Your message dated Sun, 27 Dec 2015 21:47:42 +0000 with message-id <[email protected]> and subject line Bug#806886: fixed in foomatic-filters 4.0.17-1+deb7u1 has caused the Debian Bug report #806886, regarding CVE-2015-8327 Insufficient script injection prevention to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 806886: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806886 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: foomatic-filters Version: 4.0-20090301-1 Severity: important Tags: security upstream Hi, cups-filters 1.2.0 was released last Tuesday with a security fix for CVE-2015-8327 in foomatic-rip/util.c: > foomatic-rip: SECURITY FIX: Also consider the back tick > ('`') as an illegal shell escape character. Thanks to Michal > Kowalczyk from the Google Security Team for the hint (CVE-2015-8327). cups-filters 1.2.0 is fixed and a security upload for its version in stable has already been uploaded, but foomatic-filters is also affected in all suites, as the culprit code exists since 4.0-20090301. The patch is straightforward, and is attached to this bugreport. Cheers, OdyXDescription: foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as an illegal shell escape character. Thanks to Michal Kowalczyk from the Google Security Team for the hint. Author: Till Kamppeter <[email protected]> Bug-CVE: CVE-2015-8327 Origin: upstream Last-Update: 2015-11-26 --- a/util.c +++ b/util.c @@ -31,7 +31,7 @@ #include <assert.h> -const char* shellescapes = "|<>&!$\'\"#*?()[]{}"; +const char* shellescapes = "|<>&!$\'\"`#*?()[]{}"; const char * temp_dir() {
--- End Message ---
--- Begin Message ---Source: foomatic-filters Source-Version: 4.0.17-1+deb7u1 We believe that the bug you reported is fixed in the latest version of foomatic-filters, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Salvatore Bonaccorso <[email protected]> (supplier of updated foomatic-filters package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 20 Dec 2015 21:55:22 +0100 Source: foomatic-filters Binary: foomatic-filters Architecture: source amd64 Version: 4.0.17-1+deb7u1 Distribution: wheezy-security Urgency: high Maintainer: Debian Printing Group <[email protected]> Changed-By: Salvatore Bonaccorso <[email protected]> Description: foomatic-filters - OpenPrinting printer support - filters Closes: 806886 807993 Changes: foomatic-filters (4.0.17-1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-8327.patch patch. CVE-2015-8327: foomatic-rip did not consider the back tick as an illegal shell escape character allowing arbitrary code execution. (Closes: #806886) * Add CVE-2015-8560.patch patch. CVE-2015-8560: code execution via improper escaping of ; (semicolon). (Closes: #807993) Checksums-Sha1: 2246f98e82d4f74598fa93ef7180451fdbf5ac90 2098 foomatic-filters_4.0.17-1+deb7u1.dsc bde0cf8bcc61cb1e7c894b7125348fb95efa8c60 266276 foomatic-filters_4.0.17.orig.tar.gz e58dab696efe1aa55a0df3a4e5012bf1aeb13b65 52815 foomatic-filters_4.0.17-1+deb7u1.debian.tar.gz 1396874be7aa19e4373095ba94381b5767d90719 163626 foomatic-filters_4.0.17-1+deb7u1_amd64.deb Checksums-Sha256: 79bd64b48caefb6fe5673ea04f4d5c2b9d22b9ca4f529a0f1c3a3042c34a3d9a 2098 foomatic-filters_4.0.17-1+deb7u1.dsc a2e2e53e502571e88eeb9010c45a0d54671f15707ee104f5c9c22b59ea7a33e3 266276 foomatic-filters_4.0.17.orig.tar.gz d69e64604f844538aff02705d1c2db43f92c976a934b859b59f5d6cf1247adc1 52815 foomatic-filters_4.0.17-1+deb7u1.debian.tar.gz 4d7f2fd6c8c094e1c2bec1787afd2ed449d327a5bcc030d14fa44de986bf3d47 163626 foomatic-filters_4.0.17-1+deb7u1_amd64.deb Files: 5287a8f6bb50d09aff7cfd2037258e70 2098 text optional foomatic-filters_4.0.17-1+deb7u1.dsc b05f5dcbfe359f198eef3df5b283d896 266276 text optional foomatic-filters_4.0.17.orig.tar.gz abe90fb7e6f02b455af0de088bf0affc 52815 text optional foomatic-filters_4.0.17-1+deb7u1.debian.tar.gz 4d8365f249ac743911d01c822ba38df8 163626 text optional foomatic-filters_4.0.17-1+deb7u1_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJWdxdmAAoJEAVMuPMTQ89EhY0QAIdV1lmqp60SxZHsVGg9+RNK PDf17ucQLUi16bKOBq3iyq76aFYTEZ946FaGF/k8F/rSTqzi8ceKKRu9qePwT/Lx AlfukWHN9Vb4+3eRRolw0EGkgSPXvUVs/zbbeeQKZnL8VcwYSKrlZUZjtgm6MQrZ xeb3rJ/SfLyUSkdgD8gvjvrvk5OYc8FcL0z9JfvwhA3QPrCuTtf5lxVRvpFvZ3y6 6rz6pfLiuBoJfhtiKaOEldgQZYUfKs/lR2InGq2cScX4FTNxYXs2if3CCq+aR85d 2CdTgrms+t6C9jwktAo/zDlQN5U+f8fjR84qjshklodGq2RBRzYIb0pluXBzOYOu Uy9NgFHOvtOkY/1h4sp0KBLQwfz5MZRng18cnJNBj0r1tJoHh8khQV5hjyyIPnC1 IYCNqdhr3K0SesPk4WP/ejeTiy5Tn5k8uayFFRK/UavK6eXxF42x/Mg2gnXD1KZL QgsB1At6Dyn0nVmFC9TaslHaMz4PgoQnDF7W6LYcKTg22G3MvgYlzRcuecfJsQjq b2sukzDTez3oyC1nSIk/RFneWcknlNnVrz9K2XQhSs4jpwQBhFPggXEFLiExHAwa 8ipCb5Qq8TDXMYRgeMCj+8dQ2J4xHrROQ+3dZ95JKpM1PRKrnpoG6Yah/Fu5UU0r twOMbxhIOVVi7y+aF5tN =R+1m -----END PGP SIGNATURE-----
--- End Message ---

