Bug 921753 - (CVE-2015-2265) VUL-0: CVE-2015-2265: cups-filters: remote command execution in remove_bad_chars() (incomplete fix for CVE-2014-2707)
(CVE-2015-2265)
VUL-0: CVE-2015-2265: cups-filters: remote command execution in remove_bad_ch...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
All SLES 12
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/114580/
:
Depends on: CVE-2014-2707
Blocks:
  Show dependency treegraph
 
Reported: 2015-03-11 13:15 UTC by Marcus Meissner
Modified: 2017-07-05 11:45 UTC (History)
7 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2015-03-11 13:15:27 UTC
spotted by redhat rh#1199130

  cups-browsed: SECURITY FIX: Fixed a bug in the remove_bad_chars()
  failing to reliably filter out illegal characters if there are two
  or more subsequent illegal characters, allowing execution of
  arbitrary commands with the rights of the "lp" user, using forged
  print service announcements on DNS-SD servers (Bug #1265).

http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7333
https://bugs.linuxfoundation.org/show_bug.cgi?id=1265

https://bugzilla.redhat.com/show_bug.cgi?id=1199130
Comment 4 Johannes Meixner 2015-03-12 11:48:02 UTC
openSUSE Factory has already the fixed cups-filters version 1.0.66.

From cups-filters version 1.0.66 NEWS file:
--------------------------------------------------------------------------
CHANGES IN V1.0.66
 - cups-browsed: SECURITY FIX: Fixed a bug in the remove_bad_chars()
   failing to reliably filter out illegal characters if there are two
   or more subsequent illegal characters, allowing execution of
   arbitrary commands with the rights of the "lp" user, using forged
   print service announcements on DNS-SD servers (Bug #1265).
--------------------------------------------------------------------------
where "Bug #1265" means
https://bugs.linuxfoundation.org/show_bug.cgi?id=1265
Comment 11 Swamp Workflow Management 2015-04-29 16:06:38 UTC
SUSE-SU-2015:0805-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 915545,921753
CVE References: CVE-2015-2265
Sources used:
SUSE Linux Enterprise Server 12 (src):    cups-filters-1.0.58-5.1
SUSE Linux Enterprise Desktop 12 (src):    cups-filters-1.0.58-5.1
Comment 12 Andreas Stieger 2015-07-03 12:11:19 UTC
(In reply to Johannes Meixner from comment #4)
> openSUSE Factory has already the fixed cups-filters version 1.0.66.
> 
> From cups-filters version 1.0.66 NEWS file:
> --------------------------------------------------------------------------
> CHANGES IN V1.0.66
>  - cups-browsed: SECURITY FIX: Fixed a bug in the remove_bad_chars()
>    failing to reliably filter out illegal characters if there are two
>    or more subsequent illegal characters, allowing execution of
>    arbitrary commands with the rights of the "lp" user, using forged
>    print service announcements on DNS-SD servers (Bug #1265).
> --------------------------------------------------------------------------
> where "Bug #1265" means
> https://bugs.linuxfoundation.org/show_bug.cgi?id=1265

openSUSE 13.2 has 1.0.58, please fix (with others that may be outstanding).
Comment 14 Johannes Meixner 2015-07-06 12:27:32 UTC
Fixed and submitted for openSUSE:13.2:Update
----------------------------------------------------------------------------
$ osc maintenancerequest -m 'fixed CVE-2015-2265 (boo#921753)
 and CVE-2015-3258 (bsc#936281) plus CVE-2015-3279 (bsc#937018)'
 home:jsmeix:branches:openSUSE:13.2:Update
 cups-filters.openSUSE_13.2_Update openSUSE:13.2:Update
Using target project 'openSUSE:Maintenance'
315210
----------------------------------------------------------------------------
Comment 15 Johannes Meixner 2015-07-06 12:29:09 UTC
For further processig for the maintenance update for openSUSE:13.2
I re-asssign it to our security team.
Comment 17 Bernhard Wiedemann 2015-07-06 13:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (921753) was mentioned in
https://build.opensuse.org/request/show/315210 13.2 / cups-filters
Comment 18 Andreas Stieger 2015-07-06 14:36:38 UTC
Thanks, we'll handle the submissions.
Comment 19 Swamp Workflow Management 2015-07-14 16:16:03 UTC
openSUSE-SU-2015:1244-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 921753,936281,937018
CVE References: CVE-2015-2265,CVE-2015-3258,CVE-2015-3279
Sources used:
openSUSE 13.2 (src):    cups-filters-1.0.58-2.7.1
Comment 20 Marcus Meissner 2017-07-05 11:45:18 UTC
i think this is resolved