Debian Bug report logs -
#741318
cups-filters: CVE-2013-6476 CVE-2013-6475 CVE-2013-6474 CVE-2013-6473
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Tue, 11 Mar 2014 08:27:02 UTC
Severity: grave
Tags: security
Found in version cups-filters/1.0.25-1
Fixed in versions cups-filters/1.0.47-1, cups-filters/1.0.18-2.1+deb7u1
Done: Didier Raboud <odyx@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#741318; Package cups-filters.
(Tue, 11 Mar 2014 08:27:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Printing Team <debian-printing@lists.debian.org>.
(Tue, 11 Mar 2014 08:27:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: cups-filters
Severity: grave
Tags: security
Justification: user security hole
Hi,
Fixed upstream in 1.0.47:
CVE-2013-6473:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7175
CVE-2013-6474:
CVE-2013-6475:
CVE-2013-6476:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7176
I haven't checked the filters from src:cups in oldstable yet.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#741318; Package cups-filters.
(Tue, 11 Mar 2014 10:54:05 GMT) (full text, mbox, link).
Acknowledgement sent
to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>.
(Tue, 11 Mar 2014 10:54:05 GMT) (full text, mbox, link).
Message #10 received at 741318@bugs.debian.org (full text, mbox, reply):
Control: found -1 cups/1.4.4-7+squeeze3
Control: found -1 cups-filters/1.0.25-1
Control: notfound -1 cups-filters/1.0.18-2.1
Hi Moritz, and thanks for the heads-up,
Le mardi, 11 mars 2014, 09.14:30 Moritz Muehlenhoff a écrit :
> Fixed upstream in 1.0.47:
>
> CVE-2013-6473:
> http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/re
> vision/7175
This doesn't affect stable's cups-filters (urftopdf was introduced in
cups-filters 1.0.25 and has never been in cups itself).
> CVE-2013-6474:
> CVE-2013-6475:
> CVE-2013-6476:
> http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/re
> vision/7176
>
> I haven't checked the filters from src:cups in oldstable yet.
This affects cups-filters in stable too, I'll prepare an updated
package.
It also affects the cups-filters as released in src:cups as
debian/local/filters/ in oldstable, I'll prepare an update too.
Cheers,
OdyX
Marked as found in versions cups/1.4.4-7+squeeze3.
Request was from "Didier 'OdyX' Raboud" <odyx@debian.org>
to 741318-submit@bugs.debian.org.
(Tue, 11 Mar 2014 10:54:05 GMT) (full text, mbox, link).
Marked as found in versions cups-filters/1.0.25-1.
Request was from "Didier 'OdyX' Raboud" <odyx@debian.org>
to 741318-submit@bugs.debian.org.
(Tue, 11 Mar 2014 10:54:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#741318; Package cups-filters.
(Tue, 11 Mar 2014 11:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>.
(Tue, 11 Mar 2014 11:03:04 GMT) (full text, mbox, link).
Message #19 received at 741318@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: notfound -1 cups/1.4.4-7+squeeze3
Control: clone -1 -2
Control: reassign -2 cups/1.4.4-7+squeeze3
Control: retitle -2 cups: CVE-2013-6476 CVE-2013-6475 CVE-2013-6474
Le mardi, 11 mars 2014, 11.50:27 Didier '' Raboud a écrit :
> It also affects the cups-filters as released in src:cups as
> debian/local/filters/ in oldstable, I'll prepare an update too.
And, according to bugs.debian.org, this should be tracked using a
separate bug, not a found, hereby fixing.
OdyX
[signature.asc (application/pgp-signature, inline)]
No longer marked as found in versions cups/1.4.4-7+squeeze3.
Request was from "Didier 'OdyX' Raboud" <odyx@debian.org>
to 741318-submit@bugs.debian.org.
(Tue, 11 Mar 2014 11:03:04 GMT) (full text, mbox, link).
Bug 741318 cloned as bug 741333
Request was from "Didier 'OdyX' Raboud" <odyx@debian.org>
to 741318-submit@bugs.debian.org.
(Tue, 11 Mar 2014 11:03:06 GMT) (full text, mbox, link).
Reply sent
to Didier Raboud <odyx@debian.org>:
You have taken responsibility.
(Tue, 11 Mar 2014 13:06:06 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.
(Tue, 11 Mar 2014 13:06:06 GMT) (full text, mbox, link).
Message #28 received at 741318-close@bugs.debian.org (full text, mbox, reply):
Source: cups-filters
Source-Version: 1.0.47-1
We believe that the bug you reported is fixed in the latest version of
cups-filters, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 741318@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups-filters package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 11 Mar 2014 13:36:14 +0100
Source: cups-filters
Binary: libcupsfilters1 libfontembed1 cups-filters cups-filters-core-drivers libcupsfilters-dev libfontembed-dev cups-browsed
Architecture: source amd64
Version: 1.0.47-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description:
cups-browsed - OpenPrinting CUPS Filters - cups-browsed
cups-filters - OpenPrinting CUPS Filters - Main Package
cups-filters-core-drivers - OpenPrinting CUPS Filters - PPD-less printing
libcupsfilters-dev - OpenPrinting CUPS Filters - Development files for the library
libcupsfilters1 - OpenPrinting CUPS Filters - Shared library
libfontembed-dev - OpenPrinting CUPS Filters - Development files for font embed libr
libfontembed1 - OpenPrinting CUPS Filters - Font Embed Shared library
Closes: 741318
Changes:
cups-filters (1.0.47-1) unstable; urgency=medium
.
* New upstream release 1.0.47
- pdftoopvp: SECURITY FIX for CVE-2013-6474, CVE-2013-6475,
and CVE-2013-6476: Introduction of gmallocn and gmallocn3
to protect against arbitrary code execution with the
privileges of the "lp" user via malicious PDF files. Also
restrict the directory from where OPVP drivers can get
loaded (Closes: #741318)
- urftopdf: SECURITY FIX for CVE-2013-6473: Two heap-based
buffer overflow flaws in urftopdf. If a malicious URF file
were processed it could lead to arbitrary code execution
with the privileges of the "lp" user (Closes: #741318)
.
[ Till Kamppeter ]
* Demote Dependency of cups-browsed on avahi-daemon to Recommends, also
remove "on started avahi-daemon" from the "start on ..." rule in
/etc/init/cups-browsed.conf (LP: #1242185, LP: #1178172)
Checksums-Sha1:
9952f45c5cdf26e369a55898f30e4f01777a6f2f 2681 cups-filters_1.0.47-1.dsc
1645b70f83c9e3722860848c6db67a5916d480a7 1310256 cups-filters_1.0.47.orig.tar.xz
12ef54f8c1719245e961dfdce7475177665f454e 63588 cups-filters_1.0.47-1.debian.tar.xz
a1aa9605a0b16721af720c67a365a89424f44299 96948 libcupsfilters1_1.0.47-1_amd64.deb
556797a3793c25d6dc6f5412805e57f6d8849c83 66326 libfontembed1_1.0.47-1_amd64.deb
abf229126bb10eda706d55bf6a631ecc585b3360 471774 cups-filters_1.0.47-1_amd64.deb
e444b99e1fa81e4b52ccd79a19120f4d68a7a2a6 131666 cups-filters-core-drivers_1.0.47-1_amd64.deb
73375f8f87094a9ae0709391b2775dbd004e98f4 103174 libcupsfilters-dev_1.0.47-1_amd64.deb
697f3085ba18ae9e6c1a57d04696dc9f48a5099e 69052 libfontembed-dev_1.0.47-1_amd64.deb
4163980c2b7fbe466999fb31baada35829b33fb1 71280 cups-browsed_1.0.47-1_amd64.deb
Checksums-Sha256:
e18ffd9634e7a58a858e6df4c8a9db44600985b070b6fec2dc36b9e6e25f0cda 2681 cups-filters_1.0.47-1.dsc
5c49f221f0b2954584eb17303e618a2db59027434d9a48a89c11faf03a9f0870 1310256 cups-filters_1.0.47.orig.tar.xz
adfdeb38e398096f026896c53265de31582988df39803af9d44c26e94798dee4 63588 cups-filters_1.0.47-1.debian.tar.xz
af35af575991d3325f2c119c808282603f7c6d1d688e202de4391a73702fe1dd 96948 libcupsfilters1_1.0.47-1_amd64.deb
8901cd9eab1c66f8b82c925bfd5128751e751c9d0f5b1f120a7c86616e6acd0a 66326 libfontembed1_1.0.47-1_amd64.deb
6da88d8d6412c478d4ffa0981e1b754dfe742a5e918bc329d04d48485aa08255 471774 cups-filters_1.0.47-1_amd64.deb
4095c6aee8b5a416699acedfebbfb353ea08850f5c9a5af325ae9ab9df9c1220 131666 cups-filters-core-drivers_1.0.47-1_amd64.deb
c82a9566486d39161ff8d89c88535607ffaf45924618d3f684ea4c155573a471 103174 libcupsfilters-dev_1.0.47-1_amd64.deb
08f8e818edc535f5745ea874ebe3e33cc19b32761c5a7a3ba61e5eceaaeca8c1 69052 libfontembed-dev_1.0.47-1_amd64.deb
e1ce21ffe8b4c4e8e15a74c99c20f64e63f9b96370faf1eb69ae4b9eea57462a 71280 cups-browsed_1.0.47-1_amd64.deb
Files:
8a686707fbbaf3c8a33cce8d559f085a 2681 net optional cups-filters_1.0.47-1.dsc
c1baecc8996c97af1ffe58b5f2046e86 1310256 net optional cups-filters_1.0.47.orig.tar.xz
e73ac72ace3df789f7d8056e430f461b 63588 net optional cups-filters_1.0.47-1.debian.tar.xz
b2b6be26840c8a2a864df35c9ff44c47 96948 libs optional libcupsfilters1_1.0.47-1_amd64.deb
f745beaa2ff0dc09b08ae6fed6b4775c 66326 libs optional libfontembed1_1.0.47-1_amd64.deb
9835325329e2e41a32007c51d7f24e8b 471774 net optional cups-filters_1.0.47-1_amd64.deb
ceccf06694de655b2c79797f9b835261 131666 net optional cups-filters-core-drivers_1.0.47-1_amd64.deb
b33814e62d433ea481b74875ac303232 103174 libdevel optional libcupsfilters-dev_1.0.47-1_amd64.deb
14c0601385265b63f14987022da78cf7 69052 libdevel optional libfontembed-dev_1.0.47-1_amd64.deb
054d2d6300c90ba1d954c401e0a9d631 71280 net optional cups-browsed_1.0.47-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAEBCAAGBQJTHwiEAAoJEIvPpx7KFjRVC6oMAI9aAlG9lGp3VlndqaW4gUS6
AoS9N8pua2xfDajYoAyp8+OT9kTs4oT3NgC4TJpougRJhp5GNvTlA1fZizJe+Q5J
strPOAd4gWusN9v8II4n84xrZRs/aPRUkYm8Ux2NSjPkbP9j5c0ZXiqHWDywnV2M
3qLFAa2OWUc+UFYmaZ7/4J3tpu1CDJavLsMdB5Ehr7l2J8C+IH/9O3Q092bqxh9H
G1FLToNXm84S8eY5cHoSb7MpzLJ8DgEZPqqsyYJibTT4HDEplWXu1w4oG+yXFe9m
5c+YZ9+iqfGF5byWCXgClCqsJ1ejWV9WzkI9b5PJulrCO2cJSnLbqHVTdWvusa5R
E8MsK7jxQxKiT5bbBrQJQHUT3PlcMezf4aVyThOpu9v10y6i3hOGf3l/R3Li9CZF
mdSqVQcH/71qVYEo3nHo81EQqO0q7L2m5JZE5HmdTTfOd6iw8VYhf8OYnhfY3T/V
JNNw2UlQvk0JOPNO8qov55NUudyCMI1bxG35C+KJvQ==
=jT5t
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#741318; Package cups-filters.
(Tue, 11 Mar 2014 13:39:10 GMT) (full text, mbox, link).
Acknowledgement sent
to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>.
(Tue, 11 Mar 2014 13:39:10 GMT) (full text, mbox, link).
Message #33 received at 741318@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi dear security team,
Le mardi, 11 mars 2014, 11.50:27 Didier 'OdyX' Raboud a écrit :
> > CVE-2013-6474:
> > CVE-2013-6475:
> > CVE-2013-6476:
> > http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/
> > re vision/7176
> >
> > I haven't checked the filters from src:cups in oldstable yet.
>
> This affects cups-filters in stable too, I'll prepare an updated
> package.
The proposed debdiff for stable-security is attached (straightforward
backport + changelog).h
Can I proceed with the upload?
Cheers,
OdyX
[cups-filters_1.0.18-2.1+deb7u1.debdiff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Didier Raboud <odyx@debian.org>:
You have taken responsibility.
(Sun, 16 Mar 2014 19:51:44 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.
(Sun, 16 Mar 2014 19:51:44 GMT) (full text, mbox, link).
Message #38 received at 741318-close@bugs.debian.org (full text, mbox, reply):
Source: cups-filters
Source-Version: 1.0.18-2.1+deb7u1
We believe that the bug you reported is fixed in the latest version of
cups-filters, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 741318@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups-filters package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 11 Mar 2014 14:03:57 +0100
Source: cups-filters
Binary: libcupsfilters1 cups-filters libcupsfilters-dev
Architecture: source amd64
Version: 1.0.18-2.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description:
cups-filters - OpenPrinting CUPS Filters
libcupsfilters-dev - OpenPrinting CUPS Filters - Development files for the library
libcupsfilters1 - OpenPrinting CUPS Filters - Shared library
Closes: 741318
Changes:
cups-filters (1.0.18-2.1+deb7u1) stable-security; urgency=high
.
* Backport security fix from cups-filters 1.0.47:
pdftoopvp: SECURITY FIX for CVE-2013-6474, CVE-2013-6475, and
CVE-2013-6476: Introduction of gmallocn and gmallocn3 to protect against
arbitrary code execution with the privileges of the "lp" user via
malicious PDF files. Also restrict the directory from where OPVP drivers
can get loaded (Closes: #741318)
Checksums-Sha1:
e8efd8a886f21a95b648a6911fada91d3fc5f60f 2331 cups-filters_1.0.18-2.1+deb7u1.dsc
00fa6d585a4b546b36d0f4a92855a43982933875 1022509 cups-filters_1.0.18.orig.tar.gz
9e86b8b6e5ce25ed72fc86d43e9848e8b3577d90 42634 cups-filters_1.0.18-2.1+deb7u1.debian.tar.gz
4c2a140c6d9c3d781ba0d5581b92a990a8ebda25 65740 libcupsfilters1_1.0.18-2.1+deb7u1_amd64.deb
bcc53db485f08448dec57f3c562930dab8202514 387130 cups-filters_1.0.18-2.1+deb7u1_amd64.deb
a44c05253eff7270d8c3a0228921f2aae351f3b1 76752 libcupsfilters-dev_1.0.18-2.1+deb7u1_amd64.deb
Checksums-Sha256:
bb6ec5c361e2055dce9a0c697a3b565ef4ac338fc9caeaa45a65cc0cc80434e5 2331 cups-filters_1.0.18-2.1+deb7u1.dsc
6926980653e7cb5f94b91921517678cca7f0e6781364823a05f7b4b0ec919106 1022509 cups-filters_1.0.18.orig.tar.gz
9ab29ee0c71eb7b5c11063e8094f0b08e91a4c604bf66b76ae70407a0dfb6ff2 42634 cups-filters_1.0.18-2.1+deb7u1.debian.tar.gz
44350be3b210b6728b13a5ce8a09fcf9a4799563153fec37eefc1b404d7294d7 65740 libcupsfilters1_1.0.18-2.1+deb7u1_amd64.deb
c11bc67afe1c43caf48eb6419d01ccebb008e99c862b6c42131c62025d2b420f 387130 cups-filters_1.0.18-2.1+deb7u1_amd64.deb
547f453f5c46975b899630b27cb973c7b7b32a0137fcb6acc346443a5b79de45 76752 libcupsfilters-dev_1.0.18-2.1+deb7u1_amd64.deb
Files:
154983b5286a45c564b28d3f884ca518 2331 net optional cups-filters_1.0.18-2.1+deb7u1.dsc
63972b426b7224915cdbb42b2a937374 1022509 net optional cups-filters_1.0.18.orig.tar.gz
148d683c261510862b3589cc42ecb469 42634 net optional cups-filters_1.0.18-2.1+deb7u1.debian.tar.gz
af130d679362919bf04b02275760b0d9 65740 libs optional libcupsfilters1_1.0.18-2.1+deb7u1_amd64.deb
21b027e21028a8d24a29cb8f3b72ca18 387130 net optional cups-filters_1.0.18-2.1+deb7u1_amd64.deb
c21d78b73949cde82612321e69df310a 76752 libdevel optional libcupsfilters-dev_1.0.18-2.1+deb7u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAEBCAAGBQJTHxhAAAoJEIvPpx7KFjRVaIkL+QEEQRAQNGzBWFzzMukWyTaf
vJ+GTIjj8rTq/ND2RwBDGALOWt4mTaapAkPwTupwdpNTsnRsVDxEQQZBPWq80nUc
XuhyLDC77GP5+roqJ/6VPUUTH/60Ou4jRvW90A7CGrIyTKgBIUm9v7D4+o9AF9Pd
pJVHSUKICSUIQRCnx+nAoUrJ3KT2bfzdGNo11B3chia8Ud8y+EyRdYoeVQKQz4gS
pUGiAqCR0wQyUCISc5X+2tVlJbbDUCuWJT7jfotcbVXOByCeYwDE3BISfT8nw25V
vq0PG+IWzm5t/DWyQrW1IO8lsOmnBotlH3dnjENlZvjhHMvUb2SUicKghTDAqlyZ
zd10x8ef9oLHMnvEkY+icrRyHF5UveLckpyXyUholEf2zW7wucwhyrRVUKPJAqEb
2KssFSnrWgePYQoRx5au28noPy1kttYEj1t/4OdzzypJ/9ok0++JVOG1wFIypVv3
2UH6wrBc4I4p5r+/eENDzIsXJ+i2oq/pQyspvGHk8g==
=r5uh
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 14 Apr 2014 07:26:16 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:13:28 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon