Your message dated Fri, 11 Apr 2008 19:52:38 +0000
with message-id <E1JkPIc-0008GN-Le@ries.debian.org>
and subject line Bug#472105: fixed in cupsys 1.2.7-4etch3
has caused the Debian Bug report #472105,
regarding cupsys: CVE-2008-0047 buffer overflow in cgi applications using crafted search queries
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
472105: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=472105
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: cupsys: CVE-2008-0047 buffer overflow in cgi applications using crafted search queries
- From: Nico Golde <nion@debian.org>
- Date: Sat, 22 Mar 2008 03:21:29 +0100
- Message-id: <20080322022129.GA21608@ngolde.de>
Package: cupsys
Severity: important
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cupsys.

CVE-2008-0047[0]:
| Heap-based buffer overflow in CUPS in Apple Mac OS X 10.5.2, when
| printer sharing is enabled, allows remote attackers to execute
| arbitrary code via crafted search expressions.

Patch: https://bugzilla.redhat.com/attachment.cgi?id=296901

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0047

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
- To: 472105-close@bugs.debian.org
- Subject: Bug#472105: fixed in cupsys 1.2.7-4etch3
- From: Martin Pitt <mpitt@debian.org>
- Date: Fri, 11 Apr 2008 19:52:38 +0000
- Message-id: <E1JkPIc-0008GN-Le@ries.debian.org>
Source: cupsys
Source-Version: 1.2.7-4etch3

We believe that the bug you reported is fixed in the latest version of
cupsys, which is due to be installed in the Debian FTP archive:

cupsys-bsd_1.2.7-4etch3_i386.deb
  to pool/main/c/cupsys/cupsys-bsd_1.2.7-4etch3_i386.deb
cupsys-client_1.2.7-4etch3_i386.deb
  to pool/main/c/cupsys/cupsys-client_1.2.7-4etch3_i386.deb
cupsys-common_1.2.7-4etch3_all.deb
  to pool/main/c/cupsys/cupsys-common_1.2.7-4etch3_all.deb
cupsys-dbg_1.2.7-4etch3_i386.deb
  to pool/main/c/cupsys/cupsys-dbg_1.2.7-4etch3_i386.deb
cupsys_1.2.7-4etch3.diff.gz
  to pool/main/c/cupsys/cupsys_1.2.7-4etch3.diff.gz
cupsys_1.2.7-4etch3.dsc
  to pool/main/c/cupsys/cupsys_1.2.7-4etch3.dsc
cupsys_1.2.7-4etch3_i386.deb
  to pool/main/c/cupsys/cupsys_1.2.7-4etch3_i386.deb
libcupsimage2-dev_1.2.7-4etch3_i386.deb
  to pool/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch3_i386.deb
libcupsimage2_1.2.7-4etch3_i386.deb
  to pool/main/c/cupsys/libcupsimage2_1.2.7-4etch3_i386.deb
libcupsys2-dev_1.2.7-4etch3_i386.deb
  to pool/main/c/cupsys/libcupsys2-dev_1.2.7-4etch3_i386.deb
libcupsys2-gnutls10_1.2.7-4etch3_all.deb
  to pool/main/c/cupsys/libcupsys2-gnutls10_1.2.7-4etch3_all.deb
libcupsys2_1.2.7-4etch3_i386.deb
  to pool/main/c/cupsys/libcupsys2_1.2.7-4etch3_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 472105@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <mpitt@debian.org> (supplier of updated cupsys package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.7
Date: Sat, 22 Mar 2008 13:12:42 +0100
Source: cupsys
Binary: libcupsys2-dev cupsys libcupsys2 libcupsimage2 cupsys-common cupsys-client cupsys-dbg cupsys-bsd libcupsys2-gnutls10 libcupsimage2-dev
Architecture: source i386 all
Version: 1.2.7-4etch3
Distribution: stable-security
Urgency: high
Maintainer: noahm@debian.org
Changed-By: Martin Pitt <mpitt@debian.org>
Description:
 cupsys - Common UNIX Printing System(tm) - server
 cupsys-bsd - Common UNIX Printing System(tm) - BSD commands
 cupsys-client - Common UNIX Printing System(tm) - client programs (SysV)
 cupsys-common - Common UNIX Printing System(tm) - common files
 cupsys-dbg - Common UNIX Printing System(tm) - debugging symbols
 libcupsimage2 - Common UNIX Printing System(tm) - image libs
 libcupsimage2-dev - Common UNIX Printing System(tm) - image development files
 libcupsys2 - Common UNIX Printing System(tm) - libs
 libcupsys2-dev - Common UNIX Printing System(tm) - development files
 libcupsys2-gnutls10 - Common UNIX Printing System(tm) - dummy libs for transition
Closes: 467653 472105
Changes:
 cupsys (1.2.7-4etch3) stable-security; urgency=high
 .
   * Add 72_CVE-2008-0047.dpatch: Fix buffer overflow in cgiCompileSearch()
     using crafted search expressions. Exploitable if printer sharing is
     enabled. (CVE-2008-0047, STR #2729, Closes: #472105)
   * Add 73_CVE-2008-0882.dpatch: Fix double-free in process_browse_data(),
     which could be exploited to a remote DoS by sending crafted data to the
     cups UDP port. Thanks to Nico Golde for the report and dpatchifying!
     (CVE-2008-0882, STR #2656, Closes: #467653)
   * 47_pid.dpatch: Specify PidFile in temporary directory in the self test's
     cupsd.conf. This affects the test suite (in the sense that it actually
     works now) and does not affect the built binaries at all. (Backported
     from trunk).
--- End Message ---