[Pkg-hpijs-devel] Bug#635549: foomatic-filters 4.0.5-6+squeeze1 stable-security upload for CVE-2011-2964

Didier Raboud odyx at debian.org
Wed Jan 4 12:04:22 UTC 2012


Hi Moritz,
(CC'ing #635549 as it was mentioned there and team at s.d.o as per [0])

First of all, sorry for the delay.

I have been preparing a stable-security upload for foomatic-filters, 
reportedly vulnerable to CVE-2011-2964 in its version currently in 
stable.

(By the way, given that there is _no_ C version of foomatic-rip in 
lenny's foomatic-filters, I think that lenny is not affected by 
CVE-2011-2964; it is by CVE-2011-2697 though, I'll see what I can do on 
that side.)

The Ubuntu folks have already uploaded a fix for this specific issue 
[1], so I have just taken their patch. debdiff and patch are attached, 
proposed changelog entry is below, please comment.

foomatic-filters (4.0.5-6+squeeze1) stable-security; urgency=high

   * Fix CVE-2011-2964
     "foomaticrip.c in foomatic-rip in foomatic-filters allows remote attackers
      to execute arbitrary code via a crafted *FoomaticRIPCommandLine field in
      a .ppd file."
     - Import debian/patches/CVE-2011-2964.patch from Ubuntu maverick's
       4.0.5-0ubuntu3.1, enhance its DEP-3 headers.

Cheers,

OdyX

[0] http://www.debian.org/security/faq#contact
[1] https://launchpad.net/ubuntu/maverick/+source/foomatic-filters/4.0.5-0ubuntu3.1
    and
    http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/maverick/foomatic-filters/maverick-security/view/head:/debian/patches/CVE-2011-2964.patch
Attachment: foomatic-filters_4.0.5-6+squeeze1.debdiff
<http://lists.alioth.debian.org/pipermail/pkg-hpijs-devel/attachments/20120104/e42c5bda/attachment-0002.ksh>
Attachment: CVE-2011-2964.patch
<http://lists.alioth.debian.org/pipermail/pkg-hpijs-devel/attachments/20120104/e42c5bda/attachment-0003.ksh>