Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 567286 (CVE-2015-8327)

Summary: <net-print/cups-filters-{1.0.71,1.4.0,1.5.0}: foomatic-rip - consider the back tick as an illegal shell escape character (CVE-2015-{8327,8560})
Product: Gentoo Security Reporter: Manuel Rüger (RETIRED) <mrueg>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: printing
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.debian.org/debian-printing/2015/11/msg00020.html
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Manuel Rüger (RETIRED) gentoo-dev 2015-12-01 21:05:26 UTC
foomatic-rip: SECURITY FIX: Also consider the back tick
          ('`') as an illegal shell escape character. Thanks to Michal
          Kowalczyk from the Google Security Team for the hint
          (CVE-2015-8327).
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2015-12-01 23:58:35 UTC
https://www.openprinting.org/download/cups-filters/

Hi,

I have released cups-filters 1.2.0 now, with the following changes:

        - cups-browsed: When using IP-address-based device URIs via
          the "IPBasedDeviceURIs" directive in cups-browsed.conf, add
          two additional settings to restrict the used IP addresses to
          either only IPv4 addresses or only IPv6 addresses.
        - foomatic-rip: SECURITY FIX: Also consider the back tick
          ('`') as an illegal shell escape character. Thanks to Michal
          Kowalczyk from the Google Security Team for the hint
          (CVE-2015-8327).

I would appreciate if you could upload it to Debian soon so that it syncs into Ubuntu, as it is needed for further development work on Ubuntu.
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2015-12-15 20:09:56 UTC
CHANGES IN V1.4.0

	- foomatic-rip: SECURITY FIX: Also consider the semicolon
	  (';') as an illegal shell escape character. Thanks to Adam
	  Chester (adam dot chester at pentest dot co dot uk) for the
	  hint (CVE-2015-8560).
	- brftoembosser, imagetobrf, imagetoubrl, imageubrltoindexv3,
	  imageubrltoindexv4, textbrftoindexv3, textbrftoindexv4,
	  texttobrf, braille.convs, braille.types, generic-brf.drv,
	  indexv3.drv, indexv4.drv: Added support for Braille
	  embossing via CUPS. Text and even images can now be sent to
	  a Braille embosser like to a printer. Thanks to Samuel
	  Thibault (samuel dot thibault at ens-lyon dot org) for this
	  contribution.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-12-25 01:03:27 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 4 Matthias Maier gentoo-dev 2016-01-12 16:50:50 UTC
Arches please stabilize
  =net-print/cups-filters-1.5.0

Keywords for net-print/cups-filters:
         |                                 | u   |  
         | a a   a         n   p r     s   | n   |  
         | l m   r h i m m i   p i s   p   | u s | r
         | p d a m p a 6 i o p c s 3   a x | s l | e
         | h 6 r 6 p 6 8 p s p 6 c 9 s r 8 | e o | p
         | a 4 m 4 a 4 k s 2 c 4 v 0 h c 6 | d t | o
---------+---------------------------------+-----+-------
  1.0.71 | + + + o + + o ~ o + + o ~ o + + | o 0 | gentoo
   1.4.0 | ~ ~ ~ ~ ~ ~ o ~ o ~ ~ o ~ o ~ ~ | #   | gentoo
[I]1.5.0 | ~ ~ ~ ~ ~ ~ o ~ o ~ ~ o ~ o ~ ~ | o   | gentoo
    9999 | o o o o o o o o o o o o o o o o | o   | gentoo
Comment 5 Agostino Sarubbo gentoo-dev 2016-01-14 11:56:14 UTC
amd64 stable
Comment 6 Markus Meier gentoo-dev 2016-01-17 11:32:06 UTC
arm stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2016-01-17 15:58:55 UTC
Stable on alpha.
Comment 8 Agostino Sarubbo gentoo-dev 2016-01-17 17:07:42 UTC
ppc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-01-18 04:52:57 UTC
Stable for HPPA PPC64.
Comment 10 Andreas Schürch gentoo-dev 2016-01-18 18:38:29 UTC
x86 done.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 06:36:26 UTC
Ping on ia64 and sparc stabilization, for this vulnerability.
Comment 12 Agostino Sarubbo gentoo-dev 2016-03-19 11:37:17 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-03-20 12:01:28 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 SpanKY gentoo-dev 2016-03-23 06:29:03 UTC
dropped now
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2016-04-26 06:01:52 UTC
Arches and Maintainer(s), Thank you for your work.
GLSA Vote: No
Closing as [noglsa].