[CVE-2007-4351] CUPS IPP Tags Memory Corruption Vulnerability

Related Vulnerabilities: CVE-2007-4351  

Debian Bug report logs - #448866
[CVE-2007-4351] CUPS IPP Tags Memory Corruption Vulnerability


Package: cupsys; Maintainer for cupsys is (unknown);

Reported by: Daniel Leidert <daniel.leidert@wgdd.de>

Date: Thu, 1 Nov 2007 14:21:01 UTC

Severity: grave

Tags: patch

Found in version cupsys/1.3.2-1

Fixed in version cupsys/1.3.4-1

Done: Kenshi Muto <kmuto@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#448866; Package cupsys.


Acknowledgement sent to Daniel Leidert <daniel.leidert@wgdd.de>:
New Bug report received and forwarded. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Daniel Leidert <daniel.leidert@wgdd.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [CVE-2007-4351] CUPS IPP Tags Memory Corruption Vulnerability
Date: Thu, 01 Nov 2007 15:19:44 +0100
Package: cupsys
Version: 1.3.2-1
Severity: important


Secunia published a vulnerability report for Cups 1.3.3 (but older
versions may be affected too). The complete report is at
http://secunia.com/secunia_research/2007-76/advisory. Version 1.3.4
should already contain the fix.

Please check if Etch is affected too.

Regards, Daniel


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (850, 'unstable'), (700, 'testing'), (550, 'stable'), (110, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.21.5 (PREEMPT)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages cupsys depends on:
ii  adduser            3.105                 add and remove users and groups
ii  cupsys-common      1.3.2-1               Common UNIX Printing System(tm) - 
ii  debconf [debconf-2 1.5.16                Debian configuration management sy
ii  ghostscript [gs-es 8.61.dfsg.1~svn8187-2 The GPL Ghostscript PostScript/PDF
ii  gs-esp             8.61.dfsg.1~svn8187-2 Transitional package
ii  libavahi-compat-li 0.6.21-2              Avahi Apple Bonjour compatibility 
ii  libc6              2.6.1-6               GNU C Library: Shared libraries
ii  libcupsimage2      1.3.2-1               Common UNIX Printing System(tm) - 
ii  libcupsys2         1.3.2-1               Common UNIX Printing System(tm) - 
ii  libdbus-1-3        1.1.1-3               simple interprocess messaging syst
ii  libgnutls13        2.0.1-1               the GNU TLS library - runtime libr
ii  libkrb53           1.6.dfsg.3~beta1-2    MIT Kerberos runtime libraries
ii  libldap2           2.1.30.dfsg-13.5      OpenLDAP libraries
ii  libpam0g           0.99.7.1-5            Pluggable Authentication Modules l
ii  libpaper1          1.1.23                library for handling paper charact
ii  libslp1            1.2.1-7               OpenSLP libraries
ii  lsb-base           3.1-24                Linux Standard Base 3.1 init scrip
ii  perl-modules       5.8.8-11.1            Core Perl modules
ii  procps             1:3.2.7-5             /proc file system utilities
ii  ssl-cert           1.0.14                Simple debconf wrapper for openssl
ii  xpdf-utils [popple 3.02-1.2              Portable Document Format (PDF) sui

Versions of packages cupsys recommends:
ii  cups-pdf              2.4.6-4            PDF printer for CUPS
ii  cupsys-client         1.3.2-1            Common UNIX Printing System(tm) - 
ii  foomatic-filters      3.0.2-20061031-1.2 linuxprinting.org printer support 
ii  smbclient             3.0.26a-1          a LanManager-like simple client fo

-- debconf information excluded




Severity set to `grave' from `important'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 01 Nov 2007 14:51:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#448866; Package cupsys.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>.


Message #12 received at 448866@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: control@bugs.debian.org
Cc: 448866@bugs.debian.org
Subject: patch for off-by-one error
Date: Sat, 3 Nov 2007 18:12:57 +1100

tags 448866 patch
thanks

Hi

Attached you will find an upstream patch from the 1.3 branch. I think the 
patch should be complete. I am not sure, but I guess Red Hat missed some 
parts in its advisory. I still have to test it properly, but feel free to 
review.

Cheers
Steffen
[nmu.patch (text/x-diff, attachment)]

Tags added: patch. Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Sat, 03 Nov 2007 07:06:03 GMT)


Reply sent to Kenshi Muto <kmuto@debian.org>:
You have taken responsibility.


Notification sent to Daniel Leidert <daniel.leidert@wgdd.de>:
Bug acknowledged by developer.


Message #19 received at 448866-close@bugs.debian.org:

From: Kenshi Muto <kmuto@debian.org>
To: 448866-close@bugs.debian.org
Subject: Bug#448866: fixed in cupsys 1.3.4-1
Date: Sat, 03 Nov 2007 09:02:18 +0000
Source: cupsys
Source-Version: 1.3.4-1

We believe that the bug you reported is fixed in the latest version of
cupsys, which is due to be installed in the Debian FTP archive:

cupsys-bsd_1.3.4-1_amd64.deb
  to pool/main/c/cupsys/cupsys-bsd_1.3.4-1_amd64.deb
cupsys-client_1.3.4-1_amd64.deb
  to pool/main/c/cupsys/cupsys-client_1.3.4-1_amd64.deb
cupsys-common_1.3.4-1_all.deb
  to pool/main/c/cupsys/cupsys-common_1.3.4-1_all.deb
cupsys-dbg_1.3.4-1_amd64.deb
  to pool/main/c/cupsys/cupsys-dbg_1.3.4-1_amd64.deb
cupsys_1.3.4-1.diff.gz
  to pool/main/c/cupsys/cupsys_1.3.4-1.diff.gz
cupsys_1.3.4-1.dsc
  to pool/main/c/cupsys/cupsys_1.3.4-1.dsc
cupsys_1.3.4-1_amd64.deb
  to pool/main/c/cupsys/cupsys_1.3.4-1_amd64.deb
cupsys_1.3.4.orig.tar.gz
  to pool/main/c/cupsys/cupsys_1.3.4.orig.tar.gz
libcupsimage2-dev_1.3.4-1_amd64.deb
  to pool/main/c/cupsys/libcupsimage2-dev_1.3.4-1_amd64.deb
libcupsimage2_1.3.4-1_amd64.deb
  to pool/main/c/cupsys/libcupsimage2_1.3.4-1_amd64.deb
libcupsys2-dev_1.3.4-1_amd64.deb
  to pool/main/c/cupsys/libcupsys2-dev_1.3.4-1_amd64.deb
libcupsys2_1.3.4-1_amd64.deb
  to pool/main/c/cupsys/libcupsys2_1.3.4-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 448866@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kenshi Muto <kmuto@debian.org> (supplier of updated cupsys package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Fri, 02 Nov 2007 21:32:29 +0900
Source: cupsys
Binary: libcupsys2-dev cupsys libcupsys2 libcupsimage2 cupsys-common cupsys-client cupsys-dbg cupsys-bsd libcupsimage2-dev
Architecture: source amd64 all
Version: 1.3.4-1
Distribution: unstable
Urgency: high
Maintainer: Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>
Changed-By: Kenshi Muto <kmuto@debian.org>
Description: 
 cupsys     - Common UNIX Printing System(tm) - server
 cupsys-bsd - Common UNIX Printing System(tm) - BSD commands
 cupsys-client - Common UNIX Printing System(tm) - client programs (SysV)
 cupsys-common - Common UNIX Printing System(tm) - common files
 cupsys-dbg - Common UNIX Printing System(tm) - debugging symbols
 libcupsimage2 - Common UNIX Printing System(tm) - image libs
 libcupsimage2-dev - Common UNIX Printing System(tm) - image development files
 libcupsys2 - Common UNIX Printing System(tm) - libs
 libcupsys2-dev - Common UNIX Printing System(tm) - development files
Closes: 446740 448866
Changes: 
 cupsys (1.3.4-1) unstable; urgency=high
 .
   * New upstream release.
     - Fixes CVE-2007-4351
       IPP Tags Memory Corruption Vulnerability (closes: #448866)
 .
   [ Martin Pitt ]
   * debian/cupsys.postinst: Drop ancient code to remove root from group
     lpadmin.
 .
   [ Kenshi Muto ]
   * Debconf translation
     - Finnish (closes: #446740)
Files: 






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 28 Dec 2007 07:31:41 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:34:52 2019; Machine Name: beach
