Dear Release Team,

after taking a closer look at #635549 and an IRC chat with the Security people, I propose to upload hplip to stable with the following changelog entry:

hplip (3.10.6-2+squeeze0) stable; urgency=low

  * Fix CVE-2011-2722 "Insecure tempfile handling" by patching the culprit
    code out. (Closes: #635549)

 -- Didier Raboud <o...@debian.org>  Fri, 25 Nov 2011 14:53:50 +0100

Debdiff and dpatch are attached; please comment.

Cheers,
-- OdyX
diff -u hplip-3.10.6/debian/changelog hplip-3.10.6/debian/changelog --- hplip-3.10.6/debian/changelog +++ hplip-3.10.6/debian/changelog @@ -1,3 +1,10 @@ +hplip (3.10.6-2+squeeze0) stable; urgency=low + + * Fix CVE-2011-2722 "Insecure tempfile handling" by patching the culprit + code out. (Closes: #635549) + + -- Didier Raboud <o...@debian.org> Fri, 25 Nov 2011 14:53:50 +0100 + hplip (3.10.6-2) unstable; urgency=high * SECURITY UPDATE: denial of service and possible arbitrary code diff -u hplip-3.10.6/debian/patches/00list hplip-3.10.6/debian/patches/00list --- hplip-3.10.6/debian/patches/00list +++ hplip-3.10.6/debian/patches/00list @@ -22,0 +23 @@ +CVE-2011-2722.dpatch only in patch2: unchanged: --- hplip-3.10.6.orig/debian/patches/CVE-2011-2722.dpatch +++ hplip-3.10.6/debian/patches/CVE-2011-2722.dpatch 
@@ -0,0 +1,51 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2011-2722.dpatch by Didier Raboud <o...@debian.org> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix "Insecure tempfile handling" CVE-2011-2722 by backporting from +## DP: 3.11.10 the removal of the culprit code by upstream. +# +# Bug-Debian: http://bugs.debian.org/635549 +# Author: Didier Raboud <o...@debian.org> + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' hplip-3.10.6~/prnt/hpijs/hpcupsfax.cpp hplip-3.10.6/prnt/hpijs/hpcupsfax.cpp +--- hplip-3.10.6~/prnt/hpijs/hpcupsfax.cpp 2010-07-19 04:15:17.000000000 +0200 ++++ hplip-3.10.6/prnt/hpijs/hpcupsfax.cpp 2011-11-25 13:13:29.000000000 +0100 +@@ -582,7 +582,6 @@ + int iSize, i; + int len; + BYTE *pTmp = NULL; +- FILE *fp = NULL; + + iSize = lseek (fromFD, 0, SEEK_END); + lseek (fromFD, 0, SEEK_SET); +@@ -602,28 +601,12 @@ + } + } + +- fp = NULL; +- if (iLogLevel & SAVE_PCL_FILE) +- { +- fp = fopen ("/tmp/hpcupsfax.out", "w"); +- system ("chmod 666 /tmp/hpcupsfax.out"); +- } +- + while ((len = read (fromFD, pTmp, iSize)) > 0) + { + write (STDOUT_FILENO, pTmp, len); +- if (iLogLevel & SAVE_PCL_FILE && fp) +- { +- fwrite (pTmp, 1, len, fp); +- } + } + free (pTmp); + +- if (fp) +- { +- fclose (fp); +- } +- + return 0; + } +
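Review bot: In the second hpcupsfax.cpp hunk (@@ -602,28 +601,12) the SAVE_PCL_FILE dump is dropped without any mention, so anyone who sets that log-level bit on squeeze now silently gets no /tmp/hpcupsfax.out; please say so in the DP: description of the dpatch. Removing the code is a sound minimal fix for stable, since the deleted lines did fopen ("/tmp/hpcupsfax.out", "w") on a fixed, predictable name and then system ("chmod 666 /tmp/hpcupsfax.out"), and both calls follow a symlink that already exists at that path. The dpatch touches only prnt/hpijs/hpcupsfax.cpp, so before upload it is worth grepping the 3.10.6 tree for other SAVE_PCL_FILE users that write to fixed names under /tmp and confirming none remain.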
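Review bot: The new debian/changelog entry (@@ -1,3 +1,10) says only "patching the culprit code out", which does not tell a stable user what changed; name the file and the behaviour removed, for example that the SAVE_PCL_FILE debug dump to /tmp/hpcupsfax.out in prnt/hpijs/hpcupsfax.cpp is gone. It would also help to record there, as the dpatch header already does, that this is a backport of the upstream removal in 3.11.10.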