Your message dated Sat, 22 Jun 2024 10:32:36 +0000
with message-id <E1sKy2u-004yzX-Si@fasolo.debian.org>
and subject line Bug#1073002: fixed in cups 2.3.3op2-3+deb11u7
has caused the Debian Bug report #1073002,
regarding cups: CVE-2024-35235
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1073002: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073002
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: cups: CVE-2024-35235
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Tue, 11 Jun 2024 18:44:34 +0200
- Message-id: <171812427471.1721565.285646832795140440.reportbug@eldamar.lan>
Source: cups
Version: 2.4.7-1.2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for cups.

CVE-2024-35235[0]:
| OpenPrinting CUPS is an open source printing system for Linux and
| other Unix-like operating systems. In versions 2.4.8 and earlier,
| when starting the cupsd server with a Listen configuration item
| pointing to a symbolic link, the cupsd process can be caused to
| perform an arbitrary chmod of the provided argument, providing
| world-writable access to the target. Given that cupsd is often
| running as root, this can result in the change of permission of any
| user or system files to be world writable. Given the aforementioned
| Ubuntu AppArmor context, on such systems this vulnerability is
| limited to those files modifiable by the cupsd process. In that
| specific case it was found to be possible to turn the configuration
| of the Listen argument into full control over the cupsd.conf and
| cups-files.conf configuration files. By later setting the User and
| Group arguments in cups-files.conf, and printing with a printer
| configured by PPD with a `FoomaticRIPCommandLine` argument,
| arbitrary user and group (not root) command execution could be
| achieved, which can further be used on Ubuntu systems to achieve
| full root command execution. Commit
| ff1f8a623e090dee8a8aadf12a6a4b25efac143d contains a patch for the
| issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35235
    https://www.cve.org/CVERecord?id=CVE-2024-35235
[1] https://www.openwall.com/lists/oss-security/2024/06/11/1
[2] https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
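The CVE text above describes a daemon that binds its Listen socket and then chmods the configured path, which follows a symlink to whatever the link points at. The following is an added example (not CUPS code and not the upstream fix) of the defensive shape: the socket mode is applied through umask() while bind() creates the inode, so no path-based chmod is ever issued, a Listen path that is a symlink is refused, and only a stale socket is removed. Function names, a Linux/POSIX environment and the constructed scratch files under /tmp used by the self-check are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Unsafe shape from the CVE text: bind(), then chmod(listen_path, 0777); chmod() follows
 * symlinks, so a symlinked Listen path makes the link target world-writable. Hardened shape:
 * never chmod a path; set the mode via umask() while bind() creates the socket inode. */
int listen_unix_safely(const char *path, mode_t mode)
{
    struct stat st; struct sockaddr_un addr;
    if (lstat(path, &st) == 0) {                               /* lstat never follows links */
        if (S_ISLNK(st.st_mode))   { errno = ELOOP;  return -1; }   /* symlink: refuse */
        if (!S_ISSOCK(st.st_mode)) { errno = EEXIST; return -1; }   /* other file: refuse */
        if (unlink(path) != 0) return -1;                      /* stale socket of an earlier run */
    } else if (errno != ENOENT) return -1;
    memset(&addr, 0, sizeof addr); addr.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof addr.sun_path) { errno = ENAMETOOLONG; return -1; }
    strcpy(addr.sun_path, path);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    mode_t old = umask(~mode & 0777);                          /* inode is created as 0777 & ~umask */
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof addr); umask(old);
    if (rc != 0 || listen(fd, 8) != 0) { int e = errno; close(fd); errno = e; return -1; }
    return fd;
}

/* Self-check with constructed scratch files under /tmp: a symlink to a 0600 file (stand-in
 * for cups-files.conf) must be refused with the file's mode untouched, and a fresh path must
 * yield a world-accessible socket. Returns 1 on success, 0 otherwise. */
int check_listen_unix_safely(void)
{
    char target[64], lnk[64], sock[64]; struct stat st;
    snprintf(target, sizeof target, "/tmp/lsock-%ld.conf", (long)getpid());
    snprintf(lnk, sizeof lnk, "/tmp/lsock-%ld.link", (long)getpid());
    snprintf(sock, sizeof sock, "/tmp/lsock-%ld.sock", (long)getpid());
    if (close(open(target, O_WRONLY | O_CREAT | O_EXCL, 0600)) != 0 || symlink(target, lnk) != 0) return 0;
    int ok = listen_unix_safely(lnk, 0777) == -1 && errno == ELOOP
          && stat(target, &st) == 0 && (st.st_mode & 0777) == 0600;
    int fd = listen_unix_safely(sock, 0777);
    ok = ok && fd >= 0 && lstat(sock, &st) == 0 && S_ISSOCK(st.st_mode) && (st.st_mode & 0777) == 0777;
    if (fd >= 0) close(fd); unlink(sock); unlink(lnk); unlink(target);   /* clean up scratch files */
    return ok;
}
```

The directory holding the socket must itself not be writable by untrusted users; this check only covers what the daemon does with the configured path.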
--- Begin Message ---
- To: 1073002-close@bugs.debian.org
- Subject: Bug#1073002: fixed in cups 2.3.3op2-3+deb11u7
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 22 Jun 2024 10:32:36 +0000
- Message-id: <E1sKy2u-004yzX-Si@fasolo.debian.org>
- Reply-to: Thorsten Alteholz <debian@alteholz.de>
Source: cups
Source-Version: 2.3.3op2-3+deb11u7
Done: Thorsten Alteholz <debian@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1073002@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 11 Jun 2024 22:16:49 +0200
Source: cups
Architecture: source
Version: 2.3.3op2-3+deb11u7
Distribution: bullseye
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Closes: 1073002
Changes:
 cups (2.3.3op2-3+deb11u7) bullseye; urgency=medium
 .
   * CVE-2024-35235 (Closes: #1073002) fix domain socket handling
--- End Message ---