Re: Vulnerabilities in Oki CUPS printer drivers

[Guido Berhoerster <guido+openwall.com () berhoerster name>]

* Kurt Seifried <kseifried () redhat com> [2012-11-14 18:42]:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/18/2012 02:21 AM, Guido Berhoerster wrote:
> > Vulnerabilities in Oki CUPS printer drivers
> >
> > The following describes a security vulnerability in several Oki 
> > CUPS drivers. While I'm not aware that these drivers are packaged 
> > in any ditribution, they are free software (licensed under the GPL 
> > v2 or later) and made available via the Oki website and their FTP 
> > server so I hope this is on topic here.
>
> Apologies for the delay on this, the files are no longer available on
> the Oki ftpsite, so I assume the vendor "fixed" this by removing them?
> I managed to dig up some copies of the file through google but they
> don't contain the okijobaccounting script or the
> rastertookimonochrome. So I can't confirm this (can anyone other than
> the original reporter? (e.g. iSIGHT or iDefense? I'm pretty sure you
> guys cover Oki as a vendor =).

AFAICS all drivers have been replaced now, the new filter scripts
seem to use /bin/mktemp and $TMPDIR which is set by CUPS.
I have the vulnerable driver versions archieved and can make them
available on request.
-- 
Guido Berhoerster