Bug#891251: marked as done (jessie-pu: package cups/1.7.5-11+deb8u3)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sun, 17 Jun 2018 19:11:21 +0100
with message-id <20180617181121.nwe3v6evbqjdhp2a@powdarrmonkey.net>
and subject line Re: Bug#891251: jessie-pu: package cups/1.7.5-11+deb8u3
has caused the Debian Bug report #891251,
regarding jessie-pu: package cups/1.7.5-11+deb8u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
891251: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891251
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: jessie-pu: package cups/1.7.5-11+deb8u3
• From: Didier 'OdyX' Raboud <odyx@debian.org>
• Date: Fri, 23 Feb 2018 20:03:34 +0100
• Message-id: <151941261494.25244.6627359278464114319.reportbug@gyllingar>

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

(Mirroring #891142 for stretch):

CUPS is affected by CVE-2017-18190: remote attackers could execute arbitrary
IPP commands by sending POST requests to the CUPS daemon in conjunction with
DNS rebinding. This was caused by a whitelisted "localhost.localdomain" entry.

According to the Security Team it doesn't warrant a DSA, but still makes sense
to be addressed on Jessie (and Stretch). It was fixed independently on wheezy
already.

The proposed debdiff is attached; can I upload to jessie?

diff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog	2017-07-21 14:44:00.000000000 +0200
+++ cups-1.7.5/debian/changelog	2018-02-23 19:34:51.000000000 +0100
@@ -1,3 +1,12 @@
+cups (1.7.5-11+deb8u3) jessie; urgency=low
+
+  * CVE-2017-18190: Prevent an issue where remote attackers could execute
+    arbitrary IPP commands by sending POST requests to the CUPS daemon in
+    conjunction with DNS rebinding. This was caused by a whitelisted
+    "localhost.localdomain" entry.
+
+ -- Didier Raboud <odyx@debian.org>  Fri, 23 Feb 2018 19:34:51 +0100
+
 cups (1.7.5-11+deb8u2) jessie; urgency=high
 
   * Disable SSLv3 and RC4 by default to address POODLE vulnerability
diff -Nru cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
--- cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch	1970-01-01 01:00:00.000000000 +0100
+++ cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch	2018-02-23 19:34:51.000000000 +0100
@@ -0,0 +1,23 @@
+From afa80cb2b457bf8d64f775bed307588610476c41 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michaelrsweet@gmail.com>
+Date: Tue, 3 Jan 2017 13:52:47 -0500
+Subject: [PATCH] Don't treat "localhost.localdomain" as an allowed replacement
+ for localhost, since it isn't.
+
+Fixes: CVE-2017-18190
+---
+ scheduler/client.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -4220,9 +4220,6 @@
+ 
+     return (!_cups_strcasecmp(con->clientname, "localhost") ||
+ 	    !_cups_strcasecmp(con->clientname, "localhost.") ||
+-#ifdef __linux
+-	    !_cups_strcasecmp(con->clientname, "localhost.localdomain") ||
+-#endif /* __linux */
+             !strcmp(con->clientname, "127.0.0.1") ||
+ 	    !strcmp(con->clientname, "[::1]"));
+   }
diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series
--- cups-1.7.5/debian/patches/series	2017-07-21 13:32:05.000000000 +0200
+++ cups-1.7.5/debian/patches/series	2018-02-23 19:34:51.000000000 +0100
@@ -66,3 +66,4 @@
 # po4a might not be appropriate. It also needs to be high on the patch
 # queue to catch all Debian-specific changes
 manpage-translations.patch
+CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch

--- End Message ---

--- Begin Message ---

• To: Didier 'OdyX' Raboud <odyx@debian.org>, 891251-done@bugs.debian.org
• Subject: Re: Bug#891251: jessie-pu: package cups/1.7.5-11+deb8u3
• From: Jonathan Wiltshire <jmw@debian.org>
• Date: Sun, 17 Jun 2018 19:11:21 +0100
• Message-id: <20180617181121.nwe3v6evbqjdhp2a@powdarrmonkey.net>
• In-reply-to: <151941261494.25244.6627359278464114319.reportbug@gyllingar>
• References: <151941261494.25244.6627359278464114319.reportbug@gyllingar>

Control: tag -1 wontfix

Hi,

This request was approved and tagged 'confirmed', but no upload was
subsequently made. With the final point release for Jessie now being
prepared, it's unfortunately too late for this package to be updated.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---