Re: cups-filters 1.2.0 released!

To: Till Kamppeter <till.kamppeter@gmail.com>, Debian Security Team <team@security.debian.org>
Cc: debian-printing@lists.debian.org
Subject: Re: cups-filters 1.2.0 released!
From: Didier 'OdyX' Raboud <odyx@debian.org>
Date: Mon, 30 Nov 2015 22:21:58 +0100
Message-id: <[🔎] 2725023.9BFnctctQb@odyx.org>
In-reply-to: <[🔎] 565766B0.7010204@gmail.com>
References: <[🔎] 565766B0.7010204@gmail.com>

Hi Till,

Le jeudi, 26 novembre 2015, 18.08:16 Till Kamppeter a écrit :
> I have released cups-filters 1.2.0 now, with the following changes:
> 
> - cups-browsed: When using IP-address-based device URIs via the
> "IPBasedDeviceURIs" directive in cups-browsed.conf, add two additional
> settings to restrict the used IP addresses to either only IPv4
> addresses or only IPv6 addresses.
> - foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as an
> illegal shell escape character. Thanks to Michal Kowalczyk from the
> Google Security Team for the hint (CVE-2015-8327).

Uploaded, thanks!

I'm hereby CC'ing the security team to discuss the backport of that 
security fix (patch CC'ed) to jessie-security. At this stage, I don't 
have more details than the above, can you share more Till?

Cheers,
OdyX

diff --git a/debian/changelog b/debian/changelog
index 5a05047..449b9eb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cups-filters (1.0.61-5+deb8u2) jessie-security; urgency=high
+
+  * Backport upstream fixes to also consider the back tick ('`') as an illegal
+    shell escape character (CVE-2015-8327)
+
+ -- Didier Raboud <odyx@debian.org>  Mon, 30 Nov 2015 21:52:45 +0100
+
 cups-filters (1.0.61-5+deb8u1) jessie-security; urgency=high
 
   * Backport upstream fixes for buffer overflows on size allocation in texttopdf
diff --git a/debian/patches/r7406_also_consider_the_back_tick_as_an_illegal_shell_escape_character.patch b/debian/patches/r7406_also_consider_the_back_tick_as_an_illegal_shell_escape_character.patch
new file mode 100644
index 0000000..45fe9c4
--- /dev/null
+++ b/debian/patches/r7406_also_consider_the_back_tick_as_an_illegal_shell_escape_character.patch
@@ -0,0 +1,19 @@
+Description: foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as
+ an illegal shell escape character. Thanks to Michal Kowalczyk from the Google
+ Security Team for the hint.
+Author: Till Kamppeter <till.kamppeter@gmail.com>
+Bug-CVE: CVE-2015-8327
+Origin: upstream
+Last-Update: 2015-11-26
+
+--- a/filter/foomatic-rip/util.c
++++ b/filter/foomatic-rip/util.c
+@@ -31,7 +31,7 @@
+ #include <assert.h>
+ 
+ 
+-const char* shellescapes = "|<>&!$\'\"#*?()[]{}";
++const char* shellescapes = "|<>&!$\'\"`#*?()[]{}";
+ 
+ const char * temp_dir()
+ {
diff --git a/debian/patches/series b/debian/patches/series
index 67c23a3..2dd1634 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 r7303_browsed_support_BrowseAllow_all.patch
 r7333_fixed_a_security_bug_in_remove_bad_chars_failing_to_reliably_filter_out_illegal_characters.patch
 r7363-r7365_fixed_buffer_overflow_on_size_allocation_of_texttopdf.patch
+r7406_also_consider_the_back_tick_as_an_illegal_shell_escape_character.patch

Reply to:

References:
- cups-filters 1.2.0 released!
  - From: Till Kamppeter <till.kamppeter@gmail.com>

Prev by Date: Re: Problem moving /usr/share/cups/mime/mime.convs from cups-server-common to cups-core-drivers
Next by Date: cups-filters_1.2.0-1_source.changes ACCEPTED into unstable
Previous by thread: cups-filters 1.2.0 released!
Next by thread: CUPS upload
Index(es):
- Date
- Thread