Bug 17330 - cups-filters new security issue CVE-2015-8560
Summary: cups-filters new security issue CVE-2015-8560
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/668128/
Whiteboard: has_procedue advisory mga5-32-ok MGA5...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-12-14 17:12 CET by David Walser
Modified: 2015-12-17 17:42 CET (History)
1 user (show)

See Also:
Source RPM: cups-filters-1.0.71-1.1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2015-12-14 17:12:07 CET 
A CVE was requested for an issue fixed upstream in cups-filters on December 13:
http://openwall.com/lists/oss-security/2015/12/13/2

I've added the patch in Cauldron.  Locally I've added the ";" to the CVE-2015-8327 patch for Mageia 5, but waiting for a CVE assignment before committing it.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-12-14 22:43:42 CET 
This has been assigned CVE-2015-8560:
http://openwall.com/lists/oss-security/2015/12/14/13

Patched package uploaded for Mageia 5.  This was already fixed in Cauldron.

Advisory:
========================

Updated cups-filters package fixes security vulnerability:

Adam Chester discovered that missing input sanitising in the foomatic-rip
print filter might result in the execution of arbitrary commands
(CVE-2015-8327).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8560
http://openwall.com/lists/oss-security/2015/12/14/13
========================

Updated packages in core/updates_testing:
========================
cups-filters-1.0.71-1.2.mga5
libcups-filters1-1.0.71-1.2.mga5
libcups-filters-devel-1.0.71-1.2.mga5

from cups-filters-1.0.71-1.2.mga5.src.rpm

Assignee: bugsquad => qa-bugs
Summary: cups-filters new security issue similar to CVE-2015-8327 => cups-filters new security issue CVE-2015-8560

Comment 2 James Kerr 2015-12-15 12:16:17 CET 
On mga5-64

Installed packages from testing:

lib64cups-filters1-1.0.71-1.2.mga5
cups-filters-1.0.71-1.2.mga5

Packages installed cleanly. Printer continues to function normally.

OK for mga5-64

Whiteboard: (none) => MGA5-64-OK

Comment 3 David Walser 2015-12-16 14:38:06 CET 
Debian has issued an advisory for this on December 15:
https://www.debian.org/security/2015/dsa-3419
Comment 4 claire robinson 2015-12-16 16:20:11 CET 
Testing complete mga5 32, same as comment 2

Validating. Advisory uploaded.

Please push to 5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => has_procedue advisory mga5-32-ok MGA5-64-OK
CC: (none) => sysadmin-bugs

David Walser 2015-12-16 19:31:14 CET

URL: (none) => http://lwn.net/Vulnerabilities/668128/

Comment 5 Mageia Robot 2015-12-16 22:02:01 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0476.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2015-12-17 17:42:10 CET 
Hmm, I had the right CVE in the references and bug title, but the wrong one in the advisory text and the advisory committed to SVN had the wrong CVE.  I fixed the advisory in SVN :o(
Note You need to log in before you can comment on or make changes to this bug.