------------------------------------------------------------------------
BCSA 002
Badly Coded, Inc. Security Advisory
September 22nd, 2014
------------------------------------------------------------------------

BCSA-002: Shell code injection and directory traversal in BCLPR 1.1

Affected versions: 1.1 and earlier
Fixed versions: 1.2 and later

Two vulnerabilities have been found in BCLPR versions 1.1 and earlier
that could lead to local privilege escalation. Affected users are urged
to upgrade immediately.

BCLPR versions 1.1 and earlier contain a shell-code injection
vulnerability in the code that invokes the pdftotext program to convert
PDF files into plain text. A maliciously chosen filename containing
shell metacharacters could allow the execution of arbitrary code with
root privileges.

BCLPR versions 1.1 and earlier also contain a directory traversal
vulnerability. If the printer name supplied with the -p option is an
absolute path, or if it uses the ".." parent directory, BCLPR could be
fooled into writing its spool and output files in directories of an
attacker's choosing, perhaps overwriting important system files, leading
to denial of service or privilege escalation.

We would like to acknowledge a number of students from the University of
Minnesota's Computer Science and Engineering 5271 course who reported
both vulnerabilities.

Version 1.2 of BCLPR contains patches to address both vulnerabilities;
we suggest that affected users upgrade at their earliest convenience.
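
The two checks that close these bug classes, as an added example that is not BCLPR source code or the 1.2 patch: a printer name restricted to a single path component, and pdftotext started from an argument vector so no shell parses the filename. The function names and the /usr/bin/pdftotext path are assumptions.

```c
/* Added example: names and the pdftotext path are assumptions,
 * not taken from BCLPR. */
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept a printer name only if it is a single path component:
 * non-empty, no '/', and not "." or "..". Rejecting '/' covers both
 * absolute paths and any "../" sequence. */
int printer_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Build the argument vector for pdftotext. Each filename is exactly
 * one argv element, so metacharacters in it are never interpreted. */
void pdftotext_argv(const char *pdf, const char *txt, const char *argv[4])
{
    argv[0] = "pdftotext";
    argv[1] = pdf;
    argv[2] = txt;
    argv[3] = NULL;
}

/* Run the converter without a shell; returns its exit status or -1. */
int convert_pdf(const char *pdf, const char *txt)
{
    const char *argv[4];
    int status;
    pid_t pid;

    pdftotext_argv(pdf, txt, argv);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv("/usr/bin/pdftotext", (char *const *)argv);
        _exit(127);               /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

A filename that begins with "-" is still read as an option by the program being run; prefixing relative names with "./" before calling convert_pdf avoids that.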