Ubuntu has issued advisories today (March 12):
http://www.ubuntu.com/usn/usn-2143-1/
http://www.ubuntu.com/usn/usn-2144-1/

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
LWN reference for CVE-2013-647[4-6]: http://lwn.net/Vulnerabilities/590371/
LWN reference for CVE-2013-6473: http://lwn.net/Vulnerabilities/590377/
URL: (none) => http://lwn.net/Vulnerabilities/590371/
The issues are fixed upstream in cups-filters 1.0.47. We have a newer version in Cauldron, so it's not affected.

cups-filters does not exist in Mageia 3, and the affected code is not in our cups package in Mageia 3.

Patched cups-filters package uploaded for Mageia 4.

Advisory:
========================

Updated cups-filters packages fix security vulnerabilities:

Florian Weimer discovered that cups-filters incorrectly handled memory in the urftopdf filter. An attacker could possibly use this issue to execute arbitrary code with the privileges of the lp user (CVE-2013-6473).

Florian Weimer discovered that cups-filters incorrectly handled memory in the pdftoopvp filter. An attacker could possibly use this issue to execute arbitrary code with the privileges of the lp user (CVE-2013-6474, CVE-2013-6475).

Florian Weimer discovered that cups-filters did not restrict driver directories in the pdftoopvp filter. An attacker could possibly use this issue to execute arbitrary code with the privileges of the lp user (CVE-2013-6476).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6474
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6476
http://www.ubuntu.com/usn/usn-2143-1/
========================

Updated packages in core/updates_testing:
========================
cups-filters-1.0.41-3.2.mga4
libcups-filters1-1.0.41-3.2.mga4
libcups-filters-devel-1.0.41-3.2.mga4

from cups-filters-1.0.41-3.2.mga4.src.rpm
CC: (none) => thierry.vignaud
Version: Cauldron => 4
Assignee: thierry.vignaud => qa-bugs
Summary: cups, cups-filters new security issues CVE-2013-647[3-6] => cups-filters new security issues CVE-2013-647[3-6]
Source RPM: cups, cups-filters => cups-filters
Whiteboard: MGA4TOO, MGA3TOO => (none)
No regressions noticed on mga4 64 with a Canon ip4950 printer.
I can still print on mga4 x86_64 with a network printer (Ricoh).
CC: (none) => dirteat
After updating my system, I do not notice any regression on my HP Deskjet 1510 or anywhere else in my system. On mga i586.
CC: (none) => filorin.mageia
Testing MGA4 64-bit real hardware, printer = KonicaMinolta Magicolour 1600w.
After applying the update, the printer still works OK.
CC: (none) => lewyssmith
Thanks everybody for the tests. Validating. Advisory uploaded. Could sysadmin please push to 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: (none) => advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0170.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED