Bug#947834: stretch-pu: package cups/2.2.1-8+deb9u5

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#947834: stretch-pu: package cups/2.2.1-8+deb9u5
From: Didier 'OdyX' Raboud <odyx@debian.org>
Date: Tue, 31 Dec 2019 14:33:54 +0100
Message-id: <[🔎] 157779923439.355008.16551301390936076026.reportbug@gyllingar>
Reply-to: Didier 'OdyX' Raboud <odyx@debian.org>, 947834@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Oldstable Release Team,

CVE-2019-2228 affects oldstable's cups (see #946782); and I'd also like to fix
another memory leak (#946941). (See #947832 for the stable/buster pu)

My proposed changelog would be:

  cups (2.2.1-8+deb9u5) stretch; urgency=medium
  
    * Backport upstream security fixes:
      - Fix memory leak in ppdOpen (Closes: #946941)
      - CVE-2019-2228: The `ippSetValuetag` function did not validate the
        default language value (Closes: #946782)
  
   -- Didier Raboud <odyx@debian.org>  Tue, 31 Dec 2019 14:25:30 +0100

… the proposed debdiff is attached.

Cheers,
    OdyX

diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog	2019-08-21 09:51:54.000000000 +0200
+++ cups-2.2.1/debian/changelog	2019-12-31 14:25:30.000000000 +0100
@@ -1,3 +1,12 @@
+cups (2.2.1-8+deb9u5) stretch; urgency=medium
+
+  * Backport upstream security fixes:
+    - Fix memory leak in ppdOpen (Closes: #946941)
+    - CVE-2019-2228: The `ippSetValuetag` function did not validate the
+      default language value (Closes: #946782)
+
+ -- Didier Raboud <odyx@debian.org>  Tue, 31 Dec 2019 14:25:30 +0100
+
 cups (2.2.1-8+deb9u4) stretch; urgency=low
 
   * Fix multiple security/disclosure issues (Closes: #934957)
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm	2019-08-21 09:51:54.000000000 +0200
+++ cups-2.2.1/debian/.git-dpm	2019-12-31 14:25:08.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-8d6c8479d69d091ee83bbf7e10249f98cdaefa99
-8d6c8479d69d091ee83bbf7e10249f98cdaefa99
+c60d0154b20313af2bdec051ab5473320a6de1e8
+c60d0154b20313af2bdec051ab5473320a6de1e8
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 cups_2.2.1.orig.tar.gz
diff -Nru cups-2.2.1/debian/patches/0055-Fix-memory-leak-in-ppdOpen.patch cups-2.2.1/debian/patches/0055-Fix-memory-leak-in-ppdOpen.patch
--- cups-2.2.1/debian/patches/0055-Fix-memory-leak-in-ppdOpen.patch	1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.1/debian/patches/0055-Fix-memory-leak-in-ppdOpen.patch	2019-12-31 14:25:08.000000000 +0100
@@ -0,0 +1,32 @@
+From bf1d779750f63fd2519865ac5cd5656cbdd9e3e0 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 1 Aug 2019 13:02:35 -0400
+Subject: Fix memory leak in ppdOpen
+
+Closes: #946941
+---
+ cups/ppd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/cups/ppd.c b/cups/ppd.c
+index 44a22c5cb..42fff3509 100644
+--- a/cups/ppd.c
++++ b/cups/ppd.c
+@@ -719,6 +719,8 @@ _ppdOpen(
+ 	   strncmp(ll, keyword, ll_len)))
+       {
+ 	DEBUG_printf(("2_ppdOpen: Ignoring localization: \"%s\"\n", keyword));
++	free(string);
++	string = NULL;
+ 	continue;
+       }
+       else if (localization == _PPD_LOCALIZATION_ICC_PROFILES)
+@@ -738,6 +740,8 @@ _ppdOpen(
+ 	if (i >= (int)(sizeof(color_keywords) / sizeof(color_keywords[0])))
+ 	{
+ 	  DEBUG_printf(("2_ppdOpen: Ignoring localization: \"%s\"\n", keyword));
++	  free(string);
++	  string = NULL;
+ 	  continue;
+ 	}
+       }
diff -Nru cups-2.2.1/debian/patches/0056-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch cups-2.2.1/debian/patches/0056-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
--- cups-2.2.1/debian/patches/0056-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch	1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.1/debian/patches/0056-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch	2019-12-31 14:25:08.000000000 +0100
@@ -0,0 +1,23 @@
+From c60d0154b20313af2bdec051ab5473320a6de1e8 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Fri, 13 Dec 2019 09:30:46 -0500
+Subject: CVE-2019-2228: Fix ippSetValueTag validation of default language
+
+Closes: #946782
+---
+ cups/ipp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 843b4d997..8840a1d09 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -4721,7 +4721,7 @@ ippSetValueTag(
+           return (0);
+ 
+         if (ipp->attrs && ipp->attrs->next && ipp->attrs->next->name &&
+-            !strcmp(ipp->attrs->next->name, "attributes-natural-language"))
++            !strcmp(ipp->attrs->next->name, "attributes-natural-language") && (ipp->attrs->next->value_tag & IPP_TAG_CUPS_MASK) == IPP_TAG_LANGUAGE)
+         {
+          /*
+           * Use the language code from the IPP message...
diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series
--- cups-2.2.1/debian/patches/series	2019-08-21 09:51:54.000000000 +0200
+++ cups-2.2.1/debian/patches/series	2019-12-31 14:25:08.000000000 +0100
@@ -52,3 +52,5 @@
 0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
 0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
 0054-Fix-multiple-security-disclosure-issues.patch
+0055-Fix-memory-leak-in-ppdOpen.patch
+0056-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch

Reply to:

Prev by Date: Bug#947832: buster-pu: package cups/2.2.10-6+deb10u2
Previous by thread: Bug#947832: buster-pu: package cups/2.2.10-6+deb10u2
Index(es):
- Date
- Thread