Description
The (1) gendef.sh, (2) doc/fixinfo.sh, and (3) contrib/gdiffmk/tests/runtests.in scripts in GNU troff (aka groff) 1.21 and earlier allow local users to overwrite arbitrary files via a symlink attack on a gro#####.tmp or /tmp/##### temporary file.
Affected products
- gnu / groff1.21
- gnu / groff1.10 – 1.10
- gnu / groff1.11 – 1.11
- gnu / groff1.11a – 1.11a
- gnu / groff1.14 – 1.14
- gnu / groff1.15 – 1.15
- gnu / groff1.16 – 1.16
- gnu / groff1.16.1 – 1.16.1
- gnu / groff1.17.1 – 1.17.1
- gnu / groff1.17.2 – 1.17.2
- gnu / groff1.18.1 – 1.18.1
- gnu / groff1.19 – 1.19
- gnu / groff1.19.1 – 1.19.1
- gnu / groff1.19.2 – 1.19.2
- gnu / groff1.20 – 1.20
- gnu / groff1.20.1 – 1.20.1
References
- MAILING_LISThttp://openwall.com/lists/oss-security/2009/08/14/4
- MAILING_LISThttp://openwall.com/lists/oss-security/2009/08/14/5
- MISChttp://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff.diff?r1=1.1%3Br2=1.2%3Bf=h
- VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2013:085
- MISChttp://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff
- VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2013:086