enscript -e option a security risk?



In looking through the print filter generated by magicfilter, I
noticed that it gives the -e option to GNU enscript.  The -e
option turns on special "escapes", including the following as
documented in the enscript manpage:

       epsf    inline  EPS file to the document.  Escape's syntax
               is:

               ^@epsf[options]{filename}

               where options is an optional  sequence  of  option
               characters  and  values enclosed with brackets and
               filename is the name of the EPS file.

               If filename ends to the `|' character, then  file-
               name  is assumed to name a command that prints EPS
               data  to  its  standard  output.   In  this  case,
               enscript opens a pipe to the specified command and
               reads EPS data from pipe.

It seems to me that this is a security risk.  Agreed?  If so,
I'll file a bug against magicfilter asking that this option be
removed from the filters.  This option is present in several
filters, by the way:

pfaffben:/etc/magicfilter# grep -l 'enscript.*-e' *
bj600-filter
bj600_draft-filter
bj610-filter
bj800-filter
bj800_draft-filter
cpsonly300-filter
cpsonly400-filter
cpsonly600-filter
psonly300-filter
psonly400-filter
pfaffben:/etc/magicfilter#

-- 
"A computer is a state machine. 
 Threads are for people who cant [sic] program state machines."
--Alan Cox
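
As an added example (not part of the original message, and not code from enscript or magicfilter): a filter that must keep -e could scan the raw job for epsf escapes whose filename ends in `|` before handing it to enscript. The function names and sample job bytes are constructed for illustration, and the scan assumes enscript's default escape character, NUL (the ^@ in the manpage excerpt).

```python
import re

# enscript's default escape character with -e is NUL, printed as ^@ in the manpage.
DEFAULT_ESCAPE = b"\x00"


def find_epsf_escapes(data: bytes, escape: bytes = DEFAULT_ESCAPE):
    """Return one dict per ^@epsf[options]{filename} escape in raw job bytes."""
    pattern = re.compile(
        re.escape(escape) + rb"epsf(?:\[([^\]]*)\])?\{([^}]*)\}"
    )
    hits = []
    for m in pattern.finditer(data):
        filename = m.group(2)
        hits.append({
            "offset": m.start(),
            "options": m.group(1) or b"",
            "filename": filename,
            # Per the manpage, a filename ending in '|' is run as a command.
            # Trailing whitespace is ignored here to stay on the cautious side.
            "is_pipe": filename.rstrip().endswith(b"|"),
        })
    return hits


def job_is_safe_for_escapes(data: bytes, escape: bytes = DEFAULT_ESCAPE) -> bool:
    """True when no epsf escape in the job asks enscript to open a pipe."""
    return not any(h["is_pipe"] for h in find_epsf_escapes(data, escape))


# Constructed sample job: one plain EPS include, one pipe-style escape
# that names a placeholder command.
SAMPLE_JOB = (
    b"Quarterly report\n"
    b"\x00epsf[c]{logo.eps}\n"
    b"Some body text\n"
    b"\x00epsf{placeholder-command |}\n"
)

if __name__ == "__main__":
    for hit in find_epsf_escapes(SAMPLE_JOB):
        kind = "PIPE" if hit["is_pipe"] else "file"
        print(f"offset {hit['offset']:3d}  {kind}  {hit['filename']!r}")
    print("safe to pass to enscript -e:", job_is_safe_for_escapes(SAMPLE_JOB))
```

A job rejected by this check can be refused or printed without -e; dropping -e from the filter, as the message proposes, removes the need for the scan altogether.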


