Hi dear Release team,

as I noticed from the PTS that foomatic-filters is still affected by CVE-2011-2924 on stable, here I am with a stable upload (I went to the Security Team first and got asked to go through a point update instead). (Note that the last upload of foomatic-filters to stable-security was to fix the similar but not the same CVE-2011-2964.)

The proposed patch (and full debdiff, but it's a diff-of-diff) is attached as CVE-2011-2924.patch and was verbatim backported from the upstream VCS at [ff256]. The proposed changelog is as follows:

foomatic-filters (4.0.5-6+squeeze2) stable; urgency=low

  * Fix CVE-2011-2924
    "foomatic-rip (debug mode) insecure temporary file use in renderer command
    line by processing PostScript data"
    - Backport debian/patches/CVE-2011-2924.patch from upstream, add DEP-3
      headers.

Opinions?

OdyX

[ff256] http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic/foomatic-filters/revision/256
diff -Nru foomatic-filters-4.0.5/debian/changelog foomatic-filters-4.0.5/debian/changelog --- foomatic-filters-4.0.5/debian/changelog 2012-01-04 11:25:56.000000000 +0100 +++ foomatic-filters-4.0.5/debian/changelog 2012-03-06 13:16:59.000000000 +0100 @@ -1,3 +1,13 @@ +foomatic-filters (4.0.5-6+squeeze2) stable; urgency=low + + * Fix CVE-2011-2924 + "foomatic-rip (debug mode) insecure temporary file use in renderer command + line by processing PostScript data" + - Backport debian/patches/CVE-2011-2924.patch from upstream, add DEP-3 + headers. + + -- Didier Raboud <odyx@debian.org> Tue, 06 Mar 2012 13:16:50 +0100 + foomatic-filters (4.0.5-6+squeeze1) stable-security; urgency=high * Fix CVE-2011-2964 diff -Nru foomatic-filters-4.0.5/debian/patches/CVE-2011-2924.patch foomatic-filters-4.0.5/debian/patches/CVE-2011-2924.patch --- foomatic-filters-4.0.5/debian/patches/CVE-2011-2924.patch 1970-01-01 01:00:00.000000000 +0100 +++ foomatic-filters-4.0.5/debian/patches/CVE-2011-2924.patch 2012-03-06 11:45:02.000000000 +0100 
@@ -0,0 +1,61 @@ +Description: fix insecure temporary file handling + . + From upstream changelog entry: + . + foomaticrip.c, renderer.c: SECURITY FIX: Use the mktemp shell + command/mkstemp() function to create the debug log file and the + renderer input data file (both files only generated when + foomatic-rip is un in debug mode) with file names with an + unpredictable part. The names are /tmp/foomatic-rip-XXXXXX.log and + /tmp/foomatic-rip-YYYYYY.ps where the XXXXXX and YYYYYY are + replaced by random strings. Thanks to Tim Waugh from Red Hat for + for the patch (bug #936, CVE-2011-2924). + +Acked-by: Till Kamppeter <till.kamppeter@gmail.com> +Author: Tim Waugh <twaugh@redhat.com> +Origin: upstream, http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic/foomatic-filters/revision/256 +Bug-CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2924 +Last-Update: 2012-03-06 + +--- a/foomaticrip.c ++++ b/foomaticrip.c +@@ -1173,9 +1173,13 @@ + if (arglist_remove_flag(arglist, "--debug")) + debug = 1; + +- if (debug) +- logh = fopen(LOG_FILE ".log", "w"); /* insecure, use for debugging only */ +- else if (quiet && !verbose) ++ if (debug) { ++ int fd = mkstemp (LOG_FILE "-XXXXXX.log"); ++ if (fd != -1) ++ logh = fdopen(fd, "w"); ++ else ++ logh = stderr; ++ } else if (quiet && !verbose) + logh = NULL; /* Quiet mode, do not log */ + else + logh = stderr; /* Default: log to stderr */ +@@ -1585,11 +1589,6 @@ + /* TODO tbd */ + } + +- /* In debug mode save the data supposed to be fed into the +- renderer also into a file, reset the file here */ +- if (debug) +- run_system_process("reset-file", "> " LOG_FILE ".ps"); +- + filename = strtok_r(filelist->data, " ", &p); + while (filename) { + _log("\n================================================\n\n" +--- a/renderer.c ++++ b/renderer.c +@@ -434,7 +434,7 @@ + } + + /* Save the data supposed to be fed into the renderer also into a file*/ +- dstrprepend(commandline, "tee -a " LOG_FILE ".ps | ( "); ++ 
dstrprepend(commandline, "tee $(mktemp " LOG_FILE "-XXXXXX.ps) | ( "); + dstrcat(commandline, ")"); + } + diff -Nru foomatic-filters-4.0.5/debian/patches/series foomatic-filters-4.0.5/debian/patches/series --- foomatic-filters-4.0.5/debian/patches/series 2012-01-04 11:04:11.000000000 +0100 +++ foomatic-filters-4.0.5/debian/patches/series 2012-03-06 11:45:02.000000000 +0100 @@ -1,3 +1,4 @@ strncpy-tochar-use-isempty.patch unhtmlify-segfault.patch CVE-2011-2964.patch +CVE-2011-2924.patch
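Review bot: the foomaticrip.c part of the CVE-2011-2924.patch hunk passes a string literal to mkstemp() whose template does not end in the six X's: `int fd = mkstemp (LOG_FILE "-XXXXXX.log");`. mkstemp() requires the XXXXXX to be the last characters of the template and overwrites them in place, so on glibc this call fails with EINVAL (and writing into a string literal would be undefined behaviour if it did not); `fd != -1` is therefore never true and debug logging silently falls back to stderr. The fixed-name /tmp/foomatic-rip.log race is closed, but the log file the DEP-3 description promises is never created. Suggest copying the template into a writable buffer and using mkstemps() with the suffix length, e.g. `char tmpl[] = LOG_FILE "-XXXXXX.log"; int fd = mkstemps(tmpl, 4);`, and logging the chosen name so the user can find it. The renderer.c half is fine as written: GNU mktemp(1) accepts a template with a suffix after the X's, and dropping the old `reset-file` step is correct now that each run gets a fresh file; if mktemp(1) ever fails, `$(...)` expands to nothing and tee simply passes the data through, which is a safe failure. Minor: the DEP-3 Description carries over the upstream typos "un in debug mode" and "for for the patch".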