Summary: | <net-print/foomatic-filters-4.0.9: Command Injection Vulnerability (CVE-2011-{2697,2964}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | jlec, printing |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/45196/ | ||
Whiteboard: | B2 [glsa] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | |||
Bug Blocks: | 325523 |
Description
Agostino Sarubbo
2011-08-17 11:05:39 UTC
Looks like upstream bug is at: https://bugzilla.novell.com/show_bug.cgi?id=698451

CVE-2011-2964 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2964): foomaticrip.c in foomatic-rip in foomatic-filters in Foomatic 4.0.6 allows remote attackers to execute arbitrary code via a crafted *FoomaticRIPCommandLine field in a .ppd file, a different vulnerability than CVE-2011-2697.

CVE-2011-2697 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2697): foomatic-rip-hplip in HP Linux Imaging and Printing (HPLIP) 3.11.5 allows remote attackers to execute arbitrary code via a crafted *FoomaticRIPCommandLine field in a .ppd file.

I just added version 4.0.9 which should contain the fix according to the novell bug.

From the ChangeLog

* foomaticrip.c: SECURITY FIX: It was possible to make CUPS executing arbitrary commands as the system user "lp" when foomatic-rip was used as CUPS filter. Fixed by not parsing named options (like "--ppd lj.ppd") when foomatic-rip is running as CUPS filter, as CUPS does not supply named options to their filters.

Thanks, Justin. This looks to be a big jump (based on nothing other than version numbers). Are we ok to stabilize 4.0.9?

I cannot really judge this. I added the package yesterday. Other distros e.g. suse use this version in their stable releases. So probably yes.

(In reply to comment #6)
> I cannot really judge this. I added the package yesterday. Other distros e.g.
> suse use this version in their stable releases. So probably yes.

Ok, let's go for it.

Arches, please test and mark stable:
=net-print/foomatic-filters-4.0.9
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

(In reply to comment #7)
> (In reply to comment #6)
> > I cannot really judge this. I added the package yesterday. Other distros e.g.
> > suse use this version in their stable releases. So probably yes.
>
> Ok, let's go for it.
>
> Arches, please test and mark stable:
> =net-print/foomatic-filters-4.0.9
> Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

I can't really judge this either, but since it's kinda urgent, I suggest you proceed. So, ack from printing.

amd64 stable

Stable on alpha.

Stable for HPPA.

x86 stable

ia64/m68k/s390/sh/sparc stable

ppc done

ppc64 done

Thanks, folks. Already part of draft GLSA.

This issue was resolved and addressed in GLSA 201203-07 at http://security.gentoo.org/glsa/glsa-201203-07.xml by GLSA coordinator Sean Amoss (ackle).
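The ChangeLog entry quoted in the thread describes the fix as not parsing named options when foomatic-rip runs as a CUPS filter. The following C sketch of that guard is an added example, not code from foomaticrip.c or from anyone in the thread. `struct rip_config`, `looks_like_cups`, `parse_args`, the detection rule (six or seven arguments plus a PPD path from the environment, passed in here as `env_ppd`) and the sample argv are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical config for this sketch; not foomatic-rip's own struct. */
struct rip_config {
    const char *ppd_path; /* PPD file the filter will load */
    int cups_mode;        /* 1 when invoked the way CUPS invokes a filter */
};

/* Assumed detection rule: CUPS runs a filter as
 *   filter job-id user title copies options [file]
 * (argc 6 or 7) and exports the queue's PPD path in $PPD. */
static int looks_like_cups(int argc, const char *env_ppd)
{
    return env_ppd != NULL && (argc == 6 || argc == 7);
}

/* Returns 0 on success, -1 if no PPD could be determined.
 * In CUPS mode argv is purely positional job data, so a "--ppd" string
 * inside it is never interpreted as an option. */
int parse_args(int argc, char **argv, const char *env_ppd,
               struct rip_config *cfg)
{
    cfg->ppd_path = NULL;
    cfg->cups_mode = looks_like_cups(argc, env_ppd);
    if (cfg->cups_mode) {
        cfg->ppd_path = env_ppd; /* only the PPD configured for the queue */
        return 0;
    }
    /* Command-line use: named options such as "--ppd lj.ppd" are honoured. */
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--ppd") == 0 && i + 1 < argc)
            cfg->ppd_path = argv[++i];
    }
    return cfg->ppd_path ? 0 : -1;
}

int main(void)
{
    /* Constructed argv: option-like strings sit in the title/copies slots. */
    char *job[] = { "foomatic-rip", "42", "alice", "--ppd",
                    "/tmp/untrusted.ppd", "media=A4" };
    struct rip_config cfg;
    int rc = parse_args(6, job, "/etc/cups/ppd/lj.ppd", &cfg);
    printf("rc=%d cups=%d ppd=%s\n", rc, cfg.cups_mode, cfg.ppd_path);
    return 0;
}
```

A real filter would pass `getenv("PPD")` as `env_ppd`; it is a parameter here so both invocation modes can be exercised in a regression test.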