--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package cups/2.2.1-8+deb9u3
- From: Didier 'OdyX' Raboud <odyx@debian.org>
- Date: Fri, 14 Dec 2018 14:09:39 +0100
- Message-id: <154479297980.5865.2026399091412966502.reportbug@gyllingar>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
CUPS in stable has two no-dsa security issues in stretch which I'd like to fix:
- CVE-2017-18248: DBUS notifications could crash the scheduler
- CVE-2018-4700: Linux session cookies used a predictable random number seed
My proposed changelog entry is the following:
cups (2.2.1-8+deb9u3) stretch; urgency=low
* Backport upstream fixes for:
- CVE-2017-18248: DBUS notifications could crash the scheduler
- CVE-2018-4700: Linux session cookies used a predictable random
number seed (Closes: #915909)
I'm attaching the two upstream patches (mere cherry-picks from the
upstream-2.2 branch) and the proposed debdiff.
Thanks for your consideration, cheers,
OdyX
diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog 2018-07-03 07:45:20.000000000 +0200
+++ cups-2.2.1/debian/changelog 2018-12-14 13:58:47.000000000 +0100
@@ -1,7 +1,16 @@
+cups (2.2.1-8+deb9u3) stretch; urgency=low
+
+ * Backport upstream fixes for:
+ - CVE-2017-18248: DBUS notifications could crash the scheduler
+ - CVE-2018-4700: Linux session cookies used a predictable random
+ number seed (Closes: #915909)
+
+ -- Didier Raboud <odyx@debian.org> Fri, 14 Dec 2018 13:58:47 +0100
+
cups (2.2.1-8+deb9u2) stretch-security; urgency=low
* CVE-2018-6553: Fix AppArmor cupsd sandbox bypass due to use of hard links
- * Backport upstream fix for:
+ * Backport upstream fixes for:
- CVE-2018-4180 Local Privilege Escalation to Root in dnssd Backend (CUPS_SERVERBIN)
- CVE-2018-4181 Limited Local File Reads as Root via cupsd.conf Include Directive
- CVE-2018-4182 cups-exec Sandbox Bypass Due to Insecure Error Handling
@@ -9,7 +18,7 @@
- CVE-2017-15400: Restrict IPP Everywhere filters to only list supported PDLs
to fix CRLF and Code Injection in Printer Zeroconfig
- -- Didier Raboud <odyx@debian.org> Tue, 03 Jul 2018 07:45:20 +0200
+ -- Didier Raboud <odyx@debian.org> Wed, 11 Jul 2018 11:29:27 +0200
cups (2.2.1-8+deb9u1) stretch; urgency=low
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm 2018-07-03 07:45:20.000000000 +0200
+++ cups-2.2.1/debian/.git-dpm 2018-12-14 13:57:48.000000000 +0100
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-ed0d3345b936ea9d88356965770ddf5eecba46be
-ed0d3345b936ea9d88356965770ddf5eecba46be
+a40147f12081943df6c85b6b1f4d302633a6995c
+a40147f12081943df6c85b6b1f4d302633a6995c
a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
cups_2.2.1.orig.tar.gz
diff -Nru cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
--- cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch 2018-12-14 13:57:46.000000000 +0100
@@ -0,0 +1,42 @@
+From f083e69ad83bd9445c1c3bfdf6878096ceb54113 Mon Sep 17 00:00:00 2001
+From: Michael Sweet <michael.r.sweet@gmail.com>
+Date: Mon, 23 Oct 2017 16:23:43 -0400
+Subject: DBUS notifications could crash the scheduler (Issue #5143)
+
+- scheduler/ipp.c: Make sure requesting-user-name string is valid UTF-8.
+
+Fixes: CVE-2017-18248
+---
+ scheduler/ipp.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/scheduler/ipp.c b/scheduler/ipp.c
+index dde976c72..50f5004b7 100644
+--- a/scheduler/ipp.c
++++ b/scheduler/ipp.c
+@@ -1576,6 +1576,16 @@ add_job(cupsd_client_t *con, /* I - Client connection */
+ return (NULL);
+ }
+
++ attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
++
++ if (attr && !ippValidateAttribute(attr))
++ {
++ send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString());
++ if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
++ attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
++ return (NULL);
++ }
++
+ if ((job = cupsdAddJob(priority, printer->name)) == NULL)
+ {
+ send_ipp_status(con, IPP_INTERNAL_ERROR,
+@@ -1594,8 +1604,6 @@ add_job(cupsd_client_t *con, /* I - Client connection */
+ add_job_uuid(job);
+ apply_printer_defaults(printer, job);
+
+- attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME);
+-
+ if (con->username[0])
+ {
+ cupsdSetString(&job->username, con->username);
diff -Nru cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
--- cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch 2018-12-14 13:57:48.000000000 +0100
@@ -0,0 +1,32 @@
+From a40147f12081943df6c85b6b1f4d302633a6995c Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Fri, 7 Dec 2018 12:09:00 -0500
+Subject: CVE-2018-4700: Linux session cookies used a predictable random number
+ seed.
+
+---
+ cgi-bin/var.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/cgi-bin/var.c b/cgi-bin/var.c
+index 6d02e1079..fb879a783 100644
+--- a/cgi-bin/var.c
++++ b/cgi-bin/var.c
+@@ -1209,6 +1209,7 @@ cgi_set_sid(void)
+ const char *remote_addr, /* REMOTE_ADDR */
+ *server_name, /* SERVER_NAME */
+ *server_port; /* SERVER_PORT */
++ struct timeval curtime; /* Current time */
+
+
+ if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
+@@ -1218,7 +1219,8 @@ cgi_set_sid(void)
+ if ((server_port = getenv("SERVER_PORT")) == NULL)
+ server_port = "SERVER_PORT";
+
+- CUPS_SRAND(time(NULL));
++ gettimeofday(&curtime, NULL);
++ CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
+ snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
+ remote_addr, server_name, server_port,
+ (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series
--- cups-2.2.1/debian/patches/series 2018-07-03 07:45:20.000000000 +0200
+++ cups-2.2.1/debian/patches/series 2018-12-14 13:57:48.000000000 +0100
@@ -49,3 +49,5 @@
0049-Tweak-the-PDL-priority-Issue-4932.patch
0050-Only-list-supported-PDLs-Issue-4923.patch
0051-Fix-local-privilege-escalation-to-root-and-sandbox-b.patch
+0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
+0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
>From f083e69ad83bd9445c1c3bfdf6878096ceb54113 Mon Sep 17 00:00:00 2001
From: Michael Sweet <michael.r.sweet@gmail.com>
Date: Mon, 23 Oct 2017 16:23:43 -0400
Subject: DBUS notifications could crash the scheduler (Issue #5143)
- scheduler/ipp.c: Make sure requesting-user-name string is valid UTF-8.
Fixes: CVE-2017-18248
---
scheduler/ipp.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/scheduler/ipp.c b/scheduler/ipp.c
index dde976c72..50f5004b7 100644
--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
@@ -1576,6 +1576,16 @@ add_job(cupsd_client_t *con, /* I - Client connection */
return (NULL);
}
+ attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
+
+ if (attr && !ippValidateAttribute(attr))
+ {
+ send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString());
+ if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
+ attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+ return (NULL);
+ }
+
if ((job = cupsdAddJob(priority, printer->name)) == NULL)
{
send_ipp_status(con, IPP_INTERNAL_ERROR,
@@ -1594,8 +1604,6 @@ add_job(cupsd_client_t *con, /* I - Client connection */
add_job_uuid(job);
apply_printer_defaults(printer, job);
- attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME);
-
if (con->username[0])
{
cupsdSetString(&job->username, con->username);
>From a40147f12081943df6c85b6b1f4d302633a6995c Mon Sep 17 00:00:00 2001
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Fri, 7 Dec 2018 12:09:00 -0500
Subject: CVE-2018-4700: Linux session cookies used a predictable random number
seed.
---
cgi-bin/var.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/cgi-bin/var.c b/cgi-bin/var.c
index 6d02e1079..fb879a783 100644
--- a/cgi-bin/var.c
+++ b/cgi-bin/var.c
@@ -1209,6 +1209,7 @@ cgi_set_sid(void)
const char *remote_addr, /* REMOTE_ADDR */
*server_name, /* SERVER_NAME */
*server_port; /* SERVER_PORT */
+ struct timeval curtime; /* Current time */
if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
@@ -1218,7 +1219,8 @@ cgi_set_sid(void)
if ((server_port = getenv("SERVER_PORT")) == NULL)
server_port = "SERVER_PORT";
- CUPS_SRAND(time(NULL));
+ gettimeofday(&curtime, NULL);
+ CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
remote_addr, server_name, server_port,
(unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
--- End Message ---