1287523 – (CVE-2015-8327) CVE-2015-8327 cups-filters: foomatic-rip did not consider the back tick as an illegal shell escape character

Bug 1287523 (CVE-2015-8327) - CVE-2015-8327 cups-filters: foomatic-rip did not consider the back tick as an illegal shell escape character

Summary: CVE-2015-8327 cups-filters: foomatic-rip did not consider the back tick as an...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-8327
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	Engineering1301076 Engineering1301077
Blocks:	Embargoed1287524
TreeView+	depends on / blocked

Reported:	2015-12-02 09:33 UTC by Martin Prpič
Modified:	2021-02-17 04:39 UTC (History)
CC List:	2 users (show)
Fixed In Version:	cups-filters 1.2.0
Doc Type:	Bug Fix
Doc Text:	It was discovered that foomatic-rip failed to remove all shell special characters from inputs used to construct command lines for external programs run by the filter. An attacker could possibly use this flaw to execute arbitrary commands.
Clone Of:
Environment:
Last Closed:	2019-06-08 02:46:01 UTC

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:0491	0	normal	SHIPPED_LIVE	Moderate: foomatic security update	2016-03-23 01:02:15 UTC

Description Martin Prpič 2015-12-02 09:33:21 UTC

The following issue was fixed in the 1.2.0 release of cups-filters:

foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as an illegal shell escape character. Thanks to Michal Kowalczyk from the Google Security Team for the hint (CVE-2015-8327).

External References:

https://lists.debian.org/debian-printing/2015/11/msg00020.html

Comment 1 Martin Prpič 2015-12-02 09:33:52 UTC

Fixed in Fedora in:

cups-filters-1.2.0-1.fc24
cups-filters-1.2.0-1.fc23
cups-filters-1.2.0-1.fc22

Comment 2 Tomas Hoger 2015-12-02 10:12:38 UTC

Upstream fix apparently is:

http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7406

Plus a related change to add CVE to the NEWS file:

http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7409

foomatic filters were only added to cups-filters in version 1.0.42:

http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7120#NEWS

So the affected code is not in cups-filters or cups packages as shipped in Red Hat Enterprise Linux 7 and earlier.  However, foomatic-filters are also packaged separately as foomatic package.

Comment 3 Tomas Hoger 2015-12-02 10:18:57 UTC

foomatic in Fedora does not include foomatic-rip filter and require cups-filters:

http://pkgs.fedoraproject.org/cgit/foomatic.git/commit/?id=7ceea0f262bd8b96c6f173a1e193b902804012ad

Comment 7 errata-xmlrpc 2016-03-22 21:04:00 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0491 https://rhn.redhat.com/errata/RHSA-2016-0491.html

Note You need to log in before you can comment on or make changes to this bug.