CVE-2014-0466

EUVD-2014-0504
The fixps script in a2ps 4.14 does not use the -dSAFER option when executing gs, which allows context-dependent attackers to delete arbitrary files or execute arbitrary commands via a crafted PostScript file.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
Affected Products (NVD)
VendorProductVersion
gnua2ps
4.14
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
a2ps
bookworm
1:4.14-8
fixed
bullseye
1:4.14-7
fixed
sid
1:4.15.6-1
fixed
trixie
1:4.15.6-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
a2ps
lucid
ignored
precise
Fixed 1:4.14-1.1+deb7u1build0.12.04.1
released
quantal
ignored
saucy
ignored
trusty
dne
utopic
not-affected
vivid
not-affected
References
http://lists.opensuse.org/opensuse-updates/2014-04/msg00021.html
http://www.debian.org/security/2014/dsa-2892
http://www.securityfocus.com/bid/66660
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742902
https://security.gentoo.org/glsa/201701-67
http://lists.opensuse.org/opensuse-updates/2014-04/msg00021.html
http://www.debian.org/security/2014/dsa-2892
http://www.securityfocus.com/bid/66660
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742902
https://security.gentoo.org/glsa/201701-67