Bug 68999

Summary:	<net-print/cups-pdf-1.5.2: insecure creation of spoolfile
Product:	Gentoo Security	Reporter:	Matthias Geerdsen (RETIRED) <vorlon>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	printing
Priority:	High
Version:	unspecified
Hardware:	All
OS:	All
URL:	http://cip.physik.uni-wuerzburg.de/~vrbehr/cups-pdf/
Whiteboard:	B3 [noglsa]
Package list:		Runtime testing required:	---

Description Matthias Geerdsen (RETIRED) gentoo-dev

2004-10-26 06:46:23 UTC

changelog of cups-pdf on http://cip.physik.uni-wuerzburg.de/~vrbehr/cups-pdf/ reads:

08/10/2004 : 1.5.2 (SRPM)
  - fixed insecure creation of spoolfile

1.5.2 is in the tree but ~arch masked, while 1.3.1 is marked stable
also 1.6.4 is out as mentioned in bug #66481

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2004-10-26 09:17:07 UTC

Printing, do you prefer to push 1.5.2 to x86 stable or upgrade everyone to 1.6.4 ?

Comment 2 Heinrich Wendel (RETIRED) gentoo-dev

2004-10-26 10:32:42 UTC

marked 1.5.2 stable on x86 and commited 1.6.4 as ~x86

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2004-10-26 10:35:59 UTC

Please vote on GLSA need

Comment 4 Kurt Lieber (RETIRED) gentoo-dev

2004-10-27 09:35:52 UTC

so the question is whether or not 1.3.1 is vulnerable or if this is a bug unique to the 1.5.x series?

Comment 5 Thierry Carrez (RETIRED) gentoo-dev

2004-10-27 12:28:49 UTC

Not only. It's also if this warrants a GLSA or not. B3 vulns needs a vote. Given the package profile, I would vote no.

Comment 6 Kurt Lieber (RETIRED) gentoo-dev

2004-10-28 11:56:49 UTC

ok, I vote no as well.

Comment 7 Luke Macken (RETIRED) gentoo-dev

2004-10-28 12:02:25 UTC

Closing without GLSA.