Vigil@nce: Groff, file corruption via pdfroff
August 2009 by Vigil@nce
A local attacker can use the pdfroff.sh utility of Groff in order
to alter user’s files or to execute code.
Severity: 2/4
Consequences: user access/rights, data creation/edition, data
deletion
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: multiples sources (3/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 2
Creation date: 10/08/2009
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The Groff (GNU Troff) suite provides the pdfroff.sh utility to
format documents in PDF. It is impacted by two vulnerabilities.
The pdftroff.sh script creates a temporay file ($WRKFILE) whose
name can be predicted. A local attacker can thus use a symbolic
link in order to corrupt a file with privileges of the pdftroff.sh
user. [grav:1/4; 538330]
The pdftroff.sh script uses GhostScript without the -dSAFER
parameter. An attacker can thus invite the victim to open a
malicious troff file in order to execute shell commands.
[grav:2/4; 538338]
A local attacker can therefore use the pdfroff.sh utility of Groff
in order to alter user’s files or to execute code.
CHARACTERISTICS
Identifiers: 538330, 538338, VIGILANCE-VUL-8927
http://vigilance.fr/vulnerability/Groff-file-corruption-via-pdfroff-8927