[Am-info] GNU Enscript Insecure Temporary File Creation Vulnerability
Fred A. Miller
fm@cupserv.org
Mon, 28 Jan 2002 14:27:49 -0500
GNU Enscript Insecure Temporary File Creation Vulnerability

BugTraq ID: 3920
Remote: No
Date Published: Jan 21 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3920

Summary:

Enscript is a freely available, open source program for transforming
ASCII files into PostScript documents. Enscript is used mainly on Unix
and Linux Operating Systems.

A problem with Enscript could make it possible for local users to
overwrite arbitrary files. The problem is in the creation of insecure
temporary files.

When executed, Enscript will translate a document written in ASCII to a
document written in PostScript. This transforms the formatting of the
document, making it possible to add additional features such as images,
typesetting, or other enhancements.

Enscript creates temporary files insecurely. Enscript makes use of
insecure temporary file creation functions tmpnam() and tempnam(). The
tmpnam() function, used in main.c, and tempnam() function used in
psgen.c, do not create adequately secure temporary file names. In
addition to the design problems involved with the tmpnam() and tempnam()
functions, inadequate checks are performed by the program to ensure the
temporary files do not already exist.

This problem makes it possible for a local user to launch a symbolic
link attack against a user of Enscript. This problem could result in
the corruption of arbitrary files, and potentially elevated privileges.

- --
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org
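
The difference between opening a predictable name without an adequate existence check and creating the file atomically, as an added example (not Enscript's code and not part of the original message). The function names and the scratch paths under /tmp are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: the name is chosen first and opened later; open() follows
 * a symlink already sitting at that name and truncates its target. */
int create_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened, caller-chosen name: O_EXCL makes creation atomic and fails with
 * EEXIST if anything, including a symlink, already exists at the name. */
int create_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() picks the name and creates the file (mode 0600) in
 * one step. tmpl must end in "XXXXXX" and is rewritten with the real name. */
int create_mkstemp(char *tmpl) {
    return mkstemp(tmpl);
}

/* Self-check in a private scratch directory (constructed data): a file that
 * must survive, plus a symlink to it at the name the program will open.
 * Bit 0 of the result: creation was refused. Bit 1: the file is intact. */
int probe(int (*create)(const char *)) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", target[64], lnk[64];
    struct stat st;
    int result = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/predictable", dir);
    fd = create_excl(target);
    if (fd < 0 || write(fd, "data", 4) != 4) return -1;
    close(fd);
    if (symlink(target, lnk) != 0) return -1;
    fd = create(lnk);
    if (fd < 0 && errno == EEXIST) result |= 1;
    if (fd >= 0) close(fd);
    if (stat(target, &st) == 0 && st.st_size == 4) result |= 2;
    unlink(lnk); unlink(target); rmdir(dir);
    return result;
}
```

probe(create_weak) returns 0 (the open succeeded through the link and the file was emptied), while probe(create_excl) returns 3 (creation refused, file intact).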