ippusbxd: CVE-2015-6520: allows access to a connected USB printer via all configured network addresses

Related Vulnerabilities: CVE-2015-6520  

Debian Bug report logs - #795162


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 11 Aug 2015 08:54:06 UTC

Severity: important

Tags: pending, security, upstream

Found in version ippusbxd/1.21.2-1

Fixed in version ippusbxd/1.22-1

Done: Didier Raboud <odyx@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#795162; Package src:ippusbxd. (Tue, 11 Aug 2015 08:54:10 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Printing Team <debian-printing@lists.debian.org>. (Tue, 11 Aug 2015 08:54:10 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ippusbxd: allows access to a connected USB printer via all configured network addresses
Date: Tue, 11 Aug 2015 10:51:47 +0200
Source: ippusbxd
Version: 1.21.2-1
Severity: important
Tags: security upstream

Hi

While reviewing ippusbxd in Ubuntu it was found that ippusbxd allows
access to a connected USB printer via all configured network
addresses, see
https://bugs.launchpad.net/ubuntu/+source/ippusbxd/+bug/1455644 and
for the CVE request
http://www.openwall.com/lists/oss-security/2015/08/11/1 .

Regards,
Salvatore



Reply sent to Didier Raboud <odyx@debian.org>:
You have taken responsibility. (Thu, 13 Aug 2015 07:51:08 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 13 Aug 2015 07:51:08 GMT).


Message #10 received at 795162-close@bugs.debian.org:

From: Didier Raboud <odyx@debian.org>
To: 795162-close@bugs.debian.org
Subject: Bug#795162: fixed in ippusbxd 1.22-1
Date: Thu, 13 Aug 2015 07:49:35 +0000
Source: ippusbxd
Source-Version: 1.22-1

We believe that the bug you reported is fixed in the latest version of
ippusbxd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 795162@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated ippusbxd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 13 Aug 2015 09:07:51 +0200
Source: ippusbxd
Binary: ippusbxd
Architecture: source
Version: 1.22-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description:
 ippusbxd   - Daemon for IPP USB printer support
Closes: 795162
Changes:
 ippusbxd (1.22-1) unstable; urgency=medium
 .
   * New 1.22 upstream release
     - SECURITY FIX: Actually restrict the access to the printer to localhost
       (Closes: #795162, LP: #1455644)
 .
   * Drop the aquire→acquire typo patch, merged upstream
   * Add gbp.conf
   * Update Vcs-Browser to use the https variant




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#795162; Package src:ippusbxd. (Thu, 13 Aug 2015 07:51:10 GMT).


Acknowledgement sent to Didier 'OdyX' Raboud <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Thu, 13 Aug 2015 07:51:10 GMT).


Message #15 received at 795162@bugs.debian.org:

From: Didier 'OdyX' Raboud <odyx@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 795162@bugs.debian.org
Subject: Re: Bug#795162: ippusbxd: allows access to a connected USB printer via all configured network addresses
Date: Thu, 13 Aug 2015 09:50:24 +0200
Control: tags -1 +pending

On Tuesday, 11 August 2015, 10.51:47 Salvatore Bonaccorso wrote:
> While reviewing ippusbxd in Ubuntu it was found that ippusbxd allows
> access to a connected USB printer via all configured network
> addresses, see
> https://bugs.launchpad.net/ubuntu/+source/ippusbxd/+bug/1455644 and
> for the CVE request
> http://www.openwall.com/lists/oss-security/2015/08/11/1 .

Thanks for the report. For now I have uploaded without the CVE number, 
as it wasn't assigned yet.

Cheers, OdyX

Added tag(s) pending. Request was from Didier 'OdyX' Raboud <odyx@debian.org> to 795162-submit@bugs.debian.org. (Thu, 13 Aug 2015 07:51:10 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#795162; Package src:ippusbxd. (Thu, 13 Aug 2015 08:06:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Thu, 13 Aug 2015 08:06:03 GMT).


Message #22 received at 795162@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Didier 'OdyX' Raboud <odyx@debian.org>
Cc: 795162@bugs.debian.org
Subject: Re: Bug#795162: ippusbxd: allows access to a connected USB printer via all configured network addresses
Date: Thu, 13 Aug 2015 10:03:48 +0200
Hi Didier,

On Thu, Aug 13, 2015 at 09:50:24AM +0200, Didier 'OdyX' Raboud wrote:
> Control: tags -1 +pending
> 
> On Tuesday, 11 August 2015, 10.51:47 Salvatore Bonaccorso wrote:
> > While reviewing ippusbxd in Ubuntu it was found that ippusbxd allows
> > access to a connected USB printer via all configured network
> > addresses, see
> > https://bugs.launchpad.net/ubuntu/+source/ippusbxd/+bug/1455644 and
> > for the CVE request
> > http://www.openwall.com/lists/oss-security/2015/08/11/1 .
> 
> Thanks for the report. For now I have uploaded without the CVE number, 
> as it wasn't assigned yet.

yes sure that's fine. We don't have to wait for a CVE assignment for
uploading a fix (although for tracking issues it would be nice). I
have updated the tracker: https://security-tracker.debian.org/795162

Regards,
Salvatore



Changed Bug title to 'ippusbxd: CVE-2015-6520: allows access to a connected USB printer via all configured network addresses' from 'ippusbxd: allows access to a connected USB printer via all configured network addresses' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 19 Aug 2015 06:12:15 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 16 Sep 2015 07:36:52 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:33:59 2019; Machine Name: buxtehude
