Red Hat Bugzilla – Bug 1287523
CVE-2015-8327 cups-filters: foomatic-rip did not consider the back tick as an illegal shell escape character
Last modified: 2016-03-22 17:04:00 EDT
The following issue was fixed in the 1.2.0 release of cups-filters:
foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as an illegal shell escape character. Thanks to Michal Kowalczyk from the Google Security Team for the hint (CVE-2015-8327).
Fixed in Fedora in:
Upstream fix apparently is:
Plus a related change to add CVE to the NEWS file:
foomatic filters were only added to cups-filters in version 1.0.42:
So the affected code is not in the cups-filters or cups packages as shipped in Red Hat Enterprise Linux 7 and earlier. However, foomatic-filters are also packaged separately as the foomatic package.
foomatic in Fedora does not include the foomatic-rip filter and requires cups-filters:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:0491 https://rhn.redhat.com/errata/RHSA-2016-0491.html
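
An added illustration of the fix described above (not code from cups-filters or foomatic-rip): a character denylist that omits the back tick accepts a value containing shell command substitution, while the corrected list rejects it, and an allowlist avoids the problem of missed characters altogether. The denylist contents, function names and sample option values are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical denylists for illustration; not taken from foomatic-rip. */
static const char DENY_BEFORE[] = ";|&<>$\\\"'\n";   /* back tick missing  */
static const char DENY_AFTER[]  = ";|&<>$\\\"'\n`";  /* back tick included */

/* Return 1 if value contains none of the characters listed in deny. */
static int passes_denylist(const char *value, const char *deny)
{
    return value[strcspn(value, deny)] == '\0';
}

/* Stricter alternative: accept only characters that are inert in a shell.
 * Anything not listed is rejected, so a forgotten metacharacter cannot
 * slip through the way the back tick did. */
static int passes_allowlist(const char *value)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789._-=,:/";
    return value[0] != '\0' && value[strspn(value, ok)] == '\0';
}

int main(void)
{
    /* Constructed sample option values. */
    const char *samples[] = {
        "PageSize=A4",       /* ordinary value                       */
        "Quality=`date`",    /* back-tick command substitution       */
        "Quality=$(date)"    /* $() substitution, caught by '$'      */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s before=%d after=%d allowlist=%d\n", samples[i],
               passes_denylist(samples[i], DENY_BEFORE),
               passes_denylist(samples[i], DENY_AFTER),
               passes_allowlist(samples[i]));
    return 0;
}
```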