Bug#947834: stretch-pu: package cups/2.2.1-8+deb9u5

[Didier 'OdyX' Raboud <odyx@debian.org>]

Le mardi, 31 décembre 2019, 14.33:54 h CET Didier 'OdyX' Raboud a écrit :
> CVE-2019-2228 affects oldstable's cups (see #946782); and I'd also like to
> fix another memory leak (#946941). (See #947832 for the stable/buster pu)

It turns out I can't easily backport the fix for #946941; so here's a reduced 
proposal:

cups (2.2.1-8+deb9u5) stretch; urgency=medium

  * Backport upstream security fix:
    - CVE-2019-2228: The `ippSetValuetag` function did not validate the
      default language value (Closes: #946782)

 -- Didier Raboud <odyx@debian.org>  Tue, 31 Dec 2019 17:02:30 +0100

debdiff attached.

Cheers,
    OdyX

diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog	2019-08-21 09:51:54.000000000 +0200
+++ cups-2.2.1/debian/changelog	2019-12-31 17:02:30.000000000 +0100
@@ -1,3 +1,11 @@
+cups (2.2.1-8+deb9u5) stretch; urgency=medium
+
+  * Backport upstream security fix:
+    - CVE-2019-2228: The `ippSetValuetag` function did not validate the
+      default language value (Closes: #946782)
+
+ -- Didier Raboud <odyx@debian.org>  Tue, 31 Dec 2019 17:02:30 +0100
+
 cups (2.2.1-8+deb9u4) stretch; urgency=low
 
   * Fix multiple security/disclosure issues (Closes: #934957)
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm	2019-08-21 09:51:54.000000000 +0200
+++ cups-2.2.1/debian/.git-dpm	2019-12-31 17:02:18.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-8d6c8479d69d091ee83bbf7e10249f98cdaefa99
-8d6c8479d69d091ee83bbf7e10249f98cdaefa99
+44f7d84856de97443c6785cd9ab9c6915224b7a2
+44f7d84856de97443c6785cd9ab9c6915224b7a2
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 cups_2.2.1.orig.tar.gz
diff -Nru cups-2.2.1/debian/patches/0055-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch cups-2.2.1/debian/patches/0055-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
--- cups-2.2.1/debian/patches/0055-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch	1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.1/debian/patches/0055-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch	2019-12-31 17:02:18.000000000 +0100
@@ -0,0 +1,23 @@
+From 44f7d84856de97443c6785cd9ab9c6915224b7a2 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Fri, 13 Dec 2019 09:30:46 -0500
+Subject: CVE-2019-2228: Fix ippSetValueTag validation of default language
+
+Closes: #946782
+---
+ cups/ipp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 843b4d997..8840a1d09 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -4721,7 +4721,7 @@ ippSetValueTag(
+           return (0);
+ 
+         if (ipp->attrs && ipp->attrs->next && ipp->attrs->next->name &&
+-            !strcmp(ipp->attrs->next->name, "attributes-natural-language"))
++            !strcmp(ipp->attrs->next->name, "attributes-natural-language") && (ipp->attrs->next->value_tag & IPP_TAG_CUPS_MASK) == IPP_TAG_LANGUAGE)
+         {
+          /*
+           * Use the language code from the IPP message...
diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series
--- cups-2.2.1/debian/patches/series	2019-08-21 09:51:54.000000000 +0200
+++ cups-2.2.1/debian/patches/series	2019-12-31 17:02:18.000000000 +0100
@@ -52,3 +52,4 @@
 0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
 0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
 0054-Fix-multiple-security-disclosure-issues.patch
+0055-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch

Attachment: signature.asc
Description: This is a digitally signed message part.