Bug#635549: #635549: Two hplip security issues

2011-11-25 Thread Didier Raboud
found 635549 3.10.6-2
notfound 635549 3.11.10
thanks

Hi Moritz,

On Tuesday, 26 July 2011 23.07:01, Moritz Muehlenhoff wrote:
 
 Two security issues have been reported in hplip:
 
 1. Shell command injection in foomatic-rip-hplip:
 https://bugzilla.novell.com/show_bug.cgi?id=698451
 This is CVE-2011-2697

As far as I can see, the culprit file is foomatic-rip-hplip, which is only 
shipped in hplip-ppds, and only in stable; testing and unstable versions rely 
on the fixed foomatic-rip from the foomatic-filters package.

 2. Insecure tempfile handling:
 https://bugzilla.novell.com/show_bug.cgi?id=704608
 https://bugs.launchpad.net/hplip/+bug/809904
 This is CVE-2011-2722

This seems to be fixed in 3.11.10, hence again, only stable is affected.

 This should be fixed in a DSA, could you prepare updated
 packages?

I will try to, but would be happier if the HPLIP team could do this security 
upload themselves (4 months without a single response; meh).

Cheers,

--
OdyX




Bug#635549: #635549: Two hplip security issues

2011-11-25 Thread Didier Raboud
On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
 found 635549 3.10.6-2
 notfound 635549 3.11.10
 thanks
 
 Hi Moritz,
 
 On Tuesday, 26 July 2011 23.07:01, Moritz Muehlenhoff wrote:
  Two security issues have been reported in hplip:
  
  1. Shell command injection in foomatic-rip-hplip:
  https://bugzilla.novell.com/show_bug.cgi?id=698451
  This is CVE-2011-2697
 
 As far as I can see, the culprit file is foomatic-rip-hplip, which is only
 shipped in hplip-ppds, and only in stable; testing and unstable versions
 rely on the fixed foomatic-rip from the foomatic-filters package.

Hmm. Wrong.

usr/lib/cups/filter/foomatic-rip-hplip (supposedly culprit file) is already a 
symlink to usr/lib/cups/filter/foomatic-rip in the stable package. So this CVE 
doesn't affect any version bigger than what is in stable

-- 
OdyX




Bug#635549: #635549: Two hplip security issues

2011-11-25 Thread Didier Raboud
On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
  
  2. Insecure tempfile handling:
  https://bugzilla.novell.com/show_bug.cgi?id=704608
  https://bugs.launchpad.net/hplip/+bug/809904
  This is CVE-2011-2722
 
 This seems to be fixed in 3.11.10, hence again, only stable is affected.

The attached dpatch against the version currently in stable does fix that bug.

As for oldstable, I couldn't find any occurrence of this bug in the source 
code.

Cheers,

OdyX


CVE-2011-2722.dpatch
Description: application/shellscript




Bug#635549: #635549: Two hplip security issues

2011-11-25 Thread Didier Raboud
On Friday, 25 November 2011 12.22:24, Didier Raboud wrote:
  On Tuesday, 26 July 2011 23.07:01, Moritz Muehlenhoff wrote:
   
   1. Shell command injection in foomatic-rip-hplip:
   https://bugzilla.novell.com/show_bug.cgi?id=698451
   This is CVE-2011-2697
  
  As far as I can see, the culprit file is foomatic-rip-hplip, which is
  only shipped in hplip-ppds, and only in stable; testing and unstable
  versions rely on the fixed foomatic-rip from the foomatic-filters
  package.

 usr/lib/cups/filter/foomatic-rip-hplip (supposedly culprit file) is already
 a symlink to usr/lib/cups/filter/foomatic-rip in the stable package. So
 this CVE doesn't affect any version bigger than what is in stable

And foomatic-rip-hplip is not in oldstable either, so it seems CVE-2011-2697 
doesn't affect any currently released hplip.

Cheers,
-- 
OdyX




Bug#635549: #635549: Two hplip security issues

2011-11-25 Thread Moritz Mühlenhoff
On Fri, Nov 25, 2011 at 02:04:44PM +0100, Didier Raboud wrote:
 On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
   
   2. Insecure tempfile handling:
   https://bugzilla.novell.com/show_bug.cgi?id=704608
   https://bugs.launchpad.net/hplip/+bug/809904
   This is CVE-2011-2722
  
  This seems to be fixed in 3.11.10, hence again, only stable is affected.
 
 The attached dpatch against the version currently in stable does fix that bug.
 
 As for oldstable, I couldn't find any occurrence of this bug in the source 
 code.

CVE-2011-2722 itself doesn't warrant a DSA. Could the hplip maintainers
please fix this through a point update?
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
Moritz






Bug#635549: #635549: Two hplip security issues

2011-11-25 Thread Moritz Mühlenhoff
On Fri, Nov 25, 2011 at 12:22:24PM +0100, Didier Raboud wrote:
 On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
  found 635549 3.10.6-2
  notfound 635549 3.11.10
  thanks
  
  Hi Moritz,
  
  On Tuesday, 26 July 2011 23.07:01, Moritz Muehlenhoff wrote:
   Two security issues have been reported in hplip:
   
   1. Shell command injection in foomatic-rip-hplip:
   https://bugzilla.novell.com/show_bug.cgi?id=698451
   This is CVE-2011-2697
  
  As far as I can see, the culprit file is foomatic-rip-hplip, which is only
  shipped in hplip-ppds, and only in stable; testing and unstable versions
  rely on the fixed foomatic-rip from the foomatic-filters package.
 
 Hmm. Wrong.
 
 usr/lib/cups/filter/foomatic-rip-hplip (supposedly culprit file) is already a
 symlink to usr/lib/cups/filter/foomatic-rip in the stable package. So this
 CVE doesn't affect any version bigger than what is in stable

Confirmed. I've updated the security tracker. However, we still need
to update foomatic-filters to secure Squeeze. Since you're also part
of the maintainer group for foomatic-filters, could you investigate/
prepare fixed packages for these two issues in foomatic-filters?
http://security-tracker.debian.org/tracker/CVE-2011-2697 
http://security-tracker.debian.org/tracker/CVE-2011-2964

A side note for CVE-2011-2697:
There are two implementations of the affected filter: the version from
foomatic-filters 4.0 is written in C and has been assigned CVE-2011-2964 and the
version in foomatic-filters 3.x is written in Perl and has been assigned
CVE-2011-2697.

Cheers,
Moritz










Bug#635549: [Pkg-hpijs-devel] Bug#635549: #635549: Two hplip security issues

2011-11-25 Thread Mark Purcell
On Sat, 26 Nov 2011 04:38:19 Moritz Mühlenhoff wrote:
 CVE-2011-2722 itself doesn't warrant a DSA. Could the hplip maintainers
 please fix this through a point update?
 http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Moritz and odyx,

Thanks for chasing this down.

I should be able to upload something this week.

Mark

