USN-1979-1: txt2man vulnerability

30 September 2013

txt2man vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 13.04
  • Ubuntu 12.10
  • Ubuntu 12.04 LTS

Summary

txt2man could be made to overwrite files.

Software Description

  • txt2man - Converts flat ASCII text to man page format

Details

Patrick J Cherry discovered that txt2man contained leftover debugging code that incorrectly created a temporary file. A local attacker could possibly use this issue to overwrite arbitrary files. In the default Ubuntu installation, this should be prevented by the Yama link restrictions.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 13.04
txt2man - 1.5.5-4ubuntu0.13.04.1
Ubuntu 12.10
txt2man - 1.5.5-4ubuntu0.12.10.1
Ubuntu 12.04 LTS
txt2man - 1.5.5-4ubuntu0.12.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References