Control: retitle -1 stretch-pu: package cups/2.2.1-8+deb9u4
Hi there,
sorry for the bug cloning mess; I hope things are as they should be now. This bug
is about fixing CVE-2019-8696, CVE-2019-8675 and the other security bugs fixed
by CUPS upstream in [0], for stretch.
The Security Team has declined fixing these in a security upload; so here I
come for an Oldstable update. The Buster counterpart bug is #935253.
The debdiff for Stretch is attached. Can I (source-only) upload?
Cheers,
OdyX
[0] https://github.com/apple/cups/commit/
f24e6cf6a39300ad0c3726a41a4aab51ad54c109
diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/changelog 2019-08-21 09:51:54.000000000 +0200
@@ -1,3 +1,13 @@
+cups (2.2.1-8+deb9u4) stretch; urgency=low
+
+ * Fix multiple security/disclosure issues (Closes: #934957)
+ - CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows
+ - Fixed IPP buffer overflow
+ - Fixed memory disclosure issue in the scheduler
+ - Fixed DoS issues in the scheduler
+
+ -- Didier Raboud <odyx@debian.org> Wed, 21 Aug 2019 09:51:54 +0200
+
cups (2.2.1-8+deb9u3) stretch; urgency=low
* Backport upstream fixes for:
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/.git-dpm 2019-08-21 09:51:54.000000000 +0200
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-a40147f12081943df6c85b6b1f4d302633a6995c
-a40147f12081943df6c85b6b1f4d302633a6995c
+8d6c8479d69d091ee83bbf7e10249f98cdaefa99
+8d6c8479d69d091ee83bbf7e10249f98cdaefa99
a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
cups_2.2.1.orig.tar.gz
diff -Nru cups-2.2.1/debian/patches/0054-Fix-multiple-security-disclosure-issues.patch cups-2.2.1/debian/patches/0054-Fix-multiple-security-disclosure-issues.patch
--- cups-2.2.1/debian/patches/0054-Fix-multiple-security-disclosure-issues.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.1/debian/patches/0054-Fix-multiple-security-disclosure-issues.patch 2019-08-21 09:51:54.000000000 +0200
@@ -0,0 +1,188 @@
+From 8d6c8479d69d091ee83bbf7e10249f98cdaefa99 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 15 Aug 2019 14:08:31 -0400
+Subject: Fix multiple security/disclosure issues:
+
+- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251)
+- Fixed IPP buffer overflow (rdar://50035411)
+- Fixed memory disclosure issue in the scheduler (rdar://51373853)
+- Fixed DoS issues in the scheduler (rdar://51373929)
+
+This is a backport of f24e6cf6a39300ad0c3726a41a4aab51ad54c109 on top of 2.2.1.
+---
+ cups/http.c | 9 +++++++--
+ cups/ipp.c | 9 ++-------
+ cups/snmp.c | 20 +++++++++++++++++++-
+ scheduler/client.c | 23 ++++++++++++-----------
+ 4 files changed, 40 insertions(+), 21 deletions(-)
+
+diff --git a/cups/http.c b/cups/http.c
+index b3abbe73e..7ac773ad2 100644
+--- a/cups/http.c
++++ b/cups/http.c
+@@ -1891,7 +1891,7 @@ httpPrintf(http_t *http, /* I - HTTP connection */
+ ...) /* I - Additional args as needed */
+ {
+ ssize_t bytes; /* Number of bytes to write */
+- char buf[16384]; /* Buffer for formatted string */
++ char buf[65536]; /* Buffer for formatted string */
+ va_list ap; /* Variable argument pointer */
+
+
+@@ -1903,7 +1903,12 @@ httpPrintf(http_t *http, /* I - HTTP connection */
+
+ DEBUG_printf(("3httpPrintf: (" CUPS_LLFMT " bytes) %s", CUPS_LLCAST bytes, buf));
+
+- if (http->data_encoding == HTTP_ENCODING_FIELDS)
++ if (bytes > (ssize_t)(sizeof(buf) - 1))
++ {
++ http->error = ENOMEM;
++ return (-1);
++ }
++ else if (http->data_encoding == HTTP_ENCODING_FIELDS)
+ return ((int)httpWrite2(http, buf, (size_t)bytes));
+ else
+ {
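Review bot: A negative `bytes` still reaches `httpWrite2(http, buf, (size_t)bytes)`, because the added guard rejects only the truncation case. The assignment to `bytes` is outside the hunk, but if it comes from a vsnprintf-style call, an error return of -1 becomes a huge length after the cast. Extend the guard to `if (bytes < 0 || bytes > (ssize_t)(sizeof(buf) - 1))`. httpPrintf's body starts and ends outside the hunk.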
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 5ed31f53d..843b4d997 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -4706,9 +4706,7 @@ ippSetValueTag(
+ break;
+
+ case IPP_TAG_NAME :
+- if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI &&
+- temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE &&
+- temp_tag != IPP_TAG_MIMETYPE)
++ if (temp_tag != IPP_TAG_KEYWORD)
+ return (0);
+
+ (*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST));
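Review bot: The narrowed test under `case IPP_TAG_NAME` has no comment saying why URI, URISCHEME, LANGUAGE and MIMETYPE values may no longer be retagged, so a later cleanup could restore them and undo the IPP overflow fix named in the commit message. Add a line above the test such as `/* Only keyword values may be converted to name; other string syntaxes are rejected (IPP buffer overflow fix) */`, and an equivalent one above the `IPP_TAG_NAMELANG` test in the next hunk. ippSetValueTag's body starts and ends outside both hunks.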
+@@ -4716,10 +4714,7 @@ ippSetValueTag(
+
+ case IPP_TAG_NAMELANG :
+ case IPP_TAG_TEXTLANG :
+- if (value_tag == IPP_TAG_NAMELANG &&
+- (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD &&
+- temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME &&
+- temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE))
++ if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD))
+ return (0);
+
+ if (value_tag == IPP_TAG_TEXTLANG && temp_tag != IPP_TAG_TEXT)
+diff --git a/cups/snmp.c b/cups/snmp.c
+index fffa2182b..3c4387e40 100644
+--- a/cups/snmp.c
++++ b/cups/snmp.c
+@@ -1229,6 +1229,9 @@ asn1_get_integer(
+ int value; /* Integer value */
+
+
++ if (*buffer >= bufend)
++ return (0);
++
+ if (length > sizeof(int))
+ {
+ (*buffer) += length;
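Review bot: `(*buffer) += length;` in the oversize branch still advances the cursor by an unchecked `length`, so the pointer can land beyond `bufend`; the added guard only covers a cursor that is already exhausted on entry. Forming a pointer more than one past the end of the packet buffer is undefined behaviour, and the later `*buffer >= bufend` tests then depend on it. Clamp first, as asn1_get_string does: `if (length > (unsigned)(bufend - *buffer)) length = (unsigned)(bufend - *buffer);`. `valend = *buffer + length;` in the asn1_get_oid hunk has the same shape unless it is clamped outside that hunk. The function body continues outside the hunk.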
+@@ -1255,6 +1258,9 @@ asn1_get_length(unsigned char **buffer, /* IO - Pointer in buffer */
+ unsigned length; /* Length */
+
+
++ if (*buffer >= bufend)
++ return (0);
++
+ length = **buffer;
+ (*buffer) ++;
+
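Review bot: The new `return (0)` on an exhausted buffer is indistinguishable from a well-formed zero length, so a caller cannot tell a truncated packet from a valid one. The same in-band 0 is used by the guards added to asn1_get_integer, asn1_get_oid, asn1_get_packed and asn1_get_type. If the signature has to stay as it is for a stable backport, record the contract in the function header, e.g. `/* Returns 0 both for a zero length and when the buffer is exhausted; callers must compare *buffer with bufend */`. The rest of asn1_get_length is outside the hunk.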
+@@ -1297,6 +1303,9 @@ asn1_get_oid(
+ int number; /* OID number */
+
+
++ if (*buffer >= bufend)
++ return (0);
++
+ valend = *buffer + length;
+ oidptr = oid;
+ oidend = oid + oidsize - 1;
+@@ -1345,9 +1354,12 @@ asn1_get_packed(
+ int value; /* Value */
+
+
++ if (*buffer >= bufend)
++ return (0);
++
+ value = 0;
+
+- while ((**buffer & 128) && *buffer < bufend)
++ while (*buffer < bufend && (**buffer & 128))
+ {
+ value = (value << 7) | (**buffer & 127);
+ (*buffer) ++;
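Review bot: `value = (value << 7) | (**buffer & 127);` accumulates into a signed `int` with no cap on the number of continuation bytes, so a long run of bytes with the high bit set overflows the left shift, which is undefined for signed types. The reordered loop condition fixes the read past `bufend` but not this. Do the shift in unsigned arithmetic, `value = (int)(((unsigned)value << 7) | (**buffer & 127));`, or stop after the number of groups that fit in an `int`. The loop's tail and the return are outside the hunk.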
+@@ -1375,6 +1387,9 @@ asn1_get_string(
+ char *string, /* I - String buffer */
+ size_t strsize) /* I - String buffer size */
+ {
++ if (*buffer >= bufend)
++ return (NULL);
++
+ if (length > (unsigned)(bufend - *buffer))
+ length = (unsigned)(bufend - *buffer);
+
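Review bot: The early `return (NULL)` leaves `string` unwritten, so a caller that ignores the return value and reads its own buffer would see stale or uninitialized bytes. Whether any caller does that is not visible in this hunk. Terminating the output before returning makes the failure an empty string: `if (string && strsize > 0) *string = '\0';`. The rest of asn1_get_string is outside the hunk.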
+@@ -1417,6 +1432,9 @@ asn1_get_type(unsigned char **buffer, /* IO - Pointer in buffer */
+ int type; /* Type */
+
+
++ if (*buffer >= bufend)
++ return (0);
++
+ type = **buffer;
+ (*buffer) ++;
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 20ccf11a9..ebb35e1ab 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -566,6 +566,17 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
+
+ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cupsdReadClient: error=%d, used=%d, state=%s, data_encoding=HTTP_ENCODING_%s, data_remaining=" CUPS_LLFMT ", request=%p(%s), file=%d", httpError(con->http), (int)httpGetReady(con->http), httpStateString(httpGetState(con->http)), httpIsChunked(con->http) ? "CHUNKED" : "LENGTH", CUPS_LLCAST httpGetRemaining(con->http), con->request, con->request ? ippStateString(ippGetState(con->request)) : "", con->file);
+
++ if (httpError(con->http) == EPIPE && !httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
++ {
++ /*
++ * Connection closed...
++ */
++
++ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
++ cupsdCloseClient(con);
++ return;
++ }
++
+ if (httpGetState(con->http) == HTTP_STATE_GET_SEND ||
+ httpGetState(con->http) == HTTP_STATE_POST_SEND ||
+ httpGetState(con->http) == HTTP_STATE_STATUS)
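Review bot: The hoisted EOF test keeps the old comment `Connection closed...`, which does not say why it now runs before the HTTP state check or why it is gated on `httpError(con->http) == EPIPE`. This appears to be the scheduler DoS fix from the commit message, so the reasoning belongs next to the code, e.g. `/* Peer hung up: close the client in any HTTP state, not only the *_SEND/STATUS states checked below */`. cupsdReadClient's body starts and ends outside the hunk.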
+@@ -575,17 +586,6 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
+ * connection and we need to shut it down...
+ */
+
+- if (!httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
+- {
+- /*
+- * Connection closed...
+- */
+-
+- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
+- cupsdCloseClient(con);
+- return;
+- }
+-
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on unexpected HTTP read state %s.", httpStateString(httpGetState(con->http)));
+ cupsdCloseClient(con);
+ return;
+@@ -2195,6 +2195,7 @@ cupsdSendError(cupsd_client_t *con, /* I - Connection */
+ strlcpy(location, httpGetField(con->http, HTTP_FIELD_LOCATION), sizeof(location));
+
+ httpClearFields(con->http);
++ httpClearCookie(con->http);
+
+ httpSetField(con->http, HTTP_FIELD_LOCATION, location);
+
diff -Nru cups-2.2.1/debian/patches/add-ipp-backend-of-cups-1.4.patch cups-2.2.1/debian/patches/add-ipp-backend-of-cups-1.4.patch
--- cups-2.2.1/debian/patches/add-ipp-backend-of-cups-1.4.patch 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/patches/add-ipp-backend-of-cups-1.4.patch 2019-08-21 09:51:54.000000000 +0200
@@ -15,7 +15,7 @@
Patch-Name: add-ipp-backend-of-cups-1.4.patch
---
backend/Makefile | 13 +
- backend/ipp14.c | 1953 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ backend/ipp14.c | 1953 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 1966 insertions(+)
create mode 100644 backend/ipp14.c
@@ -39,10 +39,11 @@
lpd.o \
dnssd.o \
snmp.o \
-@@ -268,6 +270,17 @@ ipp: ipp.o ../cups/$(LIBCUPS) libbackend.a
+@@ -267,6 +269,17 @@ ipp: ipp.o ../cups/$(LIBCUPS) libbackend.a
+ $(LN) ipp http
- #
++#
+# ipp14
+#
+
@@ -53,10 +54,9 @@
+ #$(LN) ipp14 http
+
+
-+#
+ #
# lpd
#
-
diff --git a/backend/ipp14.c b/backend/ipp14.c
new file mode 100644
index 000000000..dae5d13a5
diff -Nru cups-2.2.1/debian/patches/cupsd-upstart-support.patch cups-2.2.1/debian/patches/cupsd-upstart-support.patch
--- cups-2.2.1/debian/patches/cupsd-upstart-support.patch 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/patches/cupsd-upstart-support.patch 2019-08-21 09:51:54.000000000 +0200
@@ -21,7 +21,7 @@
Last-Update: 2015-10-02
Patch-Name: cupsd-upstart-support.patch
---
- scheduler/main.c | 109 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ scheduler/main.c | 109 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 109 insertions(+)
diff --git a/scheduler/main.c b/scheduler/main.c
@@ -51,32 +51,32 @@
if (!ConfigurationFile)
cupsdSetString(&ConfigurationFile, CUPS_SERVERROOT "/cupsd.conf");
-@@ -594,6 +603,11 @@ main(int argc, /* I - Number of command-line args */
+@@ -593,6 +602,11 @@ main(int argc, /* I - Number of command-line args */
+ }
#endif /* HAVE_ONDEMAND */
- /*
++ /*
+ * If we were started by Upstart get the listen sockets file descriptors...
+ */
+ upstart_checkin();
+
-+ /*
+ /*
* Startup the server...
*/
-
-@@ -782,6 +796,13 @@ main(int argc, /* I - Number of command-line args */
+@@ -781,6 +795,13 @@ main(int argc, /* I - Number of command-line args */
+ break;
}
- /*
++ /*
+ * If we were started by Upstart get the listen sockets file
+ * descriptors...
+ */
+
+ upstart_checkin();
+
-+ /*
+ /*
* Startup the server...
*/
-
@@ -1590,6 +1611,94 @@ process_children(void)
}
diff -Nru cups-2.2.1/debian/patches/cups-snmp-oids-device-id-hp-ricoh.patch cups-2.2.1/debian/patches/cups-snmp-oids-device-id-hp-ricoh.patch
--- cups-2.2.1/debian/patches/cups-snmp-oids-device-id-hp-ricoh.patch 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/patches/cups-snmp-oids-device-id-hp-ricoh.patch 2019-08-21 09:51:54.000000000 +0200
@@ -30,13 +30,14 @@
static const int XeroxProductOID[] = { 1,3,6,1,4,1,128,2,1,3,1,2,0,-1 };
static cups_array_t *DeviceURIs = NULL;
static int HostNameLookups = 0;
-@@ -975,8 +977,14 @@ read_snmp_response(int fd) /* I - SNMP socket file descriptor */
+@@ -974,9 +976,15 @@ read_snmp_response(int fd) /* I - SNMP socket file descriptor */
+ _cupsSNMPWrite(fd, &(packet.address), CUPS_SNMP_VERSION_1,
packet.community, CUPS_ASN1_GET_REQUEST,
DEVICE_ID, LexmarkDeviceIdOID);
- _cupsSNMPWrite(fd, &(packet.address), CUPS_SNMP_VERSION_1,
++ _cupsSNMPWrite(fd, &(packet.address), CUPS_SNMP_VERSION_1,
+ packet.community, CUPS_ASN1_GET_REQUEST,
+ DEVICE_ID, RicohDeviceIdOID);
-+ _cupsSNMPWrite(fd, &(packet.address), CUPS_SNMP_VERSION_1,
+ _cupsSNMPWrite(fd, &(packet.address), CUPS_SNMP_VERSION_1,
packet.community, CUPS_ASN1_GET_REQUEST,
DEVICE_PRODUCT, XeroxProductOID);
+ _cupsSNMPWrite(fd, &(packet.address), CUPS_SNMP_VERSION_1,
diff -Nru cups-2.2.1/debian/patches/logfiles_adm_readable.patch cups-2.2.1/debian/patches/logfiles_adm_readable.patch
--- cups-2.2.1/debian/patches/logfiles_adm_readable.patch 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/patches/logfiles_adm_readable.patch 2019-08-21 09:51:54.000000000 +0200
@@ -31,18 +31,18 @@
/*
-@@ -133,6 +135,11 @@ cupsdCheckLogFile(cups_file_t **lf, /* IO - Log file */
+@@ -132,6 +134,11 @@ cupsdCheckLogFile(cups_file_t **lf, /* IO - Log file */
+ return (1);
}
- /*
++ /*
+ * Use adm group if possible, fall back to Group
+ */
+ loggrp = getgrnam("adm");
+
-+ /*
+ /*
* Format the filename as needed...
*/
-
@@ -253,7 +260,7 @@ cupsdCheckLogFile(cups_file_t **lf, /* IO - Log file */
* Change ownership and permissions of non-device logs...
*/
diff -Nru cups-2.2.1/debian/patches/manpage-translations.patch cups-2.2.1/debian/patches/manpage-translations.patch
--- cups-2.2.1/debian/patches/manpage-translations.patch 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/patches/manpage-translations.patch 2019-08-21 09:51:54.000000000 +0200
@@ -13,8 +13,8 @@
Patch-Name: manpage-translations.patch
---
- man/Makefile | 15 +++-
- man/Makefile.l10n | 248 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ man/Makefile | 15 ++-
+ man/Makefile.l10n | 248 ++++++++++++++++++++++++++++++++++++++++++++++
man/de/Makefile | 13 +++
man/fr/Makefile | 13 +++
4 files changed, 288 insertions(+), 1 deletion(-)
diff -Nru cups-2.2.1/debian/patches/printer-filtering.patch cups-2.2.1/debian/patches/printer-filtering.patch
--- cups-2.2.1/debian/patches/printer-filtering.patch 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/patches/printer-filtering.patch 2019-08-21 09:51:54.000000000 +0200
@@ -9,7 +9,7 @@
=== modified file 'cups-1.3.9/cups/ipp.c'
Patch-Name: printer-filtering.patch
---
- cups/ipp.c | 116 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ cups/ipp.c | 116 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 116 insertions(+)
diff --git a/cups/ipp.c b/cups/ipp.c
diff -Nru cups-2.2.1/debian/patches/pwg-raster-attributes.patch cups-2.2.1/debian/patches/pwg-raster-attributes.patch
--- cups-2.2.1/debian/patches/pwg-raster-attributes.patch 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/patches/pwg-raster-attributes.patch 2019-08-21 09:51:54.000000000 +0200
@@ -10,7 +10,7 @@
Last-Update: 2015-02-10
Patch-Name: pwg-raster-attributes.patch
---
- scheduler/printers.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ scheduler/printers.c | 77 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 76 insertions(+), 1 deletion(-)
diff --git a/scheduler/printers.c b/scheduler/printers.c
diff -Nru cups-2.2.1/debian/patches/reactivate_recommended_driver.patch cups-2.2.1/debian/patches/reactivate_recommended_driver.patch
--- cups-2.2.1/debian/patches/reactivate_recommended_driver.patch 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/patches/reactivate_recommended_driver.patch 2019-08-21 09:51:54.000000000 +0200
@@ -24,10 +24,11 @@
/*
-@@ -285,15 +284,6 @@ add_ppd(const char *filename, /* I - PPD filename */
+@@ -284,15 +283,6 @@ add_ppd(const char *filename, /* I - PPD filename */
+ strlcpy(ppd->record.device_id, device_id, sizeof(ppd->record.device_id));
strlcpy(ppd->record.scheme, scheme, sizeof(ppd->record.scheme));
- /*
+- /*
- * Strip confusing (and often wrong) "recommended" suffix added by
- * Foomatic drivers...
- */
@@ -36,7 +37,6 @@
- " (recommended)")) != NULL)
- *recommended = '\0';
-
-- /*
+ /*
* Add the PPD to the PPD arrays...
*/
-
diff -Nru cups-2.2.1/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch cups-2.2.1/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch
--- cups-2.2.1/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch 2019-08-21 09:51:54.000000000 +0200
@@ -15,7 +15,7 @@
Patch-Name: read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch
---
- scheduler/ipp.c | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ scheduler/ipp.c | 84 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
diff --git a/scheduler/ipp.c b/scheduler/ipp.c
@@ -34,10 +34,11 @@
/*
-@@ -8719,6 +8724,85 @@ read_job_ticket(cupsd_client_t *con) /* I - Client connection */
+@@ -8718,6 +8723,85 @@ read_job_ticket(cupsd_client_t *con) /* I - Client connection */
+ num_options = cupsParseOptions(line + 15, num_options, &options);
}
- /*
++ /*
+ * Read option settings embedded in the file...
+ */
+
@@ -116,7 +117,6 @@
+ }
+ }
+
-+ /*
+ /*
* Done with the file; see if we have any options...
*/
-
diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series
--- cups-2.2.1/debian/patches/series 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/patches/series 2019-08-21 09:51:54.000000000 +0200
@@ -51,3 +51,4 @@
0051-Fix-local-privilege-escalation-to-root-and-sandbox-b.patch
0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
+0054-Fix-multiple-security-disclosure-issues.patch
diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/changelog 2019-08-21 09:51:54.000000000 +0200
@@ -1,3 +1,13 @@
+cups (2.2.1-8+deb9u4) stretch; urgency=low
+
+ * Fix multiple security/disclosure issues (Closes: #934957)
+ - CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows
+ - Fixed IPP buffer overflow
+ - Fixed memory disclosure issue in the scheduler
+ - Fixed DoS issues in the scheduler
+
+ -- Didier Raboud <odyx@debian.org> Wed, 21 Aug 2019 09:51:54 +0200
+
cups (2.2.1-8+deb9u3) stretch; urgency=low
* Backport upstream fixes for:
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/.git-dpm 2019-08-21 09:51:54.000000000 +0200
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-a40147f12081943df6c85b6b1f4d302633a6995c
-a40147f12081943df6c85b6b1f4d302633a6995c
+8d6c8479d69d091ee83bbf7e10249f98cdaefa99
+8d6c8479d69d091ee83bbf7e10249f98cdaefa99
a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
cups_2.2.1.orig.tar.gz
diff -Nru cups-2.2.1/debian/patches/0054-Fix-multiple-security-disclosure-issues.patch cups-2.2.1/debian/patches/0054-Fix-multiple-security-disclosure-issues.patch
--- cups-2.2.1/debian/patches/0054-Fix-multiple-security-disclosure-issues.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.1/debian/patches/0054-Fix-multiple-security-disclosure-issues.patch 2019-08-21 09:51:54.000000000 +0200
@@ -0,0 +1,188 @@
+From 8d6c8479d69d091ee83bbf7e10249f98cdaefa99 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 15 Aug 2019 14:08:31 -0400
+Subject: Fix multiple security/disclosure issues:
+
+- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251)
+- Fixed IPP buffer overflow (rdar://50035411)
+- Fixed memory disclosure issue in the scheduler (rdar://51373853)
+- Fixed DoS issues in the scheduler (rdar://51373929)
+
+This is a backport of f24e6cf6a39300ad0c3726a41a4aab51ad54c109 on top of 2.2.1.
+---
+ cups/http.c | 9 +++++++--
+ cups/ipp.c | 9 ++-------
+ cups/snmp.c | 20 +++++++++++++++++++-
+ scheduler/client.c | 23 ++++++++++++-----------
+ 4 files changed, 40 insertions(+), 21 deletions(-)
+
+diff --git a/cups/http.c b/cups/http.c
+index b3abbe73e..7ac773ad2 100644
+--- a/cups/http.c
++++ b/cups/http.c
+@@ -1891,7 +1891,7 @@ httpPrintf(http_t *http, /* I - HTTP connection */
+ ...) /* I - Additional args as needed */
+ {
+ ssize_t bytes; /* Number of bytes to write */
+- char buf[16384]; /* Buffer for formatted string */
++ char buf[65536]; /* Buffer for formatted string */
+ va_list ap; /* Variable argument pointer */
+
+
+@@ -1903,7 +1903,12 @@ httpPrintf(http_t *http, /* I - HTTP connection */
+
+ DEBUG_printf(("3httpPrintf: (" CUPS_LLFMT " bytes) %s", CUPS_LLCAST bytes, buf));
+
+- if (http->data_encoding == HTTP_ENCODING_FIELDS)
++ if (bytes > (ssize_t)(sizeof(buf) - 1))
++ {
++ http->error = ENOMEM;
++ return (-1);
++ }
++ else if (http->data_encoding == HTTP_ENCODING_FIELDS)
+ return ((int)httpWrite2(http, buf, (size_t)bytes));
+ else
+ {
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 5ed31f53d..843b4d997 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -4706,9 +4706,7 @@ ippSetValueTag(
+ break;
+
+ case IPP_TAG_NAME :
+- if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI &&
+- temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE &&
+- temp_tag != IPP_TAG_MIMETYPE)
++ if (temp_tag != IPP_TAG_KEYWORD)
+ return (0);
+
+ (*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST));
+@@ -4716,10 +4714,7 @@ ippSetValueTag(
+
+ case IPP_TAG_NAMELANG :
+ case IPP_TAG_TEXTLANG :
+- if (value_tag == IPP_TAG_NAMELANG &&
+- (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD &&
+- temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME &&
+- temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE))
++ if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD))
+ return (0);
+
+ if (value_tag == IPP_TAG_TEXTLANG && temp_tag != IPP_TAG_TEXT)
+diff --git a/cups/snmp.c b/cups/snmp.c
+index fffa2182b..3c4387e40 100644
+--- a/cups/snmp.c
++++ b/cups/snmp.c
+@@ -1229,6 +1229,9 @@ asn1_get_integer(
+ int value; /* Integer value */
+
+
++ if (*buffer >= bufend)
++ return (0);
++
+ if (length > sizeof(int))
+ {
+ (*buffer) += length;
+@@ -1255,6 +1258,9 @@ asn1_get_length(unsigned char **buffer, /* IO - Pointer in buffer */
+ unsigned length; /* Length */
+
+
++ if (*buffer >= bufend)
++ return (0);
++
+ length = **buffer;
+ (*buffer) ++;
+
+@@ -1297,6 +1303,9 @@ asn1_get_oid(
+ int number; /* OID number */
+
+
++ if (*buffer >= bufend)
++ return (0);
++
+ valend = *buffer + length;
+ oidptr = oid;
+ oidend = oid + oidsize - 1;
+@@ -1345,9 +1354,12 @@ asn1_get_packed(
+ int value; /* Value */
+
+
++ if (*buffer >= bufend)
++ return (0);
++
+ value = 0;
+
+- while ((**buffer & 128) && *buffer < bufend)
++ while (*buffer < bufend && (**buffer & 128))
+ {
+ value = (value << 7) | (**buffer & 127);
+ (*buffer) ++;
+@@ -1375,6 +1387,9 @@ asn1_get_string(
+ char *string, /* I - String buffer */
+ size_t strsize) /* I - String buffer size */
+ {
++ if (*buffer >= bufend)
++ return (NULL);
++
+ if (length > (unsigned)(bufend - *buffer))
+ length = (unsigned)(bufend - *buffer);
+
+@@ -1417,6 +1432,9 @@ asn1_get_type(unsigned char **buffer, /* IO - Pointer in buffer */
+ int type; /* Type */
+
+
++ if (*buffer >= bufend)
++ return (0);
++
+ type = **buffer;
+ (*buffer) ++;
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 20ccf11a9..ebb35e1ab 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -566,6 +566,17 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
+
+ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cupsdReadClient: error=%d, used=%d, state=%s, data_encoding=HTTP_ENCODING_%s, data_remaining=" CUPS_LLFMT ", request=%p(%s), file=%d", httpError(con->http), (int)httpGetReady(con->http), httpStateString(httpGetState(con->http)), httpIsChunked(con->http) ? "CHUNKED" : "LENGTH", CUPS_LLCAST httpGetRemaining(con->http), con->request, con->request ? ippStateString(ippGetState(con->request)) : "", con->file);
+
++ if (httpError(con->http) == EPIPE && !httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
++ {
++ /*
++ * Connection closed...
++ */
++
++ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
++ cupsdCloseClient(con);
++ return;
++ }
++
+ if (httpGetState(con->http) == HTTP_STATE_GET_SEND ||
+ httpGetState(con->http) == HTTP_STATE_POST_SEND ||
+ httpGetState(con->http) == HTTP_STATE_STATUS)
+@@ -575,17 +586,6 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
+ * connection and we need to shut it down...
+ */
+
+- if (!httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
+- {
+- /*
+- * Connection closed...
+- */
+-
+- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
+- cupsdCloseClient(con);
+- return;
+- }
+-
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on unexpected HTTP read state %s.", httpStateString(httpGetState(con->http)));
+ cupsdCloseClient(con);
+ return;
+@@ -2195,6 +2195,7 @@ cupsdSendError(cupsd_client_t *con, /* I - Connection */
+ strlcpy(location, httpGetField(con->http, HTTP_FIELD_LOCATION), sizeof(location));
+
+ httpClearFields(con->http);
++ httpClearCookie(con->http);
+
+ httpSetField(con->http, HTTP_FIELD_LOCATION, location);
+
diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series
--- cups-2.2.1/debian/patches/series 2018-12-14 13:58:47.000000000 +0100
+++ cups-2.2.1/debian/patches/series 2019-08-21 09:51:54.000000000 +0200
@@ -51,3 +51,4 @@
0051-Fix-local-privilege-escalation-to-root-and-sandbox-b.patch
0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
+0054-Fix-multiple-security-disclosure-issues.patch