Hello community, here is the log from the commit of package foomatic-filters checked in at Fri May 26 14:46:08 CEST 2006. -------- --- foomatic-filters/foomatic-filters.changes 2006-01-25 21:35:59.000000000 +0100 +++ foomatic-filters/foomatic-filters.changes 2006-05-24 11:00:19.000000000 +0200 @@ -1,0 +2,5 @@ +Tue May 23 21:02:40 CEST 2006 - kssingvo@suse.de + +- fixed remote command execution vulnerability SWAMP#4432 (bugzilla#59233) + +------------------------------------------------------------------- New: ---- foomatic-filters-3.0.1-exec.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ foomatic-filters.spec ++++++ --- /var/tmp/diff_new_pack.PyXJMZ/_old 2006-05-26 14:44:08.000000000 +0200 +++ /var/tmp/diff_new_pack.PyXJMZ/_new 2006-05-26 14:44:08.000000000 +0200 @@ -5,7 +5,7 @@ # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # -# Please submit bugfixes or comments via http://bugs.opensuse.org +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # # norootforbuild @@ -18,10 +18,10 @@ Requires: perl, a2ps Autoreqprov: on Version: 3.0.2 -Release: 7 +Release: 20 Source0: %{name}-%{cvsdate}.tar.bz2 # Source0: %{name}-%{version}.tar.bz2 -# Patch0: %{name}-%{version}-exec.patch +Patch0: %{name}-3.0.1-exec.patch URL: http://www.linuxprinting.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: Filter Scripts Used by Printer Spoolers @@ -29,8 +29,8 @@ %description Filter scripts used by the printer spoolers to convert the incoming -PostScript data into the printer's native format using a printer/driver -specific, but spooler-independent PPD file. +PostScript data into the printer's native format using a printer and +driver-specific, but spooler-independent PPD file. @@ -42,7 +42,7 @@ %prep %setup -n %{name}-%{cvsdate} # %setup -# %patch0 -p1 +%patch0 -p1 %build export CFLAGS="$RPM_OPT_FLAGS -fstack-protector" @@ -84,6 +84,8 @@ %doc COPYING ChangeLog README TODO USAGE %changelog -n foomatic-filters +* Tue May 23 2006 - kssingvo@suse.de +- fixed remote command execution vulnerability SWAMP#4432 (bugzilla#59233) * Wed Jan 25 2006 - mls@suse.de - converted neededforbuild to BuildRequires * Fri Jan 13 2006 - meissner@suse.de ++++++ foomatic-filters-3.0.1-exec.patch ++++++ --- foomatic-filters-3.0.1/foomatic-rip.in.orig 2004-01-22 04:42:35.000000000 +0100 +++ foomatic-filters-3.0.1/foomatic-rip.in 2004-08-25 19:59:06.221371554 +0200 @@ -124,6 +124,15 @@ # USA. # +# strip out dangerous \x01 chars in arguments to avoid a security hole in cups. +for (my $i=0; $i<=$#ARGV; $i++) +{ + if (defined($ARGV[$i])) + { + $ARGV[$i] =~ s/\001//g; + } +} + my $added_lf = "\n"; # Flush everything immediately. @@ -936,7 +945,7 @@ # Load the PPD file and build a data structure for the renderer's # command line and the options -open PPD, "$ppdfile" || do { +open PPD, "< $ppdfile" || do { print $logh "error opening $ppdfile.\n"; rip_die ("Unable to open PPD file $ppdfile", $EXIT_PRNERR_NORETRY_BAD_SETTINGS); --- foomatic-filters-3.0.1/foomatic-rip.in.orig 2004-08-30 19:05:55.086453941 +0200 +++ foomatic-filters-3.0.1/foomatic-rip.in 2004-08-30 19:06:13.151591298 +0200 @@ -248,13 +248,14 @@ '-f -P- -'); # spooler-specific file converters, default for the specific spooler when -# none of the converters above is chosen. -my @fixed_args = ( - defined($ARGV[0])?$ARGV[0]:"", - defined($ARGV[1])?$ARGV[1]:"", - defined($ARGV[2])?$ARGV[2]:"", - defined($ARGV[3])?$ARGV[3]:"", - defined($ARGV[4])?$ARGV[4]:"" ); +# none of the converters above is chosen. Remove weird characters from the +# command line arguments to enhance security +my @fixed_args = + (defined($ARGV[0])?removespecialchars($ARGV[0]):"", + defined($ARGV[1])?removespecialchars($ARGV[1]):"", + defined($ARGV[2])?removespecialchars($ARGV[2]):"", + defined($ARGV[3])?removespecialchars($ARGV[3]):"", + defined($ARGV[4])?removespecialchars($ARGV[4]):""); my $spoolerfileconverters = { 'cups' => "${programdir}texttops '$fixed_args[0]' '$fixed_args[1]' '$fixed_args[2]' " . "'$fixed_args[3]' '$fixed_args[4] page-top=36 page-bottom=36 " . @@ -292,10 +293,12 @@ # "PPD": PPD file name for CUPS or PPR (if we run as PPR RIP) if (defined($ENV{'PPD'})) { - $ppdfile = $ENV{'PPD'}; + # Clean the file name from weird characters which could cause + # unexpected behaviour + $ppdfile = removespecialchars($ENV{'PPD'}); # CUPS and PPR (RIP filter) use the "PPD" environment variable to # make the PPD file name available (we set CUPS here preliminarily, - # in the next step we check for PPR + # in the next step we check for PPR) $spooler = 'cups'; } @@ -310,14 +313,16 @@ # PPR 1.5 allows the user to specify options for the PPR RIP with the # "--ripopts" option on the "ppr" command line. They are provided to # the RIP via the "PPR_RIPOPTS" environment variable. - $optstr .= "$ENV{'PPR_RIPOPTS'} "; + # Clean the option string from weird characters which could cause + # unexpected behaviour + $optstr .= removespecialchars("$ENV{'PPR_RIPOPTS'} "); # We have PPR $spooler = 'ppr'; } # "LPOPTS": Option settings for some LPD implementations (ex: GNUlpr) if (defined($ENV{'LPOPTS'})) { - my @lpopts = split(/,/, $ENV{'LPOPTS'}); + my @lpopts = split(/,/, removespecialchars($ENV{'LPOPTS'})); foreach my $opt (@lpopts) { $opt =~ s/^\s+//; $opt =~ s/\s+$//; @@ -340,8 +345,16 @@ # options this way when printing without spooler. # Make one option string with a non-printable character as separator, -# So we can parse it more easily -my $argstr = "\x01" . join("\x01",@ARGV) . "\x01"; +# So we can parse it more easily. + +# To avoid the separator to be in the options itselves, it is filters +# out of the options. This does not break anything as having non +# printable characters in the command line options does not make sense +# nor is this needed. This way misinterpretation and even abuse is +# prevented. + +my $argstr = "\x01" . + join("\x01", map { removeunprintables($_) } @ARGV) . "\x01"; # Debug mode activated via command line if ($argstr =~ s/\x01--debug\x01/\x01/) { @@ -382,7 +395,7 @@ ## Start debug logging if ($debug) { - # If we are not debug mode, we do this later, as we must find out at + # If we are not in debug mode, we do this later, as we must find out at # first which spooler is used. When printing without spooler we # suppress logging because foomatic-rip is called directly on the # command line and so we avoid logging onto the console. @@ -414,7 +427,7 @@ shift @pc; foreach (@pc) { if( /^ppd=(.*)$/ or /^ppdfile=(.*)$/ ){ - $ppdfile = $1 if $1; + $ppdfile = removespecialchars($1) if $1; } } } elsif ($argstr =~ s/\x01--lprng\x01/\x01/g) { @@ -426,10 +439,10 @@ # PPD file name given via the command line # allow duplicates, and use the last specified one while ( ($spooler ne 'lprng') and ($argstr =~ s/\x01-p(\x01|)([^\x01]+)\x01/\x01/)) { - $ppdfile = $2; + $ppdfile = removeshellescapes($2); } while ($argstr =~ s/\x01--ppd(\x01|=|)([^\x01]+)\x01/\x01/) { - $ppdfile = $2; + $ppdfile = removeshellescapes($2); } # Check for LPD/GNUlpr by typical options which the spooler puts onto @@ -456,6 +469,7 @@ foreach my $opt (@lpopts) { $opt =~ s/^\s+//; $opt =~ s/\s+$//; + $opt = removeshellescapes($opt); if ($opt =~ /\s+/) { $opt = "\"$opt\""; } @@ -468,7 +482,7 @@ # Job title and options for stock LPD if ($argstr =~ s/\x01-[jJ](\x01|)([^\x01]+)\x01/\x01/) { # An LPD - $jobtitle = $2; + $jobtitle = removeshellescapes($2); # Classic LPD hack if ($spooler eq "lpd") { $optstr .= "$jobtitle "; @@ -486,6 +500,7 @@ my $opt = $2; $opt =~ s/^\s+//; $opt =~ s/\s+$//; + $opt = removeshellescapes($opt); if ($opt =~ /\s+/) { $opt = "\"$opt\""; } @@ -499,11 +514,11 @@ # Printer for spooler-less printing or PDQ if ($argstr =~ s/\x01-d(\x01|)([^\x01]+)\x01/\x01/) { - $printer = $2; + $printer = removeshellescapes($2); } # Printer for spooler-less printing, PDQ, or LPRng if ($argstr =~ s/\x01-P(\x01|)([^\x01]+)\x01/\x01/) { - $printer = $2; + $printer = removeshellescapes($2); } # Were we called from a PDQ wrapper? @@ -524,9 +539,9 @@ $genpdqfile = ">&STDOUT"; } else { if ($1 eq 'gen') { - $genpdqfile = "> $4"; + $genpdqfile = "> " . removeshellescapes($4); } else { - $genpdqfile = ">> $4"; + $genpdqfile = ">> " . removeshellescapes($4); } } # Do we want to have a PDQ driver declaration for a raw printer? @@ -580,7 +595,7 @@ my @definitions; for my $file (("lib/interface.sh", "lib/signal.sh")) { - open FILE, "$file" || do { + open FILE, "< $file" || do { print $logh "error opening $file.\n"; next; }; @@ -617,17 +632,17 @@ # PPR directory. # Get all command line parameters - $ppr_printer = $rargs[0]; + $ppr_printer = removeshellescapes($rargs[0]); $ppr_address = $rargs[1]; - $ppr_options = $rargs[2]; + $ppr_options = removeshellescapes($rargs[2]); $ppr_jobbreak = $rargs[3]; $ppr_feedback = $rargs[4]; $ppr_codes = $rargs[5]; - $ppr_jobname = $rargs[6]; - $ppr_routing = $rargs[7]; + $ppr_jobname = removeshellescapes($rargs[6]); + $ppr_routing = removeshellescapes($rargs[7]); $ppr_for = $rargs[8]; $ppr_filetype = $rargs[9]; - $ppr_filetoprint = $rargs[10]; + $ppr_filetoprint = removeshellescapes($rargs[10]); # Common job parameters $printer = $ppr_printer; @@ -639,6 +654,7 @@ # Get the path of the PPD file from the queue configuration $ppdfile = `LANG=en_US; ppad show $ppr_printer | grep PPDFile`; + $ppdfile = removeshellescapes($ppdfile); $ppdfile =~ s/PPDFile:\s+//; if ($ppdfile !~ m!^/!) { $ppdfile = "../../share/ppr/PPDFiles/$ppdfile"; @@ -655,12 +671,12 @@ $cups_filename ); if ($spooler eq 'cups') { # Get all command line parameters - $cups_jobid = $rargs[0]; - $cups_user = $rargs[1]; - $cups_jobtitle = $rargs[2]; - $cups_copies = $rargs[3]; - $cups_options = $rargs[4]; - $cups_filename = $rargs[5]; + $cups_jobid = removeshellescapes($rargs[0]); + $cups_user = removeshellescapes($rargs[1]); + $cups_jobtitle = removeshellescapes($rargs[2]); + $cups_copies = removeshellescapes($rargs[3]); + $cups_options = removeshellescapes($rargs[4]); + $cups_filename = removeshellescapes($rargs[5]); # Common job parameters #$printer = $cups_printer; @@ -682,7 +698,7 @@ ($spooler eq 'gnulpr')) { # Get PPD file name as the last command line argument - $ppdfile = $rargs[$#rargs]; + $ppdfile = removeshellescapes($rargs[$#rargs]); } @@ -690,7 +706,7 @@ # No spooler, CPS, or PDQ if (($spooler eq 'direct') || ($spooler eq 'cps') || ($spooler eq 'pdq')) { # Which files do we want to print? - @filelist = @rargs; + @filelist = map { removeshellescapes($_) } @rargs; } @@ -4707,6 +4723,25 @@ return %conf; } +sub removeunprintables { + # Remove unprintable characters + my $str = $_[0]; + $str =~ s/[\x00-\x1f]//g; + return $str; +} + +sub removeshellescapes { + # Remove shell escape characters + my $str = $_[0]; + $str =~ s/[\|<>&!\$\'\"\#\*\?\(\)\[\]\{\}]//g; + return $str; +} + +sub removespecialchars { + # Remove unprintable and shell escape characters + return removeshellescapes(removeunprintables($_[0])); +} + sub unhtmlify { # Replace HTML/XML entities by the original characters my $str = $_[0]; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun...