Debian Bug report logs -
#806886
CVE-2015-8327 Insufficient script injection prevention
Reported by: Didier 'OdyX' Raboud <odyx@debian.org>
Date: Wed, 2 Dec 2015 13:45:02 UTC
Severity: important
Tags: security, upstream
Found in version foomatic-filters/4.0-20090301-1
Fixed in versions foomatic-filters/4.0.5-6+squeeze2+deb6u11, foomatic-filters/4.0.17-7, foomatic-filters/4.0.17-5+deb8u1, foomatic-filters/4.0.17-1+deb7u1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jörg Frings-Fürst <debian@jff-webhosting.net>:
Bug#806886; Package foomatic-filters.
(Wed, 02 Dec 2015 13:45:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Didier 'OdyX' Raboud <odyx@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jörg Frings-Fürst <debian@jff-webhosting.net>.
(Wed, 02 Dec 2015 13:45:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: foomatic-filters
Version: 4.0-20090301-1
Severity: important
Tags: security upstream
Hi,
cups-filters 1.2.0 was released last Tuesday with a security fix for
CVE-2015-8327 in foomatic-rip/util.c:
> foomatic-rip: SECURITY FIX: Also consider the back tick
> ('`') as an illegal shell escape character. Thanks to Michal
> Kowalczyk from the Google Security Team for the hint (CVE-2015-8327).
cups-filters 1.2.0 is fixed and a security upload for its version in stable has
already been uploaded, but foomatic-filters is also affected in all suites, as
the culprit code exists since 4.0-20090301.
The patch is straightforward, and is attached to this bugreport.
Cheers,
OdyX
[r7406_also_consider_the_back_tick_as_an_illegal_shell_escape_character.patch (text/x-diff, attachment)]
Reply sent
to Chris Lamb <lamby@debian.org>:
You have taken responsibility.
(Wed, 09 Dec 2015 09:54:08 GMT) (full text, mbox, link).
Notification sent
to Didier 'OdyX' Raboud <odyx@debian.org>:
Bug acknowledged by developer.
(Wed, 09 Dec 2015 09:54:08 GMT) (full text, mbox, link).
Message #10 received at 806886-close@bugs.debian.org (full text, mbox, reply):
Source: foomatic-filters
Source-Version: 4.0.5-6+squeeze2+deb6u11
We believe that the bug you reported is fixed in the latest version of
foomatic-filters, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 806886@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated foomatic-filters package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 09 Dec 2015 10:21:20 +0200
Source: foomatic-filters
Binary: foomatic-filters
Architecture: source amd64
Version: 4.0.5-6+squeeze2+deb6u11
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian Printing Group <debian-printing@lists.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
foomatic-filters - OpenPrinting printer support - filters
Closes: 806886
Changes:
foomatic-filters (4.0.5-6+squeeze2+deb6u11) squeeze-lts; urgency=high
.
* CVE-2015-8327: Fix insufficient script injection prevention
(Closes: #806886)
Checksums-Sha1:
35f9bdcb84fae93fad5a939e4ec4c3e13d5ed9bc 2055 foomatic-filters_4.0.5-6+squeeze2+deb6u11.dsc
1345880f3b89242b0ac7fae1e3750bf2154130f4 243239 foomatic-filters_4.0.5.orig.tar.gz
2c8596426a4f95c140afe3426c36453a76552661 53071 foomatic-filters_4.0.5-6+squeeze2+deb6u11.debian.tar.gz
a8951bc5db708b935be8b88a6e0bc41a0f26d93d 151072 foomatic-filters_4.0.5-6+squeeze2+deb6u11_amd64.deb
Checksums-Sha256:
42bf968f6c59caed8ce10824b398ce9ed6c28b280737cadf3dab1c0cbf4bb55a 2055 foomatic-filters_4.0.5-6+squeeze2+deb6u11.dsc
dafa39cd5a9de94db59aacd05f0ccbc4eba362d1633419f3dc3c7126c83c1036 243239 foomatic-filters_4.0.5.orig.tar.gz
1d417101e7b3215ad3b56f629e9d91a7eee4bd74bc07e1edb0944ab274b929ba 53071 foomatic-filters_4.0.5-6+squeeze2+deb6u11.debian.tar.gz
75807917d884143c78fe0b1b3b3dc77e0f2568911a3f158bccda2b8e77299ba0 151072 foomatic-filters_4.0.5-6+squeeze2+deb6u11_amd64.deb
Files:
0645dc9fb1b72cf77da074314e5e4f43 2055 text optional foomatic-filters_4.0.5-6+squeeze2+deb6u11.dsc
fd99dac3a36807a47ffa4f9eb15c1b07 243239 text optional foomatic-filters_4.0.5.orig.tar.gz
87e23c57105a7df6c079d18c4d48bab6 53071 text optional foomatic-filters_4.0.5-6+squeeze2+deb6u11.debian.tar.gz
7602759182b8ebfb15a98f2110767f60 151072 text optional foomatic-filters_4.0.5-6+squeeze2+deb6u11_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJWZ+VSAAoJEB6VPifUMR5Yq6YP/iYg295takkPAC4dV3fyKiGf
R3XszfDWTHALYiMhaSvKca4hBqzELVoHLGBBTUO41Kb8GckJcI1kZqAoCvo/uwVu
7dqRyf1OJ6fKYCPfiD+tl0xi7770qW7VndJRT/h92ItYHPTXcDWW0bFcMi0LcKqJ
v4XAOGDp5JEZI4+dlyJC5Rf51p/HWjMWXM6mD/4Hvq5TaELbOjlFk09ubz3GdbTi
M/aTjHIGl4UCL5KXuwzre8hKDyYoHiRSRZYVTfKRUmJ3oqJVQSQ1uz1yyMGdk4so
2qR57x3QT4hBsTNaNvnJlfQdNnRcpMZA3qKERvB8YX5ZV5ZdeRnkB4+qkmBJmCHl
PI3Kdg0sMK1CpIaOnNiDOJLGx+ql/IQT/S07cAdmQKmW90ftFBttxomBH17w+wm7
65zbQ5vCExun6i6OeqrB8AcXNmHN+k3U22yatI3WpxwUNZkte2UiI0CKN6u+S+Ph
e+yX7KgjX9UuenanWmkt3OC6rX4ppppPvIOFMNgEVHiOOXhbh4gV2q3z+domwXyu
Xg623LBsrV2SJ9CLNxD0i3xmtMsrs9B428mb3x6R90lfehX+/TPB9m1X/IddH6PP
TMlVrjc5nqWMi2PdPM8kFhIbf7mZ9FghhJFAhIn5QfuODqRLAVVn4YTgCVGbZ+AS
55UMgJHxOk5xeqU6Dz41
=+8s9
-----END PGP SIGNATURE-----
Reply sent
to Jörg Frings-Fürst <debian@jff-webhosting.net>:
You have taken responsibility.
(Mon, 21 Dec 2015 05:39:04 GMT) (full text, mbox, link).
Notification sent
to Didier 'OdyX' Raboud <odyx@debian.org>:
Bug acknowledged by developer.
(Mon, 21 Dec 2015 05:39:04 GMT) (full text, mbox, link).
Message #15 received at 806886-close@bugs.debian.org (full text, mbox, reply):
Source: foomatic-filters
Source-Version: 4.0.17-7
We believe that the bug you reported is fixed in the latest version of
foomatic-filters, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 806886@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jörg Frings-Fürst <debian@jff-webhosting.net> (supplier of updated foomatic-filters package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 16 Dec 2015 00:49:11 +0100
Source: foomatic-filters
Binary: foomatic-filters
Architecture: source
Version: 4.0.17-7
Distribution: unstable
Urgency: high
Maintainer: Jörg Frings-Fürst <debian@jff-webhosting.net>
Changed-By: Jörg Frings-Fürst <debian@jff-webhosting.net>
Description:
foomatic-filters - OpenPrinting printer support - filters
Closes: 806886 807931
Changes:
foomatic-filters (4.0.17-7) unstable; urgency=high
.
* New patch debian/patches/0500-r7406_also_consider_the_back_\
tick_as_an_illegal_shell_escape_character.patch
(Closes: #806886, #807931)
- CVE-2015-8327 Insufficient script injection prevention.
- Add changes from upstream revision 7419.
- CVE-2015-8560: code execution via improper escaping of ; in foomatic-rip.
* Rename patches.
* To prevent build warnings:
- debian/control: Add autotools-dev and autoconf to Build-Depends.
- debian/rules: Add --with autotools-dev.
Checksums-Sha1:
b1a07c97692066817866eba91b29f4df1b14eadc 2012 foomatic-filters_4.0.17-7.dsc
e26679f8fca9f0938c48a9160b7f2d11505ee91b 51992 foomatic-filters_4.0.17-7.debian.tar.xz
Checksums-Sha256:
c215415598f732207e3a549a8773dd0667c6d53b58cedc484027e94fcc2be897 2012 foomatic-filters_4.0.17-7.dsc
112898771de9b764d59e472515248c39ba4010a99c04bd7772e6cf1646b09f13 51992 foomatic-filters_4.0.17-7.debian.tar.xz
Files:
f5e653345d9f62c7bcfa2f00d2801897 2012 text optional foomatic-filters_4.0.17-7.dsc
3312bf654030d3e71662ad295379c8c8 51992 text optional foomatic-filters_4.0.17-7.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJWd42GAAoJEI7tzBuqHzL/B0gP/RqEdDqP9BvelogD6/1hkcm9
Ht03VR3Mslv5PtKcvPNCvntKbZjLwuBZPkiTwv83YhrUU7i5IiMVurtuWGuflrIX
+q0dS6EtRZVMafT2ekoN5EwIdDBX3zPIErFf5YE8sUXCm4brbPVt7IJZVJBixikV
Yae66nfHEUDEwgbXo/CL59xNydNjitWE0xw+upOn+I2RcllCMXqaEDL+RpS7HPoG
l+L3oRyxyNNBi0vrNmfjkRjWSwYWyFMjBCjwZg57HjKWb9qYHdWTdhth+6rUivWP
5x4jGNv4OAFMQgcWDJdE73UFv9bgxvPyy44Fz8eQ0reh4u48JJ9XmM2yo6BP0nPa
HY61j9ZykUfH/s69K3DXexDd/50UOKuNO95oox5tpxX9nryKhegz0mCFfStU7MfO
EzpW7Tj0hsP4IIYSJ6XjPMHNrzC4aemgjanZne7S3IdOFsBD4R1SQMcDiHhJm0AT
tKRKoIZZMSsuE85PDLYwSr6kLtcEDR4GKuboz7g9wwLmw4I1Xt7q4EkjPbzLEsXT
4qy2tuWBE107H9ssB2usva2b8e++JUMav+WKrzfBdILDpwc4vuZezLRBacygMU33
32/RR6ZQzbBifjWNtILEvV6JvoZSrdkbOiXIULrDQar7wzMgcUX5sHGrlqEV3nZ1
WqYK0PfDOoa2fGB+G2UV
=9lUu
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sun, 27 Dec 2015 17:36:32 GMT) (full text, mbox, link).
Notification sent
to Didier 'OdyX' Raboud <odyx@debian.org>:
Bug acknowledged by developer.
(Sun, 27 Dec 2015 17:36:32 GMT) (full text, mbox, link).
Message #20 received at 806886-close@bugs.debian.org (full text, mbox, reply):
Source: foomatic-filters
Source-Version: 4.0.17-5+deb8u1
We believe that the bug you reported is fixed in the latest version of
foomatic-filters, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 806886@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated foomatic-filters package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 20 Dec 2015 22:09:42 +0100
Source: foomatic-filters
Binary: foomatic-filters
Architecture: source
Version: 4.0.17-5+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Jörg Frings-Fürst <debian@jff-webhosting.net>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 806886 807993
Description:
foomatic-filters - OpenPrinting printer support - filters
Changes:
foomatic-filters (4.0.17-5+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2015-8327.patch patch.
CVE-2015-8327: foomatic-rip did not consider the back tick as an illegal
shell escape character allowing arbitrary code execution. (Closes: #806886)
* Add CVE-2015-8560.patch patch.
CVE-2015-8560: code execution via improper escaping of ; (semicolon).
(Closes: #807993)
Checksums-Sha1:
f4bfee1cb2ec6a5af89e612d50c0de75894186dd 2015 foomatic-filters_4.0.17-5+deb8u1.dsc
7f740968ca73595738d257bbfed93a8ac1b2c460 49588 foomatic-filters_4.0.17-5+deb8u1.debian.tar.xz
Checksums-Sha256:
3b0548da61c34a4173e4c4d4916bc64fb04de5a18a5aeebd105fd30ab2b497f3 2015 foomatic-filters_4.0.17-5+deb8u1.dsc
e98b33fe2a2d759a44f1051bcdb67ec5256e0452cade716bad3c12ea1e4614cc 49588 foomatic-filters_4.0.17-5+deb8u1.debian.tar.xz
Files:
a236e9eabe75ffd5d1b6d82bc390aaed 2015 text optional foomatic-filters_4.0.17-5+deb8u1.dsc
7025675b2e16a75f2d580f9b76917e8f 49588 text optional foomatic-filters_4.0.17-5+deb8u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJWdxnkAAoJEAVMuPMTQ89EkGQP/ja+oD/lYa7nIuCcJN2/cS+L
6vaU2mr3RePjNdzx45Nt6zYv+U3PvGLgp/Hd+IiGxOmhIZczgiHuJWCBuS27QQdx
LDt1NUQZ/VLHPMADc69KQIkOdx9YWaSpoov+6L5YWD7SrmQAMM/N2Df1yDJD87Cn
FoPnB5kfl8rfOzliVXw69ZAhBV3NztGkmNdK4FWLr08hdBcMhV0EI651y5r5qKDx
8bFtysykSV+k1ylmQDuR0YQBRWQDVS0hSfmp1RT1BWiZzRX65EFFqSR4py0rlVF3
0nyrYQO1W79YB+J3/ZwheZrInQlDioD2NuxOixLsMq+/xHYVAGy8n00qU84ZRyz8
GCT7uweowUY6QdnFvdMQO5QyimisC+ZgeMK1cU5ARX/lT5RAaqDSfkIWSgQbdDtr
p0aK1hkzcQFa8U5A7kAFVLD40ubMVJAmu6SZyk2ZIecfilx3c29Y3pAkRb3ME+Nj
a9UlJ2u8AcNS4byhbeIp6OrRJhxgX7gGFT75lr1+bB18EnftkgdQ+shvpO0stTb/
BGP1UzzM4Ml+VUJARYk5iM0YrFtZycOYWy71A2dqOxp3pGzv+ILQkpNypVcW4w+A
3G9z8kASGAK85dO3MW6kJhhteqQbbpeJ0eo+xOmf8DupzQZa2ao8GasS5I9mapku
ZXnr8LHe0KgbdnsHhFN+
=OTLn
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sun, 27 Dec 2015 21:51:33 GMT) (full text, mbox, link).
Notification sent
to Didier 'OdyX' Raboud <odyx@debian.org>:
Bug acknowledged by developer.
(Sun, 27 Dec 2015 21:51:33 GMT) (full text, mbox, link).
Message #25 received at 806886-close@bugs.debian.org (full text, mbox, reply):
Source: foomatic-filters
Source-Version: 4.0.17-1+deb7u1
We believe that the bug you reported is fixed in the latest version of
foomatic-filters, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 806886@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated foomatic-filters package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 20 Dec 2015 21:55:22 +0100
Source: foomatic-filters
Binary: foomatic-filters
Architecture: source amd64
Version: 4.0.17-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Printing Group <debian-printing@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
foomatic-filters - OpenPrinting printer support - filters
Closes: 806886 807993
Changes:
foomatic-filters (4.0.17-1+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2015-8327.patch patch.
CVE-2015-8327: foomatic-rip did not consider the back tick as an illegal
shell escape character allowing arbitrary code execution. (Closes: #806886)
* Add CVE-2015-8560.patch patch.
CVE-2015-8560: code execution via improper escaping of ; (semicolon).
(Closes: #807993)
Checksums-Sha1:
2246f98e82d4f74598fa93ef7180451fdbf5ac90 2098 foomatic-filters_4.0.17-1+deb7u1.dsc
bde0cf8bcc61cb1e7c894b7125348fb95efa8c60 266276 foomatic-filters_4.0.17.orig.tar.gz
e58dab696efe1aa55a0df3a4e5012bf1aeb13b65 52815 foomatic-filters_4.0.17-1+deb7u1.debian.tar.gz
1396874be7aa19e4373095ba94381b5767d90719 163626 foomatic-filters_4.0.17-1+deb7u1_amd64.deb
Checksums-Sha256:
79bd64b48caefb6fe5673ea04f4d5c2b9d22b9ca4f529a0f1c3a3042c34a3d9a 2098 foomatic-filters_4.0.17-1+deb7u1.dsc
a2e2e53e502571e88eeb9010c45a0d54671f15707ee104f5c9c22b59ea7a33e3 266276 foomatic-filters_4.0.17.orig.tar.gz
d69e64604f844538aff02705d1c2db43f92c976a934b859b59f5d6cf1247adc1 52815 foomatic-filters_4.0.17-1+deb7u1.debian.tar.gz
4d7f2fd6c8c094e1c2bec1787afd2ed449d327a5bcc030d14fa44de986bf3d47 163626 foomatic-filters_4.0.17-1+deb7u1_amd64.deb
Files:
5287a8f6bb50d09aff7cfd2037258e70 2098 text optional foomatic-filters_4.0.17-1+deb7u1.dsc
b05f5dcbfe359f198eef3df5b283d896 266276 text optional foomatic-filters_4.0.17.orig.tar.gz
abe90fb7e6f02b455af0de088bf0affc 52815 text optional foomatic-filters_4.0.17-1+deb7u1.debian.tar.gz
4d8365f249ac743911d01c822ba38df8 163626 text optional foomatic-filters_4.0.17-1+deb7u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJWdxdmAAoJEAVMuPMTQ89EhY0QAIdV1lmqp60SxZHsVGg9+RNK
PDf17ucQLUi16bKOBq3iyq76aFYTEZ946FaGF/k8F/rSTqzi8ceKKRu9qePwT/Lx
AlfukWHN9Vb4+3eRRolw0EGkgSPXvUVs/zbbeeQKZnL8VcwYSKrlZUZjtgm6MQrZ
xeb3rJ/SfLyUSkdgD8gvjvrvk5OYc8FcL0z9JfvwhA3QPrCuTtf5lxVRvpFvZ3y6
6rz6pfLiuBoJfhtiKaOEldgQZYUfKs/lR2InGq2cScX4FTNxYXs2if3CCq+aR85d
2CdTgrms+t6C9jwktAo/zDlQN5U+f8fjR84qjshklodGq2RBRzYIb0pluXBzOYOu
Uy9NgFHOvtOkY/1h4sp0KBLQwfz5MZRng18cnJNBj0r1tJoHh8khQV5hjyyIPnC1
IYCNqdhr3K0SesPk4WP/ejeTiy5Tn5k8uayFFRK/UavK6eXxF42x/Mg2gnXD1KZL
QgsB1At6Dyn0nVmFC9TaslHaMz4PgoQnDF7W6LYcKTg22G3MvgYlzRcuecfJsQjq
b2sukzDTez3oyC1nSIk/RFneWcknlNnVrz9K2XQhSs4jpwQBhFPggXEFLiExHAwa
8ipCb5Qq8TDXMYRgeMCj+8dQ2J4xHrROQ+3dZ95JKpM1PRKrnpoG6Yah/Fu5UU0r
twOMbxhIOVVi7y+aF5tN
=R+1m
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jan 2016 07:48:25 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:07:33 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon