Bug#746367: wheezy-pu: package cups/1.5.3-5+deb7u2; squeeze-pu: package cups/1.4.4-7+squeeze5
Package: release.debian.org
Severity: normal
Tags: wheezy squeeze
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
I've noticed through the PTS/security-tracker that CVE-2014-2856 wasn't
fixed in {old,}stable for src:cups. I went with these patches to the security
team who directed me to {old,}stable updates.
Debdiffs against the respective versions are attached.
I'd also like to take the opportunity to fix #737709 in stable (severity:
important), please advise.
Thanks in advance, cheers,
OdyX
diff --git a/debian/changelog b/debian/changelog
index 4dc5f32..d679a97 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cups (1.4.4-7+squeeze5) oldstable-security; urgency=high
+
+ * Import upstream patch to fix XSS in the CUPS webinterface (STR #4356),
+ fixes CVE-2014-2856
+
+ -- Didier Raboud <odyx@debian.org> Mon, 28 Apr 2014 22:26:57 +0200
+
cups (1.4.4-7+squeeze4) oldstable-security; urgency=high
* Backport security fix from cups-filters 1.0.47:
diff --git a/debian/patches/00list b/debian/patches/00list
index c6a7d40..bec5b98 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1,4 +1,5 @@
-# patches backported from upstream SVN trunk for 1.5:
+# patches backported from upstream SVN trunk for 1.6:
+fix-xss-in-cups-webinterface-str43576.dpatch
# patches accepted and committed upstream for next 1.4:
CVE-2010-2941.dpatch
diff --git a/debian/patches/fix-xss-in-cups-webinterface-str43576.dpatch b/debian/patches/fix-xss-in-cups-webinterface-str43576.dpatch
new file mode 100755
index 0000000..b425f05
--- /dev/null
+++ b/debian/patches/fix-xss-in-cups-webinterface-str43576.dpatch
@@ -0,0 +1,25 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: Fix XSS in CUPS web interface
+# Author: Michael Sweet <msweet@apple.com>
+# Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-2856
+# Bug: http://www.cups.org/str.php?L4356
+# Last-Update: 2014-02-19
+
+@DPATCH@
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -4075,6 +4075,14 @@
+ return (0);
+
+ /*
++ * Check for "<" or quotes in the path and reject since this is probably
++ * someone trying to inject HTML...
++ */
++
++ if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
++ return (0);
++
++ /*
+ * Check for "/.." in the path...
+ */
+
diff --git a/debian/changelog b/debian/changelog
index f945070..808459d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+cups (1.5.3-5+deb7u2) wheezy-security; urgency=high
+
+ * Add patch to fix hungarian templates syntax typos (Closes: #737709)
+ * Import upstream patch to fix XSS in the CUPS webinterface (STR #4356),
+ fixes CVE-2014-2856
+
+ -- Didier Raboud <odyx@debian.org> Mon, 28 Apr 2014 22:28:04 +0200
+
cups (1.5.3-5+deb7u1) stable; urgency=low
[ Tim Waugh ]
diff --git a/debian/patches/fix-xss-in-cups-webinterface-str43576.patch b/debian/patches/fix-xss-in-cups-webinterface-str43576.patch
new file mode 100644
index 0000000..a89ff23
--- /dev/null
+++ b/debian/patches/fix-xss-in-cups-webinterface-str43576.patch
@@ -0,0 +1,22 @@
+Description: Fix XSS in CUPS web interface
+Author: Michael Sweet <msweet@apple.com>
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-2856
+Bug: http://www.cups.org/str.php?L4356
+Last-Update: 2014-02-19
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -4075,6 +4075,14 @@
+ return (0);
+
+ /*
++ * Check for "<" or quotes in the path and reject since this is probably
++ * someone trying to inject HTML...
++ */
++
++ if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
++ return (0);
++
++ /*
+ * Check for "/.." in the path...
+ */
+
diff --git a/debian/patches/fix_hungarian_templates.patch b/debian/patches/fix_hungarian_templates.patch
new file mode 100644
index 0000000..ff9920c
--- /dev/null
+++ b/debian/patches/fix_hungarian_templates.patch
@@ -0,0 +1,25 @@
+Description: Fix Hungarian templates translations syntax errors.
+Bug-Debian: http://bugs.debian.org/737709
+Origin: vendor
+Forwarded: https://cups.org/str.php?L4362
+Author: Didier Raboud <odyx@debian.org>
+Last-Update: 2014-02-05
+
+--- a/templates/hu/printers-header.tmpl
++++ b/templates/hu/printers-header.tmpl
+@@ -1 +1 @@
+-<P ALIGN="CENTER">{total=0?Nincsenek nyomtatók:{total} nyomtatóból {#printer_name} megjelenítve.</P>
++<P ALIGN="CENTER">{total=0?Nincsenek nyomtatók:{total} nyomtatóból {#printer_name} megjelenítve}.</P>
+--- a/templates/hu/classes-header.tmpl
++++ b/templates/hu/classes-header.tmpl
+@@ -1 +1 @@
+-<P ALIGN="CENTER">{total=0?Nincsenek osztályok:{total} osztályból {#printer_name} megjelenítve.</P>
++<P ALIGN="CENTER">{total=0?Nincsenek osztályok:{total} osztályból {#printer_name} megjelenítve}.</P>
+--- a/templates/hu/jobs-header.tmpl
++++ b/templates/hu/jobs-header.tmpl
+@@ -4,4 +4,4 @@
+
+ <P ALIGN="CENTER">{total=0?Nincsenek feladatok:{total}
+ {?which_jobs=?aktív:{which_jobs=all?:befejezett}} feladatból {#job_id}
+-megjelenítve.</P>
++megjelenítve}.</P>
diff --git a/debian/patches/series b/debian/patches/series
index eabd6dc..3e576cc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,5 @@
# patches accepted and committed upstream:
+fix-xss-in-cups-webinterface-str43576.patch
split-configuration-files-STR4223.patch
# patches sent upstream
@@ -31,6 +32,7 @@ cups-deviced-allow-device-ids-with-newline.patch
cups-snmp-oids-device-id-hp-ricoh.patch
configure-default-browse-protocols.patch
fix_russian_japanese_templates.patch
+fix_hungarian_templates.patch
# Debian patches
add-ipp-backend-of-cups-1.4.patch
Reply to: