Control: tags -1 +patch +upstream +fixed-upstream
Le lundi, 14 décembre 2015, 15.45:31 Yann Soubeyrand a écrit :
> There is a patch upstream for this vulnerability:
> https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7419.
Thanks for the hint.
I'm likely to wait for 1.4.0 upstream release for an upload to unstable,
and will then prepare the package for jessie (if the Security Team
agrees).
Cheers,
OdyX
=== modified file 'NEWS'
--- NEWS 2015-12-12 02:11:10 +0000
+++ NEWS 2015-12-12 23:27:21 +0000
@@ -3,6 +3,10 @@
CHANGES IN V1.4.0
+ - foomatic-rip: SECURITY FIX: Also consider the semicolon
+ (';') as an illegal shell escape character. Thanks to Adam
+ Chester (adam dot chester at pentest dot co dot uk) for the
+ hint.
- brftoembosser, imagetobrf, imagetoubrl, imageubrltoindexv3,
imageubrltoindexv4, textbrftoindexv3, textbrftoindexv4,
texttobrf, braille.convs, braille.types, generic-brf.drv,
=== modified file 'filter/foomatic-rip/util.c'
--- filter/foomatic-rip/util.c 2015-10-30 15:45:03 +0000
+++ filter/foomatic-rip/util.c 2015-12-12 23:27:21 +0000
@@ -31,7 +31,7 @@
#include <assert.h>
-const char* shellescapes = "|<>&!$\'\"`#*?()[]{}";
+const char* shellescapes = "|;<>&!$\'\"`#*?()[]{}";
const char * temp_dir()
{
