VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-1296

Description

The eqn2graph and pic2graph scripts in groff 1.18.1 allow local users to overwrite arbitrary files via a symlink attack on temporary files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the eqn2graph and pic2graph scripts included with groff version 1.18.1. These scripts create temporary files in an insecure manner, which allows a local attacker to exploit a race condition to overwrite arbitrary files. The flaw is due to the scripts using predictable temporary file names without proper safeguards against symlink attacks.
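
The insecure pattern described above, shown beside a hardened form. This is an added illustration, not code from the groff scripts or from the advisory: the function names, the PID-based file name and the sandbox layout are all assumptions made for the example.

```shell
#!/bin/sh
# Added illustration; not the groff scripts' code. All names are hypothetical.

# Unsafe pattern: predictable PID-based name, opened with plain '>'.
# The redirection follows whatever already sits at that path, symlinks included.
unsafe_write() {            # $1 = temp dir, $2 = data
    printf '%s\n' "$2" > "$1/graph-$$.tmp"
}

# Hardened: mktemp -d creates a mode-0700 directory with an unpredictable
# name and fails rather than reusing an existing path.
safe_write() {              # $1 = temp dir, $2 = data; prints the file path
    workdir=$(mktemp -d "$1/graph.XXXXXX") || return 1
    printf '%s\n' "$2" > "$workdir/out" || return 1
    printf '%s\n' "$workdir/out"
}

# Self-check in a private sandbox: pre-create a link at the predictable name
# and report whether each writer altered the file it points to.
check_writer() {            # $1 = unsafe_write | safe_write
    sandbox=$(mktemp -d) || return 2
    printf 'original\n' > "$sandbox/precious"
    ln -s "$sandbox/precious" "$sandbox/graph-$$.tmp"
    "$1" "$sandbox" "scratch data" > /dev/null
    content=$(cat "$sandbox/precious")
    rm -rf "$sandbox"
    [ "$content" = "original" ]    # status 0 = file untouched
}

for w in unsafe_write safe_write; do
    if check_writer "$w"; then
        echo "$w: linked file untouched"
    else
        echo "$w: linked file was overwritten"
    fi
done
```

A real script would also remove its work directory on exit, for example with a `trap` handler.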

Exploitation

An attacker with local access to the system can create symbolic links pointing to arbitrary files. When a user (or an automated process) executes the vulnerable scripts, the attacker can win a race condition, causing the script to overwrite the target file with the privileges of the running user. No special authentication or network access is required beyond local system access.

Impact

Successful exploitation allows a local attacker to overwrite arbitrary files with the privileges of the user running the script. This could lead to denial of service by corrupting critical system files, or potentially to privilege escalation if the script is executed with elevated privileges (e.g., as root).

Mitigation

The vulnerability is fixed in groff version 1.18.1.1-1ubuntu0.2 (for Ubuntu 4.10) [1]. Users should upgrade to this version or any later release that includes the patch. No workarounds are mentioned in the advisory. The vulnerability is considered low severity due to the requirement of local access and a race condition.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
