US-CERT Vulnerability Notes Database

Vulnerability Note VU#399883

Linux groff utility pic contains format string vulnerability

Overview

The pic component of the image processing package groff contains a format string vulnerability that could allow a remote attacker to execute arbitrary code.

I. Description

groff is an image processing package on Linux systems. A component of groff called pic contains a format-string vulnerability that can be exploited to execute arbitrary code. Since groff and pic are used by lpd to render documents for printing, an attacker can craft a printer spool file to execute arbitrary code on an lpd print server.
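The bug class described above, as an added illustration that is not groff or pic source code. The helper names render_label and count_format_directives are hypothetical and the sample strings are constructed; the example shows document-supplied text kept as a formatting argument rather than used as the format string, plus a simple audit check for conversion directives in untrusted input.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not groff code): copy document-supplied text into out.
 * The unsafe form of this routine would be snprintf(out, n, text), which lets
 * the document choose the format string. Here the format is a constant and
 * the text is only ever an argument, so any '%' in it is copied literally. */
int render_label(char *out, size_t n, const char *text)
{
    return snprintf(out, n, "%s", text);
}

/* Count printf conversion directives in untrusted text. "%%" is a literal
 * percent sign and is not counted. Usable as an audit or logging check on
 * input that flows toward a formatting call. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {   /* escaped percent: skip both characters */
            i++;
            continue;
        }
        count++;                 /* also counts a trailing lone '%' */
    }
    return count;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real spool file. */
    const char *samples[] = { "Figure 1: 100%% done", "label %x %s", "plain text" };
    char buf[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        render_label(buf, sizeof buf, samples[i]);
        printf("%d directive(s): %s\n", count_format_directives(samples[i]), buf);
    }
    return 0;
}
```

Compiling with -Wformat -Wformat-security makes GCC and Clang warn when a non-literal string is passed as a format with no further arguments, which is the pattern this class of bug depends on.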

II. Impact

Remote attackers can cause execution of arbitrary code.

III. Solution

Apply a patch or upgrade

Apply a patch or upgrade as appropriate. See the Systems Affected section for more details.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Apple Computer Inc. | Vulnerable | 28-Oct-2003
Conectiva | Vulnerable | 28-Oct-2003
Cray Inc. | Not Vulnerable | 28-Oct-2003
Data General | Unknown | 27-Oct-2003
Debian | Vulnerable | 28-Oct-2003
FreeBSD | Unknown | 27-Oct-2003
Fujitsu | Unknown | 27-Oct-2003
Guardian Digital Inc. | Unknown | 27-Oct-2003
Hewlett-Packard Company | Vulnerable | 28-Oct-2003
IBM | Unknown | 27-Oct-2003
MandrakeSoft | Vulnerable | 28-Oct-2003
MontaVista Software | Unknown | 27-Oct-2003
NEC Corporation | Unknown | 27-Oct-2003
NetBSD | Vulnerable | 28-Oct-2003
OpenBSD | Unknown | 27-Oct-2003
Openwall GNU/*/Linux | Vulnerable | 28-Oct-2003
Red Hat Inc. | Vulnerable | 28-Oct-2003
SCO | Vulnerable | 28-Oct-2003
Sequent | Unknown | 27-Oct-2003
SGI | Unknown | 27-Oct-2003
Sony Corporation | Unknown | 27-Oct-2003
Sun Microsystems Inc. | Not Vulnerable | 28-Oct-2003
SuSE Inc. | Vulnerable | 28-Oct-2003
Trustix | Vulnerable | 28-Oct-2003
Unisys | Unknown | 27-Oct-2003
Wind River Systems Inc. | Unknown | 27-Oct-2003
Wirex | Unknown | 27-Oct-2003

References


http://www.securityfocus.com/bid/3103

Credit

Thanks to zen-parse for reporting this vulnerability.

This document was written by Shawn Van Ittersum and Art Manion.

Other Information

Date Public: 2001-07-26
Date First Published: 2003-10-27
Date Last Updated: 2003-10-28
CERT Advisory:
CVE-ID(s): CVE-2001-1022
NVD-ID(s): CVE-2001-1022
US-CERT Technical Alerts:
Metric: 10.80
Document Revision: 13

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2003 Carnegie Mellon University