Re: squeeze update of dwarfutils?

2015-12-15 Thread Troy Heber
On 12/11/15 11:21, Guido Günther wrote:
 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of dwarfutils:
> https://security-tracker.debian.org/tracker/CVE-2015-8538
> 
> Would you like to take care of this yourself?

According to the RHEL bug[1] for CVE-2015-8538:

  "There is a out of bound read in  latest release version
  dwarf-20151114, and we have tested the other version dwarf-20140805,
  so we guess the versions which are between these two version will be
  affected too."

I just tested the version in squeeze (20100214-1) and it is indeed not
affected by this CVE, and does not segfault with the provided test case.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1289385





Re: squeeze update of cacti?

2015-12-15 Thread Chris Lamb
> Please find attached the debdiff that I could come up with from my work
> on sid, jessie and wheezy. It isn't tested yet (I don't have a suitable
> setup for that) so I appreciate it if somebody could check the patch
> doesn't break graph.php.

Whilst I happened to have generated it, here is the diffoscope comparison from 
the previous version in squeeze:

  https://try.diffoscope.org/zbpxqvgckury.html


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



foomatic-filters: security fix for Squeeze LTS

2015-12-15 Thread Yann Soubeyrand
Hi,

I prepared a new package of foomatic-filters for Squeeze LTS which fixes
the new security vulnerability
(https://security-tracker.debian.org/tracker/CVE-2015-8560). You can
find the debdiff below for a review.

Jörg, if you need help to prepare the packages for Wheezy and Jessie,
feel free to ask me.

Regards

Yann



diff -Nru foomatic-filters-4.0.5/debian/changelog 
foomatic-filters-4.0.5/debian/changelog
--- foomatic-filters-4.0.5/debian/changelog 2015-12-09 09:21:50.0 
+0100
+++ foomatic-filters-4.0.5/debian/changelog 2015-12-15 11:57:44.0 
+0100
@@ -1,3 +1,10 @@
+foomatic-filters (4.0.5-6+squeeze2+deb6u12) squeeze-lts; urgency=high
+
+  * CVE-2015-8560: Fix insufficient script injection prevention
+(Closes: #807931)
+
+ -- Yann Soubeyrand   Tue, 15 Dec 2015 
11:53:24 +0100
+
 foomatic-filters (4.0.5-6+squeeze2+deb6u11) squeeze-lts; urgency=high
 
   * CVE-2015-8327: Fix insufficient script injection prevention
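
Review bot: the new changelog item for CVE-2015-8560 uses exactly the wording of the deb6u11 item for CVE-2015-8327 just below it ("Fix insufficient script injection prevention"), so the two entries differ only by CVE number. Consider naming the character each one handles, for example "Also treat the semicolon (';') as an illegal shell escape character", which matches the Description in CVE-2015-8560.patch.
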
diff -Nru foomatic-filters-4.0.5/debian/patches/CVE-2015-8327.patch 
foomatic-filters-4.0.5/debian/patches/CVE-2015-8327.patch
--- foomatic-filters-4.0.5/debian/patches/CVE-2015-8327.patch   2015-12-09 
09:22:38.0 +0100
+++ foomatic-filters-4.0.5/debian/patches/CVE-2015-8327.patch   2015-12-15 
15:51:56.0 +0100
@@ -1,10 +1,14 @@
-Description: foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as
- an illegal shell escape character. Thanks to Michal Kowalczyk from the Google
- Security Team for the hint.
+Description: SECURITY FIX: Also consider the back tick ('`') as an illegal 
shell escape character
+ .
+ Thanks to Michal Kowalczyk from the Google Security Team for the hint
+ (CVE-2015-8327).
 Author: Till Kamppeter 
+Origin: upstream, 
https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7406
+Origin: upstream, 
https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7407
+Origin: upstream, 
https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7409
 Bug-CVE: CVE-2015-8327
-Origin: upstream
-Last-Update: 2015-11-26
+Bug-Debian: https://bugs.debian.org/806886
+Last-Update: 2015-12-15
 
 --- a/util.c
 +++ b/util.c
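
Review bot: the deb6u12 changelog entry lists only the CVE-2015-8560 fix, yet this hunk rewrites the header of CVE-2015-8327.patch (Description, three Origin lines, Bug-Debian, Last-Update), a patch that already belongs to the deb6u11 entry. Either add a changelog line for the header refresh or drop this change from the upload, so that the security update carries only what the changelog announces.
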
diff -Nru foomatic-filters-4.0.5/debian/patches/CVE-2015-8560.patch 
foomatic-filters-4.0.5/debian/patches/CVE-2015-8560.patch
--- foomatic-filters-4.0.5/debian/patches/CVE-2015-8560.patch   1970-01-01 
01:00:00.0 +0100
+++ foomatic-filters-4.0.5/debian/patches/CVE-2015-8560.patch   2015-12-15 
15:51:41.0 +0100
@@ -0,0 +1,22 @@
+Description: SECURITY FIX: Also consider the semicolon (';') as an illegal 
shell escape character
+ .
+ Thanks to Adam Chester (adam dot chester at pentest dot co dot uk) for the 
hint
+ (CVE-2015-8560).
+Author: Till Kamppeter 
+Origin: upstream, 
https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7419
+Origin: upstream, 
https://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7423
+Bug-CVE: CVE-2015-8560
+Bug-Debian: https://bugs.debian.org/807931
+Last-Update: 2015-12-15
+
+--- a/util.c   2015-10-30 15:45:03 +
 b/util.c   2015-12-12 23:27:21 +
+@@ -31,7 +31,7 @@
+ #include 
+ 
+ 
+-const char* shellescapes = "|<>&!$\'\"`#*?()[]{}";
++const char* shellescapes = "|;<>&!$\'\"`#*?()[]{}";
+ 
+ const char * temp_dir()
+ {
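
Review bot: the "shellescapes" string is a denylist, and ';' is the second character added to it in two consecutive uploads (the back tick came with CVE-2015-8327.patch). It is worth asking upstream whether the rest of the shell metacharacters were audited against this string, or whether the check can be turned into an allowlist, so that squeeze does not need a third upload for the same class of bug. Separately, as shown in this mail the embedded header line reads " b/util.c" without its "+++" marker and the "#include" line has lost its argument; please confirm the file in the source package is intact and applies cleanly.
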
diff -Nru foomatic-filters-4.0.5/debian/patches/series 
foomatic-filters-4.0.5/debian/patches/series
--- foomatic-filters-4.0.5/debian/patches/series2015-12-09 
09:23:03.0 +0100
+++ foomatic-filters-4.0.5/debian/patches/series2015-12-15 
11:53:16.0 +0100
@@ -3,3 +3,4 @@
 CVE-2011-2964.patch
 CVE-2011-2924.patch
 CVE-2015-8327.patch
+CVE-2015-8560.patch



Re: squeeze update of cacti?

2015-12-15 Thread Chris Lamb
> > Just to clarify what's needed here - are you part of Debian LTS?
> 
> What a difficult question to answer straight. Yes and no. Yes, I lurk on
> this e-mail list, yes, I have the intention to take care of "my" own
> packages as said multiple times on this list.

Oh, I didn't mean to put you in a difficult position - am fairly "new" so 
haven't seen you on the list before. I also didn't mean to imply anything 
negative, I just didn't want either of us to do unnecessary duplicated work. :)

> So, if you can check and test my debdiff you can upload and announce if
> you are satisfied with it

Looks good, at least by eye. However, Buxy pointed me towards a supplementary
CVE-2015-8377
(http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt) -
we should probably test and upload these at the same time.


Best,

-- 
Chris Lamb
chris-lamb.co.uk / @lolamby



Re: Bug#802828: python-pygments: shell injection in FontManager._get_nix_font_path

2015-12-15 Thread Raphael Hertzog
Control: retitle -1 python-pygments: CVE-2015-8557: shell injection in FontManager._get_nix_font_path
Control: severity -1 important
Control: tag -1 + patch

On Fri, 23 Oct 2015, Jakub Wilk wrote:
> Javantea reported in :

This has been assigned CVE-2015-8557 and the recommended patch
to use is
https://bitbucket.org/birkenfeld/pygments-main/commits/0036ab1c99e256298094505e5e92f

I'm upgrading the severity to important. All Debian releases are affected.

Piotr, the Debian LTS team wants to fix this issue in squeeze too. Do you
want to take care of this by yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/