Your message dated Wed, 09 Dec 2015 09:51:47 +0000
with message-id <[email protected]>
and subject line Bug#806886: fixed in foomatic-filters 4.0.5-6+squeeze2+deb6u11
has caused the Debian Bug report #806886,
regarding CVE-2015-8327 Insufficient script injection prevention
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
806886: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806886
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: foomatic-filters
Version: 4.0-20090301-1
Severity: important
Tags: security upstream

Hi,

cups-filters 1.2.0 was released last Tuesday with a security fix for
CVE-2015-8327 in foomatic-rip/util.c:

> foomatic-rip: SECURITY FIX: Also consider the back tick
> ('`') as an illegal shell escape character. Thanks to Michal
> Kowalczyk from the Google Security Team for the hint (CVE-2015-8327).

cups-filters 1.2.0 is fixed and a security upload for its version in stable has
already been uploaded, but foomatic-filters is also affected in all suites, as
the culprit code exists since 4.0-20090301.

The patch is straightforward, and is attached to this bugreport.

Cheers,

OdyX
Description: foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as
 an illegal shell escape character. Thanks to Michal Kowalczyk from the Google
 Security Team for the hint.
Author: Till Kamppeter <[email protected]>
Bug-CVE: CVE-2015-8327
Origin: upstream
Last-Update: 2015-11-26

--- a/util.c
+++ b/util.c
@@ -31,7 +31,7 @@
 #include <assert.h>
 
 
-const char* shellescapes = "|<>&!$\'\"#*?()[]{}";
+const char* shellescapes = "|<>&!$\'\"`#*?()[]{}";
 
 const char * temp_dir()
 {

--- End Message ---
--- Begin Message ---
Source: foomatic-filters
Source-Version: 4.0.5-6+squeeze2+deb6u11

We believe that the bug you reported is fixed in the latest version of
foomatic-filters, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated foomatic-filters package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 09 Dec 2015 10:21:20 +0200
Source: foomatic-filters
Binary: foomatic-filters
Architecture: source amd64
Version: 4.0.5-6+squeeze2+deb6u11
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian Printing Group <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Description: 
 foomatic-filters - OpenPrinting printer support - filters
Closes: 806886
Changes: 
 foomatic-filters (4.0.5-6+squeeze2+deb6u11) squeeze-lts; urgency=high
 .
   * CVE-2015-8327: Fix insufficient script injection prevention
     (Closes: #806886)
Checksums-Sha1: 
 35f9bdcb84fae93fad5a939e4ec4c3e13d5ed9bc 2055 
foomatic-filters_4.0.5-6+squeeze2+deb6u11.dsc
 1345880f3b89242b0ac7fae1e3750bf2154130f4 243239 
foomatic-filters_4.0.5.orig.tar.gz
 2c8596426a4f95c140afe3426c36453a76552661 53071 
foomatic-filters_4.0.5-6+squeeze2+deb6u11.debian.tar.gz
 a8951bc5db708b935be8b88a6e0bc41a0f26d93d 151072 
foomatic-filters_4.0.5-6+squeeze2+deb6u11_amd64.deb
Checksums-Sha256: 
 42bf968f6c59caed8ce10824b398ce9ed6c28b280737cadf3dab1c0cbf4bb55a 2055 
foomatic-filters_4.0.5-6+squeeze2+deb6u11.dsc
 dafa39cd5a9de94db59aacd05f0ccbc4eba362d1633419f3dc3c7126c83c1036 243239 
foomatic-filters_4.0.5.orig.tar.gz
 1d417101e7b3215ad3b56f629e9d91a7eee4bd74bc07e1edb0944ab274b929ba 53071 
foomatic-filters_4.0.5-6+squeeze2+deb6u11.debian.tar.gz
 75807917d884143c78fe0b1b3b3dc77e0f2568911a3f158bccda2b8e77299ba0 151072 
foomatic-filters_4.0.5-6+squeeze2+deb6u11_amd64.deb
Files: 
 0645dc9fb1b72cf77da074314e5e4f43 2055 text optional 
foomatic-filters_4.0.5-6+squeeze2+deb6u11.dsc
 fd99dac3a36807a47ffa4f9eb15c1b07 243239 text optional 
foomatic-filters_4.0.5.orig.tar.gz
 87e23c57105a7df6c079d18c4d48bab6 53071 text optional 
foomatic-filters_4.0.5-6+squeeze2+deb6u11.debian.tar.gz
 7602759182b8ebfb15a98f2110767f60 151072 text optional 
foomatic-filters_4.0.5-6+squeeze2+deb6u11_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWZ+VSAAoJEB6VPifUMR5Yq6YP/iYg295takkPAC4dV3fyKiGf
R3XszfDWTHALYiMhaSvKca4hBqzELVoHLGBBTUO41Kb8GckJcI1kZqAoCvo/uwVu
7dqRyf1OJ6fKYCPfiD+tl0xi7770qW7VndJRT/h92ItYHPTXcDWW0bFcMi0LcKqJ
v4XAOGDp5JEZI4+dlyJC5Rf51p/HWjMWXM6mD/4Hvq5TaELbOjlFk09ubz3GdbTi
M/aTjHIGl4UCL5KXuwzre8hKDyYoHiRSRZYVTfKRUmJ3oqJVQSQ1uz1yyMGdk4so
2qR57x3QT4hBsTNaNvnJlfQdNnRcpMZA3qKERvB8YX5ZV5ZdeRnkB4+qkmBJmCHl
PI3Kdg0sMK1CpIaOnNiDOJLGx+ql/IQT/S07cAdmQKmW90ftFBttxomBH17w+wm7
65zbQ5vCExun6i6OeqrB8AcXNmHN+k3U22yatI3WpxwUNZkte2UiI0CKN6u+S+Ph
e+yX7KgjX9UuenanWmkt3OC6rX4ppppPvIOFMNgEVHiOOXhbh1gV2q3z+domwXyu
Xg623LBsrV2SJ9CLNxD0i3xmtMsrs9B428mb3x6R90lfehX+/TPB9m1X/IddH6PP
TMlVrjc5nqWMi2PdPM8kFhIbf7mZ9FghhJFAhIn5QfuODqRLAVVn4YTgCVGbZ+AS
55UMgJHxOk5xeqU6Dz41
=+8s9
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to