A security issue fixed upstream in cups-filters has been announced: https://www.openwall.com/lists/oss-security/2023/05/17/5 Commits to fix the issue have been linked in the message above. The fixes will be included in versions 2.0.0 and 1.28.18. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.28.18
Whiteboard: (none) => MGA8TOO
Ubuntu has issued an advisory for this on May 17: https://ubuntu.com/security/notices/USN-6083-1
SUSE has issued an advisory for this on May 17: https://lists.suse.com/pipermail/sle-security-updates/2023-May/014921.html
Fedora has issued an advisory for this today (May 19): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YNCGL2ZTAS2GFF23QFT55UFWIDMI4ZJK/
This pkg has different committers, so assigning this update globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

If you use the Backend Error Handler (beh) to create an accessible network printer, this security vulnerability can cause remote code execution. `beh.c` contains the line `retval = system(cmdline) >> 8;` which calls the `system` command with the operand `cmdline`. `cmdline` contains multiple user controlled, unsanitized values. As a result an attacker with network access to the hosted print server can exploit this vulnerability to inject system commands which are executed in the context of the running server. (CVE-2023-24805)

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24805
https://www.openwall.com/lists/oss-security/2023/05/17/5
https://ubuntu.com/security/notices/USN-6083-1
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014921.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YNCGL2ZTAS2GFF23QFT55UFWIDMI4ZJK/
========================

Updated packages in core/updates_testing:
========================

cups-filters-1.28.7-1.1.mga8
lib(64)cups-filters1-1.28.7-1.1.mga8
lib(64)cups-filters-devel-1.28.7-1.1.mga8

from SRPM:
cups-filters-1.28.7-1.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Source RPM: cups-filters-1.28.16-5.mga9.src.rpm => cups-filters-1.28.7-1.mga8.src.rpm
Status comment: Fixed upstream in 1.28.18 => (none)
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
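The advisory above quotes the vulnerable line `retval = system(cmdline) >> 8;`. The following is an added example, not cups-filters code and not a reproduction of the upstream commits, showing why interpolating job fields into a single shell string is injectable and how the same invocation becomes safe when the backend is started with fork() and execv() on an argv array, so that no shell ever parses the fields. The command-line layout, the job fields, `/bin/echo` standing in for the real backend, and the injected title are all constructed for this demonstration and do not reflect beh's actual format.

```c
/*
 * Added illustration, not cups-filters code: a cmdline assembled from job
 * fields and handed to system() versus the same fields passed as argv[]
 * to execv(). Exit codes make the difference observable without doing
 * anything harmful: /bin/echo plays the backend, and an injected "false"
 * in the job title surfaces as exit status 1.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: job fields interpolated into one shell string.
 * The layout here is an assumption for the demonstration; the real beh
 * layout differs, but the defect (unsanitized %s fields) is the same. */
int build_cmdline(char *buf, size_t n, const char *backend,
                  const char *uri, const char *jobid, const char *user,
                  const char *title, const char *copies, const char *options)
{
    int len = snprintf(buf, n, "%s %s %s %s %s %s %s",
                       backend, uri, jobid, user, title, copies, options);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Mirrors `retval = system(cmdline) >> 8`: /bin/sh parses cmdline, so a
 * ';', '|', '&&' or '$(...)' inside any field starts a new command. */
int run_via_system(const char *cmdline)
{
    int status = system(cmdline);
    if (status == -1)
        return -1;
    return status >> 8;
}

/* Hardened pattern: fork and execv() the backend directly. No shell is
 * involved, so each job field reaches the backend as exactly one argv
 * element, metacharacters included, and cannot become a command. */
int run_via_exec(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);            /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed job: the title carries an injected command. */
    const char *title = "report; false";
    char cmdline[512];

    if (build_cmdline(cmdline, sizeof cmdline, "/bin/echo",
                      "socket://printer:9100", "42", "alice",
                      title, "1", "") < 0)
        return 1;
    /* The shell runs echo, then the injected "false": exit 1. */
    printf("system(): exit %d\n", run_via_system(cmdline));

    /* Same fields as argv: echo prints "report; false" literally: exit 0. */
    char *const argv[] = { "/bin/echo", "socket://printer:9100", "42",
                           "alice", (char *)title, "1", "", NULL };
    printf("execv():  exit %d\n", run_via_exec(argv));
    return 0;
}
```

The exec-based variant is the general cure for this class of bug: the backend still receives every field, but the kernel hands them over as separate strings rather than a shell re-tokenising a line. Any wrapper that must retry or inspect the backend's exit status, as beh does, can do so from the waitpid() result exactly as it did from system()'s.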
MGA8-64 Plasma system, with an HP color Laserjet CP1215 and cups-pdf printers installed. No installation issues. Using the procedure from several previous updates, I checked the function of the printers, and both real and virtual functioned normally. Giving this an OK, and validating. Advisory in comment 5.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0189.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED