A security issue in cups-filters was fixed upstream in this commit:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7333
It was included in the 1.0.66 release. Thierry has committed that update in Cauldron SVN and asked for a freeze push. I have added the patch in Mageia 4 SVN.
Updated package uploaded for Cauldron. Patched package uploaded for Mageia 4. I haven't seen a CVE request for this.
Advisory:
========================
Updated cups-filters package fixes security vulnerability:
cups-browsed in cups-filters before 1.0.66 contained a bug in the remove_bad_chars() function, where it failed to reliably filter out illegal characters if there were two or more subsequent illegal characters, allowing execution of arbitrary commands with the rights of the "lp" user, using forged print service announcements on DNS-SD servers (LinuxFoundation#1265).
References:
https://bugs.linuxfoundation.org/show_bug.cgi?id=1265
========================
Updated packages in core/updates_testing:
========================
cups-filters-1.0.53-1.1.mga4
libcups-filters1-1.0.53-1.1.mga4
libcups-filters-devel-1.0.53-1.1.mga4
from cups-filters-1.0.53-1.1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
CVE request: http://openwall.com/lists/oss-security/2015/03/09/5
Fedora has issued an advisory for this on March 4:
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/151662.html
Ubuntu has issued an advisory for this today (March 16):
http://www.ubuntu.com/usn/usn-2532-1/
I'm not sure where they got the CVE from.
Advisory:
========================
Updated cups-filters package fixes security vulnerability:
cups-browsed in cups-filters before 1.0.66 contained a bug in the remove_bad_chars() function, where it failed to reliably filter out illegal characters if there were two or more subsequent illegal characters, allowing execution of arbitrary commands with the rights of the "lp" user, using forged print service announcements on DNS-SD servers (CVE-2015-2265).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2265
https://bugs.linuxfoundation.org/show_bug.cgi?id=1265
http://www.ubuntu.com/usn/usn-2532-1/
URL: (none) => http://lwn.net/Vulnerabilities/636945/
Summary: cups-filters new security issue fixed upstream in 1.0.66 => cups-filters new security issue fixed upstream in 1.0.66 (CVE-2015-2265)
Severity: normal => critical
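
The advisory text above names the failure mode (a character filter that misses the second of two adjacent illegal characters) but the thread does not show the code. The following is an added illustration, not cups-filters code and not from any commenter: a constructed filter with that failure mode, a hardened version, and a regression check. The allow-list, function names and sample strings are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allow-list for this illustration: ASCII letters, digits, '-', '_'. */
int is_allowed(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_';
}

/* FLAWED (constructed): deletes a bad byte by shifting the tail left, then
 * the loop still advances i, so the byte that slid into s[i] is never checked. */
void filter_flawed(char *s) {
    for (size_t i = 0; s[i] != '\0'; i++)
        if (!is_allowed((unsigned char)s[i]))
            memmove(&s[i], &s[i + 1], strlen(&s[i + 1]) + 1);
}

/* HARDENED: separate read and write indexes; every input byte is tested once. */
void filter_fixed(char *s) {
    size_t w = 0;
    for (size_t r = 0; s[r] != '\0'; r++)
        if (is_allowed((unsigned char)s[r]))
            s[w++] = s[r];
    s[w] = '\0';
}

/* Regression check: run a filter over constructed names containing runs of
 * 1, 2 and 3 illegal bytes; return how many outputs still hold an illegal byte. */
int count_leaks(void (*filter)(char *)) {
    static const char *samples[] = {      /* constructed sample inputs */
        "Lab!Printer", "Lab!!Printer", "Lab!!!Printer", "Lab Printer!!" };
    int leaks = 0;
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        char buf[64];
        snprintf(buf, sizeof buf, "%s", samples[k]);
        filter(buf);
        for (size_t i = 0; buf[i] != '\0'; i++)
            if (!is_allowed((unsigned char)buf[i])) { leaks++; break; }
    }
    return leaks;
}

int main(void) {
    printf("flawed filter: %d leaking outputs\n", count_leaks(filter_flawed));
    printf("fixed filter:  %d leaking outputs\n", count_leaks(filter_fixed));
    return 0;
}
```

A test suite that only feeds isolated illegal characters passes the flawed filter; the check needs inputs with adjacent illegal bytes and must validate the output against the allow-list independently of the filter.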
To test this, just test cups-browsed. Share a printer via CUPS on a remote machine (on your LAN), then run the cups-browsed service locally. Things that use CUPS locally like KDE and LibreOffice should automatically see the remote printer within a minute.
Whiteboard: (none) => has_procedure
Testing complete mga4 64
Tested printer sharing, ensured it is seen by remote cups server.
Whiteboard: has_procedure => has_procedure mga4-64-ok
Advisory uploaded.
Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok
Testing complete mga4 32
Checked the shared printer is still found with the updates installed
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0132.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED