Bug#935253: buster-pu: package cups/2.2.10-6+deb10u1

To: 935253@bugs.debian.org
Subject: Bug#935253: buster-pu: package cups/2.2.10-6+deb10u1
From: Didier 'OdyX' Raboud <odyx@debian.org>
Date: Wed, 21 Aug 2019 10:01:37 +0200
Message-id: <[🔎] 1912835.3QV3VHHxeC@odyx.org>
Reply-to: Didier 'OdyX' Raboud <odyx@debian.org>, 935253@bugs.debian.org
References: <156603444191.24224.13571315068334315667.reportbug@eldamar.local>

Hi there,

sorry for the bug cloning mess; I hope things are as they should now. This bug 
is about fixing the CVE-2019-8696, CVE-2019-8675 and other security bugs fixed 
by CUPS upstream in [0] in buster.

The Security Team has declined fixing these in a security upload; so here I 
come for a Stable update. The Stretch counterpart bug is #935254.

The debdiff for Buster is attached. Can I (source-only) upload?

Cheers,
    OdyX

[0] https://github.com/apple/cups/commit/
f24e6cf6a39300ad0c3726a41a4aab51ad54c109

diff -Nru cups-2.2.10/debian/changelog cups-2.2.10/debian/changelog
--- cups-2.2.10/debian/changelog	2019-04-23 08:33:01.000000000 +0200
+++ cups-2.2.10/debian/changelog	2019-08-21 09:43:13.000000000 +0200
@@ -1,3 +1,13 @@
+cups (2.2.10-6+deb10u1) buster; urgency=medium
+
+  * Fix multiple security/disclosure issues (Closes: #934957)
+    - CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows
+    - Fixed IPP buffer overflow
+    - Fixed memory disclosure issue in the scheduler
+    - Fixed DoS issues in the scheduler
+
+ -- Didier Raboud <odyx@debian.org>  Wed, 21 Aug 2019 09:43:13 +0200
+
 cups (2.2.10-6) unstable; urgency=medium
 
   * Backport patch from upstream's 2.2 "stable" branch:
diff -Nru cups-2.2.10/debian/.git-dpm cups-2.2.10/debian/.git-dpm
--- cups-2.2.10/debian/.git-dpm	2019-04-23 08:33:01.000000000 +0200
+++ cups-2.2.10/debian/.git-dpm	2019-08-21 09:43:13.000000000 +0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-9615ef5f2b8374bfe2816f8ff4314234362ce841
-9615ef5f2b8374bfe2816f8ff4314234362ce841
+9af82602a9fe2523ceeef46f2d6e6378e2dc7eb7
+9af82602a9fe2523ceeef46f2d6e6378e2dc7eb7
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 cups_2.2.10.orig.tar.gz
diff -Nru cups-2.2.10/debian/patches/0047-Fix-multiple-security-disclosure-issues.patch cups-2.2.10/debian/patches/0047-Fix-multiple-security-disclosure-issues.patch
--- cups-2.2.10/debian/patches/0047-Fix-multiple-security-disclosure-issues.patch	1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.10/debian/patches/0047-Fix-multiple-security-disclosure-issues.patch	2019-08-21 09:43:13.000000000 +0200
@@ -0,0 +1,188 @@
+From 9af82602a9fe2523ceeef46f2d6e6378e2dc7eb7 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 15 Aug 2019 14:08:31 -0400
+Subject: Fix multiple security/disclosure issues:
+
+- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251)
+- Fixed IPP buffer overflow (rdar://50035411)
+- Fixed memory disclosure issue in the scheduler (rdar://51373853)
+- Fixed DoS issues in the scheduler (rdar://51373929)
+
+This is a backport of f24e6cf6a39300ad0c3726a41a4aab51ad54c109 on top of 2.2.10.
+---
+ cups/http.c        |  9 +++++++--
+ cups/ipp.c         |  9 ++-------
+ cups/snmp.c        | 20 +++++++++++++++++++-
+ scheduler/client.c | 23 ++++++++++++-----------
+ 4 files changed, 40 insertions(+), 21 deletions(-)
+
+diff --git a/cups/http.c b/cups/http.c
+index 5c14ef68e..3fadb5acb 100644
+--- a/cups/http.c
++++ b/cups/http.c
+@@ -1905,7 +1905,7 @@ httpPrintf(http_t     *http,		/* I - HTTP connection */
+ 	   ...)				/* I - Additional args as needed */
+ {
+   ssize_t	bytes;			/* Number of bytes to write */
+-  char		buf[16384];		/* Buffer for formatted string */
++  char		buf[65536];		/* Buffer for formatted string */
+   va_list	ap;			/* Variable argument pointer */
+ 
+ 
+@@ -1917,7 +1917,12 @@ httpPrintf(http_t     *http,		/* I - HTTP connection */
+ 
+   DEBUG_printf(("3httpPrintf: (" CUPS_LLFMT " bytes) %s", CUPS_LLCAST bytes, buf));
+ 
+-  if (http->data_encoding == HTTP_ENCODING_FIELDS)
++  if (bytes > (ssize_t)(sizeof(buf) - 1))
++  {
++    http->error = ENOMEM;
++    return (-1);
++  }
++  else if (http->data_encoding == HTTP_ENCODING_FIELDS)
+     return ((int)httpWrite2(http, buf, (size_t)bytes));
+   else
+   {
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 2c09f2703..cc9c6af50 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -4548,9 +4548,7 @@ ippSetValueTag(
+         break;
+ 
+     case IPP_TAG_NAME :
+-        if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI &&
+-            temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE &&
+-            temp_tag != IPP_TAG_MIMETYPE)
++        if (temp_tag != IPP_TAG_KEYWORD)
+           return (0);
+ 
+         (*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST));
+@@ -4558,10 +4556,7 @@ ippSetValueTag(
+ 
+     case IPP_TAG_NAMELANG :
+     case IPP_TAG_TEXTLANG :
+-        if (value_tag == IPP_TAG_NAMELANG &&
+-            (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD &&
+-             temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME &&
+-             temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE))
++        if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD))
+           return (0);
+ 
+         if (value_tag == IPP_TAG_TEXTLANG && temp_tag != IPP_TAG_TEXT)
+diff --git a/cups/snmp.c b/cups/snmp.c
+index 8437528dd..fc9396177 100644
+--- a/cups/snmp.c
++++ b/cups/snmp.c
+@@ -1233,6 +1233,9 @@ asn1_get_integer(
+   int	value;				/* Integer value */
+ 
+ 
++  if (*buffer >= bufend)
++    return (0);
++
+   if (length > sizeof(int))
+   {
+     (*buffer) += length;
+@@ -1259,6 +1262,9 @@ asn1_get_length(unsigned char **buffer,	/* IO - Pointer in buffer */
+   unsigned	length;			/* Length */
+ 
+ 
++  if (*buffer >= bufend)
++    return (0);
++
+   length = **buffer;
+   (*buffer) ++;
+ 
+@@ -1301,6 +1307,9 @@ asn1_get_oid(
+   int		number;			/* OID number */
+ 
+ 
++  if (*buffer >= bufend)
++    return (0);
++
+   valend = *buffer + length;
+   oidptr = oid;
+   oidend = oid + oidsize - 1;
+@@ -1349,9 +1358,12 @@ asn1_get_packed(
+   int	value;				/* Value */
+ 
+ 
++  if (*buffer >= bufend)
++    return (0);
++
+   value = 0;
+ 
+-  while ((**buffer & 128) && *buffer < bufend)
++  while (*buffer < bufend && (**buffer & 128))
+   {
+     value = (value << 7) | (**buffer & 127);
+     (*buffer) ++;
+@@ -1379,6 +1391,9 @@ asn1_get_string(
+     char          *string,		/* I  - String buffer */
+     size_t        strsize)		/* I  - String buffer size */
+ {
++  if (*buffer >= bufend)
++    return (NULL);
++
+   if (length > (unsigned)(bufend - *buffer))
+     length = (unsigned)(bufend - *buffer);
+ 
+@@ -1421,6 +1436,9 @@ asn1_get_type(unsigned char **buffer,	/* IO - Pointer in buffer */
+   int	type;				/* Type */
+ 
+ 
++  if (*buffer >= bufend)
++    return (0);
++
+   type = **buffer;
+   (*buffer) ++;
+ 
+diff --git a/scheduler/client.c b/scheduler/client.c
+index a21b909a8..680508047 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -568,6 +568,17 @@ cupsdReadClient(cupsd_client_t *con)	/* I - Client to read from */
+ 
+   cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cupsdReadClient: error=%d, used=%d, state=%s, data_encoding=HTTP_ENCODING_%s, data_remaining=" CUPS_LLFMT ", request=%p(%s), file=%d", httpError(con->http), (int)httpGetReady(con->http), httpStateString(httpGetState(con->http)), httpIsChunked(con->http) ? "CHUNKED" : "LENGTH", CUPS_LLCAST httpGetRemaining(con->http), con->request, con->request ? ippStateString(ippGetState(con->request)) : "", con->file);
+ 
++  if (httpError(con->http) == EPIPE && !httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
++  {
++   /*
++    * Connection closed...
++    */
++
++    cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
++    cupsdCloseClient(con);
++    return;
++  }
++
+   if (httpGetState(con->http) == HTTP_STATE_GET_SEND ||
+       httpGetState(con->http) == HTTP_STATE_POST_SEND ||
+       httpGetState(con->http) == HTTP_STATE_STATUS)
+@@ -577,17 +588,6 @@ cupsdReadClient(cupsd_client_t *con)	/* I - Client to read from */
+     * connection and we need to shut it down...
+     */
+ 
+-    if (!httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
+-    {
+-     /*
+-      * Connection closed...
+-      */
+-
+-      cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
+-      cupsdCloseClient(con);
+-      return;
+-    }
+-
+     cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on unexpected HTTP read state %s.", httpStateString(httpGetState(con->http)));
+     cupsdCloseClient(con);
+     return;
+@@ -2209,6 +2209,7 @@ cupsdSendError(cupsd_client_t *con,	/* I - Connection */
+   strlcpy(location, httpGetField(con->http, HTTP_FIELD_LOCATION), sizeof(location));
+ 
+   httpClearFields(con->http);
++  httpClearCookie(con->http);
+ 
+   httpSetField(con->http, HTTP_FIELD_LOCATION, location);
+ 
diff -Nru cups-2.2.10/debian/patches/series cups-2.2.10/debian/patches/series
--- cups-2.2.10/debian/patches/series	2019-04-23 08:33:01.000000000 +0200
+++ cups-2.2.10/debian/patches/series	2019-08-21 09:43:13.000000000 +0200
@@ -44,3 +44,4 @@
 0044-Fix-potential-unaligned-accesses-in-the-string-pool-.patch
 0045-Fix-an-issue-with-PreserveJobHistory-and-time-values.patch
 manpage-translations.patch
+0047-Fix-multiple-security-disclosure-issues.patch

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Follow-Ups:
- Bug#935253: buster-pu: package cups/2.2.10-6+deb10u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Re: Haskell binnmus is there a problem?
Next by Date: Bug#934928: Bug#933829: win32-loader: Checksums need to be updated for new stable release, download fails to validate Release file.
Previous by thread: Processed: reopening 935253, tagging 935253, severity of 935253 is normal
Next by thread: Bug#935253: buster-pu: package cups/2.2.10-6+deb10u1
Index(es):
- Date
- Thread