Your message dated Mon, 21 Dec 2015 05:34:17 +0000 with message-id <[email protected]> and subject line Bug#806886: fixed in foomatic-filters 4.0.17-7 has caused the Debian Bug report #806886, regarding CVE-2015-8327 Insufficient script injection prevention to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 806886: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806886 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: foomatic-filters Version: 4.0-20090301-1 Severity: important Tags: security upstream Hi, cups-filters 1.2.0 was released last Tuesday with a security fix for CVE-2015-8327 in foomatic-rip/util.c: > foomatic-rip: SECURITY FIX: Also consider the back tick > ('`') as an illegal shell escape character. Thanks to Michal > Kowalczyk from the Google Security Team for the hint (CVE-2015-8327). cups-filters 1.2.0 is fixed and a security upload for its version in stable has already been uploaded, but foomatic-filters is also affected in all suites, as the culprit code exists since 4.0-20090301. The patch is straightforward, and is attached to this bugreport. Cheers, OdyXDescription: foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as an illegal shell escape character. Thanks to Michal Kowalczyk from the Google Security Team for the hint. Author: Till Kamppeter <[email protected]> Bug-CVE: CVE-2015-8327 Origin: upstream Last-Update: 2015-11-26 --- a/util.c +++ b/util.c @@ -31,7 +31,7 @@ #include <assert.h> -const char* shellescapes = "|<>&!$\'\"#*?()[]{}"; +const char* shellescapes = "|<>&!$\'\"`#*?()[]{}"; const char * temp_dir() {
--- End Message ---
--- Begin Message ---Source: foomatic-filters Source-Version: 4.0.17-7 We believe that the bug you reported is fixed in the latest version of foomatic-filters, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Jörg Frings-Fürst <[email protected]> (supplier of updated foomatic-filters package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Wed, 16 Dec 2015 00:49:11 +0100 Source: foomatic-filters Binary: foomatic-filters Architecture: source Version: 4.0.17-7 Distribution: unstable Urgency: high Maintainer: Jörg Frings-Fürst <[email protected]> Changed-By: Jörg Frings-Fürst <[email protected]> Description: foomatic-filters - OpenPrinting printer support - filters Closes: 806886 807931 Changes: foomatic-filters (4.0.17-7) unstable; urgency=high . * New patch debian/patches/0500-r7406_also_consider_the_back_\ tick_as_an_illegal_shell_escape_character.patch (Closes: #806886, #807931) - CVE-2015-8327 Insufficient script injection prevention. - Add changes from upstream revision 7419. - CVE-2015-8560: code execution via improper escaping of ; in foomatic-rip. * Rename patches. * To prevent build warnings: - debian/control: Add autotools-dev and autoconf to Build-Depends. - debian/rules: Add --with autotools-dev. Checksums-Sha1: b1a07c97692066817866eba91b29f4df1b14eadc 2012 foomatic-filters_4.0.17-7.dsc e26679f8fca9f0938c48a9160b7f2d11505ee91b 51992 foomatic-filters_4.0.17-7.debian.tar.xz Checksums-Sha256: c215415598f732207e3a549a8773dd0667c6d53b58cedc484027e94fcc2be897 2012 foomatic-filters_4.0.17-7.dsc 112898771de9b764d59e472515248c39ba4010a99c04bd7772e6cf1646b09f13 51992 foomatic-filters_4.0.17-7.debian.tar.xz Files: f5e653345d9f62c7bcfa2f00d2801897 2012 text optional foomatic-filters_4.0.17-7.dsc 3312bf654030d3e71662ad295379c8c8 51992 text optional foomatic-filters_4.0.17-7.debian.tar.xz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWd42GAAoJEI7tzBuqHzL/B0gP/RqEdDqP9BvelogD6/1hkcm9 Ht03VR3Mslv5PtKcvPNCvntKbZjLwuBZPkiTwv83YhrUU7i5IiMVurtuWGuflrIX +q0dS6EtRZVMafT2ekoN5EwIdDBX3zPIErFf5YE8sUXCm4brbPVt7IJZVJBixikV Yae66nfHEUDEwgbXo/CL59xNydNjitWE0xw+upOn+I2RcllCMXqaEDL+RpS7HPoG l+L3oRyxyNNBi0vrNmfjkRjWSwYWyFMjBCjwZg57HjKWb9qYHdWTdhth+6rUivWP 5x4jGNv4OAFMQgcWDJdE73UFv9bgxvPyy44Fz8eQ0reh3u48JJ9XmM2yo6BP0nPa HY61j9ZykUfH/s69K3DXexDd/50UOKuNO95oox5tpxX9nryKhegz0mCFfStU7MfO EzpW7Tj0hsP4IIYSJ6XjPMHNrzC4aemgjanZne7S3IdOFsBD4R1SQMcDiHhJm0AT tKRKoIZZMSsuE85PDLYwSr6kLtcEDR4GKuboz7g9wwLmw4I1Xt7q4EkjPbzLEsXT 4qy2tuWBE107H9ssB2usva2b8e++JUMav+WKrzfBdILDpwc4vuZezLRBacygMU33 32/RR6ZQzbBifjWNtILEvV6JvoZSrdkbOiXIULrDQar7wzMgcUX5sHGrlqEV3nZ1 WqYK0PfDOoa2fGB+G2UV =9lUu -----END PGP SIGNATURE-----
--- End Message ---

