Bug 152786 - CAN-2004-0801 - cupsomatic, foomatic arbitrary command execution
Status: CLOSED CURRENTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Fedora Legacy Bugs
URL: https://bugzilla.redhat.com/bugzilla/...
1, LEGACY
Reported: 2004-09-15 15:42 EDT by Marc Deslauriers
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Attachments: None

Description David Lawrence 2005-03-30 18:27:25 EST
The cupsomatic driver in foomatic has an issue where if a properly
named file is handed to lpr for printing, it can cause arbitrary
command execution.

See:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130951
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130949



------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-16 15:41:36 ----

Looks like this issue is not serious in foomatic-2.0.2. Red Hat decided not to
issue a security update for it.

We won't either.

I'm closing this.





------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-21 11:23:05 ----

Red Hat have released an updated foomatic package for FC2, but none for FC1.
This bug is being re-opened for FC1.





------- Additional Comments From rob.myers@gtri.gatech.edu 2004-09-22 04:44:00 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please test these updated foomatic packages from
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/:

4c7eceb66a8194ffc274c72d27c79137  foomatic-3.0.0-21.4.legacy.src.rpm
81252225b354547d489353905c84f357  foomatic-3.0.0-21.4.legacy.i386.rpm
84c40dea726e1c2f82140594fbaeaaa4  foomatic-debuginfo-3.0.0-21.4.legacy.i386.rpm

The only change is that the patch for CAN-2004-0801 from FC2 was applied.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBUY+OtU2XAt1OWnsRAhRYAKDUjRwpqiG3vzLJvvT0xac5Rbmk7gCeMrne
AIk0/BF5THLQfxL4Ez8OwBc=
=jqqT
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-22 12:56:10 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 package:

4c7eceb66a8194ffc274c72d27c79137  foomatic-3.0.0-21.4.legacy.src.rpm

- Source files are identical to previous release
- Spec file looks good
- Patch file is identical to FC2 release
- Builds OK, installs OK


Please do sha1sums of your packages instead of md5sums in the future.

+PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBUgMjLMAs/0C4zNoRAkIAAJ0ccMNfCUgU53GydzYM5067kiUT2ACgjpHe
pi3ODUdsL2Tq21KI/ZYPYRw=
=UUNI
-----END PGP SIGNATURE-----




------- Additional Comments From rob.myers@gtri.gatech.edu 2004-09-23 03:47:05 ----

OK, sha1sums for next time.



------- Additional Comments From josh.kayse@gtri.gatech.edu 2004-10-07 05:12:30 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 package:

4c7eceb66a8194ffc274c72d27c79137  foomatic-3.0.0-21.4.legacy.src.rpm

- Spec file looks good
- Patch file is identical to FC2 patch
- Builds ok
- Installs ok

Please be gentle, it's my first time.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBZVxgwnUFCSDmt7ERAvRGAJ9dlMncmN+MGC2iz8fkGqsq3WhKdgCfVJgE
09uvKc6rasPqyMyK5Je+4Bk=
=lhb2
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-07 14:42:10 ----

Packages were pushed to updates-testing.



------- Additional Comments From sheltren@cs.ucsb.edu 2004-10-15 08:31:31 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verifying the FC1 package:

8a425a8debf0be9be2dbbc0f028ed1eb8350e833  foomatic-3.0.0-21.5.legacy.i386.rpm

Signature is OK
Package installs OK
Print drivers show up in printtool like they should from what I can see

VERIFY++
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBcBdXKe7MLJjUbNMRAs+IAKCKXTk3ouXWZSd+nJPp00XcNorLfgCeMS+L
g0ji6fXyzWRal/WTcb7GRGM=
=/oIu
-----END PGP SIGNATURE-----



------- Additional Comments From deisenst@gtw.net 2004-11-03 21:54:53 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Verifying the Fedora Core 1 package foomatic-3.0.0-21.5.legacy.i386.rpm
in updates-testing.

8a425a8debf0be9be2dbbc0f028ed1eb8350e833  foomatic-3.0.0-21.5.legacy.i386.rpm

  *  rpm --checksig foomatic-3.0.0-21.5.legacy.i386.rpm
     foomatic-3.0.0-21.5.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  *  sha1sum OK
  *  Package installs OK
  *  Print drivers show up fine in printtool.  Was able to install
     HP DeskJet 692C driver.  OK

Wasn't able to test out printing with the driver installed with foomatic,
as my printer is broken.  Everything seemed to work fine, though,
with installing foomatic and using printtools with it.

VERIFY+    -David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBid71xou1V/j9XZwRAq2lAJ9ecsXDDKr3Z4hl37WyaXfmCPw8xACgrYmr
3f6YSE1Ig5cpIty/U0NG1Zk=
=MzKn
-----END PGP SIGNATURE-----
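The package-verification routine the QA comments above follow (compare the file's sha1sum with the published "checksum  filename" line before installing, and stop using md5sum manifests as requested earlier in the thread), written out as an added shell example; this is not code from the bug report or from the Fedora Legacy project. The function names (sha1_of, verify_manifest_line, verify_manifest, demo), the constructed sample package file and the shasum fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report: check a downloaded package
# against a published "<checksum>  <filename>" manifest line before
# installing it. Function names, the constructed sample file and the
# shasum fallback are assumptions of this example.

# Print the SHA-1 of a file: sha1sum (coreutils) or shasum as fallback.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_manifest_line "<hash>  <filename>" [dir]
#   0 : file exists and its SHA-1 matches the manifest line
#   1 : file missing or checksum mismatch (do not install)
#   2 : manifest line is not a SHA-1 (e.g. a 32-hex-digit MD5 line, which the
#       reviewer above asked contributors to stop using); treat as unverified
verify_manifest_line() {
    line=$1
    dir=${2:-.}
    expected=$(printf '%s\n' "$line" | awk '{print $1}')
    fname=$(printf '%s\n' "$line" | awk '{print $2}')
    case $expected in
        *[!0-9a-fA-F]*) return 2 ;;   # not a hexadecimal digest at all
    esac
    [ "${#expected}" -eq 40 ] || return 2   # SHA-1 is 40 hex digits; MD5 is 32
    [ -f "$dir/$fname" ] || return 1
    actual=$(sha1_of "$dir/$fname")
    [ "$actual" = "$expected" ]
}

# verify_manifest <manifest-file> [dir]: every non-empty line must verify;
# report the first failure on stderr and return its code, else return 0.
verify_manifest() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        rc=0
        verify_manifest_line "$line" "$2" || rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "FAILED (rc=$rc): $line" >&2
            return "$rc"
        fi
    done < "$1"
    return 0
}

# Demonstration on a constructed package file: an empty file, whose SHA-1 is
# the well-known da39a3ee5e6b4b0d3255bfef95601890afd80709. The MD5 line uses
# the equally well-known MD5 of the empty file and must be rejected.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/example-package.rpm"
    good="da39a3ee5e6b4b0d3255bfef95601890afd80709  example-package.rpm"
    md5="d41d8cd98f00b204e9800998ecf8427e  example-package.rpm"
    verify_manifest_line "$good" "$tmp" && echo "sha1 OK: install may proceed"
    verify_manifest_line "$md5" "$tmp"  || echo "md5 manifest rejected (rc=$?)"
    printf 'tampered' > "$tmp/example-package.rpm"
    verify_manifest_line "$good" "$tmp" || echo "mismatch detected (rc=$?)"
    rm -rf "$tmp"
}

demo
```

A matching checksum only proves the download is the file the packager published; the next step in the comment above, `rpm --checksig <package>`, checks the GPG signature on the package itself and is not exercised here because it needs the signing key installed.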




------- Additional Comments From marcdeslauriers@videotron.ca 2004-11-05 03:17:26 ----

Pushed to official updates



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:27 -------

This bug previously known as bug 2076 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2076
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.

