Debian DSA-2892-1 : a2ps - security update

medium Nessus Plugin ID 73278

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been found in a2ps, an 'Anything to PostScript' converter and pretty-printer. The Common Vulnerabilities and Exposures project identifies the following problems:

- CVE-2001-1593: The spy_user function, which is called when a2ps is invoked with the --debug flag, used temporary files insecurely.

- CVE-2014-0466: Brian M. Carlson reported that a2ps's fixps script does not invoke gs with the -dSAFER option. Consequently, executing fixps on a malicious PostScript file could result in files being deleted or arbitrary commands being executed with the privileges of the user running fixps.

Solution

Upgrade the a2ps packages.

For the oldstable distribution (squeeze), these problems have been fixed in version 1:4.14-1.1+deb6u1.

For the stable distribution (wheezy), these problems have been fixed in version 1:4.14-1.1+deb7u1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737385

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742902

https://security-tracker.debian.org/tracker/CVE-2001-1593

https://security-tracker.debian.org/tracker/CVE-2014-0466

https://packages.debian.org/source/squeeze/a2ps

https://packages.debian.org/source/wheezy/a2ps

https://www.debian.org/security/2014/dsa-2892

Plugin Details

Severity: Medium

ID: 73278

File Name: debian_DSA-2892.nasl

Version: 1.9

Type: local

Agent: unix

Published: 4/1/2014

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:a2ps, cpe:/o:debian:debian_linux:6.0, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 3/31/2014

Reference Information

CVE: CVE-2001-1593, CVE-2014-0466

BID: 65294

DSA: 2892