The cupsomatic driver in foomatic has an issue where if a properly named file is handed to lpr for printing, it can cause arbitrary command execution. I'll attach the patch when it becomes available. Fedora Core is handled by bug 130949. This issue should also affect RHEL2.1.
Created attachment 103115: foomatic-cmdexec.patch. This is based on the patch that Klaus Singvogel sent.
Created attachment 103143. Here's a more detailed patch from Till; it's expected to go into upstream.
Although RHEL2.1 includes the affected code, it does not include CUPS -- lpdomatic is used instead of cupsomatic. I think there are some dangerous bits of code in there too.
From Tim Waugh: The exploit certainly works (with foomatic 3.x) but on closer inspection it looks like this *particular* exploit only affects the foomatic-rip script, and that first appeared in foomatic-3.0. We ship foomatic-2.0.2 in RHEL3. There were other problems that I fixed however, including an exploit via the job's title. I can't see any way of exploiting any of these from the default installation though, and even when customized it has to be a very unusual type of customization. To get an exploit to work on RHEL3 I think the administrator would have to configure CUPS to get foomatic to convert text jobs to PostScript, rather than performing the task with its own pstops program. For RHEL-2.1, the only dangerous "open" in lpdomatic was for the data blob file, which is not user-configurable but may only be changed by the administrator. So it actually looks to me like we might not need an advisory here.
I'm in agreement; this does not require a security advisory and can simply be fixed with the next update that happens to require updated foomatic packages. (Leaving bug open until it becomes unembargoed.)
Removing embargo