
Bug#1036548: unblock: cups-filters/1.28.17-3



Hi,

On Tue, May 23, 2023 at 03:55:26PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Mon, May 22, 2023 at 09:39:34AM +0000, Thorsten Alteholz wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> > 
> > Please unblock and age package cups-filters
> > 
> > [ Reason ]
> > CVE-2023-24805 (RCE due to missing input sanitising)
> > 
> > [ Impact ]
> > The user would be vulnerable to remote code execution.
> > 
> > [ Tests ]
> > There is no special test for this patch, only a POC that no
> > longer worked after applying the patch.
> > 
> > [ Risks ]
> > The patch was provided by upstream and approved by the security team
> > (upload to Bullseye already done).
> > 
> > [ Checklist ]
> >   [x] all changes are documented in the d/changelog
> >   [x] I reviewed all changes and I approve them
> >   [x] attach debdiff against the package in testing
> > 
> > unblock cups-filters/1.28.17-3
> 
> FWIW, it was as well for bullseye released via a DSA. Thorsten, there
> seems to be as well a piuparts regression blocking it, can you have a
> look?

Looking at the log from
https://piuparts.debian.org/sid/fail/cups-browsed_1.28.17-3.log it
looks like this can be ignored, as it is due to the adduser and piuparts
situation.

Regards,
Salvatore

