Description
The fixps script in a2ps 4.14 does not use the -dSAFER option when executing gs, which allows context-dependent attackers to delete arbitrary files or execute arbitrary commands via a crafted PostScript file.
References (5)
Core 5
Core References
Issue Tracking x_refsource_confirm
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742902
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/66660
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201701-67
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2014-04/msg00021.html
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2014/dsa-2892
Scores
EPSS
0.0034
EPSS Percentile
56.9%
Details
Status
published
Products (1)
gnu/a2ps
4.14
Published
Apr 03, 2014
Tracked Since
Feb 18, 2026