Hi,

I prepared a new package of foomatic-filters for Squeeze LTS which fixes
the new security vulnerability
(https://security-tracker.debian.org/tracker/CVE-2015-8560). You can
find the debdiff below for a review.

Jörg, if you need help to prepare the packages for Wheezy and Jessie,
feel free to ask me.

Regards

Yann



diff -Nru foomatic-filters-4.0.5/debian/changelog 
foomatic-filters-4.0.5/debian/changelog
--- foomatic-filters-4.0.5/debian/changelog     2015-12-09 09:21:50.000000000 
+0100
+++ foomatic-filters-4.0.5/debian/changelog     2015-12-15 11:57:44.000000000 
+0100
@@ -1,3 +1,10 @@
+foomatic-filters (4.0.5-6+squeeze2+deb6u12) squeeze-lts; urgency=high
+
+  * CVE-2015-8560: Fix insufficient script injection prevention
+    (Closes: #807931)
+
+ -- Yann Soubeyrand <yann-externe.soubeyr...@edf.fr>  Tue, 15 Dec 2015 
11:53:24 +0100
+
 foomatic-filters (4.0.5-6+squeeze2+deb6u11) squeeze-lts; urgency=high
 
   * CVE-2015-8327: Fix insufficient script injection prevention
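Review bot: The new changelog entry at the top of this hunk lists only the CVE-2015-8560 fix, but the same upload also rewrites the header of debian/patches/CVE-2015-8327.patch (Description, Origin, Bug-Debian, Last-Update). Add a bullet for that metadata update so the changelog covers every change in the debdiff. The summary line is also word-for-word the same as the CVE-2015-8327 entry below it; naming the semicolon in the new entry would let a reader tell the two fixes apart.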
diff -Nru foomatic-filters-4.0.5/debian/patches/CVE-2015-8327.patch 
foomatic-filters-4.0.5/debian/patches/CVE-2015-8327.patch
--- foomatic-filters-4.0.5/debian/patches/CVE-2015-8327.patch   2015-12-09 
09:22:38.000000000 +0100
+++ foomatic-filters-4.0.5/debian/patches/CVE-2015-8327.patch   2015-12-15 
15:51:56.000000000 +0100
@@ -1,10 +1,14 @@
-Description: foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as
- an illegal shell escape character. Thanks to Michal Kowalczyk from the Google
- Security Team for the hint.
+Description: SECURITY FIX: Also consider the back tick ('`') as an illegal 
shell escape character
+ .
+ Thanks to Michal Kowalczyk from the Google Security Team for the hint
+ (CVE-2015-8327).
 Author: Till Kamppeter <till.kamppe...@gmail.com>
+Origin: upstream, 
https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7406
+Origin: upstream, 
https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7407
+Origin: upstream, 
https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7409
 Bug-CVE: CVE-2015-8327
-Origin: upstream
-Last-Update: 2015-11-26
+Bug-Debian: https://bugs.debian.org/806886
+Last-Update: 2015-12-15
 
 --- a/util.c
 +++ b/util.c
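Review bot: The three added "Origin: upstream, ..." lines repeat a field that DEP-3 describes as a single value (only the Bug-<Vendor> fields are described as repeatable), so a tool reading the header may keep just one of the three revisions. Consider keeping one Origin line and moving the other two revision URLs into the long description. Separately, this hunk changes the metadata of an already shipped patch inside a security upload; that is fine if intended, but it should be called out in debian/changelog.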
diff -Nru foomatic-filters-4.0.5/debian/patches/CVE-2015-8560.patch 
foomatic-filters-4.0.5/debian/patches/CVE-2015-8560.patch
--- foomatic-filters-4.0.5/debian/patches/CVE-2015-8560.patch   1970-01-01 
01:00:00.000000000 +0100
+++ foomatic-filters-4.0.5/debian/patches/CVE-2015-8560.patch   2015-12-15 
15:51:41.000000000 +0100
@@ -0,0 +1,22 @@
+Description: SECURITY FIX: Also consider the semicolon (';') as an illegal 
shell escape character
+ .
+ Thanks to Adam Chester (adam dot chester at pentest dot co dot uk) for the 
hint
+ (CVE-2015-8560).
+Author: Till Kamppeter <till.kamppe...@gmail.com>
+Origin: upstream, 
https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7419
+Origin: upstream, 
https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7423
+Bug-CVE: CVE-2015-8560
+Bug-Debian: https://bugs.debian.org/807931
+Last-Update: 2015-12-15
+
+--- a/util.c   2015-10-30 15:45:03 +0000
++++ b/util.c   2015-12-12 23:27:21 +0000
+@@ -31,7 +31,7 @@
+ #include <assert.h>
+ 
+ 
+-const char* shellescapes = "|<>&!$\'\"`#*?()[]{}";
++const char* shellescapes = "|;<>&!$\'\"`#*?()[]{}";
+ 
+ const char * temp_dir()
+ {
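Review bot: The one-character change to shellescapes in util.c extends a denylist for the second time in a row (the back tick under CVE-2015-8327, now the semicolon), and the visible lines do not show how the string is consumed or whether every remaining shell metacharacter is covered. Before uploading, confirm with upstream revisions 7419 and 7423 that no further characters are pending, and consider asking upstream whether an allowlist of permitted characters would be more robust than adding to this string. The embedded hunk header "@@ -31,7 +31,7 @@" comes from the upstream tree, so also check that the patch applies without fuzz against the 4.0.5 source after CVE-2015-8327.patch.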
diff -Nru foomatic-filters-4.0.5/debian/patches/series 
foomatic-filters-4.0.5/debian/patches/series
--- foomatic-filters-4.0.5/debian/patches/series        2015-12-09 
09:23:03.000000000 +0100
+++ foomatic-filters-4.0.5/debian/patches/series        2015-12-15 
11:53:16.000000000 +0100
@@ -3,3 +3,4 @@
 CVE-2011-2964.patch
 CVE-2011-2924.patch
 CVE-2015-8327.patch
+CVE-2015-8560.patch
