The fix for CVE-2014-2707 in 1.0.51 was incomplete, and the issue was completely fixed in 1.0.53, and another security issue was also fixed in 1.0.53, according to this post on oss-security, complete with commit links: http://openwall.com/lists/oss-security/2014/04/25/7

I imagine these will both receive CVEs. We'll need to issue another update for Mageia 4 also.
Previous bug (posting for the note that only certain systems are affected by the first issue): https://bugs.mageia.org/show_bug.cgi?id=13216
Whiteboard: (none) => MGA4TOO
tv has updated to 1.0.53 in Cauldron. Still no word on CVEs yet.
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
Fedora has issued an advisory for this on April 29: https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132626.html
URL: (none) => http://lwn.net/Vulnerabilities/597459/
Updated package uploaded for Mageia 4.

Advisory:
========================

Updated cups-filters packages fix security vulnerabilities:

In cups-filters before 1.0.53, if there was only a single BrowseAllow line in cups-browsed.conf and its host specification was invalid, this was interpreted as if no BrowseAllow line had been specified, which resulted in it accepting browse packets from all hosts.

The CVE-2014-2707 issue with malicious broadcast packets, which had been fixed in Mageia Bug 13216 (MGASA-2014-0181), had not been completely fixed by that update. A more complete fix was implemented in cups-filters 1.0.53.

Note that only systems that have enabled the affected feature by using the CreateIPPPrinterQueues configuration directive in /etc/cups/cups-browsed.conf were affected by the CVE-2014-2707 issue.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132626.html
http://advisories.mageia.org/MGASA-2014-0181.html
========================

Updated packages in core/updates_testing:
========================
cups-filters-1.0.53-1.mga4
libcups-filters1-1.0.53-1.mga4
libcups-filters-devel-1.0.53-1.mga4

from cups-filters-1.0.53-1.mga4.src.rpm
Assignee: thierry.vignaud => qa-bugs
Severity: normal => critical
Testing MGA4 64-bit real h/w

lib64cups-filters1-1.0.53-1.mga4
cups-filters-0.53-1.mga4

Real printer: KonicaMinolta Magicolour 1600w
Pseudo printer installed (you have to 'add' it too): Cups-PDF

Printed both monochrome (B&W) and colour to both 'printers' OK. Cups-PDF puts the output file on the desktop.
CC: (none) => lewyssmith
Whiteboard: (none) => MGA4-64-OK
Tested mga4_32. Testing complete for cups-filters-1.0.53-1.mga4, ok for me and nothing to report.

cups-filters-1.0.53-1.mga4
libcups-filters1-1.0.53-1.mga4
libcups-filters-devel-1.0.53-1.mga4

- Printer HP Color LaserJet CM1015 MFP
- Printer HP Photosmart C4270
- Cups-PDF
CC: (none) => geiger.david68210
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Thanks. The CVE request never got answered, but was asked again today: http://openwall.com/lists/oss-security/2014/06/19/9
Advisory uploaded, please push "cups-filters" to 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs
Finally a response: This can be validated now. Here's an updated advisory.

Advisory:
========================

Updated cups-filters packages fix security vulnerabilities:

In cups-filters before 1.0.53, out-of-bounds accesses in the process_browse_data function when reading the packet variable could lead to a crash, thus resulting in a denial of service (CVE-2014-4337).

In cups-filters before 1.0.53, if there was only a single BrowseAllow line in cups-browsed.conf and its host specification was invalid, this was interpreted as if no BrowseAllow line had been specified, which resulted in it accepting browse packets from all hosts (CVE-2014-4338).

The CVE-2014-2707 issue with malicious broadcast packets, which had been fixed in Mageia Bug 13216 (MGASA-2014-0181), had not been completely fixed by that update. A more complete fix was implemented in cups-filters 1.0.53 (CVE-2014-4336).

Note that only systems that have enabled the affected feature by using the CreateIPPPrinterQueues configuration directive in /etc/cups/cups-browsed.conf were affected by the CVE-2014-2707/CVE-2014-4336 issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4338
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132626.html
http://advisories.mageia.org/MGASA-2014-0181.html
http://openwall.com/lists/oss-security/2014/06/19/12
========================
Keywords: validated_update => (none)
Whiteboard: MGA4-64-OK MGA4-32-OK advisory => MGA4-64-OK MGA4-32-OK
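The CVE-2014-4338 description in the advisory above is a textbook fail-open: an allow-list whose only entry cannot be parsed silently degrades into "no allow-list at all", which in cups-browsed means accepting browse packets from every host. The following is an added illustration of that configuration-parsing pitfall and of the fail-closed alternative; it is not cups-browsed's code and does not reproduce how 1.0.53 actually fixed it. The accepted host syntax (an IP address, a CIDR network, or the word "all") and the function names are assumptions made for the example.

```python
"""Fail-open vs. fail-closed handling of BrowseAllow-style host rules.

Constructed example: models the CVE-2014-4338 bug class described in the
advisory (an invalid, single BrowseAllow entry treated as "no BrowseAllow
configured") and a hardened evaluation that refuses packets instead.
Rule syntax (IP literal, CIDR prefix, or "all") is an assumption.
"""
import ipaddress


def parse_browse_allow(config_text):
    """Parse BrowseAllow lines from a cups-browsed.conf-like text.

    Returns (configured, rules, errors):
      configured - True if at least one BrowseAllow directive was present
      rules      - list of ip_network objects or the string "all"
      errors     - (line number, host spec) pairs that failed to parse
    Unparsable specs are recorded rather than silently dropped, so the
    caller can tell "no directive" apart from "broken directive".
    """
    configured, rules, errors = False, [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0].lower() != "browseallow":
            continue  # not a BrowseAllow directive; other keys are ignored here
        configured = True
        spec = parts[1]
        if spec.lower() == "all":
            rules.append("all")
            continue
        try:
            rules.append(ipaddress.ip_network(spec, strict=False))
        except ValueError:
            errors.append((lineno, spec))
    return configured, rules, errors


def _matches(rules, src):
    """True if the source address is covered by at least one rule."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # a malformed source address never matches anything
    return any(rule == "all" or addr in rule for rule in rules)


def vulnerable_accept(config_text, src):
    """Buggy logic: invalid entries are dropped, and an empty rule list is
    indistinguishable from "no BrowseAllow configured", which means allow."""
    _configured, rules, _errors = parse_browse_allow(config_text)
    if not rules:
        return True  # fail-open: a single bad entry opens the door to everyone
    return _matches(rules, src)


def hardened_accept(config_text, src):
    """Fail-closed logic: a BrowseAllow directive that does not parse denies
    all browse packets until the admin fixes the file. The page's documented
    default (no BrowseAllow at all means accept from any host) is kept."""
    configured, rules, errors = parse_browse_allow(config_text)
    if errors:
        return False  # configured but broken: refuse rather than guess
    if not configured:
        return True  # default behaviour described in the advisory
    return _matches(rules, src)


if __name__ == "__main__":
    # Constructed configs: 192.168.1.300 is not a valid IPv4 address.
    broken = "BrowseAllow 192.168.1.300\n"
    good = "# printers on the office LAN only\nBrowseAllow 192.168.1.0/24\n"
    print("broken config, stranger  ->", vulnerable_accept(broken, "10.0.0.5"),
          "(vulnerable)", hardened_accept(broken, "10.0.0.5"), "(hardened)")
    print("good config, LAN host    ->", hardened_accept(good, "192.168.1.7"))
    print("good config, stranger    ->", hardened_accept(good, "10.0.0.5"))
```

The design point is the distinction between "not configured" and "configured but invalid": the parser has to carry the error out to the decision point instead of collapsing it into an empty list, because an empty allow-list and a missing allow-list mean very different things to the caller. A production daemon would additionally log the offending line number so the operator notices the misconfiguration rather than just losing printer discovery.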
Oops, Rémi and I were posting at the same time. Rémi, could you update the advisory that you uploaded? Thanks.
I updated the advisory, thanks David.
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
Update pushed: http://advisories.mageia.org/MGASA-2014-0267.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED