* [PATCH 0/2][jethro] jethro-next Foomatic-filter security fixes
@ 2016-02-01 17:54 Armin Kuster
2016-02-01 17:54 ` [PATCH 1/2] foomatic-filters: Security fix CVE-2015-8560 Armin Kuster
2016-02-01 17:54 ` [PATCH 2/2] foomatic-filters: Security fixes CVE-2015-8327 Armin Kuster
0 siblings, 2 replies; 3+ messages in thread
From: Armin Kuster @ 2016-02-01 17:54 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
Please consider these for an upcoming release
The following changes since commit fbfe937ab7effcacd1dae558a667eaa0e0500637:
git: Security fix CVE-2015-7545 (2016-01-31 14:28:42 -0800)
are available in the git repository at:
git://git.yoctoproject.org/poky-contrib akuster/jethro_cve_fixes
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=akuster/jethro_cve_fixes
Armin Kuster (2):
foomatic-filters: Security fix CVE-2015-8560
foomatic-filters: Security fixes CVE-2015-8327
.../foomatic-filters-4.0.17/CVE-2015-8327.patch | 23 ++++++++++++++++++++++
.../foomatic-filters-4.0.17/CVE-2015-8560.patch | 23 ++++++++++++++++++++++
.../foomatic/foomatic-filters_4.0.17.bb | 3 +++
3 files changed, 49 insertions(+)
create mode 100644 meta/recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8327.patch
create mode 100644 meta/recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8560.patch
--
2.3.5
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 1/2] foomatic-filters: Security fix CVE-2015-8560
2016-02-01 17:54 [PATCH 0/2][jethro] jethro-next Foomatic-filter security fixes Armin Kuster
@ 2016-02-01 17:54 ` Armin Kuster
2016-02-01 17:54 ` [PATCH 2/2] foomatic-filters: Security fixes CVE-2015-8327 Armin Kuster
1 sibling, 0 replies; 3+ messages in thread
From: Armin Kuster @ 2016-02-01 17:54 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
CVE-2015-8560 cups-filters: foomatic-rip did not consider semicolon as illegal shell escape character
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../foomatic-filters-4.0.17/CVE-2015-8560.patch | 23 ++++++++++++++++++++++
.../foomatic/foomatic-filters_4.0.17.bb | 3 +++
2 files changed, 26 insertions(+)
create mode 100644 meta/recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8560.patch
diff --git a/meta/recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8560.patch b/meta/recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8560.patch
new file mode 100644
index 0000000..dc973c4
--- /dev/null
+++ b/meta/recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8560.patch
@@ -0,0 +1,23 @@
+Upstream-Status: Backport
+
+
+http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7419
+
+Hand applied change to util.c. Fix was for cups-filters but also applied to foomatic-filters.
+
+CVE: CVE-2015-8560
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: util.c
+===================================================================
+--- a/util.c
++++ b/util.c
+@@ -31,7 +31,7 @@
+ #include <assert.h>
+
+
+-const char* shellescapes = "|<>&!$\'\"#*?()[]{}";
++const char* shellescapes = "|;<>&!$\'\"#*?()[]{}";
+
+ const char * temp_dir()
+ {
diff --git a/meta/recipes-extended/foomatic/foomatic-filters_4.0.17.bb b/meta/recipes-extended/foomatic/foomatic-filters_4.0.17.bb
index 790c981..7d0d717 100644
--- a/meta/recipes-extended/foomatic/foomatic-filters_4.0.17.bb
+++ b/meta/recipes-extended/foomatic/foomatic-filters_4.0.17.bb
@@ -17,6 +17,9 @@ LIC_FILES_CHKSUM = "file://${WORKDIR}/foomatic-filters-${PV}/COPYING;md5=393a5ca
SRC_URI = "http://www.openprinting.org/download/foomatic/foomatic-filters-${PV}.tar.gz"
+SRC_URI += "file://CVE-2015-8560.patch \
+ "
+
SRC_URI[md5sum] = "b05f5dcbfe359f198eef3df5b283d896"
SRC_URI[sha256sum] = "a2e2e53e502571e88eeb9010c45a0d54671f15707ee104f5c9c22b59ea7a33e3"
--
2.3.5
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] foomatic-filters: Security fixes CVE-2015-8327
2016-02-01 17:54 [PATCH 0/2][jethro] jethro-next Foomatic-filter security fixes Armin Kuster
2016-02-01 17:54 ` [PATCH 1/2] foomatic-filters: Security fix CVE-2015-8560 Armin Kuster
@ 2016-02-01 17:54 ` Armin Kuster
1 sibling, 0 replies; 3+ messages in thread
From: Armin Kuster @ 2016-02-01 17:54 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
CVE-2015-8327 cups-filters: foomatic-rip did not consider the back tick as an illegal shell escape character
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../foomatic-filters-4.0.17/CVE-2015-8327.patch | 23 ++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 meta/recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8327.patch
diff --git a/meta/recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8327.patch b/meta/recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8327.patch
new file mode 100644
index 0000000..aaedc88
--- /dev/null
+++ b/meta/recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8327.patch
@@ -0,0 +1,23 @@
+Upstream-Status: Backport
+
+
+http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7406
+
+Hand applied change to util.c. Fix was for cups-filters but also applied to foomatic-filters.
+
+CVE: CVE-2015-8327
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: util.c
+===================================================================
+--- a/util.c
++++ b/util.c
+@@ -31,7 +31,7 @@
+ #include <assert.h>
+
+
+-const char* shellescapes = "|;<>&!$\'\"#*?()[]{}";
++const char* shellescapes = "|;<>&!$\'\"`#*?()[]{}";
+
+ const char * temp_dir()
+ {
--
2.3.5
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-02-01 17:54 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-01 17:54 [PATCH 0/2][jethro] jethro-next Foomatic-filter security fixes Armin Kuster
2016-02-01 17:54 ` [PATCH 1/2] foomatic-filters: Security fix CVE-2015-8560 Armin Kuster
2016-02-01 17:54 ` [PATCH 2/2] foomatic-filters: Security fixes CVE-2015-8327 Armin Kuster
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox