CVE-2015-8560

Name	CVE-2015-8560
Description	Incomplete blacklist vulnerability in util.c in foomatic-rip in cups-filters 1.0.42 before 1.4.0 and in foomatic-filters in Foomatic 4.0.x allows remote attackers to execute arbitrary commands via a ; (semicolon) character in a print job, a different vulnerability than CVE-2015-8327.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-371-1, DSA-3419-1, DSA-3429-1
Debian Bugs	807930, 807993

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
cups-filters (PTS)	jessie, jessie (lts)	1.0.61-5+deb8u5	fixed
	stretch (security)	1.11.6-3+deb9u1	fixed
	stretch (lts), stretch	1.11.6-3+deb9u3	fixed
	buster, buster (lts)	1.21.6-5+deb10u2	fixed
	buster (security)	1.21.6-5+deb10u1	fixed
	bullseye	1.28.7-1+deb11u2	fixed
	bullseye (security)	1.28.7-1+deb11u3	fixed
	bookworm (security), bookworm	1.28.17-3+deb12u1	fixed
	sid, trixie	1.28.17-5	fixed
foomatic-filters (PTS)	jessie, jessie (lts)	4.0.17-5+deb8u1	fixed
	stretch	4.0.17-9	fixed
	buster	4.0.17-11	fixed
	bullseye	4.0.17-12	fixed
	sid, trixie, bookworm	4.0.17-16	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
cups-filters	source	wheezy	(not affected)
cups-filters	source	jessie	1.0.61-5+deb8u3	DSA-3419-1
cups-filters	source	(unstable)	1.4.0-1		807930
foomatic-filters	source	squeeze	4.0.5-6+squeeze2+deb6u12	DLA-371-1
foomatic-filters	source	wheezy	4.0.17-1+deb7u1	DSA-3429-1
foomatic-filters	source	jessie	4.0.17-5+deb8u1	DSA-3429-1
foomatic-filters	source	(unstable)	4.0.17-7		807993

Notes

[wheezy] - cups-filters <not-affected> (Vulnerable code not present; introduced in 1.0.42)
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7419
https://www.openwall.com/lists/oss-security/2015/12/13/2