Security vulnerabilities have been identified and fixed in the foomatic software package; a potential attacker could have exploited them to overwrite arbitrary files.
Package: foomatic 4.x
Operating systems: Fedora 14, Fedora 15
Criticality: 5
Problem: error in a program component
Exploitation: remote
Consequence: data modification
Solution: vendor patch
CVE: CVE-2011-2924, CVE-2011-2697, CVE-2011-2923
Original advisory ID: FEDORA-2011-11205
Source: Fedora

Problem:
The vulnerability arises because the foomatic-rip filter uses insecurely created temporary files to store PostScript data.

Consequence:
An attacker could exploit the flaw to overwrite an arbitrary file with the privileges of the user running the foomatic-rip filter.

Solution:
Applying the released updates is advised.
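The Problem and Consequence entries above describe the classic insecure temporary file pattern, and the Fedora update information further down records the fix (using mktemp when creating the debug log). The C program below is an added example written for this page; it is not foomatic-rip's code, and the file names, scratch directory and helper functions (open_debug_log_insecure, open_debug_log_secure, log_fd_is_private, run_demo) are hypothetical. It places a predictable log path opened without O_EXCL beside a replacement built on mkstemp(3), the libc call that creates the file atomically with a random name and mode 0600, and adds a post-open check a log writer can apply. The demonstration plants its symlink only inside a private directory it creates itself.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATHBUF 4096

/* Insecure pattern (illustrative, not foomatic-rip's own code): a predictable
 * path opened with O_CREAT but without O_EXCL. If a local user has placed a
 * symlink at `path` beforehand, the write lands on the link's target. */
int open_debug_log_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: mkstemp() replaces XXXXXX with a random suffix and opens
 * the file atomically with O_CREAT|O_EXCL and mode 0600, so anything already
 * sitting at the final path is never opened. The chosen path is left in `buf`. */
int open_debug_log_secure(const char *dir, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%s/foomatic-rip-debug-XXXXXX", dir);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return mkstemp(buf);
}

/* Post-open check a log writer can apply to the descriptor it got back:
 * a regular file, mode 0600, with a single link (not a hardlink alias). */
int log_fd_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 07777) == 0600 && st.st_nlink == 1;
}

/* Self-contained demonstration in a private scratch directory: plant a symlink
 * at the predictable log path, then open the log both ways. Returns 1 when the
 * insecure open wrote through the symlink while the secure open produced a
 * distinct private file; 0 if either did not behave that way; -1 on setup error. */
int run_demo(void)
{
    const char *tmp = getenv("TMPDIR");
    char dir[PATHBUF], target[PATHBUF], link[PATHBUF], secure_name[PATHBUF];
    char readback[32] = "";
    int fd, followed, is_private, result;

    snprintf(dir, sizeof dir, "%s/foomatic-demo-XXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/foomatic-rip.log", dir);

    /* Constructed "victim" file standing in for any file that must not be clobbered. */
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "original", 8) != 8)
        return -1;
    close(fd);
    if (symlink(target, link) != 0)
        return -1;

    /* The insecure open follows the planted symlink and truncates/overwrites the target. */
    fd = open_debug_log_insecure(link);
    if (fd >= 0) {
        if (write(fd, "debug", 5) != 5)
            readback[0] = '\0';
        close(fd);
    }
    fd = open(target, O_RDONLY);
    if (fd >= 0) {
        ssize_t r = read(fd, readback, sizeof readback - 1);
        readback[r > 0 ? r : 0] = '\0';
        close(fd);
    }
    followed = strcmp(readback, "debug") == 0;

    /* The secure open never touches the predictable path at all. */
    fd = open_debug_log_secure(dir, secure_name, sizeof secure_name);
    is_private = fd >= 0 && log_fd_is_private(fd) && strcmp(secure_name, link) != 0;
    if (fd >= 0) {
        close(fd);
        unlink(secure_name);
    }

    result = followed && is_private;
    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("insecure open followed the planted symlink, secure open stayed private: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

Build with `cc -o tmpfile-demo tmpfile-demo.c` and run it; the only difference between the two opens is the atomic create-with-O_EXCL under a name the attacker cannot predict, which is exactly what the mktemp-based fix in the update supplies.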
Original advisory text
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-11205
2011-08-19 21:17:25
--------------------------------------------------------------------------------
Name : foomatic
Product : Fedora 14
Version : 4.0.8
Release : 3.fc14
URL : http://www.linuxprinting.org
Summary : Tools for using the foomatic database of printers and printer drivers
Description :
Foomatic is a comprehensive, spooler-independent database of printers,
printer drivers, and driver descriptions. This package contains
utilities to generate driver description files and printer queues for
CUPS, LPD, LPRng, and PDQ using the database (packaged separately).
There is also the possibility to read the PJL options out of PJL-capable
laser printers and take them into account at the driver description
file generation.
There are spooler-independent command line interfaces to manipulate
queues (foomatic-configure) and to print files/manipulate jobs
(foomatic printjob).
The site http://www.linuxprinting.org/ is based on this database.
--------------------------------------------------------------------------------
Update Information:
This package fixes CVE-2011-2924 by using mktemp when creating a debug log file in debug mode.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Aug 18 2011 Tim Waugh <[e-mail address withheld]> - 4.0.8-3
- Another fix for CVE-2011-2924 (bug #726426).
* Thu Aug 18 2011 Tim Waugh <[e-mail address withheld]> - 4.0.8-2
- Use mktemp when creating debug log file in foomatic-rip
(CVE-2011-2924, bug #726426).
* Mon Jul 25 2011 Jiri Popelka <[e-mail address withheld]> - 4.0.8-1
- 4.0.8 (all patches merged upstream)
* Wed Jul 20 2011 Tim Waugh <[e-mail address withheld]> - 4.0.7-2
- Fix improper sanitization of command line options (bug #721001,
CVE-2011-2697).
* Mon Feb 21 2011 Jiri Popelka <[e-mail address withheld]> - 4.0.7-1
- 4.0.7
* Tue Dec 21 2010 Tim Waugh <[e-mail address withheld]> - 4.0.6-2
- Use perl_vendorlib macro instead of defining our own.
* Thu Dec 16 2010 Jiri Popelka <[e-mail address withheld]> - 4.0.6-1
- 4.0.6
* Thu Dec 9 2010 Tim Waugh <[e-mail address withheld]> - 4.0.5-4
- Rebuilt for new device IDs.
* Fri Oct 15 2010 Tim Waugh <[e-mail address withheld]> - 4.0.5-3
- Removed hard-coded perl paths from spec file.
* Tue Oct 5 2010 Tim Waugh <[e-mail address withheld]> - 4.0.5-2
- Updated summary and description to more accurately reflect package
contents (bug #630651).
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #726426 - CVE-2011-2923 CVE-2011-2924 foomatic: foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data
https://bugzilla.redhat.com/show_bug.cgi?id=726426
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update foomatic' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-11196
2011-08-19 21:17:06
--------------------------------------------------------------------------------
Name : foomatic
Product : Fedora 15
Version : 4.0.8
Release : 3.fc15
URL : http://www.linuxprinting.org
Summary : Tools for using the foomatic database of printers and printer drivers
Description :
Foomatic is a comprehensive, spooler-independent database of printers,
printer drivers, and driver descriptions. This package contains
utilities to generate driver description files and printer queues for
CUPS, LPD, LPRng, and PDQ using the database (packaged separately).
There is also the possibility to read the PJL options out of PJL-capable
laser printers and take them into account at the driver description
file generation.
There are spooler-independent command line interfaces to manipulate
queues (foomatic-configure) and to print files/manipulate jobs
(foomatic printjob).
The site http://www.linuxprinting.org/ is based on this database.
--------------------------------------------------------------------------------
Update Information:
This package fixes CVE-2011-2924 by using mktemp when creating a debug log file in debug mode.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Aug 18 2011 Tim Waugh <[e-mail address withheld]> - 4.0.8-3
- Another fix for CVE-2011-2924 (bug #726426).
* Thu Aug 18 2011 Tim Waugh <[e-mail address withheld]> - 4.0.8-2
- Use mktemp when creating debug log file in foomatic-rip
(CVE-2011-2924, bug #726426).
* Mon Jul 25 2011 Jiri Popelka <[e-mail address withheld]> - 4.0.8-1
- 4.0.8 (all patches merged upstream)
* Wed Jul 20 2011 Tim Waugh <[e-mail address withheld]> - 4.0.7-3
- Fix improper sanitization of command line options (bug #721001,
CVE-2011-2697).
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #726426 - CVE-2011-2923 CVE-2011-2924 foomatic: foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data
https://bugzilla.redhat.com/show_bug.cgi?id=726426
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update foomatic' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce