Bug#1007938: buster-pu: package cups/2.2.10-6+deb10u5
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
The attached debdiff for cups fixes CVE-2020-10001 in Buster. This CVE has
been marked as no-dsa by the security team.
The same patch has been uploaded to Stretch already and nobody complained
yet.
Thorsten
diff -Nru cups-2.2.10/debian/changelog cups-2.2.10/debian/changelog
--- cups-2.2.10/debian/changelog 2020-11-28 12:09:48.000000000 +0100
+++ cups-2.2.10/debian/changelog 2022-02-23 22:03:02.000000000 +0100
@@ -1,3 +1,12 @@
+cups (2.2.10-6+deb10u5) buster; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2020-10001.patch
+ An input validation issue might allow a malicious application
+ to read restricted memory.
+
+ -- Thorsten Alteholz <debian@alteholz.de> Wed, 23 Feb 2022 22:03:02 +0100
+
cups (2.2.10-6+deb10u4) buster; urgency=medium
* Backport upstream fix:
diff -Nru cups-2.2.10/debian/.git-dpm cups-2.2.10/debian/.git-dpm
--- cups-2.2.10/debian/.git-dpm 2020-11-28 12:09:48.000000000 +0100
+++ cups-2.2.10/debian/.git-dpm 2022-02-23 22:03:02.000000000 +0100
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-e512765460ec633ad43872436b243021f252a69a
-e512765460ec633ad43872436b243021f252a69a
+cd650ee595b7905afba01cfe9c4479823f22704d
+cd650ee595b7905afba01cfe9c4479823f22704d
25b2338346ef3abbb93ea88476887cba7b2b86f8
25b2338346ef3abbb93ea88476887cba7b2b86f8
cups_2.2.10.orig.tar.gz
diff -Nru cups-2.2.10/debian/patches/0053-CVE-2020-10001.patch cups-2.2.10/debian/patches/0053-CVE-2020-10001.patch
--- cups-2.2.10/debian/patches/0053-CVE-2020-10001.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-2.2.10/debian/patches/0053-CVE-2020-10001.patch 2022-02-23 22:03:02.000000000 +0100
@@ -0,0 +1,49 @@
+From cd650ee595b7905afba01cfe9c4479823f22704d Mon Sep 17 00:00:00 2001
+From: Thorsten Alteholz <debian@alteholz.de>
+Date: Sat, 26 Feb 2022 02:20:21 +0100
+Subject: CVE-2020-10001
+
+---
+ cups/ipp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 4ebb1da9c..ead8856c5 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -2870,7 +2870,8 @@ ippReadIO(void *src, /* I - Data source */
+ unsigned char *buffer, /* Data buffer */
+ string[IPP_MAX_TEXT],
+ /* Small string buffer */
+- *bufptr; /* Pointer into buffer */
++ *bufptr, /* Pointer into buffer */
++ *bufend; /* End of buffer */
+ ipp_attribute_t *attr; /* Current attribute */
+ ipp_tag_t tag; /* Current tag */
+ ipp_tag_t value_tag; /* Current value tag */
+@@ -3440,6 +3441,7 @@ ippReadIO(void *src, /* I - Data source */
+ }
+
+ bufptr = buffer;
++ bufend = buffer + n;
+
+ /*
+ * text-with-language and name-with-language are composite
+@@ -3453,7 +3455,7 @@ ippReadIO(void *src, /* I - Data source */
+
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
++ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ _("IPP language length overflows value."), 1);
+@@ -3480,7 +3482,7 @@ ippReadIO(void *src, /* I - Data source */
+ bufptr += 2 + n;
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
++ if ((bufptr + 2 + n) > bufend)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ _("IPP string length overflows value."), 1);
diff -Nru cups-2.2.10/debian/patches/series cups-2.2.10/debian/patches/series
--- cups-2.2.10/debian/patches/series 2020-11-28 12:09:48.000000000 +0100
+++ cups-2.2.10/debian/patches/series 2022-02-23 22:03:02.000000000 +0100
@@ -50,3 +50,4 @@
0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
0052-backend-scheduler-ipp.c-Fix-printer-alert-invalid-fr.patch
+0053-CVE-2020-10001.patch
Reply to: