-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandrakelinux Security Update Advisory _______________________________________________________________________ Package name: cups Advisory ID: MDKSA-2004:116 Date: October 21st, 2004 Affected versions: 10.0, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2 ______________________________________________________________________ Problem Description: Chris Evans discovered numerous vulnerabilities in the xpdf package, which also effect software using embedded xpdf code: Multiple integer overflow issues affecting xpdf-2.0 and xpdf-3.0. Also programs like cups which have embedded versions of xpdf. These can result in writing an arbitrary byte to an attacker controlled location which probably could lead to arbitrary code execution. (CAN-2004-0888) Also, when CUPS debugging is enabled, device URIs containing username and password end up in error_log. This information is also visible via "ps". (CAN-2004-0923) The updated packages are patched to protect against these vulnerabilities. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0923 http://www.cups.org/str.php?L920 ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: 404f47bf2e48e0fe5e6351fb0a51e482 10.0/RPMS/cups-1.1.20-5.3.100mdk.i586.rpm 7b4b06f845f94a076c7a5e86ac1ebd0f 10.0/RPMS/cups-common-1.1.20-5.3.100mdk.i586.rpm 86c01887240c7dc25eaa0584f6f286e0 10.0/RPMS/cups-serial-1.1.20-5.3.100mdk.i586.rpm 0817ea1f56f41c96361723bd010f08dd 10.0/RPMS/libcups2-1.1.20-5.3.100mdk.i586.rpm 604d96d4fc8d5590310b0dfdaf95c9da 10.0/RPMS/libcups2-devel-1.1.20-5.3.100mdk.i586.rpm f56a2a9b631ff34c6a2e1a8eb01f3690 10.0/SRPMS/cups-1.1.20-5.3.100mdk.src.rpm Mandrakelinux 10.0/AMD64: e8e41e0ad06ea13c49aa4097778ef251 amd64/10.0/RPMS/cups-1.1.20-5.3.100mdk.amd64.rpm 2c76ce0c7f6985fd6cedd2b0f6ba0f67 amd64/10.0/RPMS/cups-common-1.1.20-5.3.100mdk.amd64.rpm 0f993cd224e36539c1c9938877850385 amd64/10.0/RPMS/cups-serial-1.1.20-5.3.100mdk.amd64.rpm ff9d25d91c01c44760aac8d1f7f36f79 amd64/10.0/RPMS/lib64cups2-1.1.20-5.3.100mdk.amd64.rpm e72d698c6ac954e51aa05f746bbe9365 amd64/10.0/RPMS/lib64cups2-devel-1.1.20-5.3.100mdk.amd64.rpm f56a2a9b631ff34c6a2e1a8eb01f3690 amd64/10.0/SRPMS/cups-1.1.20-5.3.100mdk.src.rpm Corporate Server 2.1: 93ff5afeb1743f9e72ab3307b392b534 corporate/2.1/RPMS/cups-1.1.18-2.5.C21mdk.i586.rpm b29b8d51b7c0dcca6dc45143d7903cb3 corporate/2.1/RPMS/cups-common-1.1.18-2.5.C21mdk.i586.rpm 5e3c5468ea0ab2fae1aec809daa894de corporate/2.1/RPMS/cups-serial-1.1.18-2.5.C21mdk.i586.rpm 8faf77a298ac1421bcf6c95c618303ab corporate/2.1/RPMS/libcups1-1.1.18-2.5.C21mdk.i586.rpm c7ac9f8314bccd7bc4b1104af279e0f1 corporate/2.1/RPMS/libcups1-devel-1.1.18-2.5.C21mdk.i586.rpm 39b6eb02f3df6a8ac7b6ec1d9a0642a4 corporate/2.1/SRPMS/cups-1.1.18-2.5.C21mdk.src.rpm Corporate Server 2.1/x86_64: 067a8b88cf8c1377c9c6412136fc7d6b x86_64/corporate/2.1/RPMS/cups-1.1.18-2.5.C21mdk.x86_64.rpm 51a15362e5f756aff3211ad343588487 x86_64/corporate/2.1/RPMS/cups-common-1.1.18-2.5.C21mdk.x86_64.rpm 525f0dc8a7ef4db2ffcbe9b7d2a7d677 x86_64/corporate/2.1/RPMS/cups-serial-1.1.18-2.5.C21mdk.x86_64.rpm 72375896902c44ee2d5d3b3297ff8909 x86_64/corporate/2.1/RPMS/libcups1-1.1.18-2.5.C21mdk.x86_64.rpm 58dd73863448021e52fbd9bf2536e4c1 x86_64/corporate/2.1/RPMS/libcups1-devel-1.1.18-2.5.C21mdk.x86_64.rpm 39b6eb02f3df6a8ac7b6ec1d9a0642a4 x86_64/corporate/2.1/SRPMS/cups-1.1.18-2.5.C21mdk.src.rpm Mandrakelinux 9.2: 73897a45c5474c390adc09c32c52073e 9.2/RPMS/cups-1.1.19-10.3.92mdk.i586.rpm 35ab026be5795ef537d996dd50b3ec59 9.2/RPMS/cups-common-1.1.19-10.3.92mdk.i586.rpm 34bd630f0656b7eefa331001ebe46d07 9.2/RPMS/cups-serial-1.1.19-10.3.92mdk.i586.rpm dd362e1edc0774593cbb564d2fcedffb 9.2/RPMS/libcups2-1.1.19-10.3.92mdk.i586.rpm 04119307b9e5e37f36f502f3e299880c 9.2/RPMS/libcups2-devel-1.1.19-10.3.92mdk.i586.rpm 264f7c4310ff0c0bf1166374d49f5ea3 9.2/SRPMS/cups-1.1.19-10.3.92mdk.src.rpm Mandrakelinux 9.2/AMD64: a5a6317fc35c0c7ec51da2074ea59cdb amd64/9.2/RPMS/cups-1.1.19-10.3.92mdk.amd64.rpm 2de8b565958236a4cf299967187aaad1 amd64/9.2/RPMS/cups-common-1.1.19-10.3.92mdk.amd64.rpm 944995579621ce5a986459a47924370c amd64/9.2/RPMS/cups-serial-1.1.19-10.3.92mdk.amd64.rpm 82c5aed6ab6c81a8fab48b0bd2997eb7 amd64/9.2/RPMS/lib64cups2-1.1.19-10.3.92mdk.amd64.rpm 0b99ed51e2b24aac0747334044a5730e amd64/9.2/RPMS/lib64cups2-devel-1.1.19-10.3.92mdk.amd64.rpm 264f7c4310ff0c0bf1166374d49f5ea3 amd64/9.2/SRPMS/cups-1.1.19-10.3.92mdk.src.rpm Multi Network Firewall 8.2: 8bfd1913756558cac4e58e7e22f2d67f mnf8.2/RPMS/libcups1-1.1.18-2.3.M82mdk.i586.rpm a47dcb23ef45908945eff6977b4387e2 mnf8.2/SRPMS/cups-1.1.18-2.3.M82mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandrakelinux at: http://www.mandrakesoft.com/security/advisories If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFBeHhtmqjQ0CJFipgRApe4AJ49l+Mk3uhuHR/dc9bADAIOOpht2gCg5U26 xs17BzSOHPyi+u4v7h5ciq8= =kGLV -----END PGP SIGNATURE-----