updated packages for FC1:

i took the patch straight out of redhat bugzilla, but in order for it to work i had to incorporate the cups_strcpy function from cups 1.1.20. i took this approach because i thought it would be easier to QA. is this sound reasoning or would it have been better to create a single patch that changed everything needed to fix the vulnerability?

changelog:

* Tue Oct 5 2004 Rob Myers <rob.myers.edu> 1:1.1.19-13.3.legacy
- Apply patch to fix CAN-2004-0558 (rh bug #130646).
- Apply patch to add cups_strcpy from cups 1.1.20 (for other patch to work)

* Sun Oct 3 2004 Marc Deslauriers <marcdeslauriers> 1:1.1.19-13.2.legacy
- Rebuilt

------- Additional Comments From marcdeslauriers 2004-10-06 15:15:49 ----

I did QA on the fc1 package:

28a9f79f370bc0d9b1c7fb774f5b288da3a69ece cups-1.1.19-13.3.legacy.src.rpm

- Source files match previous version
- Patch files are good (the approach used is fine)
- Spec file is good
- Builds, installs and runs good

+PUBLISH

------- Additional Comments From marcdeslauriers 2004-10-06 15:18:09 ----

Here are updated cups packages to QA for rh9:

Changelog:

* Wed Oct 06 2004 Marc Deslauriers <marcdeslauriers> 1.1.17-13.3.0.7.legacy
- Apply backported patch to fix CAN-2004-0558
- Apply patch to add cups_strcpy from cups 1.1.20

------- Additional Comments From josh.kayse.edu 2004-10-08 03:45:21 ----

I did QA on the FC1 package:

28a9f79f370bc0d9b1c7fb774f5b288da3a69ece cups-1.1.19-13.3.legacy.src.rpm

- Source files identical to previous
- Spec file is good
- builds ok
- installs ok
- runs ok

------- Additional Comments From marcdeslauriers 2004-10-23 01:21:22 ----

Another issue has turned up that must be taken care of:

During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect xpdf. CUPS contains a copy of the xpdf code used for parsing PDF files and is therefore affected by these bugs. An attacker who has the ability to send a malicious PDF file to a printer could cause CUPS to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0888 to this issue.

Ref: https://rhn.redhat.com/errata/RHSA-2004-543.html

New cups packages are needed.

------- Additional Comments From rob.myers.edu 2004-10-27 05:59:38 ----

Here are updated cups packages to QA for rh73, rh9 and fc1:

these CAN's should all be fixed:
CAN-2004-0558 UDP DoS
CAN-2004-0888,0889 xpdf integer overflows
CAN-2004-0923 information disclosure in logfile

please verify that the patches applied actually fix each of these issues.

for some reason mach isn't stripping binaries. how to fix?

changelogs:

rh73:
* Tue Oct 26 2004 Rob Myers <rob.myers.edu> 1.1.14-15.4.1.legacy
- Apply patch for UDP packet DoS CAN-2004-0558 UDP DoS (FL #2072)
- Apply patch for information disclosure in logfile CAN-2004-0923 (FL #2127)
- Apply patch for pdftops integer overflow CAN-2004-0888 (FL #2127) (RH #135378)
- add BuildPrereq: pam-devel openssl-devel autoconf zlib-devel libjpeg-devel libtiff-devel libpng-devel
- to build in mach i had to: if [ ! -x /usr/lib/libtiff.so.3 ]; then (cd /usr/lib ; ln -s libtiff.so.3.5 libtiff.so.3) ; fi

* Tue May 13 2003 Tim Waugh <twaugh> 1.1.14-15.4
- Updated HTTP blocking fix; now based on cups-1.1.18-str75.patchv2.

rh9:
* Tue Oct 26 2004 Rob Myers <rob.myers.edu> 1.1.17-13.3.0.9.legacy
- in mach i had to: if [ ! -x /usr/lib/libtiff.so.3 ]; then (cd /usr/lib ; ln -s libtiff.so.3.5 libtiff.so.3) ; fi
- group, organize, rename Fedora Legacy security update patches
- fix wrong CAN number in changelog (Oct 6 2004)
- rebuild

* Mon Oct 25 2004 Rob Myers <rob.myers.edu> 1.1.17-13.3.0.8.legacy
- Apply patch for pdftops integer overflow CAN-2004-0888 (FL #2127) (RH#135378)

* Wed Oct 06 2004 Marc Deslauriers <marcdeslauriers> 1.1.17-13.3.0.7.legacy
- Apply backported patch to fix CAN-2004-0923
- Apply patch to add cups_strcpy from cups 1.1.20

fc1:
* Tue Oct 26 2004 Rob Myers <rob.myers.edu> 1:1.1.19-13.4.legacy
- Apply patch for pdftops integer overflow CAN-2004-0888 (FL #2127) (RH #135378)
- group, organize, rename Fedora Legacy security update patches
- fix wrong CAN number in changelog (Oct 5 2004)
- to build in mach i had to: if [ ! -x /usr/lib/libtiff.so.3 ]; then (cd /usr/lib ; ln -s libtiff.so.3.5 libtiff.so.3) ; fi

* Tue Oct 05 2004 Rob Myers <rob.myers.edu> 1:1.1.19-13.3.legacy
- Apply patch to fix CAN-2004-0923 (rh bug #130646).
- Apply patch to add cups_strcpy from cups 1.1.20

* Sun Oct 03 2004 Marc Deslauriers <marcdeslauriers> 1:1.1.19-13.2.legacy
- Rebuilt

------- Additional Comments From rob.myers.edu 2004-10-28 08:08:55 ----

Here are updated cups packages to QA for rh9 and fc1:

these are the same as earlier packages, but they use redhat's xpdf-2.0x patch instead of the cups patch. the newer xpdf patch seems more robust.

changelogs:

rh9:
* Thu Oct 28 2004 Rob Myers <rob.myers.edu> 1.1.17-13.3.0.10.legacy
- include updated patch with "anti-optimizer" changes

fc1:
* Thu Oct 28 2004 Rob Myers <rob.myers.edu> 1:1.1.19-13.5.legacy
- include updated patch with "anti-optimizer" changes

------- Additional Comments From bugzilla.fedora.us 2004-11-17 07:51:40 ----

comment #5 mentions CAN-2004-0889, but the changelog doesn't. has it been fixed? are the packages near to being published?

------- Additional Comments From rob.myers.edu 2004-11-17 12:12:48 ----

afaict: CAN-2004-0889 is specific to xpdf >= 3.0. the xpdf used by these cups packages is all < 3.0. so CAN-2004-0889 does not apply to these cups packages, and any reference to it is in error.

in fact, for fc1 at least, i incorrectly included CAN-2004-0889 in the filename to the patch: cups-xpdf-CAN-2004-0888-CAN-2004-0889.patch. it should be cups-xpdf-CAN-2004-0888.patch. if no one QAs the existing package(s) i'll respin "soonish" for correctness. sorry for the confusion.

------- Additional Comments From rob.myers.edu 2004-11-17 13:48:19 ----

Here are updated cups packages to QA for rh73, rh9, and fc1:

the only difference between these and the previous version is that the patchfile was renamed to cups-xpdf-CAN-2004-0888.patch from cups-xpdf-CAN-2004-0888-CAN-2004-0889.patch. while not critical these were respun to avoid any confusion that CAN-2004-0889 applied to these packages.

changelogs:

rh73:
* Wed Nov 17 2004 Rob Myers <rob.myers.edu> 1.1.14-15.4.2.legacy
- remove CAN-2004-0889 from patch filename, since the xpdf used here is < 3.0 and CAN-2004-0889 does not apply

rh9:
* Wed Nov 17 2004 Rob Myers <rob.myers.edu> 1.1.17-13.3.0.11.legacy
- remove CAN-2004-0889 from patch filename, since the xpdf used here is < 3.0 and CAN-2004-0889 does not apply

fc1:
* Wed Nov 17 2004 Rob Myers <rob.myers.edu> 1:1.1.19-13.6.legacy
- remove CAN-2004-0889 from patch filename, since the xpdf used here is < 3.0 and CAN-2004-0889 does not apply

------- Additional Comments From bugzilla.fedora.us 2004-12-16 08:41:49 ----

there's a newly reported CUPS vuln discovered by Ariel Berkman. from http://tigger.uic.edu/~jlongs2/holes/cups.txt

===
A CUPS installation is at risk whenever it prints an HPGL file obtained from email (or a web page or any other source that could be controlled by an attacker). You are at risk if you print data through a CUPS installation at risk. The source of the HPGL file has complete control over the CUPS ``lp'' account; in particular, he can read and modify the files you are printing.

...

Here's the bug: In hpgl-input.c, ParseCommand() reads any number of bytes into a 262144-byte buf[] array.
===

------- Additional Comments From bugzilla.fedora.us 2004-12-16 08:49:10 ----

more CUPS bugs from another DJB student, Bartlomiej Sieka... from http://tigger.uic.edu/~jlongs2/holes/cups2.txt

===
First, lppasswd blithely ignores write errors in fputs(line,outfile) at lines 311 and 315 of lppasswd.c, and in fprintf(...) at line 346. An attacker who fills up the disk at the right moment can arrange for /usr/local/etc/cups/passwd to be truncated.

Second, if lppasswd bumps into a file-size resource limit while writing passwd.new, it leaves passwd.new in place, disabling all subsequent invocations of lppasswd. Any local user can thus disable lppasswd by running the attached program 63.c.

Third, line 306 of lppasswd.c prints an error message to stderr but does not exit. This is not a problem on systems that ensure that file descriptors 0, 1, and 2 are open for setuid programs, but it is a problem on other systems; lppasswd does not check that passwd.new is different from stderr, so it ends up writing a user-controlled error message to passwd if the user closes file descriptor 2.
===

------- Additional Comments From marcdeslauriers 2004-12-18 08:11:05 ----

see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143087

------- Additional Comments From rob.myers.edu 2004-12-22 16:35:16 ----

added CAN-2004-1125 to summary, fc1 is at least vulnerable. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1125

i've got fc1 rpms built, will look at rh73 and rh9 now.
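
A hardened password-file rewrite that addresses the three lppasswd failure modes quoted above from cups2.txt (unchecked writes, a leftover passwd.new, a closed stderr). This is an added example, not the lppasswd.c source or the STR #1023 patch; the function names, the passwd.md5/passwd.new/passwd.old names under a caller-supplied directory, and the choice to ignore SIGXFSZ are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Third issue: with fd 0, 1 or 2 closed, the next open() reuses that number
 * and text meant for stderr lands in the new file. Pin all three first. */
int ensure_std_fds(void)
{
    for (int fd = 0; fd <= 2; fd++)
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF &&
            open("/dev/null", O_RDWR) != fd)
            return -1;
    return 0;
}

static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;           /* ENOSPC, EFBIG, EIO, ... */
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Failure path: close, remove the temp file, preserve errno. */
static int fail(int fd, const char *tmp)
{
    int saved = errno;
    if (fd >= 0) close(fd);
    unlink(tmp);
    errno = saved;
    return -1;
}

/* Replace <dir>/passwd.md5 with `contents` (file names are assumptions).
 * Returns 0, or -1 with the live file untouched and no passwd.new left. */
int replace_passwd(const char *dir, const char *contents)
{
    char cur[512], tmp[512], old[512];
    snprintf(cur, sizeof cur, "%s/passwd.md5", dir);
    snprintf(tmp, sizeof tmp, "%s/passwd.new", dir);
    snprintf(old, sizeof old, "%s/passwd.old", dir);
    if (ensure_std_fds() != 0) return -1;
    signal(SIGXFSZ, SIG_IGN);            /* want EFBIG from write(), not a kill */

    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;               /* not ours: do not delete it */
    /* First and second issues: every write, sync and close is checked. */
    if (write_all(fd, contents, strlen(contents)) != 0 || fsync(fd) != 0)
        return fail(fd, tmp);
    if (close(fd) != 0) return fail(-1, tmp);
    unlink(old);
    /* ENOENT here only means there is no current file to back up yet. */
    if (link(cur, old) != 0 && errno != ENOENT) return fail(-1, tmp);
    if (rename(tmp, cur) != 0) return fail(-1, tmp);
    return 0;
}

/* Self-check: cap this process's file size so the write fails part-way, then
 * confirm the call reported failure and removed passwd.new. */
int failed_write_is_clean(const char *dir)
{
    struct rlimit lim, low;
    struct stat st;
    char big[4096] = {0}, tmp[512];
    memset(big, 'x', sizeof big - 1);
    getrlimit(RLIMIT_FSIZE, &lim);
    low = lim;
    low.rlim_cur = 1024;
    setrlimit(RLIMIT_FSIZE, &low);
    int rc = replace_passwd(dir, big);
    setrlimit(RLIMIT_FSIZE, &lim);
    snprintf(tmp, sizeof tmp, "%s/passwd.new", dir);
    return rc == -1 && stat(tmp, &st) == -1 && errno == ENOENT;
}

int main(void)
{
    char dir[] = "/tmp/lppasswd-demo-XXXXXX";    /* constructed scratch dir */
    if (!mkdtemp(dir) || replace_passwd(dir, "alice:lp:constructed\n") != 0)
        return 1;
    printf("failed write handled cleanly: %d\n", failed_write_is_clean(dir));
    return 0;
}
```

The new contents only become visible through rename(), so a write that fails for lack of space or because of a size limit never truncates the live file.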
------- Additional Comments From rob.myers.edu 2004-12-22 17:48:06 ----

Here are updated cups packages to QA for rh73, rh9, and fc1:

- include patch for xpdf overflow CAN-2004-1125
- include patches for DJB's holes
- all 3 patches are verifiable upstream and in FC-3 cvs

changelogs:

rh73:
* Wed Dec 22 2004 Rob Myers <rob.myers.edu> 1.1.14-15.4.3.legacy
- xpdf security fix CAN-2004-1125
- Fixed STR #1023 (FL bug #2127 comment 11)
- Fixed STR #1024 (FL bug #2127 comment 10)

rh9:
* Wed Dec 22 2004 Rob Myers <rob.myers.edu> 1.1.17-13.3.0.12.legacy
- xpdf security fix CAN-2004-1125
- Fixed STR #1023 (FL bug #2127 comment 11)
- Fixed STR #1024 (FL bug #2127 comment 10)

fc1:
* Wed Dec 22 2004 Rob Myers <rob.myers.edu> 1:1.1.19-13.7.legacy
- xpdf security fix CAN-2004-1125
- Fixed STR #1023 (FL bug #2127 comment 11)
- Fixed STR #1024 (FL bug #2127 comment 10)

this file is available at: http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/2127.txt.asc

------- Additional Comments From pekkas 2004-12-23 09:48:11 ----

The 4 DJB issues have been given CAN-2004-1267 .. 1270.

QA for all the packages:

- sources match fine
- the patches for RHL9 and FC1 verified correspond to the various other patches (from xpdf, cups and CVS) -- a bit tricky due to different naming.
- RHL73 patches likewise, EXCEPT that I did not have the time to do lengthy review on the xpdf-1.0 patches, but as they come from an already QA'd package from bugzilla, that might be OK.
- spec files reviewed to be OK.

+PUBLISH RHL9, FC1, (RHL73 with the xpdf caveat above)

6368de7d9ff0873a75ab9398b2461a336baaf48a cups-1.1.14-15.4.3.legacy.src.rpm
080cf3bb10b6bc74c247db8311a8af8575aca9aa cups-1.1.17-13.3.0.12.legacy.src.rpm
7de5b207522e0ae5f1fb77c2d485838e7aa98dff cups-1.1.19-13.7.legacy.src.rpm

------- Additional Comments From rob.myers.edu 2005-01-11 06:17:05 ----

this regression probably affects us as well: http://www.redhat.com/archives/fedora-announce-list/2005-January/msg00035.html

is it small enough to apply at mach build time?

Index: cups-str1023.patch =================================================================== RCS file: /cvs/dist/rpms/cups/FC-2/cups-str1023.patch,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- cups-str1023.patch 17 Dec 2004 11:41:45 -0000 1.1 +++ cups-str1023.patch 6 Jan 2005 12:58:26 -0000 1.2
@@ -216,7 +216,7 @@ unlink(passwdold); - link(passwdmd5, passwdold); -+ if (link(passwdmd5, passwdold)) ++ if (link(passwdmd5, passwdold) && errno != ENOENT) + { + perror("lppasswd: failed to backup old password file"); + unlink(passwdnew);

------- Additional Comments From pekkas 2005-01-11 07:38:11 ----

Verified the patch, looks OK. No problem for me to do that at mach.

------- Additional Comments From pekkas 2005-01-19 04:08:15 ----

And CAN-2005-0064 affects cups as well, I think...

------- Additional Comments From rob.myers.edu 2005-01-19 06:21:47 ----

Here are updated cups packages to QA for rh73, rh9, and fc1:

- include upstream patch for xpdf CAN-2005-0064
- include str-1023 regression fix

changelogs:

rh73:
* Wed Jan 19 2005 Rob Myers <rob.myers.edu> 1.1.14-15.4.4.legacy
- xpdf patch CAN-2005-0064
- fix small regression in STR #1023 (FL bug #2127 comment 16)

rh9:
* Wed Jan 19 2005 Rob Myers <rob.myers.edu> 1.1.17-13.3.0.13.legacy
- xpdf patch CAN-2005-0064
- fix small regression in STR #1023 (FL bug #2127 comment 16)

fc1:
* Wed Jan 19 2005 Rob Myers <rob.myers.edu> 1:1.1.19-13.8.legacy
- xpdf patch CAN-2005-0064
- fix small regression in STR #1023 (FL bug #2127 comment 16)

this file is available at: http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/2127.txt.asc
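
Review bot: in the cups-str1023.patch hunk (r1.1 to r1.2) quoted above, the condition added on the `link(passwdmd5, passwdold)` line now reads `errno`, and nothing visible in the hunk shows lppasswd.c including <errno.h>; confirm the include is already present or add it in the same revision. link() also returns ENOENT when a directory component of the passwdold path is missing, not only when passwdmd5 does not exist yet, so a one-line comment stating that the exemption is meant for the first-run case (no password file to back up) would make the intent checkable. The preceding `unlink(passwdold);` is still unchecked, which is acceptable here because a leftover passwdold makes link() fail with EEXIST and that is caught by the new test.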

------- Additional Comments From pekkas 2005-01-19 20:45:29 ----

QA for new cups RPMS w/ rpm-build-compare.sh:

- source integrity OK
- spec file changes minimal
- patch verified to come from xpdf
- regression modification verified

+PUBLISH (RHL73,RHL9,FC1)

25b1cd126bbb96f1f607047401cdadedfadd89ef cups-1.1.14-15.4.4.legacy.src.rpm
01e7ff08efcab42f9e72c00675ef67bd5419daac cups-1.1.17-13.3.0.13.legacy.src.rpm
ded577d3e4d1f5cc59d1252156d1f7b49840f295 cups-1.1.19-13.8.legacy.src.rpm

------- Additional Comments From marcdeslauriers 2005-02-04 12:39:05 ----

Packages built and pushed to updates-testing.

------- Additional Comments From sheltren.edu 2005-02-12 16:11:09 ----

Verifying packages for RH9/FC1:

Signatures are OK
Packages install OK
Able to add printers and print OK

RH9 VERIFY++
FC1 VERIFY++

------- Additional Comments From rob.myers.edu 2005-02-23 03:53:51 ----

GPG signatures ok for these FC1 cups packages:

9637c0555edd133c1fb8ef7c7818c3e794408e04 cups-1.1.19-13.8.legacy.i386.rpm
bc4b60d13ac3cae0a047149b9f8350a4ca8bb427 cups-devel-1.1.19-13.8.legacy.i386.rpm
3a1fea385f2fc5302e9529ed64cb36c17d64ed3f cups-libs-1.1.19-13.8.legacy.i386.rpm

installs ok
prints ok

+VERIFY FC1

------- Additional Comments From pekkas 2005-03-01 10:36:17 ----

QA for RHL73 version of cups:

- PGP signature OK
- installed nicely
- I switched a local printer to use cups from LPRng, and printing works OK

+VERIFY RHL73

0db34c2e38a4041f73d2a78a9b2915f75a66c24a cups-1.1.14-15.4.4.legacy.i386.rpm

------- Additional Comments From marcdeslauriers 2005-03-02 14:25:36 ----

Packages were released to official updates.

------- Bug moved to this database by dkl 2005-03-30 18:27 -------

This bug previously known as bug 2127 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2127
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.

Nobody remembered to close this case :)