cups-filters: CVE-2014-2707: remote command injection in cups-browsed

Related Vulnerabilities: CVE-2014-2707  

Debian Bug report logs - #743470

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 3 Apr 2014 04:45:07 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version cups-filters/1.0.50-1

Fixed in version cups-filters/1.0.51-1

Done: Didier Raboud <odyx@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#743470; Package src:cups-filters. (Thu, 03 Apr 2014 04:45:12 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Printing Team <debian-printing@lists.debian.org>. (Thu, 03 Apr 2014 04:45:12 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cups-filters: CVE-2014-2707: remote command injection in cups-browsed
Date: Thu, 03 Apr 2014 06:43:18 +0200
Source: cups-filters
Version: 1.0.50-1
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole

Hi

See [1] and [2]:

 [1] https://bugzilla.redhat.com/show_bug.cgi?id=1083326
 [2] http://seclists.org/oss-sec/2014/q2/3

AFAICS this was introduced in 1.0.41 and wheezy is not affected by the
issue.

Ubuntu has already fixed it with the 1.0.51-0ubuntu1 upload.

Regards and thanks for your work,
Salvatore



Reply sent to Didier Raboud <odyx@debian.org>:
You have taken responsibility. (Thu, 03 Apr 2014 09:51:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 03 Apr 2014 09:51:06 GMT)


Message #10 received at 743470-close@bugs.debian.org:

From: Didier Raboud <odyx@debian.org>
To: 743470-close@bugs.debian.org
Subject: Bug#743470: fixed in cups-filters 1.0.51-1
Date: Thu, 03 Apr 2014 09:49:44 +0000
Source: cups-filters
Source-Version: 1.0.51-1

We believe that the bug you reported is fixed in the latest version of
cups-filters, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 743470@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups-filters package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 03 Apr 2014 11:11:10 +0200
Source: cups-filters
Binary: libcupsfilters1 libfontembed1 cups-filters cups-filters-core-drivers libcupsfilters-dev libfontembed-dev cups-browsed
Architecture: source amd64
Version: 1.0.51-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description: 
 cups-browsed - OpenPrinting CUPS Filters - cups-browsed
 cups-filters - OpenPrinting CUPS Filters - Main Package
 cups-filters-core-drivers - OpenPrinting CUPS Filters - PPD-less printing
 libcupsfilters-dev - OpenPrinting CUPS Filters - Development files for the library
 libcupsfilters1 - OpenPrinting CUPS Filters - Shared library
 libfontembed-dev - OpenPrinting CUPS Filters - Development files for font embed libr
 libfontembed1 - OpenPrinting CUPS Filters - Font Embed Shared library
Closes: 743470
Changes: 
 cups-filters (1.0.51-1) unstable; urgency=medium
 .
   * New upstream bug fix release
      - cups-browsed: SECURITY FIX to prevent arbitrary code
        injection into the System V interface scripts generated for
        queues for discovered native IPP printers by a malicious IPP
        print service with forged make/model and/or PDL string.
        CVE-2014-2707 (Closes: #743470)
 .
   [ Didier Raboud ]
   * Add patch to explicitly link to libm as -lm was dropped from
     cups-config --libs

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
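
The changelog above describes forged make/model and PDL strings from an IPP service ending up inside a generated System V interface script. The following is an added example, not the upstream patch and not cups-browsed code: it shows one defensive pattern for that situation, an allowlist filter followed by POSIX single-quote quoting before a network-supplied value is written into a shell script. The function names, the allowed character set, the `MAKE_MODEL` variable and the sample value are assumptions made for illustration.

```c
/* Added example (not cups-browsed code); function names are illustrative. */
#include <stdio.h>
#include <string.h>

/* Allowlist filter: any byte outside the set becomes '_'. -1 if out is too small. */
int sanitize_attr(const char *in, char *out, size_t outlen)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ._-+/,";
    size_t n = strlen(in);
    if (n + 1 > outlen) return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = strchr(ok, in[i]) ? in[i] : '_';
    out[n] = '\0';
    return 0;
}

/* POSIX single-quote quoting: wrap in '...' and write each embedded ' as '\''. */
int shell_quote(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen < 3) return -1;
    out[o++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (o + need + 2 > outlen) return -1;  /* room for closing ' and NUL */
        if (need == 4) { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *in;
    }
    out[o++] = '\''; out[o] = '\0';
    return 0;
}

/* Build one VAR='value' line for a generated script; fail closed on overflow.
   var is chosen by the caller and is trusted; only the value is untrusted. */
int script_assignment(const char *var, const char *untrusted, char *out, size_t outlen)
{
    char clean[256], quoted[1024];
    if (sanitize_attr(untrusted, clean, sizeof clean) != 0) return -1;
    if (shell_quote(clean, quoted, sizeof quoted) != 0) return -1;
    int n = snprintf(out, outlen, "%s=%s\n", var, quoted);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char line[1200];  /* the value below is a constructed sample, not a real printer */
    if (script_assignment("MAKE_MODEL", "Acme 'Laser' $(id)", line, sizeof line) == 0)
        fputs(line, stdout);
    return 0;
}
```

Either step alone leaves a gap: quoting without filtering still passes newlines and control bytes into the script, and filtering without quoting depends on the allowlist never growing a shell metacharacter.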




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 25 May 2014 07:40:20 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:39:22 2019; Machine Name: beach
