Your message dated Sat, 22 Mar 2008 12:02:03 +0000
with message-id <E1Jd2QF-0003e4-V7@ries.debian.org>
and subject line Bug#472105: fixed in cupsys 1.3.6-3
has caused the Debian Bug report #472105,
regarding cupsys: CVE-2008-0047 buffer overflow in cgi applications using crafted search queries
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
472105: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=472105
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: cupsys: CVE-2008-0047 buffer overflow in cgi applications using crafted search queries
- From: Nico Golde <nion@debian.org>
- Date: Sat, 22 Mar 2008 03:21:29 +0100
- Message-id: <20080322022129.GA21608@ngolde.de>
Package: cupsys
Severity: important
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cupsys.

CVE-2008-0047[0]:
| Heap-based buffer overflow in CUPS in Apple Mac OS X 10.5.2, when
| printer sharing is enabled, allows remote attackers to execute
| arbitrary code via crafted search expressions.

Patch: https://bugzilla.redhat.com/attachment.cgi?id=296901

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0047

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
- To: 472105-close@bugs.debian.org
- Subject: Bug#472105: fixed in cupsys 1.3.6-3
- From: Martin Pitt <mpitt@debian.org>
- Date: Sat, 22 Mar 2008 12:02:03 +0000
- Message-id: <E1Jd2QF-0003e4-V7@ries.debian.org>
Source: cupsys
Source-Version: 1.3.6-3

We believe that the bug you reported is fixed in the latest version of
cupsys, which is due to be installed in the Debian FTP archive:

cupsys-bsd_1.3.6-3_i386.deb
  to pool/main/c/cupsys/cupsys-bsd_1.3.6-3_i386.deb
cupsys-client_1.3.6-3_i386.deb
  to pool/main/c/cupsys/cupsys-client_1.3.6-3_i386.deb
cupsys-common_1.3.6-3_all.deb
  to pool/main/c/cupsys/cupsys-common_1.3.6-3_all.deb
cupsys-dbg_1.3.6-3_i386.deb
  to pool/main/c/cupsys/cupsys-dbg_1.3.6-3_i386.deb
cupsys_1.3.6-3.diff.gz
  to pool/main/c/cupsys/cupsys_1.3.6-3.diff.gz
cupsys_1.3.6-3.dsc
  to pool/main/c/cupsys/cupsys_1.3.6-3.dsc
cupsys_1.3.6-3_i386.deb
  to pool/main/c/cupsys/cupsys_1.3.6-3_i386.deb
libcupsimage2-dev_1.3.6-3_i386.deb
  to pool/main/c/cupsys/libcupsimage2-dev_1.3.6-3_i386.deb
libcupsimage2_1.3.6-3_i386.deb
  to pool/main/c/cupsys/libcupsimage2_1.3.6-3_i386.deb
libcupsys2-dev_1.3.6-3_i386.deb
  to pool/main/c/cupsys/libcupsys2-dev_1.3.6-3_i386.deb
libcupsys2_1.3.6-3_i386.deb
  to pool/main/c/cupsys/libcupsys2_1.3.6-3_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 472105@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <mpitt@debian.org> (supplier of updated cupsys package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.7
Date: Sat, 22 Mar 2008 12:37:57 +0100
Source: cupsys
Binary: libcupsys2 libcupsimage2 cupsys cupsys-client libcupsys2-dev libcupsimage2-dev cupsys-bsd cupsys-common cupsys-dbg
Architecture: source all i386
Version: 1.3.6-3
Distribution: unstable
Urgency: high
Maintainer: Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>
Changed-By: Martin Pitt <mpitt@debian.org>
Description:
 cupsys - Common UNIX Printing System(tm) - server
 cupsys-bsd - Common UNIX Printing System(tm) - BSD commands
 cupsys-client - Common UNIX Printing System(tm) - client programs (SysV)
 cupsys-common - Common UNIX Printing System(tm) - common files
 cupsys-dbg - Common UNIX Printing System(tm) - debugging symbols
 libcupsimage2 - Common UNIX Printing System(tm) - image libs
 libcupsimage2-dev - Common UNIX Printing System(tm) - image development files
 libcupsys2 - Common UNIX Printing System(tm) - libs
 libcupsys2-dev - Common UNIX Printing System(tm) - development files
Closes: 472105
Changes:
 cupsys (1.3.6-3) unstable; urgency=high
 .
 [ Till Kamppeter ]
 * pdftops-cups-1.4.dpatch: Updated to Mike Sweet's patch version from
   CUPS STR #2716.
 * debian/patches/ppd-poll-with-client-conf.dpatch: If there is a
   client.conf pointing to a remote server, clients were not able to poll
   the PPD options from printers on that server (CUPS STRs #2731, #2763)
 .
 [ Martin Pitt ]
 * Urgency high due to security fix.
 * debian/local/apparmor-profile: Allow cups-pdf to read files in ~/PDF/, so
   that it can overwrite files. (LP: #161222)
 * Add cgiCompileSearch_buffer_overflow.dpatch: Fix buffer overflow in
   cgiCompileSearch() using crafted search expressions. Exploitable if
   printer sharing is enabled. (CVE-2008-0047, STR #2729, Closes: #472105)
--- End Message ---