Bug 17330

Summary: cups-filters new security issue CVE-2015-8560
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/668128/
Whiteboard: has_procedue advisory mga5-32-ok MGA5-64-OK
Source RPM: cups-filters-1.0.71-1.1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-12-14 17:12:07 CET
A CVE was requested for an issue fixed upstream in cups-filters on December 13:
http://openwall.com/lists/oss-security/2015/12/13/2

I've added the patch in Cauldron.  Locally I've added the ";" to the CVE-2015-8327 patch for Mageia 5, but waiting for a CVE assignment before committing it.

Comment 1 David Walser 2015-12-14 22:43:42 CET
This has been assigned CVE-2015-8560:
http://openwall.com/lists/oss-security/2015/12/14/13

Patched package uploaded for Mageia 5.  This was already fixed in Cauldron.

Advisory:
========================

Updated cups-filters package fixes security vulnerability:

Adam Chester discovered that missing input sanitising in the foomatic-rip
print filter might result in the execution of arbitrary commands
(CVE-2015-8327).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8560
http://openwall.com/lists/oss-security/2015/12/14/13
========================

Updated packages in core/updates_testing:
========================
cups-filters-1.0.71-1.2.mga5
libcups-filters1-1.0.71-1.2.mga5
libcups-filters-devel-1.0.71-1.2.mga5

from cups-filters-1.0.71-1.2.mga5.src.rpm

Assignee: bugsquad => qa-bugs
Summary: cups-filters new security issue similar to CVE-2015-8327 => cups-filters new security issue CVE-2015-8560

Comment 2 James Kerr 2015-12-15 12:16:17 CET
On mga5-64

Installed packages from testing:

lib64cups-filters1-1.0.71-1.2.mga5
cups-filters-1.0.71-1.2.mga5

Packages installed cleanly. Printer continues to function normally.

OK for mga5-64

Whiteboard: (none) => MGA5-64-OK

Comment 3 David Walser 2015-12-16 14:38:06 CET
Debian has issued an advisory for this on December 15:
https://www.debian.org/security/2015/dsa-3419

Comment 4 claire robinson 2015-12-16 16:20:11 CET
Testing complete mga5 32, same as comment 2

Validating. Advisory uploaded.

Please push to 5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => has_procedue advisory mga5-32-ok MGA5-64-OK
CC: (none) => sysadmin-bugs

David Walser 2015-12-16 19:31:14 CET

URL: (none) => http://lwn.net/Vulnerabilities/668128/

Comment 5 Mageia Robot 2015-12-16 22:02:01 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0476.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2015-12-17 17:42:10 CET
Hmm, I had the right CVE in the references and bug title, but the wrong one in the advisory text and the advisory committed to SVN had the wrong CVE.  I fixed the advisory in SVN :o(