
[SRM] foomatic-filters 4.0.5-6+squeeze2 security upload for CVE-2011-2924



Hi dear Release team,

as I noticed from the PTS that foomatic-filters is still affected by
CVE-2011-2924 on stable, here I am with a stable upload (I went to the
Security Team first and got asked to go through a point update instead).

(Note that the last upload of foomatic-filters to stable-security was to
fix the similar but not same CVE-2011-2964.)

The proposed patch (and full debdiff, but it's a diff-of-diff) is
attached as CVE-2011-2924.patch and was verbatim backported from the
upstream VCS at [ff256]. The proposed changelog is as follows:

foomatic-filters (4.0.5-6+squeeze2) stable; urgency=low

   * Fix CVE-2011-2924
    "foomatic-rip (debug mode) insecure temporary file use in renderer
     command line by processing PostScript data"
    - Backport debian/patches/CVE-2011-2924.patch from upstream, add
      DEP-3 headers.

Opinions?

OdyX

[ff256]
http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic/foomatic-filters/revision/256
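The fix in the changelog above replaces fixed /tmp paths with mkstemp()/mktemp-generated names. The C below is an added example, not code from this upload or from foomatic-filters, showing that pattern for a suffixed template and the caveat that mkstemp() only accepts templates ending in XXXXXX; it assumes LOG_FILE expands to the /tmp/foomatic-rip prefix named in the DEP-3 header, and the helper names are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                      /* glibc: expose mkstemps() and mkstemp() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int mkstemps(char *tmpl, int suffixlen); /* in case a strict -std= hides the prototype */
/* Assumption: LOG_FILE in the patch expands to this prefix (the DEP-3 header says /tmp/foomatic-rip). */
#define LOG_FILE "/tmp/foomatic-rip"

/* "<prefix>-XXXXXX<suffix>", created O_CREAT|O_EXCL mode 0600: a file or symlink planted at a
 * guessable /tmp name cannot capture the write. mkstemps() rewrites the X's in place: writable buffer only. */
static int open_unpredictable_file(const char *prefix, const char *suffix,
                                   char *path, size_t path_len)
{
    int n = snprintf(path, path_len, "%s-XXXXXX%s", prefix, suffix);
    if (n < 0 || (size_t)n >= path_len) return -1;
    /* mkstemp() insists the template END in XXXXXX; a suffix needs mkstemps(). */
    return mkstemps(path, (int)strlen(suffix));
}

/* The pitfall in the patch: mkstemp() on a template with ".log" after the X's.
 * Returns 1 only if a file with a randomised name was actually created. */
int suffixed_mkstemp_randomizes(void)
{
    char tmpl[] = LOG_FILE "-XXXXXX.log";  /* writable copy of the patch's template */
    int fd = mkstemp(tmpl);                /* glibc rejects it: EINVAL, fd == -1 */
    if (fd == -1) return 0;
    close(fd); unlink(tmpl);
    return strstr(tmpl, "XXXXXX") == NULL;
}

/* Open the debug log the safe way. Returns 1 when the file was written and its name
 * has the expected shape (prefix, no X's left, ".log" suffix), -1 on failure. */
int demo_debug_log(void)
{
    char path[256];
    int fd = open_unpredictable_file(LOG_FILE, ".log", path, sizeof path);
    if (fd == -1) return -1;
    FILE *logh = fdopen(fd, "w");
    if (!logh) { close(fd); unlink(path); return -1; }
    fprintf(logh, "debug log opened at %s\n", path);
    fclose(logh);
    unlink(path);                          /* remove the demo file again */
    return strncmp(path, LOG_FILE "-", strlen(LOG_FILE) + 1) == 0
        && strstr(path, "XXXXXX") == NULL
        && strcmp(path + strlen(path) - 4, ".log") == 0;
}
```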
diff -Nru foomatic-filters-4.0.5/debian/changelog foomatic-filters-4.0.5/debian/changelog
--- foomatic-filters-4.0.5/debian/changelog	2012-01-04 11:25:56.000000000 +0100
+++ foomatic-filters-4.0.5/debian/changelog	2012-03-06 13:16:59.000000000 +0100
@@ -1,3 +1,13 @@
+foomatic-filters (4.0.5-6+squeeze2) stable; urgency=low
+
+  * Fix CVE-2011-2924
+    "foomatic-rip (debug mode) insecure temporary file use in renderer command
+     line by processing PostScript data"
+    - Backport debian/patches/CVE-2011-2924.patch from upstream, add DEP-3
+      headers.
+
+ -- Didier Raboud <odyx@debian.org>  Tue, 06 Mar 2012 13:16:50 +0100
+
 foomatic-filters (4.0.5-6+squeeze1) stable-security; urgency=high
 
   * Fix CVE-2011-2964
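Review bot: the new changelog entry carries no `Closes:` reference for CVE-2011-2924, so if a Debian bug is open for it the BTS will not be updated when the point update is accepted; add it if one exists. Also, the entry uses `urgency=low` while the preceding squeeze1 entry for the sibling CVE used `urgency=high`; the field is informational for a stable point update, but consider aligning the two.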
diff -Nru foomatic-filters-4.0.5/debian/patches/CVE-2011-2924.patch foomatic-filters-4.0.5/debian/patches/CVE-2011-2924.patch
--- foomatic-filters-4.0.5/debian/patches/CVE-2011-2924.patch	1970-01-01 01:00:00.000000000 +0100
+++ foomatic-filters-4.0.5/debian/patches/CVE-2011-2924.patch	2012-03-06 11:45:02.000000000 +0100
@@ -0,0 +1,61 @@
+Description: fix insecure temporary file handling
+ .
+ From upstream changelog entry:
+ .
+ foomaticrip.c, renderer.c: SECURITY FIX: Use the mktemp shell
+ command/mkstemp() function to create the debug log file and the
+ renderer input data file (both files only generated when
+ foomatic-rip is un in debug mode) with file names with an
+ unpredictable part. The names are /tmp/foomatic-rip-XXXXXX.log and
+ /tmp/foomatic-rip-YYYYYY.ps where the XXXXXX and YYYYYY are
+ replaced by random strings. Thanks to Tim Waugh from Red Hat for
+ for the patch (bug #936, CVE-2011-2924).
+
+Acked-by: Till Kamppeter <till.kamppeter@gmail.com>
+Author: Tim Waugh <twaugh@redhat.com>
+Origin: upstream, http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic/foomatic-filters/revision/256
+Bug-CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2924
+Last-Update: 2012-03-06
+
+--- a/foomaticrip.c
++++ b/foomaticrip.c
+@@ -1173,9 +1173,13 @@
+     if (arglist_remove_flag(arglist, "--debug"))
+         debug = 1;
+ 
+-    if (debug)
+-        logh = fopen(LOG_FILE ".log", "w"); /* insecure, use for debugging only */
+-    else if (quiet && !verbose)
++    if (debug) {
++	int fd = mkstemp (LOG_FILE "-XXXXXX.log");
++	if (fd != -1)
++	    logh = fdopen(fd, "w");
++	else
++	    logh = stderr;
++    } else if (quiet && !verbose)
+         logh = NULL; /* Quiet mode, do not log */
+     else
+         logh = stderr; /* Default: log to stderr */
+@@ -1585,11 +1589,6 @@
+         /* TODO tbd */
+     }
+ 
+-    /* In debug mode save the data supposed to be fed into the
+-       renderer also into a file, reset the file here */
+-    if (debug)
+-        run_system_process("reset-file", "> " LOG_FILE ".ps");
+-
+     filename = strtok_r(filelist->data, " ", &p);
+     while (filename) {
+         _log("\n================================================\n\n"
+--- a/renderer.c
++++ b/renderer.c
+@@ -434,7 +434,7 @@
+         }
+ 
+         /* Save the data supposed to be fed into the renderer also into a file*/
+-        dstrprepend(commandline, "tee -a " LOG_FILE ".ps | ( ");
++        dstrprepend(commandline, "tee $(mktemp " LOG_FILE "-XXXXXX.ps) | ( ");
+         dstrcat(commandline, ")");
+     }
+ 
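Review bot: the Description block (the lines starting `+ foomaticrip.c, renderer.c: SECURITY FIX`) carries two typos over from the upstream changelog: `foomatic-rip is un in debug mode` should read `run in`, and `Thanks to Tim Waugh from Red Hat for for the patch` doubles `for`. Since this DEP-3 header is Debian-side text rather than the upstream diff, fix them here. The remaining headers look complete for DEP-3: `Origin` names the bzr revision 256 mentioned in the mail, and `Author` and `Acked-by` are set.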
diff -Nru foomatic-filters-4.0.5/debian/patches/series foomatic-filters-4.0.5/debian/patches/series
--- foomatic-filters-4.0.5/debian/patches/series	2012-01-04 11:04:11.000000000 +0100
+++ foomatic-filters-4.0.5/debian/patches/series	2012-03-06 11:45:02.000000000 +0100
@@ -1,3 +1,4 @@
 strncpy-tochar-use-isempty.patch
 unhtmlify-segfault.patch
 CVE-2011-2964.patch
+CVE-2011-2924.patch
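Review bot: appending `CVE-2011-2924.patch` after `CVE-2011-2964.patch` is the right position for a stacked quilt series, but the hunk offsets in the new patch (`@@ -1173` and `@@ -1585` in foomaticrip.c, `@@ -434` in renderer.c) come verbatim from upstream revision 256 rather than from the squeeze tree with the three earlier patches applied; confirm that `quilt push -a` applies it without fuzz or offset before uploading.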
Description: fix insecure temporary file handling
 .
 From upstream changelog entry:
 .
 foomaticrip.c, renderer.c: SECURITY FIX: Use the mktemp shell
 command/mkstemp() function to create the debug log file and the
 renderer input data file (both files only generated when
 foomatic-rip is un in debug mode) with file names with an
 unpredictable part. The names are /tmp/foomatic-rip-XXXXXX.log and
 /tmp/foomatic-rip-YYYYYY.ps where the XXXXXX and YYYYYY are
 replaced by random strings. Thanks to Tim Waugh from Red Hat for
 for the patch (bug #936, CVE-2011-2924).

Acked-by: Till Kamppeter <till.kamppeter@gmail.com>
Author: Tim Waugh <twaugh@redhat.com>
Origin: upstream, http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic/foomatic-filters/revision/256
Bug-CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2924
Last-Update: 2012-03-06

--- a/foomaticrip.c
+++ b/foomaticrip.c
@@ -1173,9 +1173,13 @@
     if (arglist_remove_flag(arglist, "--debug"))
         debug = 1;
 
-    if (debug)
-        logh = fopen(LOG_FILE ".log", "w"); /* insecure, use for debugging only */
-    else if (quiet && !verbose)
+    if (debug) {
+	int fd = mkstemp (LOG_FILE "-XXXXXX.log");
+	if (fd != -1)
+	    logh = fdopen(fd, "w");
+	else
+	    logh = stderr;
+    } else if (quiet && !verbose)
         logh = NULL; /* Quiet mode, do not log */
     else
         logh = stderr; /* Default: log to stderr */
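Review bot: `mkstemp (LOG_FILE "-XXXXXX.log")` cannot work as written. mkstemp() overwrites the six X's inside its argument, so passing a string literal is undefined behaviour, and glibc also requires the template to end in `XXXXXX`; with the trailing `.log` it returns -1 with EINVAL before touching the buffer, so this branch always falls through to `logh = stderr` and no debug log file is created. The change is still safe (nothing is written to a predictable path any more), but to keep the debug log working use a writable buffer and mkstemps() for the suffix, e.g. `char tmpl[] = LOG_FILE "-XXXXXX.log"; int fd = mkstemps(tmpl, 4);`. Separately, a NULL return from `fdopen(fd, "w")` is not handled and would leave `logh` NULL, which the code below treats as quiet mode, silently discarding debug output.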
@@ -1585,11 +1589,6 @@
         /* TODO tbd */
     }
 
-    /* In debug mode save the data supposed to be fed into the
-       renderer also into a file, reset the file here */
-    if (debug)
-        run_system_process("reset-file", "> " LOG_FILE ".ps");
-
     filename = strtok_r(filelist->data, " ", &p);
     while (filename) {
         _log("\n================================================\n\n"
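Review bot: removing the `run_system_process("reset-file", "> " LOG_FILE ".ps")` call is correct and necessary: it was itself a shell redirection onto a fixed, predictable /tmp path, and with renderer.c now writing each run into a freshly created mktemp file there is nothing left to truncate. The one regression for people debugging is that the `.ps` file name is now chosen inside the renderer's shell pipeline and never reported; consider `_log`-ing where the renderer input was saved, since this function already uses `_log` for the per-file banner.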
--- a/renderer.c
+++ b/renderer.c
@@ -434,7 +434,7 @@
         }
 
         /* Save the data supposed to be fed into the renderer also into a file*/
-        dstrprepend(commandline, "tee -a " LOG_FILE ".ps | ( ");
+        dstrprepend(commandline, "tee $(mktemp " LOG_FILE "-XXXXXX.ps) | ( ");
         dstrcat(commandline, ")");
     }
 
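Review bot: `tee $(mktemp " LOG_FILE "-XXXXXX.ps)` depends on the mktemp(1) in use accepting characters after the X's: GNU coreutils mktemp treats a trailing `.ps` as an implied `--suffix`, but other implementations reject such templates, in which case the command substitution expands to nothing and `tee` just passes the data through, a safe failure that nonetheless silently disables the debugging feature. Because the name is now generated by the shell, `LOG_FILE` must contain no shell metacharacters; it is a build-time constant here, so that holds, but a comment to that effect would help the next maintainer. Replacing `tee -a` onto a fixed path, where a pre-planted symlink redirects the append, with `tee` onto a fresh 0600 file created by mktemp is what closes the CVE.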
