
cups jessie update



Hi again,

Next in line: cups. Two fairly simple patches and this time the test
suite passes without a fuss, provided that the local hostname resolves
within the chroot. ;)

Packages, as usual, are available here, signed by me:

https://people.debian.org/~anarcat/debian/jessie-lts/

Debdiff also available above and attached.

A.
-- 
Arguing for surveillance because you have nothing to hide is no
different than making the claim, "I don't care about freedom of speech
because I have nothing to say."
                        - Edward Snowden
diff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog	2017-07-21 08:44:00.000000000 -0400
+++ cups-1.7.5/debian/changelog	2018-06-07 09:23:48.000000000 -0400
@@ -1,3 +1,11 @@
+cups (1.7.5-11+deb8u3) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2017-18190: fix remote code execution through DNS rebinding
+  * CVE-2017-18248: fix remote crash through invalid username
+
+ -- Antoine Beaupré <anarcat@debian.org>  Thu, 07 Jun 2018 09:23:48 -0400
+
 cups (1.7.5-11+deb8u2) jessie; urgency=high
 
   * Disable SSLv3 and RC4 by default to address POODLE vulnerability
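Review bot: The distribution field on the new 1.7.5-11+deb8u3 entry is still UNRELEASED and needs to be set to the target suite before upload, since the previous entry was released to jessie. The CVE-2017-18248 line could also name the mechanism given in the patch subject (DBUS notifications crashing the scheduler on a requesting-user-name that is not valid UTF-8), so the entry can be matched to CVE-2017-18248-6007df3.patch without opening it.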
diff -Nru cups-1.7.5/debian/patches/CVE-2017-18190-0476c41.patch cups-1.7.5/debian/patches/CVE-2017-18190-0476c41.patch
--- cups-1.7.5/debian/patches/CVE-2017-18190-0476c41.patch	1969-12-31 19:00:00.000000000 -0500
+++ cups-1.7.5/debian/patches/CVE-2017-18190-0476c41.patch	2018-06-07 09:21:42.000000000 -0400
@@ -0,0 +1,24 @@
+From afa80cb2b457bf8d64f775bed307588610476c41 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michaelrsweet@gmail.com>
+Date: Tue, 3 Jan 2017 13:52:47 -0500
+Subject: [PATCH] Don't treat "localhost.localdomain" as an allowed replacement
+ for localhost, since it isn't.
+
+---
+ scheduler/client.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+Index: b/scheduler/client.c
+===================================================================
+--- a/scheduler/client.c	2018-06-07 09:21:37.599660741 -0400
++++ b/scheduler/client.c	2018-06-07 09:21:37.599660741 -0400
+@@ -4220,9 +4220,6 @@ valid_host(cupsd_client_t *con)		/* I -
+ 
+     return (!_cups_strcasecmp(con->clientname, "localhost") ||
+ 	    !_cups_strcasecmp(con->clientname, "localhost.") ||
+-#ifdef __linux
+-	    !_cups_strcasecmp(con->clientname, "localhost.localdomain") ||
+-#endif /* __linux */
+             !strcmp(con->clientname, "127.0.0.1") ||
+ 	    !strcmp(con->clientname, "[::1]"));
+   }
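Review bot: The header of CVE-2017-18190-0476c41.patch carries only the upstream subject and never mentions CVE-2017-18190 or DNS rebinding, so nothing in the patch file ties the valid_host() change to the changelog entry; a short line in the header naming the CVE would help. On behaviour, after the three removed lines a Linux build accepts only "localhost", "localhost.", "127.0.0.1" and "[::1]" in this return, so a client whose con->clientname is "localhost.localdomain" is no longer matched here. That is a visible change for a stable update and may deserve a sentence in the changelog.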
diff -Nru cups-1.7.5/debian/patches/CVE-2017-18248-6007df3.patch cups-1.7.5/debian/patches/CVE-2017-18248-6007df3.patch
--- cups-1.7.5/debian/patches/CVE-2017-18248-6007df3.patch	1969-12-31 19:00:00.000000000 -0500
+++ cups-1.7.5/debian/patches/CVE-2017-18248-6007df3.patch	2018-06-07 09:23:48.000000000 -0400
@@ -0,0 +1,41 @@
+From 49fa4983f25b64ec29d548ffa3b9782426007df3 Mon Sep 17 00:00:00 2001
+From: Michael Sweet <michael.r.sweet@gmail.com>
+Date: Mon, 23 Oct 2017 16:23:43 -0400
+Subject: [PATCH] DBUS notifications could crash the scheduler (Issue #5143)
+
+- scheduler/ipp.c: Make sure requesting-user-name string is valid UTF-8.
+---
+ CHANGES.md      |  5 +++--
+ scheduler/ipp.c | 12 ++++++++++--
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+Index: b/scheduler/ipp.c
+===================================================================
+--- a/scheduler/ipp.c	2018-06-07 09:27:21.594226134 -0400
++++ b/scheduler/ipp.c	2018-06-07 09:27:21.590226104 -0400
+@@ -1551,6 +1551,16 @@ add_job(cupsd_client_t  *con,		/* I - Cl
+     return (NULL);
+   }
+ 
++  attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
++
++  if (attr && !ippValidateAttribute(attr))
++  {
++    send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString());
++    if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
++      attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
++    return (NULL);
++  }
++
+   if ((job = cupsdAddJob(priority, printer->name)) == NULL)
+   {
+     send_ipp_status(con, IPP_INTERNAL_ERROR,
+@@ -1569,8 +1579,6 @@ add_job(cupsd_client_t  *con,		/* I - Cl
+   add_job_uuid(job);
+   apply_printer_defaults(printer, job);
+ 
+-  attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME);
+-
+   if (con->username[0])
+   {
+     cupsdSetString(&job->username, con->username);
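Review bot: In the second scheduler/ipp.c hunk, removing `attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME);` means any later use of attr in add_job() now relies on the value looked up from con->request in the first hunk, roughly 20 lines earlier. Since this is a backport to 1.7.5, please confirm that nothing between the two hunks reassigns attr in this version. Separately, the patch header's diffstat still lists CHANGES.md and "2 files changed, 13 insertions(+), 4 deletions(-)", but only the ipp.c hunks are present; a note in the header that the CHANGES.md part was dropped would keep it accurate.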
diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series
--- cups-1.7.5/debian/patches/series	2017-07-21 07:32:05.000000000 -0400
+++ cups-1.7.5/debian/patches/series	2018-06-07 09:23:48.000000000 -0400
@@ -66,3 +66,5 @@
 # po4a might not be appropriate. It also needs to be high on the patch
 # queue to catch all Debian-specific changes
 manpage-translations.patch
+CVE-2017-18248-6007df3.patch
+CVE-2017-18190-0476c41.patch
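Review bot: Both new entries are appended after manpage-translations.patch, although the comment directly above it says that patch needs to be high on the patch queue to catch all Debian-specific changes. The two CVE patches only touch scheduler/client.c and scheduler/ipp.c, so the order is harmless in practice, but listing them before manpage-translations.patch would keep the series consistent with that comment. The order here (18248, then 18190) is also the reverse of the changelog, which is cosmetic only.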
