Debian Bug report logs - #635549
Two security issues

Package: hplip; Maintainer for hplip is Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>; Source for hplip is src:hplip.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 26 Jul 2011 21:06:24 UTC

Severity: grave

Tags: security

Found in version hplip/3.10.6-2

Fixed in versions 3.11.10-1, hplip/3.10.6-2+squeeze1

Done: Mark Purcell <msp@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Tue, 26 Jul 2011 21:06:27 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Tue, 26 Jul 2011 21:06:36 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Two security issues
Date: Tue, 26 Jul 2011 23:07:01 +0200
Package: hplip
Severity: grave
Tags: security

Two security issues have been reported in hplip:

1. Shell command injection in foomatic-rip-hplip: 
https://bugzilla.novell.com/show_bug.cgi?id=698451
This is CVE-2011-2697

2. Insecure tempfile handling:
https://bugzilla.novell.com/show_bug.cgi?id=704608
https://bugs.launchpad.net/hplip/+bug/809904
This is CVE-2011-2722

This should be fixed in a DSA, could you prepare updated
packages?

Cheers,
        Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Fri, 25 Nov 2011 11:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Didier Raboud <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Fri, 25 Nov 2011 11:21:14 GMT) Full text and rfc822 format available.

Message #10 received at 635549@bugs.debian.org (full text, mbox):

From: Didier Raboud <odyx@debian.org>
To: 635549@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: #635549: Two hplip security issues
Date: Fri, 25 Nov 2011 12:16:06 +0100
[Message part 1 (text/plain, inline)]
found 635549 3.10.6-2
notfound 635549 3.11.10
thanks

Hi Moritz,

On Tuesday, 26 July 2011 23.07:01, Moritz Muehlenhoff wrote:
> 
> Two security issues have been reported in hplip:
> 
> 1. Shell command injection in foomatic-rip-hplip:
> https://bugzilla.novell.com/show_bug.cgi?id=698451
> This is CVE-2011-2697

As far as I can see, the culprit file is foomatic-rip-hplip, which is only 
shipped in hplip-ppds, and only in stable; testing and unstable versions rely 
on the fixed foomatic-rip from the foomatic-filters package.

> 2. Insecure tempfile handling:
> https://bugzilla.novell.com/show_bug.cgi?id=704608
> https://bugs.launchpad.net/hplip/+bug/809904
> This is CVE-2011-2722

This seems to be fixed in 3.11.10, hence again, only stable is affected.

> This should be fixed in a DSA, could you prepare updated
> packages?

I will try to, but would be happier if the HPLIP team could do this security 
upload themselves (4 months without a single response; meh).

Cheers,

--
OdyX
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Fri, 25 Nov 2011 11:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Didier Raboud <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Fri, 25 Nov 2011 11:27:05 GMT) Full text and rfc822 format available.

Message #15 received at 635549@bugs.debian.org (full text, mbox):

From: Didier Raboud <odyx@debian.org>
To: 635549@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: #635549: Two hplip security issues
Date: Fri, 25 Nov 2011 12:22:24 +0100
[Message part 1 (text/plain, inline)]
On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
> found 635549 3.10.6-2
> notfound 635549 3.11.10
> thanks
> 
> Hi Moritz,
> 
> On Tuesday, 26 July 2011 23.07:01, Moritz Muehlenhoff wrote:
> > Two security issues have been reported in hplip:
> > 
> > 1. Shell command injection in foomatic-rip-hplip:
> > https://bugzilla.novell.com/show_bug.cgi?id=698451
> > This is CVE-2011-2697
> 
> As far as I can see, the culprit file is foomatic-rip-hplip, which is only
> shipped in hplip-ppds, and only in stable; testing and unstable versions
> rely on the fixed foomatic-rip from the foomatic-filters package.

Hmm. Wrong.

usr/lib/cups/filter/foomatic-rip-hplip (supposedly culprit file) is already a 
symlink to usr/lib/cups/filter/foomatic-rip in the stable package. So this CVE 
doesn't affect any version bigger than what is in stable

-- 
OdyX
[signature.asc (application/pgp-signature, inline)]

Bug Marked as found in versions hplip/3.10.6-2. Request was from Didier Raboud <odyx@debian.org> to control@bugs.debian.org. (Fri, 25 Nov 2011 12:40:49 GMT) Full text and rfc822 format available.

Reply sent to Didier Raboud <odyx@debian.org>:
You have taken responsibility. (Fri, 25 Nov 2011 12:48:26 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 25 Nov 2011 12:49:00 GMT) Full text and rfc822 format available.

Message #22 received at 635549-done@bugs.debian.org (full text, mbox):

From: Didier Raboud <odyx@debian.org>
To: 635549-done@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: #635549: Two hplip security issues
Date: Fri, 25 Nov 2011 13:23:10 +0100
[Message part 1 (text/plain, inline)]
Version: 3.11.10-1

On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
> As far as I can see, the culprit file is foomatic-rip-hplip, which is only
> shipped in hplip-ppds, and only in stable; testing and unstable versions
> rely on the fixed foomatic-rip from the foomatic-filters package.
(…)
> This seems to be fixed in 3.11.10, hence again, only stable is affected.

Meh. So it's "-done" in the version currently in testing.
-- 
OdyX
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Fri, 25 Nov 2011 13:10:30 GMT) Full text and rfc822 format available.

Acknowledgement sent to Didier Raboud <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Fri, 25 Nov 2011 13:10:34 GMT) Full text and rfc822 format available.

Message #27 received at 635549@bugs.debian.org (full text, mbox):

From: Didier Raboud <odyx@debian.org>
To: 635549@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: #635549: Two hplip security issues
Date: Fri, 25 Nov 2011 14:04:44 +0100
[Message part 1 (text/plain, inline)]
On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
> > 
> > 2. Insecure tempfile handling:
> > https://bugzilla.novell.com/show_bug.cgi?id=704608
> > https://bugs.launchpad.net/hplip/+bug/809904
> > This is CVE-2011-2722
> 
> This seems to be fixed in 3.11.10, hence again, only stable is affected.

The attached dpatch against the version currently in stable does fix that bug.

As for oldstable, I couldn't find any occurrence of this bug in the source 
code.

Cheers,

OdyX
[CVE-2011-2722.dpatch (application/x-shellscript, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Fri, 25 Nov 2011 13:54:42 GMT) Full text and rfc822 format available.

Acknowledgement sent to Didier Raboud <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Fri, 25 Nov 2011 13:54:42 GMT) Full text and rfc822 format available.

Message #32 received at 635549@bugs.debian.org (full text, mbox):

From: Didier Raboud <odyx@debian.org>
To: 635549@bugs.debian.org
Subject: Re: #635549: Two hplip security issues
Date: Fri, 25 Nov 2011 14:43:49 +0100
[Message part 1 (text/plain, inline)]
On Friday, 25 November 2011 12.22:24, Didier Raboud wrote:
> > On Tuesday, 26 July 2011 23.07:01, Moritz Muehlenhoff wrote:
> > > 
> > > 1. Shell command injection in foomatic-rip-hplip:
> > > https://bugzilla.novell.com/show_bug.cgi?id=698451
> > > This is CVE-2011-2697
> > 
> > As far as I can see, the culprit file is foomatic-rip-hplip, which is
> > only shipped in hplip-ppds, and only in stable; testing and unstable
> > versions rely on the fixed foomatic-rip from the foomatic-filters
> > package.

> usr/lib/cups/filter/foomatic-rip-hplip (supposedly culprit file) is already
> a symlink to usr/lib/cups/filter/foomatic-rip in the stable package. So
> this CVE doesn't affect any version bigger than what is in stable

And foomatic-rip-hplip is not in oldstable either, so it seems CVE-2011-2697 
doesn't affect any currently released hplip.

Cheers,
-- 
OdyX
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Fri, 25 Nov 2011 14:03:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Didier Raboud <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Fri, 25 Nov 2011 14:03:08 GMT) Full text and rfc822 format available.

Message #37 received at 635549@bugs.debian.org (full text, mbox):

From: Didier Raboud <odyx@debian.org>
To: debian-release@lists.debian.org, pkg-hpijs-devel@lists.alioth.debian.org
Cc: 635549@bugs.debian.org
Subject: Stable update of hplip for CVE-2011-2722 (#635549) ?
Date: Fri, 25 Nov 2011 14:58:55 +0100
[Message part 1 (text/plain, inline)]
Dear Release Team,

after taking a closer look at #635549 and an IRC chat with the Security 
people, I propose to upload hplip to stable with the following changelog 
entry: 

    hplip (3.10.6-2+squeeze0) stable; urgency=low
    
      * Fix CVE-2011-2722 "Insecure tempfile handling" by patching the culprit
        code out. (Closes: #635549)
    
     -- Didier Raboud <odyx@debian.org>  Fri, 25 Nov 2011 14:53:50 +0100

Debdiff and dpatch are attached; please comment.

Cheers,

-- 
OdyX
[hplip_3.10.6-2+squeeze0.debdiff (text/x-patch, attachment)]
[CVE-2011-2722.dpatch (application/x-shellscript, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Fri, 25 Nov 2011 17:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Fri, 25 Nov 2011 17:39:03 GMT) Full text and rfc822 format available.

Message #42 received at 635549@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Didier Raboud <odyx@debian.org>
Cc: 635549@bugs.debian.org
Subject: Re: #635549: Two hplip security issues
Date: Fri, 25 Nov 2011 18:36:29 +0100
On Fri, Nov 25, 2011 at 12:22:24PM +0100, Didier Raboud wrote:
> On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
> > found 635549 3.10.6-2
> > notfound 635549 3.11.10
> > thanks
> > 
> > Hi Moritz,
> > 
> > On Tuesday, 26 July 2011 23.07:01, Moritz Muehlenhoff wrote:
> > > Two security issues have been reported in hplip:
> > > 
> > > 1. Shell command injection in foomatic-rip-hplip:
> > > https://bugzilla.novell.com/show_bug.cgi?id=698451
> > > This is CVE-2011-2697
> > 
> > As far as I can see, the culprit file is foomatic-rip-hplip, which is only
> > shipped in hplip-ppds, and only in stable; testing and unstable versions
> > rely on the fixed foomatic-rip from the foomatic-filters package.
> 
> Hmm. Wrong.
> 
> usr/lib/cups/filter/foomatic-rip-hplip (supposedly culprit file) is already a 
> symlink to usr/lib/cups/filter/foomatic-rip in the stable package. So this CVE 
> doesn't affect any version bigger than what is in stable

Confirmed. I've updated the security tracker. However, we still need
to update foomatic-filters to secure Squeeze. Since you're also part
of the maintainer group for foomatic-filters, could you investigate/
prepare fixed packages for these two issues in foomatic-filters?
http://security-tracker.debian.org/tracker/CVE-2011-2697 
http://security-tracker.debian.org/tracker/CVE-2011-2964

A side note for CVE-2011-2697:
There are two implementations of the affected filter: the version from foomatic-filters
4.0 is written in C and has been assigned CVE-2011-2964 and the version in
foomatic-filters 3.x is written in Perl and has been assigned CVE-2011-2697

Cheers,
        Moritz


Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Fri, 25 Nov 2011 17:39:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Fri, 25 Nov 2011 17:39:05 GMT) Full text and rfc822 format available.

Message #47 received at 635549@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Didier Raboud <odyx@debian.org>
Cc: 635549@bugs.debian.org
Subject: Re: #635549: Two hplip security issues
Date: Fri, 25 Nov 2011 18:38:19 +0100
On Fri, Nov 25, 2011 at 02:04:44PM +0100, Didier Raboud wrote:
> On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
> > > 
> > > 2. Insecure tempfile handling:
> > > https://bugzilla.novell.com/show_bug.cgi?id=704608
> > > https://bugs.launchpad.net/hplip/+bug/809904
> > > This is CVE-2011-2722
> > 
> > This seems to be fixed in 3.11.10, hence again, only stable is affected.
> 
> The attached dpatch against the version currently in stable does fix that bug.
> 
> As for oldstable, I couldn't find any occurrence of this bug in the source 
> code.

CVE-2011-2722 itself doesn't warrant a DSA. Could the hplip maintainers
please fix this through a point update?
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Fri, 25 Nov 2011 23:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mark Purcell <msp@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Fri, 25 Nov 2011 23:27:04 GMT) Full text and rfc822 format available.

Message #52 received at 635549@bugs.debian.org (full text, mbox):

From: Mark Purcell <msp@debian.org>
To: pkg-hpijs-devel@lists.alioth.debian.org, Moritz Mühlenhoff <jmm@inutil.org>, 635549@bugs.debian.org
Cc: Didier Raboud <odyx@debian.org>
Subject: Re: [Pkg-hpijs-devel] Bug#635549: #635549: Two hplip security issues
Date: Sat, 26 Nov 2011 10:23:57 +1100
[Message part 1 (text/plain, inline)]
On Sat, 26 Nov 2011 04:38:19 Moritz Mühlenhoff wrote:
> CVE-2011-2722 itself doesn't warrant a DSA. Could the hplip maintainers
> please fix this through a point update?
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Moritz and odyx,

Thanks for chasing this down.

I should be able to upload something this week.

Mark
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Thu, 01 Dec 2011 20:21:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Thu, 01 Dec 2011 20:21:07 GMT) Full text and rfc822 format available.

Message #57 received at 635549@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Didier Raboud <odyx@debian.org>
Cc: debian-release@lists.debian.org, pkg-hpijs-devel@lists.alioth.debian.org, 635549@bugs.debian.org
Subject: Re: Stable update of hplip for CVE-2011-2722 (#635549) ?
Date: Thu, 01 Dec 2011 20:17:07 +0000
On Fri, 2011-11-25 at 14:58 +0100, Didier Raboud wrote:
> after taking a closer look at #635549 and an IRC chat with the Security 
> people, I propose to upload hplip to stable with the following changelog 
> entry: 
> 
>     hplip (3.10.6-2+squeeze0) stable; urgency=low

Why "+squeeze0"?  +squeeze1 is more conventional.
    
>       * Fix CVE-2011-2722 "Insecure tempfile handling" by patching the culprit
>         code out. (Closes: #635549)

I'm assuming the debug code isn't likely to be used that often?  The
upstream bug (<URL:https://bugs.launchpad.net/hplip/+bug/809904>)
implies that they were looking at replacing the code with a mkstemp()
call, rather than removing it.  If it's basically unused then patching
it out should be okay though.

fwiw, my MUA failed to verify the signature on your mail.

Regards,

Adam
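
The mkstemp() replacement mentioned in the message above, set beside a fixed-name debug dump, as an added example; it is not hplip's code and not the attached dpatch. The file names, function names and the regression check are hypothetical, and the check works only inside a scratch directory it creates itself.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DUMP_NAME "debug-dump.out"  /* hypothetical fixed name, not hplip's */

static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0)
            return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Pattern at issue: a predictable name opened the way fopen(path, "w")
 * opens it. An existing path is followed and truncated, whatever it is. */
int dump_fixed_name(const char *dir, const char *data)
{
    char path[512];
    snprintf(path, sizeof path, "%s/%s", dir, DUMP_NAME);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0)
        return -1;
    int rc = write_all(fd, data, strlen(data));
    close(fd);
    return rc;
}

/* mkstemp() variant: unique name, created with O_EXCL and mode 0600, so a
 * path that already exists is never reused. The chosen name is returned
 * in 'path' so the caller can log or remove it. */
int dump_mkstemp(const char *dir, const char *data, char *path, size_t path_len)
{
    int n = snprintf(path, path_len, "%s/debug-dump.XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len)
        return -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    int rc = write_all(fd, data, strlen(data));
    close(fd);
    return rc;
}

static int slurp(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    buf[n] = '\0';
    fclose(f);
    return 0;
}

/* Regression check for a fix: with a link already sitting at the fixed dump
 * name, does writing the dump change the file the link points to?
 * Returns 1 if that file was overwritten, 0 if intact, -1 on setup error. */
int other_file_overwritten(int use_mkstemp)
{
    char dir[] = "/tmp/tmpfile-demo.XXXXXX";   /* constructed scratch dir */
    char other[512], link_path[512], made[512] = "", got[64];
    int result = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(other, sizeof other, "%s/other-file", dir);
    snprintf(link_path, sizeof link_path, "%s/%s", dir, DUMP_NAME);

    FILE *f = fopen(other, "w");
    if (f) {
        fputs("important\n", f);
        fclose(f);
        if (symlink(other, link_path) == 0) {
            int rc = use_mkstemp
                ? dump_mkstemp(dir, "debug\n", made, sizeof made)
                : dump_fixed_name(dir, "debug\n");
            if (rc == 0 && slurp(other, got, sizeof got) == 0)
                result = strcmp(got, "important\n") != 0;
        }
    }
    if (made[0])
        unlink(made);
    unlink(link_path);
    unlink(other);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("fixed name: other file overwritten = %d\n", other_file_overwritten(0));
    printf("mkstemp():  other file overwritten = %d\n", other_file_overwritten(1));
    return 0;
}
```

On Linux, fs.protected_symlinks=1 limits link following in sticky world-writable directories such as /tmp; the check uses a private scratch directory, so its result reflects the code rather than that sysctl.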

Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Sun, 04 Dec 2011 17:27:34 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Sun, 04 Dec 2011 17:27:34 GMT) Full text and rfc822 format available.

Message #62 received at 635549@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Didier Raboud <odyx@debian.org>
Cc: debian-release@lists.debian.org, pkg-hpijs-devel@lists.alioth.debian.org, 635549@bugs.debian.org
Subject: Re: Stable update of hplip for CVE-2011-2722 (#635549) ?
Date: Sun, 04 Dec 2011 17:26:41 +0000
On Thu, 2011-12-01 at 20:17 +0000, Adam D. Barratt wrote:
> On Fri, 2011-11-25 at 14:58 +0100, Didier Raboud wrote:
> >       * Fix CVE-2011-2722 "Insecure tempfile handling" by patching the culprit
> >         code out. (Closes: #635549)
> 
> I'm assuming the debug code isn't likely to be used that often?  The
> upstream bug (<URL:https://bugs.launchpad.net/hplip/+bug/809904>)
> implies that they were looking at replacing the code with a mkstemp()
> call, rather than removing it.  If it's basically unused then patching
> it out should be okay though.

fwiw, the above wasn't a rhetorical question.  I was anticipating that
the next action would have been a reply, not an upload...

Anyway, now the upload has occurred, it will get processed in due
course.

Regards,

Adam

Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Sun, 11 Dec 2011 18:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Sun, 11 Dec 2011 18:06:03 GMT) Full text and rfc822 format available.

Message #67 received at 635549@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: pkg-hpijs-devel@lists.alioth.debian.org
Cc: debian-release@lists.debian.org, 635549@bugs.debian.org
Subject: Re: Stable update of hplip for CVE-2011-2722 (#635549) ?
Date: Sun, 11 Dec 2011 18:02:07 +0000
On Sun, 2011-12-04 at 17:26 +0000, Adam D. Barratt wrote:
> On Thu, 2011-12-01 at 20:17 +0000, Adam D. Barratt wrote:
> > On Fri, 2011-11-25 at 14:58 +0100, Didier Raboud wrote:
> > >       * Fix CVE-2011-2722 "Insecure tempfile handling" by patching the culprit
> > >         code out. (Closes: #635549)
> > 
> > I'm assuming the debug code isn't likely to be used that often?  The
> > upstream bug (<URL:https://bugs.launchpad.net/hplip/+bug/809904>)
> > implies that they were looking at replacing the code with a mkstemp()
> > call, rather than removing it.  If it's basically unused then patching
> > it out should be okay though.
> 
> fwiw, the above wasn't a rhetorical question.  I was anticipating that
> the next action would have been a reply, not an upload...

Having said that, a reply wouldn't be unwelcome...

Regards,

Adam

Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Wed, 04 Jan 2012 12:17:53 GMT) Full text and rfc822 format available.

Acknowledgement sent to Didier Raboud <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Wed, 04 Jan 2012 12:20:39 GMT) Full text and rfc822 format available.

Message #72 received at 635549@bugs.debian.org (full text, mbox):

From: Didier Raboud <odyx@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: <team@security.debian.org>, <635549@bugs.debian.org>
Subject: foomatic-filters 4.0.5-6+squeeze1 stable-security upload for CVE-2011-2964
Date: Wed, 04 Jan 2012 13:04:22 +0100
[Message part 1 (text/plain, inline)]
Hi Moritz,
(CC'ing #635549 as it was mentioned there and team@s.d.o as per [0])

First of all, sorry for the delay.

I have been preparing a stable-security upload for foomatic-filters, 
reportedly vulnerable to CVE-2011-2964 in its version currently in 
stable.

(By the way, given that there is _no_ C version of foomatic-rip in 
lenny's foomatic-filters, I think that lenny is not affected by 
CVE-2011-2964; it is by CVE-2011-2697 though, I'll see what I can do on 
that side.)

The Ubuntu folks have already uploaded a fix for this specific issue 
[1], so I have just taken their patch. debdiff and patch are attached, 
proposed changelog entry is below, please comment.

foomatic-filters (4.0.5-6+squeeze1) stable-security; urgency=high

  * Fix CVE-2011-2964
    "foomaticrip.c in foomatic-rip in foomatic-filters allows remote attackers
     to execute arbitrary code via a crafted *FoomaticRIPCommandLine field in
     a .ppd file."
    - Import debian/patches/CVE-2011-2964.patch from Ubuntu maverick's
      4.0.5-0ubuntu3.1, enhance its DEP-3 headers.

Cheers,

OdyX

[0] http://www.debian.org/security/faq#contact
[1] https://launchpad.net/ubuntu/maverick/+source/foomatic-filters/4.0.5-0ubuntu3.1
    and
    http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/maverick/foomatic-filters/maverick-security/view/head:/debian/patches/CVE-2011-2964.patch
[foomatic-filters_4.0.5-6+squeeze1.debdiff (text/plain, attachment)]
[CVE-2011-2964.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Wed, 04 Jan 2012 12:57:48 GMT) Full text and rfc822 format available.

Acknowledgement sent to Didier Raboud <didier@raboud.com>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Wed, 04 Jan 2012 12:57:56 GMT) Full text and rfc822 format available.

Message #77 received at 635549@bugs.debian.org (full text, mbox):

From: Didier Raboud <didier@raboud.com>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: <team@security.debian.org>, <635549@bugs.debian.org>
Subject: foomatic-filters 3.0.2-20080211-3.2+lenny1 oldstable-security upload for CVE-2011-2697
Date: Wed, 04 Jan 2012 13:49:50 +0100
[Message part 1 (text/plain, inline)]
Hi again Moritz,
(CC'ing #635549 as it was mentioned there and team@s.d.o as per [0])

On Wed, 04 Jan 2012 13:04:22 +0100, Didier Raboud wrote:
> (By the way, given that there is _no_ C version of foomatic-rip in
> lenny's foomatic-filters, I think that lenny is not affected by
> CVE-2011-2964; it is by CVE-2011-2697 though, I'll see what I can do
> on that side.)

So now I have been preparing an oldstable-security upload for 
foomatic-filters, reportedly vulnerable to CVE-2011-2697 in its version 
currently in oldstable. Same as before: it was mostly a matter of 
cherry-picking the changes already prepared by the Ubuntu folks [1].

debdiff is attached, proposed changelog entry is below, please comment.

foomatic-filters (3.0.2-20080211-3.2+lenny1) oldstable-security; urgency=high

 * Fix CVE-2011-2697
   "foomatic-rip in foomatic-filters allows remote attackers to execute
    arbitrary code via a crafted *FoomaticRIPCommandLine field in a ppd
    file."
   - Patch foomatic-rip.in using debian/patches/CVE-2011-2697.patch from
     Ubuntu hardy's 3.0.2-20071204-0ubuntu2.3, itself backported from
     upstream (revision 140).

Cheers,

OdyX

[0] http://www.debian.org/security/faq#contact
[1] https://launchpad.net/ubuntu/+source/foomatic-filters/3.0.2-20071204-0ubuntu2.3
    and
    http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/hardy/foomatic-filters/hardy-security/view/head:/debian/patches/CVE-2011-2697.patch
[foomatic-filters_3.0.2-20080211-3.2+lenny1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Wed, 04 Jan 2012 17:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Wed, 04 Jan 2012 17:36:03 GMT) Full text and rfc822 format available.

Message #82 received at 635549@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Didier Raboud <odyx@debian.org>
Cc: team@security.debian.org, 635549@bugs.debian.org
Subject: Re: foomatic-filters 4.0.5-6+squeeze1 stable-security upload for CVE-2011-2964
Date: Wed, 4 Jan 2012 18:34:18 +0100
On Wed, Jan 04, 2012 at 01:04:22PM +0100, Didier Raboud wrote:
> Hi Moritz,
> (CC'ing #635549 as it was mentioned there and team@s.d.o as per [0])
> 
> First of all, sorry for the delay.
> 
> I have been preparing a stable-security upload for foomatic-filters,
> reportedly vulnerable to CVE-2011-2964 in its version currently in
> stable.

Thanks for preparing the updated packages. Personally I don't have time
to release the update in the next days; I've opened RT ticket #3558
so that someone else from the Security Team can review and release the
update.

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#635549; Package hplip. (Sun, 15 Jan 2012 20:39:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Sun, 15 Jan 2012 20:39:07 GMT) Full text and rfc822 format available.

Message #87 received at 635549@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: pkg-hpijs-devel@lists.alioth.debian.org
Cc: Mark Purcell <msp@debian.org>, debian-release@lists.debian.org, 635549@bugs.debian.org
Subject: Re: Stable update of hplip for CVE-2011-2722 (#635549) ?
Date: Sun, 15 Jan 2012 20:35:12 +0000
On Sun, 2011-12-11 at 18:02 +0000, Adam D. Barratt wrote:
> On Sun, 2011-12-04 at 17:26 +0000, Adam D. Barratt wrote:
> > On Thu, 2011-12-01 at 20:17 +0000, Adam D. Barratt wrote:
> > > On Fri, 2011-11-25 at 14:58 +0100, Didier Raboud wrote:
> > > >       * Fix CVE-2011-2722 "Insecure tempfile handling" by patching the culprit
> > > >         code out. (Closes: #635549)
> > > 
> > > I'm assuming the debug code isn't likely to be used that often?  The
> > > upstream bug (<URL:https://bugs.launchpad.net/hplip/+bug/809904>)
> > > implies that they were looking at replacing the code with a mkstemp()
> > > call, rather than removing it.  If it's basically unused then patching
> > > it out should be okay though.
> > 
> > fwiw, the above wasn't a rhetorical question.  I was anticipating that
> > the next action would have been a reply, not an upload...
> 
> Having said that, a reply wouldn't be unwelcome...

Reply came there none.

Given that the affected code hasn't re-appeared in unstable, I've
flagged the upload for acceptance, but for the record I'm somewhat
unimpressed by the lack of response to any of my queries.

Regards,

Adam

Reply sent to Mark Purcell <msp@debian.org>:
You have taken responsibility. (Sun, 15 Jan 2012 20:51:11 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 15 Jan 2012 20:51:11 GMT) Full text and rfc822 format available.

Message #92 received at 635549-close@bugs.debian.org (full text, mbox):

From: Mark Purcell <msp@debian.org>
To: 635549-close@bugs.debian.org
Subject: Bug#635549: fixed in hplip 3.10.6-2+squeeze1
Date: Sun, 15 Jan 2012 20:47:15 +0000
Source: hplip
Source-Version: 3.10.6-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
hplip, which is due to be installed in the Debian FTP archive:

hpijs-ppds_3.10.6-2+squeeze1_all.deb
  to main/h/hplip/hpijs-ppds_3.10.6-2+squeeze1_all.deb
hpijs_3.10.6-2+squeeze1_amd64.deb
  to main/h/hplip/hpijs_3.10.6-2+squeeze1_amd64.deb
hplip-cups_3.10.6-2+squeeze1_amd64.deb
  to main/h/hplip/hplip-cups_3.10.6-2+squeeze1_amd64.deb
hplip-data_3.10.6-2+squeeze1_all.deb
  to main/h/hplip/hplip-data_3.10.6-2+squeeze1_all.deb
hplip-dbg_3.10.6-2+squeeze1_amd64.deb
  to main/h/hplip/hplip-dbg_3.10.6-2+squeeze1_amd64.deb
hplip-doc_3.10.6-2+squeeze1_all.deb
  to main/h/hplip/hplip-doc_3.10.6-2+squeeze1_all.deb
hplip-gui_3.10.6-2+squeeze1_all.deb
  to main/h/hplip/hplip-gui_3.10.6-2+squeeze1_all.deb
hplip_3.10.6-2+squeeze1.diff.gz
  to main/h/hplip/hplip_3.10.6-2+squeeze1.diff.gz
hplip_3.10.6-2+squeeze1.dsc
  to main/h/hplip/hplip_3.10.6-2+squeeze1.dsc
hplip_3.10.6-2+squeeze1_amd64.deb
  to main/h/hplip/hplip_3.10.6-2+squeeze1_amd64.deb
libhpmud-dev_3.10.6-2+squeeze1_amd64.deb
  to main/h/hplip/libhpmud-dev_3.10.6-2+squeeze1_amd64.deb
libhpmud0_3.10.6-2+squeeze1_amd64.deb
  to main/h/hplip/libhpmud0_3.10.6-2+squeeze1_amd64.deb
libsane-hpaio_3.10.6-2+squeeze1_amd64.deb
  to main/h/hplip/libsane-hpaio_3.10.6-2+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 635549@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated hplip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 27 Nov 2011 02:39:13 +1100
Source: hplip
Binary: hplip hplip-data hplip-gui hplip-dbg hplip-doc hpijs-ppds hpijs hplip-cups libhpmud0 libhpmud-dev libsane-hpaio
Architecture: source all amd64
Version: 3.10.6-2+squeeze1
Distribution: stable
Urgency: low
Maintainer: Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 hpijs      - HP Linux Printing and Imaging - gs IJS driver (hpijs)
 hpijs-ppds - HP Linux Printing and Imaging - HPIJS PPD files
 hplip      - HP Linux Printing and Imaging System (HPLIP)
 hplip-cups - HP Linux Printing and Imaging - CUPS Raster driver (hpcups)
 hplip-data - HP Linux Printing and Imaging - data files
 hplip-dbg  - HP Linux Printing and Imaging - debugging information
 hplip-doc  - HP Linux Printing and Imaging - documentation
 hplip-gui  - HP Linux Printing and Imaging - GUI utilities
 libhpmud-dev - HP Multi-Point Transport Driver (hpmud) development libraries
 libhpmud0  - HP Multi-Point Transport Driver (hpmud) run-time libraries
 libsane-hpaio - HP SANE backend for multi-function peripherals
Closes: 635549
Changes: 
 hplip (3.10.6-2+squeeze1) stable; urgency=low
 .
   * Fix "Insecure tempfile handling" CVE-2011-2722 by backporting from
     the removal of the culprit code by upstream.  (Closes: #635549)
     - Added CVE-2011-2722.dpatch by Didier Raboud
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk7Zd5oACgkQoCzanz0IthK7nwCbBAm+I+el8VjycMS/RCCC6mBl
GocAoIXL9CMk12CGY04E7DsgmoObcAOS
=3Vuq
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 13 Feb 2012 07:35:41 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 03:35:38 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.