Bugzilla – Bug 957531
VUL-0: CVE-2015-8327 CVE-2015-8560: foomatic-filters,cups-filters: foomatic-rip did not consider back tick and semicolon as illegal shell escape characters
Last modified: 2017-08-10 15:39:08 UTC
via https://lists.debian.org/debian-printing/2015/11/msg00020.html
I have released cups-filters 1.2.0 now, with the following changes:
- cups-browsed: When using IP-address-based device URIs via the "IPBasedDeviceURIs" directive in cups-browsed.conf, add two additional settings to restrict the used IP addresses to either only IPv4 addresses or only IPv6 addresses.
- foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as an illegal shell escape character. Thanks to Michal Kowalczyk from the Google Security Team for the hint (CVE-2015-8327).
I would appreciate if you could upload it to Debian soon so that it syncs into Ubuntu, as it is needed for further development work on Ubuntu.
Till
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1287523
https://lists.debian.org/debian-printing/2015/11/msg00020.html
foomatic-filters is also affected: foomatic-rip.in
    sub removeshellescapes {
        # Remove shell escape characters
        my $str = $_[0];
        $str =~ s/[\|<>&!\$\'\"\#\*\?\(\)\[\]\{\}]//g;
        return $str;
    }
is also missing the ` backtick character in the list.
An update workflow for this issue was started. This issue was rated as "moderate". Please submit fixed packages until "Dec. 16, 2015". When done, reassign the bug to "security-team@suse.de". /update/121074/.
bugbot adjusting priority
There was another commit in cups-filters upstream (revision 7419) as well, adding (;) to the set of illegal shell escape characters:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7419
and was found by Adam Chester. (will get an additional CVE)
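The effect of the two missing characters, shown as an added example (not code from foomatic-rip, cups-filters or anyone in this thread): a C program that applies the character list from the quoted removeshellescapes regex before and after adding back tick and semicolon, next to an allowlist filter. The function names, the sample string and the allowlist policy are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Characters removed by the removeshellescapes regex quoted above (pre-fix). */
static const char DENY_PREFIX[] = "|<>&!$'\"#*?()[]{}";
/* Same list plus back tick (CVE-2015-8327) and semicolon (CVE-2015-8560). */
static const char DENY_FIXED[]  = "|<>&!$'\"#*?()[]{}`;";

/* Denylist: copy src to dst without the bytes in deny; returns result length. */
size_t strip_denylist(const char *src, const char *deny, char *dst, size_t dstsz)
{
    size_t n = 0;
    if (dstsz == 0) return 0;
    for (; *src != '\0' && n + 1 < dstsz; src++)
        if (strchr(deny, *src) == NULL)
            dst[n++] = *src;
    dst[n] = '\0';
    return n;
}

/* Allowlist (assumed policy, not the project's fix): keep only ASCII letters,
 * digits and ". _ -", so no list of dangerous characters must be complete. */
size_t keep_allowlist(const char *src, char *dst, size_t dstsz)
{
    size_t n = 0;
    if (dstsz == 0) return 0;
    for (; *src != '\0' && n + 1 < dstsz; src++) {
        unsigned char c = (unsigned char)*src;
        if (c < 0x80 && (isalnum(c) || c == '.' || c == '_' || c == '-'))
            dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return n;
}

/* 1 if character c would survive the given denylist, else 0. */
int passes_through(const char *deny, char c)
{
    return c != '\0' && strchr(deny, c) == NULL;
}

int main(void)
{
    const char *sample = "draft`1; A4|x";   /* constructed option value */
    char out[32];
    strip_denylist(sample, DENY_PREFIX, out, sizeof out);
    printf("pre-fix list : %s\n", out);
    strip_denylist(sample, DENY_FIXED, out, sizeof out);
    printf("fixed list   : %s\n", out);
    keep_allowlist(sample, out, sizeof out);
    printf("allowlist    : %s\n", out);
    return 0;
}
```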
How good that last week was Hack Week so that I had not yet worked on it :-)
Perhaps we should wait a bit more until really all illegal shell escape characters have been found ;-)
Seriously: I am now starting to work on it...
Marcus Meissner, I need the additional CVE as soon as you know it to make a proper patch and RPM changelog entry.
I checked whether or not HPLIP is also affected cf. https://bugzilla.suse.com/show_bug.cgi?id=59233#c20
----------------------------------------------------------------------------
$ isc maintained hplip
SUSE:SLE-11-SP1:Update/hplip
SUSE:SLE-11:Update/hplip
SUSE:SLE-12:Update/hplip
$ isc cat SUSE:SLE-12:Update hplip hplip.spec
...
# Because foomatic-rip-hplip has CVE-2011-2697 (bnc#698451) plus a leftover in CVE-2004-0801 (bnc#59233)
# which are fixed up to openSUSE 11.4 with patches, after openSUSE 11.4 (i.e. since openSUSE 12.1)
# foomatic-rip-hplip is no longer installed and foomatic-rip from
# foomatic-filters or cups-filters-foomatic-rip is used instead so that
# --disable-foomatic-rip-hplip-install is explicitly set and as a consequence the "cupsFilter" entries
# in the static PPDs are changed in the install section to use foomatic-rip.
...
--disable-foomatic-rip-hplip-install \
...
# To be backward compatible with PPDs in /etc/cups/ppd/ for existing print queues
# a compatibility link /usr/lib/cups/filter/foomatic-rip-hplip is installed
# which points to the actual foomatic-rip executable.
$ isc cat SUSE:SLE-11-SP1:Update hplip hplip.spec
...
# Because foomatic-rip-hplip has CVE-2011-2697 (bnc#698451) plus a leftover in CVE-2004-0801 (bnc#59233)
# which are fixed up to openSUSE 11.4 with patches, after openSUSE 11.4 (i.e. since openSUSE 12.1)
# foomatic-rip-hplip is no longer installed and foomatic-rip from foomatic-filters is used instead so that
# --disable-foomatic-rip-hplip-install is explicitly set and as a consequence the "cupsFilter" entries
# in the static PPDs are changed in the install section to use foomatic-rip.
...
--disable-foomatic-rip-hplip-install \
...
# To be backward compatible with PPDs in /etc/cups/ppd/
# for existing print queues a compatibility link
# /usr/lib/cups/filter/foomatic-rip-hplip
# which points to foomatic-rip is installed
$ isc cat SUSE:SLE-11:Update hplip hplip.spec
...
# Static "hpijs" PPD files via enable-foomatic-ppd-install
# require foomatic-rip-hplip via their cupsFilter entries
# so that enable-foomatic-rip-hplip-install is also needed:
...
--enable-foomatic-rip-hplip-install \
----------------------------------------------------------------------------
This means SUSE:SLE-12:Update/hplip and SUSE:SLE-11-SP1:Update/hplip are not affected but SUSE:SLE-11:Update/hplip is affected.
Submitted fixed cups-filters:
-----------------------------------------------------------------------------
$ isc maintained cups-filters
SUSE:SLE-12:Update/cups-filters
$ isc branch -M SUSE:SLE-12:Update/cups-filters
...
jsmeix:/ibs/home:jsmeix:branches:SUSE:SLE-12:Update/cups-filters.SUSE_SLE-12_Update $ isc sr
WARNING:
WARNING: Project does not accept submit request, request to open a NEW maintenance incident instead
WARNING:
created request id 85194
$ isc request show 85194
Request: #85194
maintenance_incident: home:jsmeix:branches:SUSE:SLE-12:Update/cups-filters.SUSE_SLE-12_Update@d38af1521dceb845b4efb425d9d3b400 -> SUSE:Maintenance (release in SUSE:SLE-12:Update)
Message:
- cups-filters-1.0.58-CVE-2015-8327-et_alii.patch adds back tick and semicolon to the list of illegal shell escape characters to fix CVE-2015-8327 and similar additional CVE(s) (bsc#957531).
State: review 2015-12-14T11:07:17 jsmeix
Comment: <no comment>
Review: new Group: autobuild-team
        new Group: maintenance-team
        new Group: legal-auto
History: 2015-12-14T11:07:18 jsmeix Request created
-----------------------------------------------------------------------------
FYI why I "just use" 'isc sr' from my local checked out branch directory:
Here is an excerpt from Stephan Barth's mail on how I can submit a maintenance request
-----------------------------------------------------------------------------
Date: Wed, 2 Dec 2015 17:14:28 +0100
From: Stephan Barth <snbarth@suse.com>
...
Subject: [devel] SLE 12 SP1 and Maintenance Updates
...
1. First check where your sources are. With:
$ iosc maintained <package>
you can see where the sources for an update are.
...
2. From there you branch -M ... and make the changes ...
3. Then finally issue the maintenance request ...
...
Alternatively, if the branch contains only the packages you want to submit, you can just use:
$ iosc sr
if it was branched correctly as above.
-----------------------------------------------------------------------------
Submitted fixed foomatic-filters:
-----------------------------------------------------------------------------
$ isc maintained foomatic-filters
SUSE:SLE-11:Update/foomatic-filters
$ isc branch -M SUSE:SLE-11:Update/foomatic-filters
...
$ isc maintenancerequest home:jsmeix:branches:SUSE:SLE-11:Update \
    foomatic-filters.SUSE_SLE-11_Update SUSE:SLE-11:Update
Using target project 'SUSE:Maintenance'
85198
$ isc request show 85198
Request: #85198
maintenance_incident: home:jsmeix:branches:SUSE:SLE-11:Update/foomatic-filters.SUSE_SLE-11_Update@e318445cb422088100f56f31a1a58038 -> SUSE:Maintenance (release in SUSE:SLE-11:Update)
Message:
- foomatic-rip-3.CVE-2015-8327-et_alii.patch adds back tick and semicolon to the list of illegal shell escape characters to fix CVE-2015-8327 and similar additional CVE(s) (bsc#957531).
State: review 2015-12-14T11:19:20 jsmeix
Comment: <no comment>
Review: new Group: autobuild-team
        new Group: maintenance-team
        new Group: legal-auto
History: 2015-12-14T11:19:20 jsmeix Request created
-----------------------------------------------------------------------------
Regarding fixed cups-filters for openSUSE Leap: I learned via http://bugzilla.opensuse.org/show_bug.cgi?id=898327#c9 that this will happen automatically:
-----------------------------------------------------------------------
$ osc cat openSUSE:Leap:42.1 00Meta lookup.yml | grep '^cups-filters'
cups-filters: SUSE:SLE-12:Update
-----------------------------------------------------------------------
Regarding comment#7 "SUSE:SLE-11:Update/hplip is affected": HPLIP in SLE11-SP0 (i.e. SUSE:SLE-11:Update/hplip) is affected but SLE11-SP0 is no longer maintained (no 11-SP0 product lives anymore). Therefore it is now fixed for all maintained SLE products.
Submitted fixed cups-filters for openSUSE:13.2:
--------------------------------------------------------------------------
$ osc maintained cups-filters
openSUSE:13.2:Update/cups-filters
openSUSE:Leap:42.1:Update/cups-filters
$ osc branch -M openSUSE:13.2:Update/cups-filters
. . .
home:jsmeix:branches:openSUSE:13.2:Update/cups-filters.openSUSE_13.2_Update
$ osc mr
Using target project 'openSUSE:Maintenance'
348830
--------------------------------------------------------------------------
For openSUSE:Leap:42.1 it will happen automatically (see comment#14).
Therefore it is now fixed for all maintained SUSE and openSUSE products.
Nevertheless I keep it in state "in progress" for now because I would like to add the second CVE to the RPM changelog.
This is an autogenerated message for OBS integration: This bug (957531) was mentioned in https://build.opensuse.org/request/show/348830 13.2 / cups-filters
CVE-2015-8560 was assigned to the ; issue.
Re-submitted cups-filters with "CVE-2015-8560" in RPM changelog:
----------------------------------------------------------------------------
$ isc maintained cups-filters
SUSE:SLE-12:Update/cups-filters using sources from SUSE:Maintenance:1694/cups-filters.SUSE_SLE-12_Update
$ isc branch -M SUSE:SLE-12:Update/cups-filters
Server returned an error: HTTP Error 400: Bad Request
branch target package already exists: home:jsmeix:branches:SUSE:SLE-12:Update/cups-filters.SUSE_SLE-12_Update
$ isc branch -M SUSE:Maintenance:1694/cups-filters.SUSE_SLE-12_Update
A working copy of the branched package can be checked out with:
osc -A https://api.suse.de co home:jsmeix:branches:SUSE:Maintenance:1694/cups-filters.SUSE_SLE-12_Update.SUSE_Maintenance_1694
...
$ isc maintenancerequest home:jsmeix:branches:SUSE:Maintenance:1694 cups-filters.SUSE_SLE-12_Update.SUSE_Maintenance_1694 SUSE:SLE-12:Update
Using target project 'SUSE:Maintenance'
85330
----------------------------------------------------------------------------
Re-submitted foomatic-filters with "CVE-2015-8560" in RPM changelog:
----------------------------------------------------------------------------
$ isc maintained foomatic-filters
SUSE:SLE-11:Update/foomatic-filters using sources from SUSE:Maintenance:1695/foomatic-filters.SUSE_SLE-11_Update
$ isc branch -M SUSE:SLE-11:Update/foomatic-filters
A working copy of the branched package can be checked out with:
osc -A https://api.suse.de co home:jsmeix:branches:SUSE:SLE-11:Update/foomatic-filters.SUSE_SLE-11_Update
...
$ isc maintenancerequest home:jsmeix:branches:SUSE:SLE-11:Update foomatic-filters.SUSE_SLE-11_Update SUSE:SLE-11:Update
Using target project 'SUSE:Maintenance'
85334
----------------------------------------------------------------------------
*sigh* please don't branch from active maintenance projects.
you can:
branch from the regular update project, this will auto-pickup the changes from the active maintenance projects. and submit back
e.g. 85330 needs to be redone.
or just add cups-filters and use sr
isc sr home:jsmeix:branches:SUSE:Maintenance:1694 cups-filters.SUSE_SLE-12_Update.SUSE_Maintenance_1694 SUSE:SLE-12:Update cups-filters
should work.
Re-submitted cups-filters for openSUSE 13.2 with "CVE-2015-8560" in RPM changelog:
--------------------------------------------------------------------------
$ osc maintained cups-filters
openSUSE:13.2:Update/cups-filters using sources from openSUSE:Maintenance:4392/cups-filters.openSUSE_13.2_Update
openSUSE:Leap:42.1:Update/cups-filters
$ osc branch -M openSUSE:13.2:Update/cups-filters
A working copy of the branched package can be checked out with:
osc co home:jsmeix:branches:openSUSE:13.2:Update/cups-filters.openSUSE_13.2_Update
...
$ osc maintenancerequest home:jsmeix:branches:openSUSE:13.2:Update cups-filters.openSUSE_13.2_Update openSUSE:13.2:Update
Using target project 'openSUSE:Maintenance'
348937
--------------------------------------------------------------------------
Marcus Meissner, didn't you see in my comment#21 that I had first tried
isc branch -M SUSE:SLE-12:Update/cups-filters
but got an "error: HTTP Error 400: Bad Request"?
Didn't you see in my comment#21 that
isc maintained cups-filters
had told me "using sources from SUSE:Maintenance:1694/cups-filters.SUSE_SLE-12_Update"
And now you tell me not to use sources from SUSE:Maintenance:1694/cups-filters.SUSE_SLE-12_Update ???
I did not see this, sorry.
The error 400 means that there is already something on home:jsmeix:branches:SUSE:SLE-12:Update/cups-filters.SUSE_SLE-12_Update
(that it just says error 400 is a bug I reported to the autobuild folks already)
you could work on top of home:jsmeix:branches:SUSE:SLE-12:Update/cups-filters.SUSE_SLE-12_Update and resubmit from there.
isc maintained cups-filters
the line
SUSE:SLE-12:Update/cups-filters using sources from SUSE:Maintenance:1694/cups-filters.SUSE_SLE-12_Update
shows that branching from SUSE:SLE-12:Update/cups-filters would pick up the current update sources from the above maintenance incident.
I re-submitted cups-filters with "CVE-2015-8560" in RPM changelog:
------------------------------------------------------------------------------
home:jsmeix:branches:SUSE:SLE-12:Update/cups-filters.SUSE_SLE-12_Update $ isc commit
Sending cups-filters.changes
Sending cups-filters.spec
$ isc submitrequest home:jsmeix:branches:SUSE:SLE-12:Update cups-filters.SUSE_SLE-12_Update SUSE:SLE-12:Update cups-filters
WARNING:
WARNING: Project does not accept submit request, request to open a NEW maintenance incident instead
WARNING:
created request id 85738
$ isc request show 85738
Request: #85738
maintenance_incident: home:jsmeix:branches:SUSE:SLE-12:Update/cups-filters.SUSE_SLE-12_Update@1851824159706c4e81cb903ebfa08a81 -> SUSE:Maintenance (release in SUSE:SLE-12:Update)
Message: added "CVE-2015-8560" to RPM changelog and spec file see https://bugzilla.suse.com/show_bug.cgi?id=957531#c20
State: review 2015-12-16T10:09:15 jsmeix
Comment: <no comment>
Review: new Group: autobuild-team
        new Group: maintenance-team
        new Group: legal-auto
History: 2015-12-16T10:09:15 jsmeix Request created
------------------------------------------------------------------------------
According to what you suggested in comment#23 I used
isc submitrequest home:jsmeix:branches:SUSE:SLE-12:Update cups-filters.SUSE_SLE-12_Update SUSE:SLE-12:Update cups-filters
I wonder if I also could have used
isc submitrequest home:jsmeix:branches:SUSE:SLE-12:Update cups-filters.SUSE_SLE-12_Update SUSE:Maintenance:1694 cups-filters.SUSE_SLE-12_Update
or
isc maintenancerequest home:jsmeix:branches:SUSE:SLE-12:Update cups-filters.SUSE_SLE-12_Update SUSE:SLE-12:Update
or if one of the latter would have been even better?
FYI: I think the actual root cause is that home:jsmeix:branches:SUSE:SLE-12:Update/cups-filters.SUSE_SLE-12_Update still exists regardless that my request 85194 was accepted.
According to "osc help submitrequest"
-----------------------------------------------------------------------------
--cleanup remove package if submission gets accepted (default for home:<id>:branch projects)
-----------------------------------------------------------------------------
I would expect that home:jsmeix:branches:SUSE:SLE-12:Update/cups-filters.SUSE_SLE-12_Update got automatically deleted after my request 85194 was accepted.
Because I was not deleted regardless that my request 85194 was accepted I assume it is somehow still needed.
At least _I_ would never manually delete it because I cannot know if there is a valid reason why it must still exist.
Only for the log: I revoked my wrong and therefore declined request 85330:
---------------------------------------------------------------------------
$ isc request revoke -m 'supersededed by request 85738' 85330
Result of change request state: ok
---------------------------------------------------------------------------
Found interesting typo in comment#27: "... I was not deleted regardless ..." should read "... it was not deleted regardless ..." I am glad that I was not deleted ;-) It seems request 85738 is o.k. to get accepted which means the issue is now fixed for all maintained SUSE and openSUSE products.
From its current status "RESOLVED FIXED" I reopen it and re-assign it to security-team@suse.de for further processing and releasing the updates.
openSUSE-SU-2015:2367-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 957531
CVE References: CVE-2015-8327,CVE-2015-8560
Sources used:
openSUSE 13.2 (src): cups-filters-1.0.58-2.11.1
SUSE-SU-2016:0092-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 957531
CVE References: CVE-2015-8327
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): cups-filters-1.0.58-13.1
SUSE Linux Enterprise Server 12 (src): cups-filters-1.0.58-13.1
SUSE Linux Enterprise Desktop 12-SP1 (src): cups-filters-1.0.58-13.1
SUSE Linux Enterprise Desktop 12 (src): cups-filters-1.0.58-13.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-01-27. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62431
SUSE-SU-2016:0112-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 957531
CVE References: CVE-2015-8327,CVE-2015-8560
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): foomatic-filters-3.0.2-269.39.1
SUSE Linux Enterprise Server 11-SP4 (src): foomatic-filters-3.0.2-269.39.1
SUSE Linux Enterprise Server 11-SP3 (src): foomatic-filters-3.0.2-269.39.1
SUSE Linux Enterprise Desktop 11-SP4 (src): foomatic-filters-3.0.2-269.39.1
SUSE Linux Enterprise Desktop 11-SP3 (src): foomatic-filters-3.0.2-269.39.1
openSUSE-SU-2016:0179-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 957531
CVE References: CVE-2015-8327
Sources used:
openSUSE Leap 42.1 (src): cups-filters-1.0.58-12.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-03-08. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63440
fixed