
Bug#891142: stretch-pu: package cups/2.2.1-8+



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

CUPS is affected by CVE-2017-18190: remote attackers could execute arbitrary
IPP commands by sending POST requests to the CUPS daemon in conjunction with
DNS rebinding. This was caused by a whitelisted "localhost.localdomain" entry.

According to the Security Team it doesn't warrant a DSA, but still makes sense
to be addressed on Stretch (and Jessie). It was fixed independently on wheezy
already.

The proposed debdiff is attached; can I upload to stretch? Do you need another
bug for Jessie?

Cheers,
OdyX
diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog	2017-01-31 08:00:49.000000000 +0100
+++ cups-2.2.1/debian/changelog	2018-02-22 17:51:44.000000000 +0100
@@ -1,3 +1,12 @@
+cups (2.2.1-8+deb9u1) stretch; urgency=low
+
+  * CVE-2017-18190: Prevent an issue where remote attackers could execute
+    arbitrary IPP commands by sending POST requests to the CUPS daemon in
+    conjunction with DNS rebinding. This was caused by a whitelisted
+    "localhost.localdomain" entry.
+
+ -- Didier Raboud <odyx@debian.org>  Thu, 22 Feb 2018 17:51:44 +0100
+
 cups (2.2.1-8) unstable; urgency=medium
 
   [ JP Guillonneau ]
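Review bot: the new entry for 2.2.1-8+deb9u1 describes the vulnerability but not the change that addresses it. Please name the added patch (0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch) and say that "localhost.localdomain" is no longer accepted by valid_host(), so that someone reading only the changelog can tell which behaviour changed in this stable update.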
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm	2017-01-18 14:02:35.000000000 +0100
+++ cups-2.2.1/debian/.git-dpm	2018-02-22 17:51:44.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-96d42e942cf2c930c3b535317bafd886c775a160
-96d42e942cf2c930c3b535317bafd886c775a160
+63883f6c2d0ebbb3e7499799b727fdb7d3f52d72
+63883f6c2d0ebbb3e7499799b727fdb7d3f52d72
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 cups_2.2.1.orig.tar.gz
diff -Nru cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch
--- cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch	1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch	2018-02-22 17:51:44.000000000 +0100
@@ -0,0 +1,25 @@
+From 63883f6c2d0ebbb3e7499799b727fdb7d3f52d72 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michaelrsweet@gmail.com>
+Date: Tue, 3 Jan 2017 13:52:47 -0500
+Subject: Don't treat "localhost.localdomain" as an allowed replacement for
+ localhost, since it isn't.
+
+Fixes: CVE-2017-18190
+---
+ scheduler/client.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 42010def1..20ccf11a9 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -3890,9 +3890,6 @@ valid_host(cupsd_client_t *con)		/* I - Client connection */
+ 
+     return (!_cups_strcasecmp(con->clientname, "localhost") ||
+ 	    !_cups_strcasecmp(con->clientname, "localhost.") ||
+-#ifdef __linux
+-	    !_cups_strcasecmp(con->clientname, "localhost.localdomain") ||
+-#endif /* __linux */
+             !strcmp(con->clientname, "127.0.0.1") ||
+ 	    !strcmp(con->clientname, "[::1]"));
+   }
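Review bot: the three lines removed from valid_host() were inside #ifdef __linux, so after this change a client name of "localhost.localdomain" is no longer accepted on Linux, and the patch header does not mention that user-visible effect. Please add a sentence to the patch description saying that only "localhost", "localhost.", "127.0.0.1" and "[::1]" remain accepted by this return statement. The header also carries only "Fixes: CVE-2017-18190"; a reference to where the change comes from (an Origin or Bug field) would make the backport easier to audit.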
diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series
--- cups-2.2.1/debian/patches/series	2017-01-18 14:02:35.000000000 +0100
+++ cups-2.2.1/debian/patches/series	2018-02-22 17:51:44.000000000 +0100
@@ -45,3 +45,4 @@
 0045-Build-mantohtml-with-the-build-architecture-compiler.patch
 0046-Do-not-execute-genstrings-during-build.patch
 manpage-translations.patch
+0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch
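
The Host-header check that the report describes, as a stand-alone sketch added here (an example, not code from CUPS or from this debdiff): a name such as "localhost.localdomain" is looked up like any other hostname, so only names and literals that can never refer to another machine are accepted. The function names host_part() and host_header_is_loopback() are hypothetical, and it is assumed that the caller has already established that the connection arrived on a loopback address.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Names and literals that can only ever mean the loopback interface.
 * "localhost.localdomain" is deliberately absent, as in the patch above. */
static const char *const loopback_names[] = {
  "localhost", "localhost.", "127.0.0.1", "[::1]"
};

/* Copy the host part of a Host header value into out, lower-cased and
 * without the optional ":port" (the port text itself is not validated).
 * Returns 0 on success, -1 if the value is malformed or too long. */
static int host_part(const char *value, char *out, size_t outsize)
{
  const char *end;
  size_t len, i;

  if (*value == '[') {                 /* bracketed IPv6 literal */
    if ((end = strchr(value, ']')) == NULL)
      return -1;
    end++;
  } else {
    end = value + strcspn(value, ":");
  }
  if (*end != '\0' && *end != ':')     /* junk after the closing "]" */
    return -1;
  len = (size_t)(end - value);
  if (len == 0 || len >= outsize)
    return -1;
  for (i = 0; i < len; i++)
    out[i] = (char)tolower((unsigned char)value[i]);
  out[len] = '\0';
  return 0;
}

/* Return 1 if the Host header value names loopback itself, 0 otherwise. */
int host_header_is_loopback(const char *value)
{
  char host[256];
  size_t i;

  if (value == NULL || host_part(value, host, sizeof(host)) != 0)
    return 0;
  for (i = 0; i < sizeof(loopback_names) / sizeof(loopback_names[0]); i++)
    if (strcmp(host, loopback_names[i]) == 0)
      return 1;
  return 0;
}
```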
