Debians sikkerhedsbulletin
DSA-2007-1 cups -- formatstrengssårbarhed
- Rapporteret den:
- 3. mar 2010
- Berørte pakker:
- cups
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Mitres CVE-ordbog: CVE-2010-0393.
- Yderligere oplysninger:
-
Ronald Volgers opdagede at komponenten lppasswd i cups-programsamlingen, Common UNIX Printing System, var sårbar over for formatstrengangreb på grund af usikker anvendelse af miljøvariablen LOCALEDIR. En angriber kunne misbruge denne virkemåde, til at udføre vilkårlig kode gennem fabrikerede lokaltilpasningsfiler og dermed udløse kald til _cupsLangprintf(). Det virkede fordi den binære lppasswd-fil tilfældigvis er installeret med setuid 0-rettigheder.
I den stabile distribution (lenny), er dette problem rettet i version 1.3.8-1+lenny8.
I distributionen testing (squeeze) vil dette problem snart blive rettet.
I den ustabile distribution (sid) er dette problem rettet i version 1.4.2-9.1.
Vi anbefaler at du opgraderer dine cups-pakker.
- Rettet i:
-
Debian GNU/Linux 5.0 (lenny)
- Kildekode:
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8.dsc
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8.diff.gz
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8.orig.tar.gz
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8.diff.gz
- Arkitekturuafhængig komponent:
- http://security.debian.org/pool/updates/main/c/cups/cups-common_1.3.8-1+lenny8_all.deb
- http://security.debian.org/pool/updates/main/c/cups/cupsys-common_1.3.8-1+lenny8_all.deb
- http://security.debian.org/pool/updates/main/c/cups/cupsys-bsd_1.3.8-1+lenny8_all.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsys2-dev_1.3.8-1+lenny8_all.deb
- http://security.debian.org/pool/updates/main/c/cups/cupsys-dbg_1.3.8-1+lenny8_all.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsys2_1.3.8-1+lenny8_all.deb
- http://security.debian.org/pool/updates/main/c/cups/cupsys-client_1.3.8-1+lenny8_all.deb
- http://security.debian.org/pool/updates/main/c/cups/cupsys_1.3.8-1+lenny8_all.deb
- http://security.debian.org/pool/updates/main/c/cups/cupsys-common_1.3.8-1+lenny8_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny8_alpha.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny8_alpha.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny8_alpha.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny8_alpha.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_alpha.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny8_alpha.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny8_alpha.deb
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8_alpha.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny8_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8_amd64.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny8_amd64.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny8_amd64.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_amd64.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny8_amd64.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny8_amd64.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny8_amd64.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny8_amd64.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny8_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny8_arm.deb
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8_arm.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny8_arm.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny8_arm.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_arm.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny8_arm.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny8_arm.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny8_arm.deb
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8_arm.deb
- ARM EABI:
- http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny8_armel.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny8_armel.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_armel.deb
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8_armel.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny8_armel.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny8_armel.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny8_armel.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny8_armel.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny8_armel.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny8_hppa.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny8_hppa.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny8_hppa.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_hppa.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny8_hppa.deb
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8_hppa.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny8_hppa.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny8_hppa.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny8_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny8_i386.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny8_i386.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny8_i386.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_i386.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny8_i386.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny8_i386.deb
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8_i386.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny8_i386.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny8_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny8_ia64.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_ia64.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny8_ia64.deb
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8_ia64.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny8_ia64.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny8_ia64.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny8_ia64.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny8_ia64.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_ia64.deb
- Little-endian MIPS:
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_mipsel.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny8_mipsel.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny8_mipsel.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny8_mipsel.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny8_mipsel.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny8_mipsel.deb
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8_mipsel.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny8_mipsel.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny8_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny8_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny8_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny8_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny8_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny8_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny8_powerpc.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny8_s390.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_s390.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny8_s390.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny8_s390.deb
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8_s390.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny8_s390.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny8_s390.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny8_s390.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny8_sparc.deb
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8_sparc.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny8_sparc.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny8_sparc.deb
- http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny8_sparc.deb
- http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny8_sparc.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny8_sparc.deb
- http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_sparc.deb
- http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8_sparc.deb
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.