Hello community, here is the log from the commit of package foomatic-filters for openSUSE:11.3 checked in at Wed Aug 10 18:18:42 CEST 2011. -------- --- old-versions/11.3/all/foomatic-filters/foomatic-filters.changes 2010-04-08 16:41:45.000000000 +0200 +++ 11.3/foomatic-filters/foomatic-filters.changes 2011-08-10 17:11:10.000000000 +0200 @@ -1,0 +2,6 @@ +Wed Aug 10 16:58:30 CEST 2011 - jsmeix@suse.de + +- foomaticrip.c.CVE-2011-2697.patch fixes CVE-2011-2697 which is + a remote code execution as user lp issue (bnc#698451). + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.3/all/foomatic-filters Destination is old-versions/11.3/UPDATES/all/foomatic-filters calling whatdependson for 11.3-i586 New: ---- foomaticrip.c.CVE-2011-2697.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ foomatic-filters.spec ++++++ --- /var/tmp/diff_new_pack.Qt92nA/_old 2011-08-10 18:18:24.000000000 +0200 +++ /var/tmp/diff_new_pack.Qt92nA/_new 2011-08-10 18:18:24.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package foomatic-filters (Version 4.0.1) +# spec file for package foomatic-filters # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -34,7 +34,7 @@ AutoReqProv: on # See the VERSION file: Version: 4.0.1 -Release: 2 +Release: 7.<RELEASE2> # Source0...Source9 is for sources from upstream: # URL for Source0: http://www.openprinting.org/download/foomatic/foomatic-filters-4.0.1.tar.gz #Source0: %{name}-%{version}.tar.bz2 @@ -46,6 +46,9 @@ # Patch10 fixes a "control reaches end of non-void function" warning in renderer.c # The upstream bug report is http://bugs.linux-foundation.org/show_bug.cgi?id=348 Patch10: fix_no-return-in-nonvoid-function.patch +# Patch11 foomaticrip.c.CVE-2011-2697.patch fixes CVE-2011-2697 +# which is a remote code execution as user lp issue (bnc#698451): +Patch11: foomaticrip.c.CVE-2011-2697.patch # Source100... is for special Suse sources: # ... Url: http://www.openprinting.org/ @@ -71,6 +74,9 @@ %setup -q -n %{name}-%{bzrdate} # Patch10 fixes a "control reaches end of non-void function" warning in renderer.c: %patch10 +# Patch11 foomaticrip.c.CVE-2011-2697.patch fixes CVE-2011-2697 +# which is a remote code execution as user lp issue (bnc#698451): +%patch11 %build export CFLAGS="$RPM_OPT_FLAGS -fstack-protector" ++++++ foomaticrip.c.CVE-2011-2697.patch ++++++ --- foomaticrip.c.orig 2011-08-10 15:35:49.000000000 +0200 +++ foomaticrip.c 2011-08-10 16:49:31.000000000 +0200 @@ -1183,8 +1183,11 @@ int main(int argc, char** argv) } /* Check for LPRng first so we do not pick up bogus ppd files by the -ppd option */ - if (arglist_remove_flag(arglist, "--lprng")) - spooler = SPOOLER_LPRNG; + if (spooler != SPOOLER_CUPS && spooler != SPOOLER_PPR && + spooler != SPOOLER_PPR_INT) { + if (arglist_remove_flag(arglist, "--lprng")) + spooler = SPOOLER_LPRNG; + } /* 'PRINTCAP_ENTRY' environment variable is : LPRng the :ppd=/path/to/ppdfile printcap entry should be used */ @@ -1205,96 +1208,106 @@ int main(int argc, char** argv) } } - /* PPD file name given via the command line - allow duplicates, and use the last specified one */ - if (spooler != SPOOLER_LPRNG) { - while ((str = arglist_get_value(arglist, "-p"))) { - strncpy(job->ppdfile, str, 256); - arglist_remove(arglist, "-p"); - } - } - while ((str = arglist_get_value(arglist, "--ppd"))) { - strncpy(job->ppdfile, str, 256); - arglist_remove(arglist, "--ppd"); - } - - /* Check for LPD/GNUlpr by typical options which the spooler puts onto - the filter's command line (options "-w": text width, "-l": text - length, "-i": indent, "-x", "-y": graphics size, "-c": raw printing, - "-n": user name, "-h": host name) */ - if ((str = arglist_get_value(arglist, "-h"))) { - if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG) - spooler = SPOOLER_LPD; - strncpy(job->host, str, 127); - job->host[127] = '\0'; - arglist_remove(arglist, "-h"); - } - if ((str = arglist_get_value(arglist, "-n"))) { - if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG) - spooler = SPOOLER_LPD; + /* CUPS calls foomatic-rip only with 5 or 6 positional parameters, + not with named options, like for example "-p <string>". Also PPR + does not used named options. */ + if (spooler != SPOOLER_CUPS && spooler != SPOOLER_PPR && + spooler != SPOOLER_PPR_INT) { - strncpy(job->user, str, 127); - job->user[127] = '\0'; - arglist_remove(arglist, "-n"); - } - if (arglist_remove(arglist, "-w") || - arglist_remove(arglist, "-l") || - arglist_remove(arglist, "-x") || - arglist_remove(arglist, "-y") || - arglist_remove(arglist, "-i") || - arglist_remove_flag(arglist, "-c")) { + /* Check for LPD/GNUlpr by typical options which the spooler puts onto + the filter's command line (options "-w": text width, "-l": text + length, "-i": indent, "-x", "-y": graphics size, "-c": raw printing, + "-n": user name, "-h": host name) */ + if ((str = arglist_get_value(arglist, "-h"))) { + if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG) + spooler = SPOOLER_LPD; + strncpy(job->host, str, 127); + job->host[127] = '\0'; + arglist_remove(arglist, "-h"); + } + if ((str = arglist_get_value(arglist, "-n"))) { if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG) spooler = SPOOLER_LPD; - } - /* LPRng delivers the option settings via the "-Z" argument */ - if ((str = arglist_get_value(arglist, "-Z"))) { - spooler = SPOOLER_LPRNG; - dstrcatf(job->optstr, "%s ", str); - arglist_remove(arglist, "-Z"); - } - /* Job title and options for stock LPD */ - if ((str = arglist_get_value(arglist, "-j")) || (str = arglist_get_value(arglist, "-J"))) { - strncpy_omit(job->title, str, 128, omit_shellescapes); - if (spooler == SPOOLER_LPD) - dstrcatf(job->optstr, "%s ", job->title); - if (!arglist_remove(arglist, "-j")) - arglist_remove(arglist, "-J"); - } - /* Check for CPS */ - if (arglist_remove_flag(arglist, "--cps") > 0) - spooler = SPOOLER_CPS; - /* Options for spooler-less printing, CPS, or PDQ */ - while ((str = arglist_get_value(arglist, "-o"))) { - strncpy_omit(tmp, str, 1024, omit_shellescapes); - dstrcatf(job->optstr, "%s ", tmp); - arglist_remove(arglist, "-o"); - /* If we don't print as PPR RIP or as CPS filter, we print - without spooler (we check for PDQ later) */ - if (spooler != SPOOLER_PPR && spooler != SPOOLER_CPS) - spooler = SPOOLER_DIRECT; - } + strncpy(job->user, str, 127); + job->user[127] = '\0'; + arglist_remove(arglist, "-n"); + } + if (arglist_remove(arglist, "-w") || + arglist_remove(arglist, "-l") || + arglist_remove(arglist, "-x") || + arglist_remove(arglist, "-y") || + arglist_remove(arglist, "-i") || + arglist_remove_flag(arglist, "-c")) { + if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG) + spooler = SPOOLER_LPD; + } + /* LPRng delivers the option settings via the "-Z" argument */ + if ((str = arglist_get_value(arglist, "-Z"))) { + spooler = SPOOLER_LPRNG; + dstrcatf(job->optstr, "%s ", str); + arglist_remove(arglist, "-Z"); + } + /* Job title and options for stock LPD */ + if ((str = arglist_get_value(arglist, "-j")) || (str = arglist_get_value(arglist, "-J"))) { + strncpy_omit(job->title, str, 128, omit_shellescapes); + if (spooler == SPOOLER_LPD) + dstrcatf(job->optstr, "%s ", job->title); + if (!arglist_remove(arglist, "-j")) + arglist_remove(arglist, "-J"); + } - /* Printer for spooler-less printing or PDQ */ - if ((str = arglist_get_value(arglist, "-d"))) { - strncpy_omit(job->printer, str, 256, omit_shellescapes); - arglist_remove(arglist, "-d"); - } + /* Check for CPS */ + if (arglist_remove_flag(arglist, "--cps") > 0) + spooler = SPOOLER_CPS; - /* Printer for spooler-less printing, PDQ, or LPRng */ - if ((str = arglist_get_value(arglist, "-P"))) { - strncpy_omit(job->printer, str, 256, omit_shellescapes); - arglist_remove(arglist, "-P"); - } + /* PPD file name given via the command line + allow duplicates, and use the last specified one */ + if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG && + spooler != SPOOLER_LPD) { + while ((str = arglist_get_value(arglist, "-p"))) { + strncpy(job->ppdfile, str, 256); + arglist_remove(arglist, "-p"); + } + while ((str = arglist_get_value(arglist, "--ppd"))) { + strncpy(job->ppdfile, str, 256); + arglist_remove(arglist, "--ppd"); + } + } - /* Were we called from a PDQ wrapper? */ - if (arglist_remove_flag(arglist, "--pdq")) - spooler = SPOOLER_PDQ; + /* Options for spooler-less printing, CPS, or PDQ */ + while ((str = arglist_get_value(arglist, "-o"))) { + strncpy_omit(tmp, str, 1024, omit_shellescapes); + dstrcatf(job->optstr, "%s ", tmp); + arglist_remove(arglist, "-o"); + /* If we don't print as PPR RIP or as CPS filter, we print + without spooler (we check for PDQ later) */ + if (spooler != SPOOLER_PPR && spooler != SPOOLER_CPS) + spooler = SPOOLER_DIRECT; + } - /* Were we called to build the PDQ driver declaration file? */ - genpdqfile = check_pdq_file(arglist); - if (genpdqfile) - spooler = SPOOLER_PDQ; + /* Printer for spooler-less printing or PDQ */ + if ((str = arglist_get_value(arglist, "-d"))) { + strncpy_omit(job->printer, str, 256, omit_shellescapes); + arglist_remove(arglist, "-d"); + } + + /* Printer for spooler-less printing, PDQ, or LPRng */ + if ((str = arglist_get_value(arglist, "-P"))) { + strncpy_omit(job->printer, str, 256, omit_shellescapes); + arglist_remove(arglist, "-P"); + } + + /* Were we called from a PDQ wrapper? */ + if (arglist_remove_flag(arglist, "--pdq")) + spooler = SPOOLER_PDQ; + + /* Were we called to build the PDQ driver declaration file? */ + genpdqfile = check_pdq_file(arglist); + if (genpdqfile) + spooler = SPOOLER_PDQ; + + } /* spooler specific initialization */ switch (spooler) { ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org