Your message dated Sun, 27 Dec 2015 17:32:06 +0000 with message-id <[email protected]> and subject line Bug#806886: fixed in foomatic-filters 4.0.17-5+deb8u1 has caused the Debian Bug report #806886, regarding CVE-2015-8327 Insufficient script injection prevention to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 806886: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806886 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: foomatic-filters Version: 4.0-20090301-1 Severity: important Tags: security upstream Hi, cups-filters 1.2.0 was released last Tuesday with a security fix for CVE-2015-8327 in foomatic-rip/util.c: > foomatic-rip: SECURITY FIX: Also consider the back tick > ('`') as an illegal shell escape character. Thanks to Michal > Kowalczyk from the Google Security Team for the hint (CVE-2015-8327). cups-filters 1.2.0 is fixed and a security upload for its version in stable has already been uploaded, but foomatic-filters is also affected in all suites, as the culprit code exists since 4.0-20090301. The patch is straightforward, and is attached to this bugreport. Cheers, OdyXDescription: foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as an illegal shell escape character. Thanks to Michal Kowalczyk from the Google Security Team for the hint. Author: Till Kamppeter <[email protected]> Bug-CVE: CVE-2015-8327 Origin: upstream Last-Update: 2015-11-26 --- a/util.c +++ b/util.c @@ -31,7 +31,7 @@ #include <assert.h> -const char* shellescapes = "|<>&!$\'\"#*?()[]{}"; +const char* shellescapes = "|<>&!$\'\"`#*?()[]{}"; const char * temp_dir() {
--- End Message ---
--- Begin Message ---Source: foomatic-filters Source-Version: 4.0.17-5+deb8u1 We believe that the bug you reported is fixed in the latest version of foomatic-filters, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Salvatore Bonaccorso <[email protected]> (supplier of updated foomatic-filters package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 20 Dec 2015 22:09:42 +0100 Source: foomatic-filters Binary: foomatic-filters Architecture: source Version: 4.0.17-5+deb8u1 Distribution: jessie-security Urgency: high Maintainer: Jörg Frings-Fürst <[email protected]> Changed-By: Salvatore Bonaccorso <[email protected]> Closes: 806886 807993 Description: foomatic-filters - OpenPrinting printer support - filters Changes: foomatic-filters (4.0.17-5+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-8327.patch patch. CVE-2015-8327: foomatic-rip did not consider the back tick as an illegal shell escape character allowing arbitrary code execution. (Closes: #806886) * Add CVE-2015-8560.patch patch. CVE-2015-8560: code execution via improper escaping of ; (semicolon). (Closes: #807993) Checksums-Sha1: f4bfee1cb2ec6a5af89e612d50c0de75894186dd 2015 foomatic-filters_4.0.17-5+deb8u1.dsc 7f740968ca73595738d257bbfed93a8ac1b2c460 49588 foomatic-filters_4.0.17-5+deb8u1.debian.tar.xz Checksums-Sha256: 3b0548da61c34a4173e4c4d4916bc64fb04de5a18a5aeebd105fd30ab2b497f3 2015 foomatic-filters_4.0.17-5+deb8u1.dsc e98b33fe2a2d759a44f1051bcdb67ec5256e0452cade716bad3c12ea1e4614cc 49588 foomatic-filters_4.0.17-5+deb8u1.debian.tar.xz Files: a236e9eabe75ffd5d1b6d82bc390aaed 2015 text optional foomatic-filters_4.0.17-5+deb8u1.dsc 7025675b2e16a75f2d580f9b76917e8f 49588 text optional foomatic-filters_4.0.17-5+deb8u1.debian.tar.xz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJWdxnkAAoJEAVMuPMTQ89EkGQP/ja+oD/lYa7nIuCcJN2/cS+L 6vaU2mr3RePjNdzx45Nt6zYv+U3PvGLgp/Hd+IiGxOmhIZczgiHuJWCBuS27QQdx LDt1NUQZ/VLHPMADc69KQIkOdx9YWaSpoov+6L5YWD7SrmQAMM/N2Df1yDJD87Cn FoPnB5kfl8rfOzliVXw69ZAhBV3NztGkmNdK4FWLr08hdBcMhV0EI651y5r5qKDx 8bFtysykSV+k1ylmQDuR0YQBRWQDVS0hSfmp1RT1BWiZzRX65EFFqSR4py0rlVF3 0nyrYQO1W79YB+J3/ZwheZrInQlDioD2NuxOixLsMq+/xHYVAGy8n00qU84ZRyz8 GCT7uweowUY6QdnFvdMQO5QyimisC+ZgeMK1cU5ARX/lT5RAaqDSfkIWSgQbdDtr p0aK1hkzcQFa8U5A7kAFVLD40ubMVJAmu6SZyk2ZIecfilx3c29Y3pAkRb3ME+Nj a9UlJ2u8AcNS4byhbeIp6OrRJhxgX7gGFT75lr1+bB18EnftkgdQ+shvpO0stTb/ BGP1UzzM4Ml+VUJARYk5iM0YrFtZycOYWy71A2dqOxp3pGzv+ILQkpNypVcW4w+A 3G9z8kASGAK85dO3MW6kJhhteqQbbpeJ0eo+xOmf8DupzQZa2ao8GasS5I9mapku ZXnr8LHe0KgbdnsHhFN+ =OTLn -----END PGP SIGNATURE-----
--- End Message ---

