[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#958814: marked as done (buster-pu: package cups/2.2.10-6+deb10u3)

Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #958814,
regarding buster-pu: package cups/2.2.10-6+deb10u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
958814: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958814
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

CVE-2020-3898 and CVE-2019-8842 got fixed in unstable, after coordinated
disclosure.

I'd like to fix these in a stable upload too.

cups (2.2.10-6+deb10u3) buster; urgency=medium

  * Backport upstream security fixes:
    - CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption()
      function in ppd-mark.c
    - CVE-2019-8842: The `ippReadIO` function may under-read an extension
      field

 -- Didier Raboud <odyx@debian.org>  Sat, 25 Apr 2020 16:27:21 +0200

Debdiff and direct patches attached.

Regards,

OdyX


-- System Information:
Debian Release: bullseye/sid
  APT prefers buildd-unstable
  APT policy: (990, 'buildd-unstable'), (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru cups-2.2.10/debian/changelog cups-2.2.10/debian/changelog
--- cups-2.2.10/debian/changelog	2020-01-19 09:36:31.000000000 +0100
+++ cups-2.2.10/debian/changelog	2020-04-25 16:27:21.000000000 +0200
@@ -1,3 +1,13 @@
+cups (2.2.10-6+deb10u3) buster; urgency=medium
+
+  * Backport upstream security fixes:
+    - CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption()
+      function in ppd-mark.c
+    - CVE-2019-8842: The `ippReadIO` function may under-read an extension
+      field
+
+ -- Didier Raboud <odyx@debian.org>  Sat, 25 Apr 2020 16:27:21 +0200
+
 cups (2.2.10-6+deb10u2) buster; urgency=medium
 
   * Backport upstream security fixes:
diff -Nru cups-2.2.10/debian/.git-dpm cups-2.2.10/debian/.git-dpm
--- cups-2.2.10/debian/.git-dpm	2020-01-19 09:36:31.000000000 +0100
+++ cups-2.2.10/debian/.git-dpm	2020-04-25 16:25:37.000000000 +0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-1b21a83376cee1f213faf7f4b4d89dd766c28975
-1b21a83376cee1f213faf7f4b4d89dd766c28975
+f1b7b7e074291c85366a60f7a197dea19e62c9cf
+f1b7b7e074291c85366a60f7a197dea19e62c9cf
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 cups_2.2.10.orig.tar.gz
diff -Nru cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
--- cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch	1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch	2020-04-25 16:25:37.000000000 +0200
@@ -0,0 +1,56 @@
+From 1668f3bdc68101d44d0d18c85ba3e6572b517ff4 Mon Sep 17 00:00:00 2001
+From: Stephan Zeisberg <stephan.zeisberg@splone.com>
+Date: Fri, 10 Apr 2020 17:14:34 +0200
+Subject: =?UTF-8?q?CVE-2020-3898=20-=20heap-buffer-overflow=20in=20libcups?=
+ =?UTF-8?q?=E2=80=99s=20ppdFindOption()=20function=20in=20ppd-mark.c?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ cups/ppd.c           |  3 +--
+ ppdc/ppdc-source.cxx | 14 ++++++++------
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/cups/ppd.c b/cups/ppd.c
+index b823d17b4..8d3eb8a3b 100644
+--- a/cups/ppd.c
++++ b/cups/ppd.c
+@@ -1705,8 +1705,7 @@ _ppdOpen(
+                      constraint->choice1, constraint->option2,
+ 		     constraint->choice2))
+       {
+-        case 0 : /* Error */
+-	case 1 : /* Error */
++        default : /* Error */
+ 	    pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
+ 	    goto error;
+ 
+diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
+index 5add81002..383f0183d 100644
+--- a/ppdc/ppdc-source.cxx
++++ b/ppdc/ppdc-source.cxx
+@@ -1746,15 +1746,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to read
+ 
+   switch (sscanf(name, "%dx%d", &xdpi, &ydpi))
+   {
+-    case 0 :
+-        _cupsLangPrintf(stderr,
+-	                _("ppdc: Bad resolution name \"%s\" on line %d of "
+-			  "%s."), name, fp->line, fp->filename);
+-        break;
+     case 1 :
+         ydpi = xdpi;
+ 	break;
+-  }
++    case 2 :
++        break;
++    default :
++        _cupsLangPrintf(stderr,
++                  _("ppdc: Bad resolution name \"%s\" on line %d of "
++        "%s."), name, fp->line, fp->filename);
++        break;
++}
+ 
+   // Create the necessary PS commands...
+   snprintf(command, sizeof(command),
diff -Nru cups-2.2.10/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch cups-2.2.10/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
--- cups-2.2.10/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch	1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.10/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch	2020-04-25 16:25:37.000000000 +0200
@@ -0,0 +1,23 @@
+From f1b7b7e074291c85366a60f7a197dea19e62c9cf Mon Sep 17 00:00:00 2001
+From: Didier Raboud <odyx@debian.org>
+Date: Sat, 25 Apr 2020 16:02:12 +0200
+Subject: CVE-2019-8842: The `ippReadIO` function may under-read an extension
+ field
+
+---
+ cups/ipp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 98b499716..4ebb1da9c 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -2960,7 +2960,7 @@ ippReadIO(void       *src,		/* I - Data source */
+             * Read 32-bit "extension" tag...
+             */
+ 
+-	    if ((*cb)(src, buffer, 4) < 1)
++	    if ((*cb)(src, buffer, 4) < 4)
+ 	    {
+ 	      DEBUG_puts("1ippReadIO: Callback returned EOF/error");
+ 	      _cupsBufferRelease((char *)buffer);
diff -Nru cups-2.2.10/debian/patches/series cups-2.2.10/debian/patches/series
--- cups-2.2.10/debian/patches/series	2020-01-19 09:36:31.000000000 +0100
+++ cups-2.2.10/debian/patches/series	2020-04-25 16:25:37.000000000 +0200
@@ -47,3 +47,5 @@
 0047-Fix-multiple-security-disclosure-issues.patch
 0048-Fix-memory-leak-in-ppdOpen.patch
 0049-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
+0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
+0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch

>From 1668f3bdc68101d44d0d18c85ba3e6572b517ff4 Mon Sep 17 00:00:00 2001
From: Stephan Zeisberg <stephan.zeisberg@splone.com>
Date: Fri, 10 Apr 2020 17:14:34 +0200
Subject: =?UTF-8?q?CVE-2020-3898=20-=20heap-buffer-overflow=20in=20libcups?=
 =?UTF-8?q?=E2=80=99s=20ppdFindOption()=20function=20in=20ppd-mark.c?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cups/ppd.c           |  3 +--
 ppdc/ppdc-source.cxx | 14 ++++++++------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/cups/ppd.c b/cups/ppd.c
index b823d17b4..8d3eb8a3b 100644
--- a/cups/ppd.c
+++ b/cups/ppd.c
@@ -1705,8 +1705,7 @@ _ppdOpen(
                      constraint->choice1, constraint->option2,
 		     constraint->choice2))
       {
-        case 0 : /* Error */
-	case 1 : /* Error */
+        default : /* Error */
 	    pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
 	    goto error;
 
diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
index 5add81002..383f0183d 100644
--- a/ppdc/ppdc-source.cxx
+++ b/ppdc/ppdc-source.cxx
@@ -1746,15 +1746,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to read
 
   switch (sscanf(name, "%dx%d", &xdpi, &ydpi))
   {
-    case 0 :
-        _cupsLangPrintf(stderr,
-	                _("ppdc: Bad resolution name \"%s\" on line %d of "
-			  "%s."), name, fp->line, fp->filename);
-        break;
     case 1 :
         ydpi = xdpi;
 	break;
-  }
+    case 2 :
+        break;
+    default :
+        _cupsLangPrintf(stderr,
+                  _("ppdc: Bad resolution name \"%s\" on line %d of "
+        "%s."), name, fp->line, fp->filename);
+        break;
+}
 
   // Create the necessary PS commands...
   snprintf(command, sizeof(command),

>From f1b7b7e074291c85366a60f7a197dea19e62c9cf Mon Sep 17 00:00:00 2001
From: Didier Raboud <odyx@debian.org>
Date: Sat, 25 Apr 2020 16:02:12 +0200
Subject: CVE-2019-8842: The `ippReadIO` function may under-read an extension
 field

---
 cups/ipp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cups/ipp.c b/cups/ipp.c
index 98b499716..4ebb1da9c 100644
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -2960,7 +2960,7 @@ ippReadIO(void       *src,		/* I - Data source */
             * Read 32-bit "extension" tag...
             */
 
-	    if ((*cb)(src, buffer, 4) < 1)
+	    if ((*cb)(src, buffer, 4) < 4)
 	    {
 	      DEBUG_puts("1ippReadIO: Callback returned EOF/error");
 	      _cupsBufferRelease((char *)buffer);

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
Reply to: