cupsys: Several security vulnerabilities

Bug #11421 reported by Debian Bug Importer
Affects: cupsys (Debian); Status: Fix Released; Importance: Unknown
Affects: cupsys (Ubuntu); Status: Fix Released; Importance: High; Assigned to: Martin Pitt

Bug Description

Automatically imported from Debian bug report #286988 http://bugs.debian.org/286988


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 23 Dec 2004 14:02:01 +0100
From: Martin Pitt <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: cupsys: Several security vulnerabilities


Package: cupsys
Version: 1.1.20final+rc1-10
Severity: critical
Tags: security patch
Justification: root security hole

Hi!

Recently CAN-2004-1125 has been discovered in xpdf. Since CUPS
contains verbatim xpdf code (sigh), this package is affected as well.

  http://www.idefense.com/application/poi/display?id=172

In addition, there are four additional CANs which were recently
discovered by some students of D. J. Bernstein, which concern the HPGL
input driver and lppasswd.

  http://tigger.uic.edu/~jlongs2/holes/cups.txt
  http://tigger.uic.edu/~jlongs2/holes/cups2.txt

Please also see the Ubuntu security notice for details:

  http://www.ubuntulinux.org/support/documentation/usn/usn-50-1

You can get the Ubuntu security patch from

  http://patches.ubuntu.com/patches/cupsys.multiple-CAN.diff

Thanks,

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 24 Dec 2004 08:49:05 +0900
From: Kenshi Muto <email address hidden>
To: Martin Pitt <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#286988: cupsys: Several security vulnerabilities

Hi,

At Thu, 23 Dec 2004 14:02:01 +0100,
Martin Pitt wrote:
> Package: cupsys
> Version: 1.1.20final+rc1-10
> Severity: critical
> Tags: security patch
> Justification: root security hole
>
> Recently CAN-2004-1125 has been discovered in xpdf. Since CUPS
> contains verbatim xpdf code (sigh), this package is affected as well.
> In addition, there are four additional CANs which were recently
> discovered by some students of D. J. Bernstein, which concern the HPGL
> input driver and lppasswd.

Thanks for your effort.
But the current cupsys in sid, 1.1.22-2, is the same as upstream 1.1.23rc1.
Is this new version really affected?

Thanks,
--
Kenshi Muto
<email address hidden>

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 24 Dec 2004 19:00:41 +0900
From: Kenshi Muto <email address hidden>
To: <email address hidden>
Subject: Re: Bug#286988: cupsys: Several security vulnerabilities

At Thu, 23 Dec 2004 14:02:01 +0100,
Martin Pitt wrote:
> Package: cupsys
> Version: 1.1.20final+rc1-10
> Severity: critical
> Tags: security patch
> Justification: root security hole

I reviewed your patch and this fix looks to be already merged in current
cupsys (1.1.22-2).

Thanks,
--
Kenshi Muto
<email address hidden>

Martin Pitt (pitti) wrote :

Already fixed in Warty (USN-50-1) and Hoary.

Changed in cupsys:
status: Unknown → Fix Released