-06-08 Name : The remote Fedora host is missing a security update.
File : fedora_2012-8577.nasl - Type : ACT_GATHER_INFO
2012-06-08 Name : The remote Fedora host is missing a security update.
File : fedora_2012-8590.nasl - Type : ACT_GATHER_INFO
2012-06-08 Name : The remote Fedora host is missing a security update.
File : fedora_2012-8596.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2014-02-17 11:37:50
  • Multiple Updates
2013-10-26 05:18:28
  • First insertion