Comment 1 Tim Sammut (RETIRED) 2011-08-20 02:52:50 UTC

Looks like upstream bug is at: https://bugzilla.novell.com/show_bug.cgi?id=698451

Comment 2 GLSAMaker/CVETool Bot 2011-10-08 12:56:08 UTC

CVE-2011-2964 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2964):
  foomaticrip.c in foomatic-rip in foomatic-filters in Foomatic 4.0.6 allows
  remote attackers to execute arbitrary code via a crafted
  *FoomaticRIPCommandLine field in a .ppd file, a different vulnerability than
  CVE-2011-2697.

CVE-2011-2697 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2697):
  foomatic-rip-hplip in HP Linux Imaging and Printing (HPLIP) 3.11.5 allows
  remote attackers to execute arbitrary code via a crafted
  *FoomaticRIPCommandLine field in a .ppd file.

Comment 3 Justin Lecher (RETIRED) 2012-01-17 13:57:02 UTC

I just added version 4.0.9 which should contain the fix according to the novell bug.

Comment 4 Justin Lecher (RETIRED) 2012-01-17 13:58:06 UTC

From the ChangeLog

	* foomaticrip.c: SECURITY FIX: It was possible to make CUPS executing
	  arbitrary commands as the system user "lp" when foomatic-rip was
	  used as CUPS filter. Fixed by not parsing named options (like
	  "--ppd lj.ppd") when foomatic-rip is running as CUPS filter, as
	  CUPS does not supply named options to their filters.

Comment 5 Tim Sammut (RETIRED) 2012-01-18 07:36:15 UTC

Thanks, Justin. This looks to be a big jump (based on nothing other than version numbers). Are we ok to stabilize 4.0.9?

Comment 6 Justin Lecher (RETIRED) 2012-01-18 07:39:03 UTC

I cannot really judge this. I added the package yesterday. Other distros e.g. suse use this version in their stable releases. So probably yes.

Comment 7 Tim Sammut (RETIRED) 2012-01-18 07:41:22 UTC

(In reply to comment #6)
> I cannot really judge this. I added the package yesterday. Other distros e.g.
> suse use this version in their stable releases. So probably yes.

Ok, let's go for it.

Arches, please test and mark stable:
=net-print/foomatic-filters-4.0.9
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Comment 8 Andreas K. Hüttel 2012-01-18 09:55:30 UTC

(In reply to comment #7)
> (In reply to comment #6)
> > I cannot really judge this. I added the package yesterday. Other distros e.g.
> > suse use this version in their stable releases. So probably yes.
> 
> Ok, let's go for it.
> 
> Arches, please test and mark stable:
> =net-print/foomatic-filters-4.0.9
> Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

I can't really judge this either, but since it's kinda urgent, I suggest you proceed. So, ack from printing.

Comment 9 Agostino Sarubbo 2012-01-18 11:42:38 UTC

amd64 stable

Comment 10 Tobias Klausmann (RETIRED) 2012-01-18 12:13:07 UTC

Stable on alpha.

Comment 11 Jeroen Roovers (RETIRED) 2012-01-18 20:00:31 UTC

Stable for HPPA.

Comment 12 Thomas Kahle (RETIRED) 2012-01-20 10:52:29 UTC

x86 stable

Comment 13 Raúl Porcel (RETIRED) 2012-01-22 15:00:53 UTC

ia64/m68k/s390/sh/sparc stable

Comment 14 Brent Baude (RETIRED) 2012-02-01 17:02:35 UTC

ppc done

Comment 15 Brent Baude (RETIRED) 2012-03-02 21:28:52 UTC

ppc64 done

Comment 16 Tim Sammut (RETIRED) 2012-03-02 22:30:17 UTC

Thanks, folks. Already part of draft GLSA.

Comment 17 GLSAMaker/CVETool Bot 2012-03-06 02:06:03 UTC

This issue was resolved and addressed in
 GLSA 201203-07 at http://security.gentoo.org/glsa/glsa-201203-07.xml
by GLSA coordinator Sean Amoss (ackle).