oss-sec mailing list archives

Re: CVE id request: groff (pdfroff)


From: Tomas Hoger <thoger () redhat com>
Date: Mon, 10 Aug 2009 15:47:43 +0200

On Sun, 9 Aug 2009 15:48:17 +0200 Nico Golde
<oss-security+ml () ngolde de> wrote:

First one:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538330
pdfroff tool of groff is creating files in a insecure manner 
in the /tmp directory.

Second:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538338
pdfroff tool of groff is calling ghostscript with the 
-dSAFER command line option.

Looking into groff's NEWS file, pdfroff was added in version 1.19.2, so
that may be used as "first affected" in CVE description:

http://cvs.savannah.gnu.org/viewvc/groff/groff/NEWS?view=markup

-- 
Tomas Hoger / Red Hat Security Response Team


Current thread: