
Bug#946782: marked as done (cups: CVE-2019-2228)



Your message dated Mon, 20 Jan 2020 23:17:15 +0000
with message-id <E1itgIF-000Dw1-Ue@fasolo.debian.org>
and subject line Bug#946782: fixed in cups 2.2.10-6+deb10u2
has caused the Debian Bug report #946782,
regarding cups: CVE-2019-2228
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
946782: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946782
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: cups
Version: 2.3.0-7
Severity: important
Tags: security upstream
Control: found -1 2.2.10-6+deb10u1
Control: found -1 2.2.1-8+deb9u2
Control: found -1 2.2.1-8+deb9u4
Control: found -1 2.2.1-8

Hi,

The following vulnerability was published for cups.

CVE-2019-2228[0]:
| In array_find of array.c, there is a possible out-of-bounds read due
| to an incorrect bounds check. This could lead to local information
| disclosure in the printer spooler with no additional execution
| privileges needed. User interaction is not needed for
| exploitation. Product: Android. Versions: Android-8.0 Android-8.1
| Android-9 Android-10. Android ID: A-111210196


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-2228
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2228

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.3.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: cups
Source-Version: 2.2.10-6+deb10u2

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 946782@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 19 Jan 2020 09:36:31 +0100
Source: cups
Architecture: source
Version: 2.2.10-6+deb10u2
Distribution: buster
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Closes: 946782 946941
Changes:
 cups (2.2.10-6+deb10u2) buster; urgency=medium
 .
   * Backport upstream security fixes:
     - Fix memory leak in ppdOpen (Closes: #946941)
     - CVE-2019-2228: The `ippSetValuetag` function did not validate the
       default language value (Closes: #946782)
Checksums-Sha1:
 0d1c1a1e54ed58c990bd67042ce80bc21a7762b9 3472 cups_2.2.10-6+deb10u2.dsc
 4f1adef4a0879adbd051db12f8d736a54111efc2 360016 cups_2.2.10-6+deb10u2.debian.tar.xz
Checksums-Sha256:
 5bee91b9c8c35ad211d67e2dfe250787dd4bb3a2f5c67db1b2b3f3794a0ec331 3472 cups_2.2.10-6+deb10u2.dsc
 86f8f8acfd8251602e3f629b5561775a05f41ed9b472752e46eec1e2c930bb33 360016 cups_2.2.10-6+deb10u2.debian.tar.xz
Files:
 daeb4c9b84eac7b91f0ffc967eb253ee 3472 net optional cups_2.2.10-6+deb10u2.dsc
 b8c941b468c64e3ed26486d646a9ffef 360016 net optional cups_2.2.10-6+deb10u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
