Bug 506518 (CVE-2014-2707) - <net-print/cups-filters-1.0.52 : remote command injection in cups-browsed (CVE-2014-2707)
Status: RESOLVED FIXED
Alias: CVE-2014-2707
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-02 08:32 UTC by Agostino Sarubbo
Modified: 2014-06-16 18:15 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2014-04-02 08:32:46 UTC
From ${URL} :

cups-browsed is a daemon which browses the Bonjour broadcasts of shared, remote CUPS printers and makes the
printers available locally. Sebastian Krahmer discovered it was possible to use malicious broadcast
packets to execute arbitrary commands.

Original report: http://seclists.org/oss-sec/2014/q2/3


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2014-04-11 15:39:52 UTC
fixed in >=1.0.51
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2014-04-15 11:38:35 UTC
+  15 Apr 2014; Andreas K. Huettel <dilfridge@gentoo.org>
+  +cups-filters-1.0.52.ebuild:
+  Version bump, bug 506518

Please test and stabilize 1.0.52
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-04-24 00:55:19 UTC
Stable for HPPA.


(In reply to Andreas K. Hüttel from comment #2)
> +  15 Apr 2014; Andreas K. Huettel <dilfridge@gentoo.org>
> +  +cups-filters-1.0.52.ebuild:
> +  Version bump, bug 506518
> 
> Please test and stabilize 1.0.52

Again and again: No, that's wrong for so many reasons.

Do something like this instead:

Arch teams, please test and mark stable:
=net-print/cups-filters-1.0.52
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Agostino Sarubbo gentoo-dev 2014-04-26 09:09:14 UTC
amd64 stable
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2014-04-27 12:16:42 UTC
Superseded by bug 508844

Sec team, please do with this bug as you please.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-04-29 21:33:17 UTC
CVE-2014-2707 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2707):
  cups-browsed in cups-filters 1.0.41 before 1.0.51 allows remote IPP
  printers to execute arbitrary commands via shell metacharacters in the (1)
  model or (2) PDL, related to "System V interface scripts generated for
  queues."
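The CVE text above describes the general pattern: attacker-controlled discovery data (the printer model and PDL strings) is interpolated into a generated shell script, so shell metacharacters in those strings become commands. The following C example is added here to show the defensive side of that pattern; it is not code from cups-filters or from the fix referenced in this bug. It assumes a hypothetical script line (`MODEL=... PDL=...`) and a hypothetical allowlist of punctuation; the real fix in cups-filters may differ. The two layers are an allowlist check that rejects any byte a POSIX shell could interpret, and single-quoting as defence in depth for anything that still has to be written into a script. Avoiding the shell entirely (writing the values into a config file read by the daemon, or passing them as `execve` arguments) is the stronger design.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allowlist check: a discovered printer attribute (model name, PDL list) is
 * accepted only if every byte is alphanumeric or one of a small set of
 * punctuation that has no meaning to a POSIX shell. Quotes, $, `, ;, |, &,
 * newlines and everything else are rejected before the value can reach a
 * generated script. The allowlist itself is an assumption for this example. */
bool attr_is_shell_safe(const char *s) {
    if (s == NULL || *s == '\0') return false;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (isalnum(*p)) continue;
        if (strchr(" -_.,/:+", *p) != NULL) continue;
        return false;
    }
    return true;
}

/* Defence in depth: wrap a value in single quotes so the shell treats it as a
 * literal. An embedded single quote is rendered as '\'' (close, escaped quote,
 * reopen). Returns a newly allocated string the caller frees, or NULL on
 * allocation failure. */
char *shell_single_quote(const char *s) {
    size_t n = 3;  /* opening quote, closing quote, terminating NUL */
    for (const char *p = s; *p; p++) n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n);
    if (out == NULL) return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Build one line of a hypothetical queue-setup script from untrusted
 * discovery data. Returns NULL when either attribute fails validation, so
 * no script text is ever produced from a rejected value. */
char *make_queue_line(const char *model, const char *pdl) {
    if (!attr_is_shell_safe(model) || !attr_is_shell_safe(pdl)) return NULL;
    char *qm = shell_single_quote(model);
    char *qp = shell_single_quote(pdl);
    if (qm == NULL || qp == NULL) { free(qm); free(qp); return NULL; }
    size_t n = strlen(qm) + strlen(qp) + 32;
    char *line = malloc(n);
    if (line != NULL) snprintf(line, n, "MODEL=%s PDL=%s", qm, qp);
    free(qm);
    free(qp);
    return line;
}

int main(void) {
    /* Constructed sample inputs: one benign advertisement, one carrying a
     * shell metacharacter in the model string. */
    const char *benign_model = "HP LaserJet 4000 Series";
    const char *hostile_model = "HP LaserJet`id`";
    const char *pdl = "application/pdf,image/urf";

    char *ok = make_queue_line(benign_model, pdl);
    printf("benign : %s\n", ok ? ok : "(rejected)");
    free(ok);

    char *bad = make_queue_line(hostile_model, pdl);
    printf("hostile: %s\n", bad ? bad : "(rejected)");
    free(bad);
    return 0;
}
```

Run as-is, the benign advertisement yields a quoted `MODEL=... PDL=...` line and the hostile one is rejected before any script text is generated; a detection rule at the daemon level would log the rejected value together with the advertising host.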
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 05:03:37 UTC
Fixed by bug 508844

Created NEW GLSA Request
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-06-16 18:15:13 UTC
This issue was resolved and addressed in
 GLSA 201406-16 at http://security.gentoo.org/glsa/glsa-201406-16.xml
by GLSA coordinator Mikle Kolyada (Zlogene).