From ${URL} :

CVE-2015-8327 was assigned to cups-filters/foomatic-rip since it does not consider the back ticks as an illegal shell escape character and allowing code execution.

There was another commit in cups-filters upstream (revision 7419) as well adding (;) to the set of illegal shell escape characters:

http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7419

and was found by Adam Chester.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Maintainers, can we please have an update of where this bug is?
There has not been an official release since 02-Jul-2012 07:50. Yet releases are coming through the nightly builds.

The latest packages are always the packages marked with "current" in their file names in the download area. They are a daily snapshot of Foomatic's Bazaar repositories, taken every night at 12:20am Oregon time. There are daily snapshots of the stable "4.0" branches and the "devel" branches, the head of the development.

The fix has been in there already:
http://lists.openembedded.org/pipermail/openembedded-core/2016-February/116590.html
Printing project, can you please provide an update or plans about securing the package?
(In reply to Yury German from comment #3)
> Printing project, can you please provide an update or plans about securing
> the package?

We will mask this package for removal, as it's deprecated and cups-filters[foomatic] should be a sufficient replacement for it.

The only package that currently depends on it is net-print/lprng, all others depend on || ( foomatic-filters cups-filters[foomatic] ).
commit 3ed439d471144c49cbb31d72f8b53f423db172a4
Author: Manuel Rüger <mrueg@gentoo.org>
Date:   Sat Nov 5 14:25:35 2016 +0100

    profiles: Mask net-print/foomatic-filters for removal
Thank you very much.
(In reply to Manuel Rüger from comment #4)
> (In reply to Yury German from comment #3)
> > Printing project, can you please provide an update or plans about securing
> > the package?
>
> We will mask this package for removal, as it's deprecated and
> cups-filters[foomatic] should be a sufficient replacement for it.
>
> The only package that currently depends on it is net-print/lprng, all others
> depend on || ( foomatic-filters cups-filters[foomatic] ).

That's wrong on my system:

# equery d net-print/foomatic-filters
 * These packages depend on net-print/foomatic-filters:
net-print/hplip-3.16.10 (hpijs ? >=net-print/foomatic-filters-3.0.20080507[cups])
commit 26316fb66c942f4e13eae2f01baff6ed5f3653c9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Mon Dec 19 19:33:28 2016
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Mon Dec 19 19:39:29 2016

    net-print/foomatic-filters: Remove last-rited pkg, #568980