groff-1.22.3-2.5 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10031-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z groff-1.22.3-2.5 on GA media These are all security issues fixed in the groff-1.22.3-2.5 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10031 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2009-5044/ SUSE CVE CVE-2009-5044 page https://www.suse.com/security/cve/CVE-2009-5080/ SUSE CVE CVE-2009-5080 page https://www.suse.com/security/cve/CVE-2009-5081/ SUSE CVE CVE-2009-5081 page openSUSE Tumbleweed groff-1.22.3-2.5 groff-doc-1.22.3-2.5 groff-full-1.22.3-2.5 gxditview-1.22.3-2.5 groff-1.22.3-2.5 as a component of openSUSE Tumbleweed groff-doc-1.22.3-2.5 as a component of openSUSE Tumbleweed groff-full-1.22.3-2.5 as a component of openSUSE Tumbleweed gxditview-1.22.3-2.5 as a component of openSUSE Tumbleweed contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows local users to overwrite arbitrary files via a symlink attack on a pdf#####.tmp temporary file. CVE-2009-5044 openSUSE Tumbleweed:groff-1.22.3-2.5 openSUSE Tumbleweed:groff-doc-1.22.3-2.5 openSUSE Tumbleweed:groff-full-1.22.3-2.5 openSUSE Tumbleweed:gxditview-1.22.3-2.5 moderate 3.3 AV:L/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-5044.html CVE-2009-5044 https://bugzilla.suse.com/698290 SUSE Bug 698290 https://bugzilla.suse.com/703666 SUSE Bug 703666 The (1) contrib/eqn2graph/eqn2graph.sh, (2) contrib/grap2graph/grap2graph.sh, and (3) contrib/pic2graph/pic2graph.sh scripts in GNU troff (aka groff) 1.21 and earlier do not properly handle certain failed attempts to create temporary directories, which might allow local users to overwrite arbitrary files via a symlink attack on a file in a temporary directory, a different vulnerability than CVE-2004-1296. CVE-2009-5080 openSUSE Tumbleweed:groff-1.22.3-2.5 openSUSE Tumbleweed:groff-doc-1.22.3-2.5 openSUSE Tumbleweed:groff-full-1.22.3-2.5 openSUSE Tumbleweed:gxditview-1.22.3-2.5 moderate 3.3 AV:L/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-5080.html CVE-2009-5080 https://bugzilla.suse.com/703665 SUSE Bug 703665 The (1) config.guess, (2) contrib/groffer/perl/groffer.pl, and (3) contrib/groffer/perl/roff2.pl scripts in GNU troff (aka groff) 1.21 and earlier use an insufficient number of X characters in the template argument to the tempfile function, which makes it easier for local users to overwrite arbitrary files via a symlink attack on a temporary file, a different vulnerability than CVE-2004-0969. CVE-2009-5081 openSUSE Tumbleweed:groff-1.22.3-2.5 openSUSE Tumbleweed:groff-doc-1.22.3-2.5 openSUSE Tumbleweed:groff-full-1.22.3-2.5 openSUSE Tumbleweed:gxditview-1.22.3-2.5 moderate 3.3 AV:L/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-5081.html CVE-2009-5081 https://bugzilla.suse.com/703666 SUSE Bug 703666