[lsb-discuss] foomatic-rip in SUSE: Updates needed

Till Kamppeter till.kamppeter at gmail.com
Wed Dec 19 02:33:46 PST 2007


Hi,

during the tests for the LSB 3.2 release we have found out that there 
are enterprise editions of SUSE Linux which ship an outdated version of 
foomatic-rip of 3 years ago.

The problems are the following:

- Security bug CAN-2004-0801: By sending a print job with appropriately 
made option settings one can run arbitrary commands as the printing 
system user "lp". This was fixed three years ago.

- Support for Ricoh printers: Ricoh printers need job parameters like 
user name, time and date of the job being sent, job title, ... to 
provide their full functionality, especially for secured 
(password-protected) printing. Appropriate functionality was added to 
foomatic-rip two years ago.

- During the last three years many major and minor bug fixes were applied.

The SUSE distros with outdated foomatic-rip are SLED/SLES 10 and 
earlier, SUSE Professional 10.1 and earlier.

See also the mail cited below.

I highly recommend providing an update of foomatic-rip for these 
distributions, preferably to the current version to get all bug fixes, 
but at least to the version from July 29, 2005:

-----------------------------------------------------------------------
2005-07-29  Till Kamppeter <till.kamppeter at gmx.net>

         * foomatic-rip.in: Added substitution of special XML entities by
           job data, as date, time, job ID, user name, ... (in function
           "unhtmlify()"). This was suggested by George Liu from Ricoh
           (george dot liu at ussj dot ricoh dot com), to support jobs
           with submission of login/password to the printer.
-----------------------------------------------------------------------

This way maximum security and compatibility for users of the mentioned 
distributions is assured. This is especially important for enterprise 
distributions.

    Till

-----------------------------------------------------------------------
The outdated foomatic-rip version SUSE ships is 3.43.2.6. (2004-06-15)

 > > Can you post a list of all distros which ship with outdated foomatic-rip?
SLED/SLES 10 and earlier, SUSE Professional 10.1 and earlier.
At least RHEL5, FC5, Mandriva 2006, Kubuntu 6.10 have updated
foomatic-rip.

 > > Can you also tell which security bugs they have?
From ChangeLog of foomatic-rip, there's a security fix on 2004-08-26.
(Advisory ID: CAN-2004-0801)




