Hi, I prepared a new package of foomatic-filters for Squeeze LTS which fixes the new security vulnerability (https://security-tracker.debian.org/tracker/CVE-2015-8560). You can find the debdiff below for a review.
Jörg, if you need help to prepare the packages for Wheezy and Jessie, feel free to ask me. Regards Yann diff -Nru foomatic-filters-4.0.5/debian/changelog foomatic-filters-4.0.5/debian/changelog --- foomatic-filters-4.0.5/debian/changelog 2015-12-09 09:21:50.000000000 +0100 +++ foomatic-filters-4.0.5/debian/changelog 2015-12-15 11:57:44.000000000 +0100 @@ -1,3 +1,10 @@ +foomatic-filters (4.0.5-6+squeeze2+deb6u12) squeeze-lts; urgency=high + + * CVE-2015-8560: Fix insufficient script injection prevention + (Closes: #807931) + + -- Yann Soubeyrand <yann-externe.soubeyr...@edf.fr> Tue, 15 Dec 2015 11:53:24 +0100 + foomatic-filters (4.0.5-6+squeeze2+deb6u11) squeeze-lts; urgency=high * CVE-2015-8327: Fix insufficient script injection prevention diff -Nru foomatic-filters-4.0.5/debian/patches/CVE-2015-8327.patch foomatic-filters-4.0.5/debian/patches/CVE-2015-8327.patch --- foomatic-filters-4.0.5/debian/patches/CVE-2015-8327.patch 2015-12-09 09:22:38.000000000 +0100 +++ foomatic-filters-4.0.5/debian/patches/CVE-2015-8327.patch 2015-12-15 15:51:56.000000000 +0100 @@ -1,10 +1,14 @@ -Description: foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as - an illegal shell escape character. Thanks to Michal Kowalczyk from the Google - Security Team for the hint. +Description: SECURITY FIX: Also consider the back tick ('`') as an illegal shell escape character + . + Thanks to Michal Kowalczyk from the Google Security Team for the hint + (CVE-2015-8327). Author: Till Kamppeter <till.kamppe...@gmail.com> +Origin: upstream, https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7406 +Origin: upstream, https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7407 +Origin: upstream, https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7409 Bug-CVE: CVE-2015-8327 -Origin: upstream -Last-Update: 2015-11-26 +Bug-Debian: https://bugs.debian.org/806886 +Last-Update: 2015-12-15 --- a/util.c 
+++ b/util.c diff -Nru foomatic-filters-4.0.5/debian/patches/CVE-2015-8560.patch foomatic-filters-4.0.5/debian/patches/CVE-2015-8560.patch --- foomatic-filters-4.0.5/debian/patches/CVE-2015-8560.patch 1970-01-01 01:00:00.000000000 +0100 +++ foomatic-filters-4.0.5/debian/patches/CVE-2015-8560.patch 2015-12-15 15:51:41.000000000 +0100 @@ -0,0 +1,22 @@ +Description: SECURITY FIX: Also consider the semicolon (';') as an illegal shell escape character + . + Thanks to Adam Chester (adam dot chester at pentest dot co dot uk) for the hint + (CVE-2015-8560). +Author: Till Kamppeter <till.kamppe...@gmail.com> +Origin: upstream, https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7419 +Origin: upstream, https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7423 +Bug-CVE: CVE-2015-8560 +Bug-Debian: https://bugs.debian.org/807931 +Last-Update: 2015-12-15 + +--- a/util.c 2015-10-30 15:45:03 +0000 ++++ b/util.c 2015-12-12 23:27:21 +0000 +@@ -31,7 +31,7 @@ + #include <assert.h> + + +-const char* shellescapes = "|<>&!$\'\"`#*?()[]{}"; ++const char* shellescapes = "|;<>&!$\'\"`#*?()[]{}"; + + const char * temp_dir() + { diff -Nru foomatic-filters-4.0.5/debian/patches/series foomatic-filters-4.0.5/debian/patches/series --- foomatic-filters-4.0.5/debian/patches/series 2015-12-09 09:23:03.000000000 +0100 +++ foomatic-filters-4.0.5/debian/patches/series 2015-12-15 11:53:16.000000000 +0100 @@ -3,3 +3,4 @@ CVE-2011-2964.patch CVE-2011-2924.patch CVE-2015-8327.patch +CVE-2015-8560.patch
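Review bot: the new changelog entry reuses the previous entry's wording ("Fix insufficient script injection prevention") verbatim, so the deb6u11 and deb6u12 lines differ only by CVE number; suggest stating what actually changed, e.g. `* CVE-2015-8560: Also treat the semicolon (';') as an illegal shell escape character in foomatic-rip (Closes: #807931)`. The entry also does not mention that the DEP-3 header of the already-shipped CVE-2015-8327.patch is refreshed in this upload (Description reworded, Origin URLs for revisions 7406/7407/7409 and Bug-Debian added, Last-Update bumped); a second bullet naming that header refresh would make the debdiff self-describing for whoever audits the LTS upload later.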
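Review bot: the nested hunk inside CVE-2015-8560.patch carries upstream cups-filters timestamps (`--- a/util.c 2015-10-30 15:45:03 +0000`) rather than ones from the foomatic-filters 4.0.5 tree, and its only leading context is `#include <assert.h>` followed by two blank lines, so please confirm in the build log that `quilt push -a` applies it at offset 0 with no fuzz on the Squeeze source; with context that thin, a fuzz or offset message would be the sole indication that the `shellescapes` line was patched in the wrong place. It would also help the next uploader if the patch Description noted that this is a one-character extension of the same `shellescapes` denylist string that CVE-2015-8327.patch already modified, so the two patches are understood as stacked changes to one line.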