Bug 3979 - foomatic-filters missing security update for CVE-2011-2697 and CVE-2011-2964
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
Keywords: validated_update
Reported: 2012-01-01 03:27 CET by David Walser
Modified: 2012-02-28 17:04 CET
Source RPM: foomatic-filters-4.0.5-1.mga1.src.rpm

Description David Walser 2012-01-01 03:27:45 CET
Mandriva issued this advisory on August 14:
http://lists.mandriva.com/security-announce/2011-08/msg00007.php

This can be fixed by using the patches from MDV or by updating to 4.0.9.

Comment 1 Manuel Hiebel 2012-01-01 12:38:20 CET
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
Assignee: bugsquad => dmorganec

Comment 2 Manuel Hiebel 2012-01-16 17:03:40 CET
Ping ?

Comment 3 Manuel Hiebel 2012-02-01 11:05:56 CET
Ping ?

CC: (none) => thierry.vignaud

Comment 4 David Walser 2012-02-18 23:27:55 CET
Now the current version is 4.0.12, which contains another security fix:
"SECURITY FIX: Use the mktemp shell command and the mkstemp() C function to create debug files with unpredictable names (Thanks to Tim Waugh from Red Hat for the patch)."

The upstream website is now here:
http://www.linuxfoundation.org/collaborate/workgroups/openprinting

The Cauldron package needs to be updated as well.

On an unrelated note, the CUPS filters mentioned on their website should also be packaged for Cauldron.

Comment 5 David Walser 2012-02-26 18:37:40 CET
Patched package built.

Advisory:
========================

Updated foomatic-filters package fixes security vulnerabilities:

foomatic-rip in foomatic-filters before 4.0.8 allows remote attackers
to execute arbitrary code via a crafted *FoomaticRIPCommandLine field
in a .ppd file (CVE-2011-2697, CVE-2011-2964).

In foomatic-rip in foomatic-filters before 4.0.12, writing debug file
output in debugging mode is performed insecurely (CVE-2011-2924).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2697
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:125
https://bugs.linuxfoundation.org/show_bug.cgi?id=936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2924
========================

Updated packages in core/updates_testing:
========================
foomatic-filters-4.0.5-1.1.mga1

from foomatic-filters-4.0.5-1.1.mga1.src.rpm

CC: (none) => dmorganec
Assignee: dmorganec => qa-bugs
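
The changelog entry quoted in comment 4 and the CVE-2011-2924 item in the advisory in comment 5 both concern debug files created under a predictable name. The C program below is an added example, not code from foomatic-filters or from any commenter; the file names, the scratch directory and the helper functions are hypothetical, and the scenario is constructed inside a private directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Legacy pattern: fixed, predictable name. open() without O_EXCL follows a
 * symlink already present at that name and truncates whatever it points to. */
static int open_debug_fixed(const char *dir) {
    char path[4096];
    snprintf(path, sizeof path, "%s/example-debug.log", dir); /* hypothetical name */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: mkstemp() picks an unpredictable name and creates it with
 * O_CREAT|O_EXCL and mode 0600, so an existing file or symlink is never reused. */
static int open_debug_mkstemp(const char *dir, char *path, size_t len) {
    int n = snprintf(path, len, "%s/example-debug-XXXXXX", dir);
    if (n < 0 || (size_t)n >= len) return -1;
    return mkstemp(path);
}

/* Constructed scenario: a 9-byte "victim" file and a symlink to it at the
 * predictable log name. Returns the victim's size after one byte is logged. */
static long victim_size_after(int use_mkstemp) {
    char dir[] = "/tmp/dbgdemo-XXXXXX", victim[4096], lnk[4096], logp[4096];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/example-debug.log", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important", f); fclose(f);
    if (symlink(victim, lnk) != 0) return -1;
    int fd = use_mkstemp ? open_debug_mkstemp(dir, logp, sizeof logp) : open_debug_fixed(dir);
    if (fd < 0) return -1;
    if (write(fd, "x", 1) != 1) { close(fd); return -1; }
    close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    if (use_mkstemp) unlink(logp);
    unlink(lnk); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("fixed name: victim is %ld bytes\n", victim_size_after(0));
    printf("mkstemp:    victim is %ld bytes\n", victim_size_after(1));
    return 0;
}
```

With the fixed name the victim file is overwritten through the symlink; with mkstemp() it keeps its original 9 bytes.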

Comment 6 Dave Hodgins 2012-02-27 06:48:32 CET
It's working fine on my i586 system.

Is this update complex enough that we should post a request
for more general testing before validating, or is the limited
qa hardware enough for testing this update?

CC: (none) => davidwhodgins

Comment 7 David Walser 2012-02-27 12:13:39 CET
(In reply to comment #6)
> It's working fine on my i586 system.
> 
> Is this update complex enough that we should post a request
> for more general testing before validating, or is the limited
> qa hardware enough for testing this update?

It's not a very complex update.  It just changes some tmp file handling and parsing of certain command line options that wouldn't be used in normal situations.  As long as foomatic-rip still works, there's no functional difference to before.

Comment 8 Dave Hodgins 2012-02-27 19:50:42 CET
Thanks for the answer.  Once this can be confirmed on x86-64
by, for example, printing a page of a pdf document, the update
can be validated.

Comment 9 claire robinson 2012-02-28 10:33:57 CET
Tested x86_64 with:

foomatic-rip --ppd=/etc/cups/ppd/Cups-PDF.ppd -v <somefile>

Update validated

Could sysadmin please push from core/updates_testing to core/updates?

Please see comment 5 for details

Thank you!

Keywords: Triaged => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 10 Thomas Backlund 2012-02-28 17:04:19 CET
update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

