On Sat, Aug 14, 2010 at 13:48:43 +0200, Till Kamppeter wrote:
> On 01/-10/-28163 08:59 PM, Julien Cristau wrote:
> > On Thu, Aug 12, 2010 at 10:27:32 +0200, Didier 'OdyX' Raboud wrote:
> >
> > > So it is IMHO safe to allow on the Debian side too. What do you think?
> > >
> > Ignoring the upstream changes for a moment, I'm uncomfortable with the
> > packaging overhaul.
>
> I think the new packaging is much better than the classic one: the
> debian/rules file is less cluttered, consisting more or less only of
> the exceptions from a standard build, and the changes and additions
> against the original source (usually only the debian/ directory) are
> in a tarball, which also allows setting permissions, including empty
> files, ...
>
Maybe so, but a freeze is not the right time for these changes IMO.

> > Lots of buffers with a static size in this code btw, it makes baby Jesus
> > cry. At the very least people should learn sizeof or #define instead of
> > having to remember all the places they need to change the size of the
> > buffers.
> >
>
> This problem existed already from foomatic-filters 4.0.0 on, so it
> is not newly introduced with 4.0.5, so it should not be the reason
> to reject a Feature-Freeze exception.

First, this is not Ubuntu (we don't have a feature freeze). Second, this
was just something I noticed while reviewing the diff between the
packages. It's certainly not more of an issue with the new package than
with the old one, so it's not going to affect the decision on a freeze
exception.

> Lars, can you look into changing the code not to use
> statically-sized buffers or at least make it easier to change the
> size of the buffers?
>
> > Things like pdf_count_pages make me think shell code injection, but I
> > don't know what privileges it's running with or if it controls the file
> > name.
>
> It is usually running as the user "lp". The input file is not
> directly executed by Ghostscript as a PostScript program, but read
> in as a PDF file for the PDF interpreter. So inserting a malicious
> PostScript program as input file here should not work.
>
> If foomatic-rip does not run as the calling user, it is run by CUPS
> as the user "lp". Then CUPS supplies the file name (usually of a
> temporary file which CUPS has put into /tmp). If foomatic-rip is
> called by CUPS with data streaming from stdin, foomatic-rip creates
> a temporary file by itself and generates the name for it. Then the
> function is called with this temporary file.
>
Ok, should be fine then. I was thinking of a scenario where the filename
would be user-controllable and contain shell metacharacters, allowing
some sort of code execution when passing that filename to the shell
through popen.

Cheers,
Julien
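The two points raised in the thread, a file name with shell metacharacters reaching popen() and command buffers sized by a magic number, as an added example that is not foomatic-rip's or CUPS's code. The gs command line is a placeholder (the real pdf_count_pages command is not reproduced here), CMD_MAX and the helper names are assumptions, and echo stands in for the external program so the hardened path can be run offline and show exactly which bytes the program received.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* One definition for every command buffer, so a size change is made once
 * and snprintf(..., sizeof buf, ...) picks it up everywhere. */
#define CMD_MAX 256

/* Hazardous shape: the file name is spliced into a command string that
 * popen() would hand to "sh -c".  This helper only builds the string so the
 * caller can inspect what the shell would have parsed; it never runs it.
 * The gs arguments are a placeholder, not foomatic-rip's real command line.
 * Returns 0, or -1 if the buffer was too small (snprintf truncated). */
int build_shell_command(const char *filename, char cmd[], size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen,
                     "gs -q -dNODISPLAY -c '(%s) count_pages' 2>&1", filename);
    return (n >= 0 && (size_t)n < cmdlen) ? 0 : -1;
}

/* Does the string contain anything sh(1) treats specially?  A file name
 * with one of these characters changes the meaning of the command above
 * (a single quote closes the quoted PostScript fragment, ';' starts a
 * second command, and so on). */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&$`'\"\\<>()[]{}*?~#!\n \t") != NULL;
}

/* Safe shape: run the program directly from an argv array via fork()/execvp(),
 * so no shell ever parses the file name; it arrives as one argument,
 * byte for byte.  Child stdout is captured into out (NUL-terminated).
 * Returns the child's exit status, or -1 on failure. */
int run_argv_capture(char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                       /* only reached if exec failed */
    }
    close(fds[1]);
    size_t got = 0;
    while (got < outlen - 1) {
        ssize_t r = read(fds[0], out + got, outlen - 1 - got);
        if (r <= 0) break;
        got += (size_t)r;
    }
    out[got] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed attacker-chosen file name; not a real input. */
    const char *evil = "job.pdf'; touch /tmp/pwned; echo '";
    char cmd[CMD_MAX];
    if (build_shell_command(evil, cmd, sizeof cmd) == 0)
        printf("what sh -c would parse: %s\n", cmd);
    printf("metacharacters present: %d\n", has_shell_metachars(evil));

    /* echo stands in for the real program and shows the argument it received. */
    char *argv[] = { "echo", (char *)evil, NULL };
    char out[CMD_MAX];
    if (run_argv_capture(argv, out, sizeof out) == 0)
        printf("argument seen by the program: %s", out);
    return 0;
}
```

The first printf shows the single quote in the file name closing the quoted fragment, after which `touch /tmp/pwned` would run as its own command if the string were given to popen(); the last shows that with execvp() the same bytes reach the program as one inert argument. In the scenario Till describes, where CUPS or foomatic-rip itself chooses the temporary file name, the metacharacters never arrive, which is why the thread concludes it is fine; the argv form removes the dependency on that assumption.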