Bug 68999 - <net-print/cups-pdf-1.5.2: insecure creation of spoolfile
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://cip.physik.uni-wuerzburg.de/~v...
Whiteboard: B3 [noglsa]
Reported: 2004-10-26 06:46 UTC by Matthias Geerdsen (RETIRED)
Modified: 2009-07-13 22:33 UTC
Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-26 06:46:23 UTC
changelog of cups-pdf on http://cip.physik.uni-wuerzburg.de/~vrbehr/cups-pdf/ reads:

08/10/2004 : 1.5.2 (SRPM)
  - fixed insecure creation of spoolfile

1.5.2 is in the tree but ~arch masked, while 1.3.1 is marked stable
also 1.6.4 is out as mentioned in bug #66481
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-10-26 09:17:07 UTC
Printing, do you prefer to push 1.5.2 to x86 stable or upgrade everyone to 1.6.4?
Comment 2 Heinrich Wendel (RETIRED) gentoo-dev 2004-10-26 10:32:42 UTC
marked 1.5.2 stable on x86 and committed 1.6.4 as ~x86
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-10-26 10:35:59 UTC
Please vote on GLSA need
Comment 4 Kurt Lieber (RETIRED) gentoo-dev 2004-10-27 09:35:52 UTC
so the question is whether or not 1.3.1 is vulnerable or if this is a bug unique to the 1.5.x series?
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-10-27 12:28:49 UTC
Not only. It's also if this warrants a GLSA or not. B3 vulns need a vote. Given the package profile, I would vote no.
Comment 6 Kurt Lieber (RETIRED) gentoo-dev 2004-10-28 11:56:49 UTC
ok, I vote no as well.
Comment 7 Luke Macken (RETIRED) gentoo-dev 2004-10-28 12:02:25 UTC
Closing without GLSA.