Your message dated Tue, 23 May 2023 21:44:16 +0200
with message-id <a24bedd4-86f0-069c-871b-78c334aa6ce6@debian.org>
and subject line Re: Bug#1036548: unblock: cups-filters/1.28.17-3
has caused the Debian Bug report #1036548,
regarding unblock: cups-filters/1.28.17-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1036548: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036548
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: unblock: cups-filters/1.28.17-3
- From: Thorsten Alteholz <debian@alteholz.de>
- Date: Mon, 22 May 2023 09:39:34 +0000 (UTC)
- Message-id: <alpine.DEB.2.21.2305220938470.18066@postfach.intern.alteholz.me>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock and age package cups-filters

[ Reason ]
CVE-2023-24805 (RCE due to missing input sanitising)

[ Impact ]
The user would be vulnerable to remote code execution.

[ Tests ]
There is no special test for this patch, only a POC that no longer worked after applying the patch.

[ Risks ]
The patch was provided by upstream and approved by the security team (upload to Bullseye already done).

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock cups-filters/1.28.17-3

diff -Nru cups-filters-1.28.17/debian/changelog cups-filters-1.28.17/debian/changelog --- cups-filters-1.28.17/debian/changelog 2023-03-10 19:25:20.000000000 +0100 +++ cups-filters-1.28.17/debian/changelog 2023-05-19 18:25:20.000000000 +0200 @@ -1,3 +1,14 @@ +cups-filters (1.28.17-3) unstable; urgency=medium + + * CVE-2023-24805 + prevent arbitrary command execution by escaping the quoting + of the arguments in a job with a forged job title + more information are available in the commit message at: + https://github.com/OpenPrinting/cups-filters/commit/93e60d3df35 + (Closes: #1036224) + + -- Thorsten Alteholz <debian@alteholz.de> Fri, 19 May 2023 18:25:20 +0200 + cups-filters (1.28.17-2) unstable; urgency=medium * qpdf needs at least c++17 diff -Nru cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch --- cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch 1970-01-01 01:00:00.000000000 +0100 +++ cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch 2023-05-19 10:50:03.000000000 +0200
@@ -0,0 +1,176 @@ +From: Thorsten Alteholz <debian@alteholz.de> +Date: Fri, 19 May 2023 10:49:35 +0200 +Subject: fix CVE-2023-24805 + +--- + backend/beh.c | 107 +++++++++++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 84 insertions(+), 23 deletions(-) + +diff --git a/backend/beh.c b/backend/beh.c +index 225fd27..8d51235 100644 +--- a/backend/beh.c ++++ b/backend/beh.c +@@ -22,12 +22,13 @@ + #include "backend-private.h" + #include <cups/array.h> + #include <ctype.h> ++#include <sys/wait.h> + + /* + * Local globals... + */ + +-static int job_canceled = 0; /* Set to 1 on SIGTERM */ ++static volatile int job_canceled = 0; /* Set to 1 on SIGTERM */ + + /* + * Local functions... +@@ -213,21 +214,40 @@ call_backend(char *uri, /* I - URI of final destination */ + char **argv, /* I - Command-line arguments */ + char *filename) { /* I - File name of input data */ + const char *cups_serverbin; /* Location of programs */ ++ char *backend_argv[8]; /* Arguments for backend */ + char scheme[1024], /* Scheme from URI */ + *ptr, /* Pointer into scheme */ +- cmdline[65536]; /* Backend command line */ +- int retval; ++ backend_path[2048]; /* Backend path */ ++ int pid = 0, /* Process ID of backend */ ++ wait_pid, /* Process ID from wait() */ ++ wait_status, /* Status from child */ ++ retval = 0; ++ int bytes; + + /* + * Build the backend command line... 
+ */ + +- strncpy(scheme, uri, sizeof(scheme) - 1); +- if (strlen(uri) > 1023) +- scheme[1023] = '\0'; ++ scheme[0] = '\0'; ++ strncat(scheme, uri, sizeof(scheme) - 1); + if ((ptr = strchr(scheme, ':')) != NULL) + *ptr = '\0'; +- ++ else { ++ fprintf(stderr, ++ "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme part.\n"); ++ exit (CUPS_BACKEND_FAILED); ++ } ++ if (strchr(scheme, '/')) { ++ fprintf(stderr, ++ "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n"); ++ exit (CUPS_BACKEND_FAILED); ++ } ++ if (!strcmp(scheme, ".") || !strcmp(scheme, "..")) { ++ fprintf(stderr, ++ "ERROR: beh: Invalid URI, scheme (\"%s\") is a directory.\n", ++ scheme); ++ exit (CUPS_BACKEND_FAILED); ++ } + if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL) + cups_serverbin = CUPS_SERVERBIN; + +@@ -235,16 +255,29 @@ call_backend(char *uri, /* I - URI of final destination */ + fprintf(stderr, + "ERROR: beh: Direct output into a file not supported.\n"); + exit (CUPS_BACKEND_FAILED); +- } else +- snprintf(cmdline, sizeof(cmdline), +- "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s", +- cups_serverbin, scheme, argv[1], argv[2], argv[3], +- /* Apply number of copies only if beh was called with a +- file name and not with the print data in stdin, as +- backends should handle copies only if they are called +- with a file name */ +- (argc == 6 ? "1" : argv[4]), +- argv[5], filename); ++ } ++ ++ backend_argv[0] = uri; ++ backend_argv[1] = argv[1]; ++ backend_argv[2] = argv[2]; ++ backend_argv[3] = argv[3]; ++ /* Apply number of copies only if beh was called with a file name ++ and not with the print data in stdin, as backends should handle ++ copies only if they are called with a file name */ ++ backend_argv[4] = (argc == 6 ? 
"1" : argv[4]); ++ backend_argv[5] = argv[5]; ++ backend_argv[6] = filename; ++ backend_argv[7] = NULL; ++ ++ bytes = snprintf(backend_path, sizeof(backend_path), ++ "%s/backend/%s", cups_serverbin, scheme); ++ if (bytes < 0 || bytes >= sizeof(backend_path)) ++ { ++ fprintf(stderr, ++ "ERROR: beh: Invalid scheme (\"%s\"), could not determing backend path.\n", ++ scheme); ++ return (CUPS_BACKEND_FAILED); ++ } + + /* + * Overwrite the device URI and run the actual backend... +@@ -253,18 +286,44 @@ call_backend(char *uri, /* I - URI of final destination */ + setenv("DEVICE_URI", uri, 1); + + fprintf(stderr, +- "DEBUG: beh: Executing backend command line \"%s\"...\n", +- cmdline); ++ "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s' '%s' %s\"...\n", ++ backend_path, backend_argv[1], backend_argv[2], backend_argv[3], ++ backend_argv[4], backend_argv[5], backend_argv[6]); + fprintf(stderr, + "DEBUG: beh: Using device URI: %s\n", + uri); + +- retval = system(cmdline) >> 8; ++ if ((pid = fork()) == 0) { ++ /* ++ * Child comes here... ++ */ ++ ++ /* Run the backend */ ++ execv(backend_path, backend_argv); + +- if (retval == -1) + fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n", + strerror(errno)); + ++ exit(1); ++ } else if (pid < 0) { ++ /* ++ * Unable to fork! 
++ */ ++ ++ return (CUPS_BACKEND_FAILED); ++ } ++ ++ while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR); ++ ++ if (wait_pid >= 0 && wait_status) { ++ if (WIFEXITED(wait_status)) ++ retval = WEXITSTATUS(wait_status); ++ else if (WTERMSIG(wait_status) != SIGTERM) ++ retval = WTERMSIG(wait_status); ++ else ++ retval = 0; ++ } ++ + return (retval); + } + +@@ -277,8 +336,10 @@ static void + sigterm_handler(int sig) { /* I - Signal number (unused) */ + (void)sig; + +- fprintf(stderr, +- "DEBUG: beh: Job canceled.\n"); ++ const char * const msg = "DEBUG: beh: Job canceled.\n"; ++ /* The if() is to eliminate the return value and silence the warning ++ about an unused return value. */ ++ if (write(2, msg, strlen(msg))); + + if (job_canceled) + _exit(CUPS_BACKEND_OK); diff -Nru cups-filters-1.28.17/debian/patches/series cups-filters-1.28.17/debian/patches/series --- cups-filters-1.28.17/debian/patches/series 2023-03-10 19:25:20.000000000 +0100 +++ cups-filters-1.28.17/debian/patches/series 2023-05-19 10:50:03.000000000 +0200 @@ -1,2 +1,3 @@ 0001-Force-set-INITDIR-in-configure.ac-instead-of-relying.patch 0002-qpdf-needs-at-least-c-17.patch +0003-fix-CVE-2023-24805.patch
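Review bot: grammar in the changelog hunk (`@@ -1,3 +1,14 @@`): "more information are available in the commit message" should read "more information is available in the commit message". The entry otherwise documents the CVE, the nature of the fix and the upstream commit, which is what a reviewer of the debdiff needs.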
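Review bot: in the `beh.c` hunk at `@@ -22,12 +22,13 @@`, `job_canceled` becomes `volatile int`, but because it is written from `sigterm_handler` the portable type for a flag shared with a signal handler is `volatile sig_atomic_t`. On the platforms CUPS runs on a plain `int` is accessed atomically, so this is a style point rather than a bug. The new `#include <sys/wait.h>` is required for `wait()` and the `WIFEXITED`/`WEXITSTATUS`/`WTERMSIG` macros used further down.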
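Review bot: the scheme validation in the hunk at `@@ -213,21 +214,40 @@` rejects a missing `':'`, any `'/'`, and the names `"."` and `".."`, which is what keeps `backend_path` inside `$CUPS_SERVERBIN/backend/`; an empty scheme (a URI beginning with `':'`) still passes, yielding a path that ends in `backend/`, which `execv` refuses. The failure is reported through the existing error path, so this is not exploitable, but an explicit `if (!scheme[0])` check with its own "empty scheme" message would give a clearer diagnostic. The copy via `scheme[0] = '\0'; strncat(scheme, uri, sizeof(scheme) - 1);` is correct and always NUL-terminates.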
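Review bot: typo in the new error message in the hunk at `@@ -235,16 +255,29 @@`: "could not determing backend path" should be "could not determine backend path". Two smaller points in the same hunk: `bytes` is an `int` compared against `sizeof(backend_path)`, a `size_t`, which trips `-Wsign-compare`; the `bytes < 0` test comes first so the comparison is safe, but a `(size_t)bytes` cast would keep the build warning-free. And this error path uses `return (CUPS_BACKEND_FAILED)` while the scheme checks just above use `exit (CUPS_BACKEND_FAILED)`; either is acceptable, but the two should be consistent. The substance of the hunk, passing the job fields as separate `backend_argv[]` entries instead of interpolating them into a shell command line, is exactly what closes CVE-2023-24805: the job title in `argv[3]` is no longer interpreted by a shell at all.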
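Review bot: in the hunk at `@@ -253,18 +286,44 @@` the child should leave with `_exit(1)` rather than `exit(1)` after a failed `execv`: `exit()` runs the `atexit` handlers and flushes the stdio buffers inherited from the parent, so any pending buffered output can be written twice. Also, the code already holds the backend's `pid` but reaps with `wait()`, which returns any child; `while ((wait_pid = waitpid(pid, &wait_status, 0)) < 0 && errno == EINTR);` is the idiomatic form and cannot pick up an unrelated child if one is ever added. Moving from `system()` to `fork()`/`execv()` is the correct shape of the fix; the `DEBUG:` line that still shows the arguments wrapped in single quotes is display only and nothing parses it.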
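Review bot: the `if (write(2, msg, strlen(msg)));` idiom in the hunk at `@@ -277,8 +336,10 @@` is fragile: an empty statement after `if` triggers `-Wempty-body` and reads like a missing block. Since glibc marks `write` with `warn_unused_result` under fortify and a plain `(void)` cast does not silence that, prefer `ssize_t n = write(2, msg, strlen(msg)); (void)n;` or `(void)!write(2, msg, strlen(msg));`. Replacing `fprintf` with `write` here is the right call, because `fprintf` is not async-signal-safe and must not be used in a signal handler.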
--- End Message ---
--- Begin Message ---
- To: Thorsten Alteholz <debian@alteholz.de>, 1036548-done@bugs.debian.org
- Subject: Re: Bug#1036548: unblock: cups-filters/1.28.17-3
- From: Paul Gevers <elbrus@debian.org>
- Date: Tue, 23 May 2023 21:44:16 +0200
- Message-id: <a24bedd4-86f0-069c-871b-78c334aa6ce6@debian.org>
- In-reply-to: <alpine.DEB.2.21.2305220938470.18066@postfach.intern.alteholz.me>
- References: <alpine.DEB.2.21.2305220938470.18066@postfach.intern.alteholz.me>
Hi,

On 22-05-2023 11:39, Thorsten Alteholz wrote:
> unblock cups-filters/1.28.17-3

unblocked, aged, and piuparts-ignored

Paul

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---