Bug#947832: buster-pu: package cups/2.2.10-6+deb10u2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#947832: buster-pu: package cups/2.2.10-6+deb10u2
From: Didier 'OdyX' Raboud <odyx@debian.org>
Date: Tue, 31 Dec 2019 14:22:20 +0100
Message-id: <[🔎] 157779854057.352132.17343004904141581791.reportbug@gyllingar>
Reply-to: Didier 'OdyX' Raboud <odyx@debian.org>, 947832@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Stable Release Team,

CVE-2019-2228 affects stable's cups (see #946782); and I'd also like to fix
another memory leak (#946941).

My proposed changelog would be:

  cups (2.2.10-6+deb10u2) buster; urgency=medium
  
    * Backport upstream security fixes:
      - Fix memory leak in ppdOpen (Closes: #946941)
      - CVE-2019-2228: The `ippSetValuetag` function did not validate the
        default language value (Closes: #946782)
  
   -- Didier Raboud <odyx@debian.org>  Tue, 31 Dec 2019 14:16:46 +0100


… the proposed debdiff is attached.

Cheers,
    OdyX

diff -Nru cups-2.2.10/debian/changelog cups-2.2.10/debian/changelog
--- cups-2.2.10/debian/changelog	2019-08-21 09:43:13.000000000 +0200
+++ cups-2.2.10/debian/changelog	2019-12-31 13:54:34.000000000 +0100
@@ -1,3 +1,12 @@
+cups (2.2.10-6+deb10u2) buster-security; urgency=high
+
+  * Backport upstream security fixes:
+    - Fix memory leak in ppdOpen (Closes: #946941)
+    - CVE-2019-2228: The `ippSetValuetag` function did not validate the
+      default language value (Closes: #946782)
+
+ -- Didier Raboud <odyx@debian.org>  Tue, 31 Dec 2019 13:54:34 +0100
+
 cups (2.2.10-6+deb10u1) buster; urgency=medium
 
   * Fix multiple security/disclosure issues (Closes: #934957)
diff -Nru cups-2.2.10/debian/.git-dpm cups-2.2.10/debian/.git-dpm
--- cups-2.2.10/debian/.git-dpm	2019-08-21 09:43:13.000000000 +0200
+++ cups-2.2.10/debian/.git-dpm	2019-12-31 13:53:45.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-9af82602a9fe2523ceeef46f2d6e6378e2dc7eb7
-9af82602a9fe2523ceeef46f2d6e6378e2dc7eb7
+1b21a83376cee1f213faf7f4b4d89dd766c28975
+1b21a83376cee1f213faf7f4b4d89dd766c28975
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 cups_2.2.10.orig.tar.gz
diff -Nru cups-2.2.10/debian/patches/0048-Fix-memory-leak-in-ppdOpen.patch cups-2.2.10/debian/patches/0048-Fix-memory-leak-in-ppdOpen.patch
--- cups-2.2.10/debian/patches/0048-Fix-memory-leak-in-ppdOpen.patch	1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.10/debian/patches/0048-Fix-memory-leak-in-ppdOpen.patch	2019-12-31 13:53:45.000000000 +0100
@@ -0,0 +1,32 @@
+From 545d46fb0bf1cd8414ab28148f3a3126c3cf75fe Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 1 Aug 2019 13:02:35 -0400
+Subject: Fix memory leak in ppdOpen
+
+Closes: #946941
+---
+ cups/ppd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/cups/ppd.c b/cups/ppd.c
+index 435b992f4..b823d17b4 100644
+--- a/cups/ppd.c
++++ b/cups/ppd.c
+@@ -716,6 +716,8 @@ _ppdOpen(
+ 	   strncmp(ll, keyword, ll_len)))
+       {
+ 	DEBUG_printf(("2_ppdOpen: Ignoring localization: \"%s\"\n", keyword));
++	free(string);
++	string = NULL;
+ 	continue;
+       }
+       else if (localization == _PPD_LOCALIZATION_ICC_PROFILES)
+@@ -735,6 +737,8 @@ _ppdOpen(
+ 	if (i >= (int)(sizeof(color_keywords) / sizeof(color_keywords[0])))
+ 	{
+ 	  DEBUG_printf(("2_ppdOpen: Ignoring localization: \"%s\"\n", keyword));
++	  free(string);
++	  string = NULL;
+ 	  continue;
+ 	}
+       }
diff -Nru cups-2.2.10/debian/patches/0049-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch cups-2.2.10/debian/patches/0049-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
--- cups-2.2.10/debian/patches/0049-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch	1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.10/debian/patches/0049-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch	2019-12-31 13:53:45.000000000 +0100
@@ -0,0 +1,23 @@
+From 1b21a83376cee1f213faf7f4b4d89dd766c28975 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Fri, 13 Dec 2019 09:30:46 -0500
+Subject: CVE-2019-2228: Fix ippSetValueTag validation of default language
+
+Closes: #946782
+---
+ cups/ipp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index cc9c6af50..98b499716 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -4563,7 +4563,7 @@ ippSetValueTag(
+           return (0);
+ 
+         if (ipp->attrs && ipp->attrs->next && ipp->attrs->next->name &&
+-            !strcmp(ipp->attrs->next->name, "attributes-natural-language"))
++            !strcmp(ipp->attrs->next->name, "attributes-natural-language") && (ipp->attrs->next->value_tag & IPP_TAG_CUPS_MASK) == IPP_TAG_LANGUAGE)
+         {
+          /*
+           * Use the language code from the IPP message...
diff -Nru cups-2.2.10/debian/patches/series cups-2.2.10/debian/patches/series
--- cups-2.2.10/debian/patches/series	2019-08-21 09:43:13.000000000 +0200
+++ cups-2.2.10/debian/patches/series	2019-12-31 13:53:45.000000000 +0100
@@ -45,3 +45,5 @@
 0045-Fix-an-issue-with-PreserveJobHistory-and-time-values.patch
 manpage-translations.patch
 0047-Fix-multiple-security-disclosure-issues.patch
+0048-Fix-memory-leak-in-ppdOpen.patch
+0049-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch

Reply to:

Prev by Date: Bug#946559: buster-pu: package proftpd-dfsg/1.3.6-4+deb10u3
Next by Date: Bug#947834: stretch-pu: package cups/2.2.1-8+deb9u5
Previous by thread: Processed: unblock 947805 with 942343, block 942428 with 942343
Next by thread: Bug#947834: stretch-pu: package cups/2.2.1-8+deb9u5
Index(es):
- Date
- Thread