
Bug#916435: stretch-pu: package cups/2.2.1-8+deb9u3



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

CUPS in stable (stretch) has two no-dsa security issues which I'd like to fix:

- CVE-2017-18248: DBUS notifications could crash the scheduler
- CVE-2018-4700: Linux session cookies used a predictable random number seed

My proposed changelog entry is the following:

cups (2.2.1-8+deb9u3) stretch; urgency=low

  * Backport upstream fixes for:
    - CVE-2017-18248: DBUS notifications could crash the scheduler
    - CVE-2018-4700: Linux session cookies used a predictable random
      number seed (Closes: #915909)

I'm attaching the two upstream patches (mere cherry-picks from the
upstream-2.2 branch) and the proposed debdiff.

Thanks for your consideration, cheers,
   OdyX
 
diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog	2018-07-03 07:45:20.000000000 +0200
+++ cups-2.2.1/debian/changelog	2018-12-14 13:58:47.000000000 +0100
@@ -1,7 +1,16 @@
+cups (2.2.1-8+deb9u3) stretch; urgency=low
+
+  * Backport upstream fixes for:
+    - CVE-2017-18248: DBUS notifications could crash the scheduler
+    - CVE-2018-4700: Linux session cookies used a predictable random
+      number seed (Closes: #915909)
+
+ -- Didier Raboud <odyx@debian.org>  Fri, 14 Dec 2018 13:58:47 +0100
+
 cups (2.2.1-8+deb9u2) stretch-security; urgency=low
 
   * CVE-2018-6553: Fix AppArmor cupsd sandbox bypass due to use of hard links
-  * Backport upstream fix for:
+  * Backport upstream fixes for:
     - CVE-2018-4180 Local Privilege Escalation to Root in dnssd Backend (CUPS_SERVERBIN)
     - CVE-2018-4181 Limited Local File Reads as Root via cupsd.conf Include Directive
     - CVE-2018-4182 cups-exec Sandbox Bypass Due to Insecure Error Handling
@@ -9,7 +18,7 @@
     - CVE-2017-15400: Restrict IPP Everywhere filters to only list supported PDLs
       to fix CRLF and Code Injection in Printer Zeroconfig
 
- -- Didier Raboud <odyx@debian.org>  Tue, 03 Jul 2018 07:45:20 +0200
+ -- Didier Raboud <odyx@debian.org>  Wed, 11 Jul 2018 11:29:27 +0200
 
 cups (2.2.1-8+deb9u1) stretch; urgency=low
 
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm	2018-07-03 07:45:20.000000000 +0200
+++ cups-2.2.1/debian/.git-dpm	2018-12-14 13:57:48.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-ed0d3345b936ea9d88356965770ddf5eecba46be
-ed0d3345b936ea9d88356965770ddf5eecba46be
+a40147f12081943df6c85b6b1f4d302633a6995c
+a40147f12081943df6c85b6b1f4d302633a6995c
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 cups_2.2.1.orig.tar.gz
diff -Nru cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
--- cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch	1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch	2018-12-14 13:57:46.000000000 +0100
@@ -0,0 +1,42 @@
+From f083e69ad83bd9445c1c3bfdf6878096ceb54113 Mon Sep 17 00:00:00 2001
+From: Michael Sweet <michael.r.sweet@gmail.com>
+Date: Mon, 23 Oct 2017 16:23:43 -0400
+Subject: DBUS notifications could crash the scheduler (Issue #5143)
+
+- scheduler/ipp.c: Make sure requesting-user-name string is valid UTF-8.
+
+Fixes: CVE-2017-18248
+---
+ scheduler/ipp.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/scheduler/ipp.c b/scheduler/ipp.c
+index dde976c72..50f5004b7 100644
+--- a/scheduler/ipp.c
++++ b/scheduler/ipp.c
+@@ -1576,6 +1576,16 @@ add_job(cupsd_client_t  *con,		/* I - Client connection */
+     return (NULL);
+   }
+ 
++  attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
++
++  if (attr && !ippValidateAttribute(attr))
++  {
++    send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString());
++    if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
++      attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
++    return (NULL);
++  }
++
+   if ((job = cupsdAddJob(priority, printer->name)) == NULL)
+   {
+     send_ipp_status(con, IPP_INTERNAL_ERROR,
+@@ -1594,8 +1604,6 @@ add_job(cupsd_client_t  *con,		/* I - Client connection */
+   add_job_uuid(job);
+   apply_printer_defaults(printer, job);
+ 
+-  attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME);
+-
+   if (con->username[0])
+   {
+     cupsdSetString(&job->username, con->username);
diff -Nru cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
--- cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch	1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch	2018-12-14 13:57:48.000000000 +0100
@@ -0,0 +1,32 @@
+From a40147f12081943df6c85b6b1f4d302633a6995c Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Fri, 7 Dec 2018 12:09:00 -0500
+Subject: CVE-2018-4700: Linux session cookies used a predictable random number
+ seed.
+
+---
+ cgi-bin/var.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/cgi-bin/var.c b/cgi-bin/var.c
+index 6d02e1079..fb879a783 100644
+--- a/cgi-bin/var.c
++++ b/cgi-bin/var.c
+@@ -1209,6 +1209,7 @@ cgi_set_sid(void)
+   const char		*remote_addr,	/* REMOTE_ADDR */
+ 			*server_name,	/* SERVER_NAME */
+ 			*server_port;	/* SERVER_PORT */
++  struct timeval	curtime;	/* Current time */
+ 
+ 
+   if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
+@@ -1218,7 +1219,8 @@ cgi_set_sid(void)
+   if ((server_port = getenv("SERVER_PORT")) == NULL)
+     server_port = "SERVER_PORT";
+ 
+-  CUPS_SRAND(time(NULL));
++  gettimeofday(&curtime, NULL);
++  CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
+   snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
+            remote_addr, server_name, server_port,
+ 	   (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series
--- cups-2.2.1/debian/patches/series	2018-07-03 07:45:20.000000000 +0200
+++ cups-2.2.1/debian/patches/series	2018-12-14 13:57:48.000000000 +0100
@@ -49,3 +49,5 @@
 0049-Tweak-the-PDL-priority-Issue-4932.patch
 0050-Only-list-supported-PDLs-Issue-4923.patch
 0051-Fix-local-privilege-escalation-to-root-and-sandbox-b.patch
+0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
+0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
>From f083e69ad83bd9445c1c3bfdf6878096ceb54113 Mon Sep 17 00:00:00 2001
From: Michael Sweet <michael.r.sweet@gmail.com>
Date: Mon, 23 Oct 2017 16:23:43 -0400
Subject: DBUS notifications could crash the scheduler (Issue #5143)

- scheduler/ipp.c: Make sure requesting-user-name string is valid UTF-8.

Fixes: CVE-2017-18248
---
 scheduler/ipp.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/scheduler/ipp.c b/scheduler/ipp.c
index dde976c72..50f5004b7 100644
--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
@@ -1576,6 +1576,16 @@ add_job(cupsd_client_t  *con,		/* I - Client connection */
     return (NULL);
   }
 
+  attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
+
+  if (attr && !ippValidateAttribute(attr))
+  {
+    send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString());
+    if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
+      attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+    return (NULL);
+  }
+
   if ((job = cupsdAddJob(priority, printer->name)) == NULL)
   {
     send_ipp_status(con, IPP_INTERNAL_ERROR,
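Review bot: The new validation block in add_job() has no comment saying why requesting-user-name is singled out; the reason appears only in the commit subject. Above the `ippFindAttribute()` call I would add `/* Reject a requesting-user-name that is not valid UTF-8 before the job is created; the commit ties the scheduler crash to DBUS notifications (Issue #5143). */`. Because the second hunk drops the later lookup on `job->attrs`, every later use of `attr` now depends on the pointer taken from `con->request` here. The code between the two hunks is not visible, so it is worth confirming that the request's attributes are not copied or released in between. add_job() begins and ends outside both hunks, and the same change is embedded in the debdiff above as debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch.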
@@ -1594,8 +1604,6 @@ add_job(cupsd_client_t  *con,		/* I - Client connection */
   add_job_uuid(job);
   apply_printer_defaults(printer, job);
 
-  attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME);
-
   if (con->username[0])
   {
     cupsdSetString(&job->username, con->username);
>From a40147f12081943df6c85b6b1f4d302633a6995c Mon Sep 17 00:00:00 2001
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Fri, 7 Dec 2018 12:09:00 -0500
Subject: CVE-2018-4700: Linux session cookies used a predictable random number
 seed.

---
 cgi-bin/var.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cgi-bin/var.c b/cgi-bin/var.c
index 6d02e1079..fb879a783 100644
--- a/cgi-bin/var.c
+++ b/cgi-bin/var.c
@@ -1209,6 +1209,7 @@ cgi_set_sid(void)
   const char		*remote_addr,	/* REMOTE_ADDR */
 			*server_name,	/* SERVER_NAME */
 			*server_port;	/* SERVER_PORT */
+  struct timeval	curtime;	/* Current time */
 
 
   if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
@@ -1218,7 +1219,8 @@ cgi_set_sid(void)
   if ((server_port = getenv("SERVER_PORT")) == NULL)
     server_port = "SERVER_PORT";
 
-  CUPS_SRAND(time(NULL));
+  gettimeofday(&curtime, NULL);
+  CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
   snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
            remote_addr, server_name, server_port,
 	   (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
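Review bot: The seed passed to `CUPS_SRAND()` is still derived only from the clock. `curtime.tv_sec + curtime.tv_usec` adds at most about twenty bits over `time(NULL)`, which anyone who knows roughly when the request was served can enumerate, and the addition lets different (second, microsecond) pairs collapse to the same seed. For a session cookie, the eight bytes formatted by `snprintf()` should come from the kernel's random source, with the clock-seeded generator kept only as a fallback, as sketched below. The return value of `gettimeofday()` is ignored and the include list is not visible here, so confirm `<sys/time.h>` is in scope. cgi_set_sid() starts before this hunk and the `snprintf()` argument list continues past it; the same change is embedded in the debdiff above as debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch.

```c
  struct timeval	curtime;	/* Current time (fallback seed only) */
  unsigned char		sidrand[8];	/* Random bytes for the session ID */
  FILE			*urandom;	/* Kernel random source */
  size_t		i;		/* Looping var */

  /* … unchanged: REMOTE_ADDR / SERVER_NAME / SERVER_PORT lookups … */

  if ((urandom = fopen("/dev/urandom", "rb")) == NULL ||
      fread(sidrand, 1, sizeof(sidrand), urandom) != sizeof(sidrand))
  {
    /* Kernel source unavailable: fall back to the clock-seeded generator */
    gettimeofday(&curtime, NULL);
    CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
    for (i = 0; i < sizeof(sidrand); i ++)
      sidrand[i] = (unsigned char)(CUPS_RAND() & 255);
  }

  if (urandom)
    fclose(urandom);

  snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
           remote_addr, server_name, server_port,
	   sidrand[0], sidrand[1],
	   /* … remaining six bytes likewise; those arguments lie outside the hunk … */
```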
