A security issue fixed upstream in cups-filters has been announced:
http://openwall.com/lists/oss-security/2015/06/26/4

The issue is fixed in version 1.0.70. There is a link to the upstream commit to fix it in the message above.

In a reply to that message, it was stated that a problem was found in the patch and to hold off on packaging it.
Whiteboard: (none) => MGA5TOO, MGA4TOO
The fix in 1.0.71 was incomplete, and it was really fixed in 1.0.71. CVE-2015-3279 was assigned for the incomplete fix in 1.0.70: http://openwall.com/lists/oss-security/2015/07/03/2 The message above also has a link to the upstream commit with the fix.
Summary: cups-filters new security issue CVE-2015-3258 => cups-filters new security issues CVE-2015-3258 and CVE-2015-3279
Severity: normal => major
Patched (Mageia 4) and updated (Mageia 5 and Cauldron) packages uploaded.

Advisory:
========================

Updated cups-filters packages fix security vulnerability:

A heap-based buffer overflow was discovered in the way the texttopdf utility of cups-filters processed print jobs with a specially crafted line size. An attacker being able to submit print jobs could exploit this flaw to crash texttopdf or, possibly, execute arbitrary code with the privileges of the 'lp' user (CVE-2015-3258, CVE-2015-3279).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3258
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3279
https://bugzilla.redhat.com/show_bug.cgi?id=1235385
https://bugzilla.redhat.com/show_bug.cgi?id=1238990
========================

Updated packages in core/updates_testing:
========================
cups-filters-1.0.53-1.2.mga4
libcups-filters1-1.0.53-1.2.mga4
libcups-filters-devel-1.0.53-1.2.mga4
cups-filters-1.0.71-1.mga5
libcups-filters1-1.0.71-1.mga5
libcups-filters-devel-1.0.71-1.mga5

from SRPMS:
cups-filters-1.0.53-1.2.mga4.src.rpm
cups-filters-1.0.71-1.mga5.src.rpm
Version: Cauldron => 5
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Advisory committed to svn.
CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory
MGA4-64 on HP Probook 6555b KDE

No installation issues.

I tried to call the filter at the CLI using:
/usr/lib/cups/filter/texttopdf 1 herman "" 1 tracefile.txt > tracefile.pdf
but this results in a hanging command which produces an empty pdf file.

Have been googling in vain for an example or some more explanation.

Note: strace on printing a txt file from kwrite does not show texttopdf anywhere.
CC: (none) => herman.viaene
Ubuntu has issued an advisory for this today (July 6): http://www.ubuntu.com/usn/usn-2659-1/
URL: (none) => http://lwn.net/Vulnerabilities/650310/
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
cups-filters libcups-filters1

default install of cups-filters libcups-filters1

[root@localhost wilcal]# urpmi cups-filters
Package cups-filters-1.0.53-1.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libcups-filters1
Package libcups-filters1-1.0.53-1.1.mga4.i586 is already installed

Printing to my HP USB 5510 printer works
Scanning from my HP USB 5510 printer works

install cups-filters & libcups-filters1 from updates_testing

[root@localhost wilcal]# urpmi cups-filters
Package cups-filters-1.0.53-1.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libcups-filters1
Package libcups-filters1-1.0.53-1.2.mga4.i586 is already installed

Printing to my HP USB 5510 printer works
Scanning from my HP USB 5510 printer works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
cups-filters lib64cups-filters1

default install of cups-filters lib64cups-filters1

[root@localhost wilcal]# urpmi cups-filters
Package cups-filters-1.0.53-1.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64cups-filters1
Package lib64cups-filters1-1.0.53-1.1.mga4.x86_64 is already installed

Printing to my HP USB 5510 printer works
Scanning from my HP USB 5510 printer works

install cups-filters & lib64cups-filters1 from updates_testing

[root@localhost wilcal]# urpmi cups-filters
Package cups-filters-1.0.53-1.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64cups-filters1
Package lib64cups-filters1-1.0.53-1.2.mga4.x86_64 is already installed

Printing to my HP USB 5510 printer works
Scanning from my HP USB 5510 printer works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
cups-filters libcups-filters1

default install of cups-filters libcups-filters1

[root@localhost wilcal]# urpmi cups-filters
Package cups-filters-1.0.67-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libcups-filters1
Package libcups-filters1-1.0.67-1.mga5.i586 is already installed

Printing to my HP USB 5510 printer works
Scanning from my HP USB 5510 printer works

install cups-filters & libcups-filters1 from updates_testing

[root@localhost wilcal]# urpmi cups-filters
Package cups-filters-1.0.71-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libcups-filters1
Package libcups-filters1-1.0.71-1.mga5.i586 is already installed

Printing to my HP USB 5510 printer works
Scanning from my HP USB 5510 printer works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
cups-filters lib64cups-filters1

default install of cups-filters lib64cups-filters1

[root@localhost wilcal]# urpmi cups-filters
Package cups-filters-1.0.67-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64cups-filters1
Package lib64cups-filters1-1.0.67-1.mga5.x86_64 is already installed

Printing to my HP USB 5510 printer works
Scanning from my HP USB 5510 printer works

install cups-filters & lib64cups-filters1 from updates_testing

[root@localhost wilcal]# urpmi cups-filters
Package cups-filters-1.0.71-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64cups-filters1
Package lib64cups-filters1-1.0.71-1.mga5.x86_64 is already installed

Printing to my HP USB 5510 printer works
Scanning from my HP USB 5510 printer works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
On all four of the arch's if I attempt to install lib(64)cups-filters-devel I get the following kind of error message:

Sorry, the following package cannot be selected:
- lib64cups-filters-devel-1.0.67-1.mga5.x86_64
(In reply to William Kenney from comment #10)
> On all four of the arch's if I attempt to install lib(64)cups-filters-devel
> I get the following kind of error message:
>
> Sorry, the following package cannot be selected:
> - lib64cups-filters-devel-1.0.67-1.mga5.x86_64

Make sure you don't have the other arch's devel package installed.

Besides that, what's the actual error? Why does it say it can't be selected?
> Make sure you don't have the other arch's devel package installed.

There are no cups-filters devel packages installed in all 4 clients

> Besides that, what's the actual error?

In the MCC the message in the error window is:

Sorry, the following package cannot be selected:
- lib64cups-filters-devel-1.0.67-1.mga5.x86_64

> Why does it say it can't be selected?

It suggests nothing.
(In reply to William Kenney from comment #12)
> > Why does it say it can't be selected?
>
> It suggests nothing.

Try it with urpmi.
> Try it with urpmi.

You get to choose :-):

[root@localhost wilcal]# urpmi lib64cups-filters-devel
In order to satisfy the 'devel(libgcc_s(64bit))' dependency, one of the following packages is needed:
 1- gcc-4.9.2-4.mga5.x86_64: GNU Compiler Collection (to install)
 2- gcc3.3-3.3.6-11.mga5.x86_64: GNU Compiler Collection (to install)
(In reply to William Kenney from comment #14)
> > Try it with urpmi.
>
> You get to choose :-):
>
> [root@localhost wilcal]# urpmi lib64cups-filters-devel
> In order to satisfy the 'devel(libgcc_s(64bit))' dependency, one of the
> following packages is needed:
> 1- gcc-4.9.2-4.mga5.x86_64: GNU Compiler Collection (to install)
> 2- gcc3.3-3.3.6-11.mga5.x86_64: GNU Compiler Collection (to install)

1
Choice #2

In order to satisfy the 'devel(libgcc_s(64bit))' dependency, one of the following packages is needed:
 1- gcc-4.9.2-4.mga5.x86_64: GNU Compiler Collection (to install)
 2- gcc3.3-3.3.6-11.mga5.x86_64: GNU Compiler Collection (to install)
(In reply to William Kenney from comment #16)
> Choice #2
>
> In order to satisfy the 'devel(libgcc_s(64bit))' dependency, one of the
> following packages is needed:
> 1- gcc-4.9.2-4.mga5.x86_64: GNU Compiler Collection (to install)
> 2- gcc3.3-3.3.6-11.mga5.x86_64: GNU Compiler Collection (to install)

That's the same thing as last time. Copy-paste error?

Anyway, when in doubt, choose 1.
In order to satisfy the 'devel(libstdc++(64bit))' dependency, one of the following packages is needed:
 1- libstdc++-devel-4.9.2-4.mga5.x86_64: Header files and libraries for C++ development (to install)
 2- libstdc++5-devel-3.3.6-11.mga5.x86_64: Header files and libraries for C++ development (to install)
What is your choice? (1-2) 1
In order to satisfy the 'devel(libgcc_s(64bit))' dependency, one of the following packages is needed:
 1- gcc-4.9.2-4.mga5.x86_64: GNU Compiler Collection (to install)
 2- gcc3.3-3.3.6-11.mga5.x86_64: GNU Compiler Collection (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "core64")
  gcc                            4.9.2        4.mga5        x86_64
  gcc-cpp                        4.9.2        4.mga5        x86_64
  glibc-devel                    2.20         20.mga5       x86_64
  gnutls                         3.2.21       1.mga5        x86_64
  kernel-userspace-headers       3.19.8       3.mga5        x86_64
  lib64avahi-client-devel        0.6.31       16.mga5       x86_64
  lib64avahi-common-devel        0.6.31       16.mga5       x86_64
  lib64dbus-devel                1.8.16       1.mga5        x86_64
  lib64ext2fs-devel              1.42.12      5.mga5        x86_64
  lib64ffi-devel                 3.1          4.mga5        x86_64
  lib64gmp-devel                 6.0.0a       3.mga5        x86_64
  lib64gnutls-devel              3.2.21       1.mga5        x86_64
  lib64gnutls-ssl27              3.2.21       1.mga5        x86_64
  lib64jbig-devel                2.1          3.mga5        x86_64
  lib64jpeg-devel                1.3.1        4.mga5        x86_64
  lib64krb53-devel               1.12.2       8.mga5        x86_64
  lib64lzma-devel                5.2.0        1.mga5        x86_64
  lib64mpc3                      1.0.2        4.mga5        x86_64
  lib64nettle2.7-devel           2.7.1        6.mga5        x86_64
  lib64p11-kit-devel             0.20.6       6.mga5        x86_64
  lib64png-devel                 1.6.17       1.mga5        x86_64
  lib64tasn1-devel               4.2          4.mga5        x86_64
  lib64tiff-devel                4.0.4        0.1.mga5      x86_64
  lib64turbojpeg0                1.3.1        4.mga5        x86_64
  lib64verto-devel               0.2.6        3.mga5        x86_64
  lib64zlib-devel                1.2.8        7.mga5        x86_64
  libstdc++-devel                4.9.2        4.mga5        x86_64
(medium "core_updates_testing_64")
  cups-common                    2.0.3        1.mga5        x86_64
  lib64cups-filters-devel        1.0.71       1.mga5        x86_64
  lib64cups2                     2.0.3        1.mga5        x86_64
  lib64cups2-devel               2.0.3        1.mga5        x86_64
105MB of additional disk space will be used.
25MB of packages will be retrieved.
Proceed with the installation of the 31 packages? (Y/n)

Here we go.
[root@localhost wilcal]# urpmi lib64cups-filters-devel
Package lib64cups-filters-devel-1.0.71-1.mga5.x86_64 is already installed

Looks good
Thanks. It looks like it's fine.
Same process on M5 i586

[root@localhost wilcal]# urpmi libcups-filters-devel
Package libcups-filters-devel-1.0.71-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libcups-filters-devel
Package libcups-filters-devel-1.0.53-1.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi lib64cups-filters-devel
Package lib64cups-filters-devel-1.0.53-1.2.mga4.x86_64 is already installed
Shall we push this thing?
(In reply to William Kenney from comment #24)
> Shall we push this thing?

Yes please. Thanks.
This update works fine. Testing complete for mga4 & mga5 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push 16221.adv to updates. Thanks
Keywords: (none) => validated_update
Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0270.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED