Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201203-07 ] foomatic-filters: User-assisted execution of arbitrary code
Date: Tue, 06 Mar 2012 03:48:34
Message-Id: 4F5570EC.7030907@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201203-07
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: foomatic-filters: User-assisted execution of arbitrary code
9 Date: March 06, 2012
10 Bugs: #379559
11 ID: 201203-07
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A vulnerability in foomatic-filters could result in the execution of
19 arbitrary code.
20
21 Background
22 ==========
23
24 The foomatic-filters package contains wrapper scripts which are
25 designed to be used with Foomatic.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 net-print/foomatic-filters
34 < 4.0.9 >= 4.0.9
35
36 Description
37 ===========
38
39 The foomatic-rip filter improperly handles command-line arguments,
40 including those issued by FoomaticRIPCommandLine fields in PPD files.
41
42 Impact
43 ======
44
45 A remote attacker could entice a user to open a specially crafted PPD
46 file, possibly resulting in execution of arbitrary code with the
47 privileges of the system user "lp".
48
49 Workaround
50 ==========
51
52 There is no known workaround at this time.
53
54 Resolution
55 ==========
56
57 All foomatic-filters users should upgrade to the latest version:
58
59 # emerge --sync
60 # emerge --ask --oneshot -v ">=net-print/foomatic-filters-4.0.9"
61
62 References
63 ==========
64
65 [ 1 ] CVE-2011-2697
66 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2697
67 [ 2 ] CVE-2011-2964
68 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2964
69
70 Availability
71 ============
72
73 This GLSA and any updates to it are available for viewing at
74 the Gentoo Security Website:
75
76 http://security.gentoo.org/glsa/glsa-201203-07.xml
77
78 Concerns?
79 =========
80
81 Security is a primary focus of Gentoo Linux and ensuring the
82 confidentiality and security of our users' machines is of utmost
83 importance to us. Any security concerns should be addressed to
84 security@g.o or alternatively, you may file a bug at
85 https://bugs.gentoo.org.
86
87 License
88 =======
89
90 Copyright 2012 Gentoo Foundation, Inc; referenced text
91 belongs to its owner(s).
92
93 The contents of this document are licensed under the
94 Creative Commons - Attribution / Share Alike license.
95
96 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature