Bug#1039862: bookworm-pu: cpdb-libs/1.2.0-2+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
The attached debdiff for cpdb-libs fixes CVE-2023-34095 in Bookworm. This CVE
has been marked as no-dsa by the security team.
The fix just restricts the usable buffer and should have no side effects.
Thorsten
diff -Nru cpdb-libs-1.2.0/debian/changelog cpdb-libs-1.2.0/debian/changelog
--- cpdb-libs-1.2.0/debian/changelog 2023-01-12 22:03:02.000000000 +0100
+++ cpdb-libs-1.2.0/debian/changelog 2023-06-27 22:03:02.000000000 +0200
@@ -1,3 +1,10 @@
+cpdb-libs (1.2.0-2+deb12u1) bookworm; urgency=medium
+
+ * CVE-2023-34095 (Closes: #1038253)
+ buffer overflow via improper use of scanf()/fscanf()
+
+ -- Thorsten Alteholz <debian@alteholz.de> Tue, 27 Jun 2023 22:03:02 +0200
+
cpdb-libs (1.2.0-2) unstable; urgency=medium
* source upload
diff -Nru cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch
--- cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch 1970-01-01 01:00:00.000000000 +0100
+++ cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch 2023-06-27 22:03:02.000000000 +0200
@@ -0,0 +1,161 @@
+Description: backported fix for CVE-2023-34095
+Index: cpdb-libs/demo/print_frontend.c
+===================================================================
+--- cpdb-libs.orig/demo/print_frontend.c 2023-06-28 06:57:31.699739106 +0200
++++ cpdb-libs/demo/print_frontend.c 2023-06-28 08:01:19.416613086 +0200
+@@ -48,7 +48,7 @@
+ {
+ printf("> ");
+ fflush(stdout);
+- scanf("%s", buf);
++ scanf("%99s", buf);
+ if (strcmp(buf, "stop") == 0)
+ {
+ disconnect_from_dbus(f);
+@@ -84,7 +84,7 @@
+ {
+ char printer_id[100];
+ char backend_name[100];
+- scanf("%s%s", printer_id, backend_name);
++ scanf("%99s%99s", printer_id, backend_name);
+ g_message("Getting all attributes ..\n");
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+
+@@ -106,7 +106,7 @@
+ else if (strcmp(buf, "get-default") == 0)
+ {
+ char printer_id[100], backend_name[100], option_name[100];
+- scanf("%s%s%s", option_name, printer_id, backend_name);
++ scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ char *ans = get_default(p, option_name);
+ if (!ans)
+@@ -117,7 +117,7 @@
+ else if (strcmp(buf, "get-setting") == 0)
+ {
+ char printer_id[100], backend_name[100], setting_name[100];
+- scanf("%s%s%s", setting_name, printer_id, backend_name);
++ scanf("%99s%99s%99s", setting_name, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ char *ans = get_setting(p, setting_name);
+ if (!ans)
+@@ -128,7 +128,7 @@
+ else if (strcmp(buf, "get-current") == 0)
+ {
+ char printer_id[100], backend_name[100], option_name[100];
+- scanf("%s%s%s", option_name, printer_id, backend_name);
++ scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ char *ans = get_current(p, option_name);
+ if (!ans)
+@@ -139,7 +139,7 @@
+ else if (strcmp(buf, "add-setting") == 0)
+ {
+ char printer_id[100], backend_name[100], option_name[100], option_val[100];
+- scanf("%s %s %s %s", option_name, option_val, printer_id, backend_name);
++ scanf("%99s %99s %99s %99s", option_name, option_val, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ printf("%s : %s\n", option_name, option_val);
+ add_setting_to_printer(p, get_string_copy(option_name), get_string_copy(option_val));
+@@ -147,7 +147,7 @@
+ else if (strcmp(buf, "clear-setting") == 0)
+ {
+ char printer_id[100], backend_name[100], option_name[100];
+- scanf("%s%s%s", option_name, printer_id, backend_name);
++ scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ clear_setting_from_printer(p, option_name);
+ }
+@@ -155,7 +155,7 @@
+ {
+ char printer_id[100];
+ char backend_name[100];
+- scanf("%s%s", printer_id, backend_name);
++ scanf("%99s%99s", printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ printf("%s\n", get_state(p));
+ }
+@@ -163,7 +163,7 @@
+ {
+ char printer_id[100];
+ char backend_name[100];
+- scanf("%s%s", printer_id, backend_name);
++ scanf("%99s%99s", printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ printf("Accepting jobs ? : %d \n", is_accepting_jobs(p));
+ }
+@@ -174,14 +174,14 @@
+ else if (strcmp(buf, "ping") == 0)
+ {
+ char printer_id[100], backend_name[100];
+- scanf("%s%s", printer_id, backend_name);
++ scanf("%99s%99s", printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ print_backend_call_ping_sync(p->backend_proxy, p->id, NULL, NULL);
+ }
+ else if (strcmp(buf, "get-default-printer") == 0)
+ {
+ char backend_name[100];
+- scanf("%s", backend_name);
++ scanf("%99s", backend_name);
+ /**
+ * Backend name = The last part of the backend dbus service
+ * Eg. "CUPS" or "GCP"
+@@ -191,7 +191,7 @@
+ else if (strcmp(buf, "print-file") == 0)
+ {
+ char printer_id[100], backend_name[100], file_path[200];
+- scanf("%s%s%s", file_path, printer_id, backend_name);
++ scanf("%199s%99s%99s", file_path, printer_id, backend_name);
+ /**
+ * Try adding some settings here .. change them and experiment
+ */
+@@ -201,7 +201,7 @@
+ {
+ char final_file_path[200];
+ printf("Please give the final file path: ");
+- scanf("%s", final_file_path);
++ scanf("%199s", final_file_path);
+ print_file_path(p, file_path, final_file_path);
+ continue;
+ }
+@@ -213,7 +213,7 @@
+ {
+ char printer_id[100];
+ char backend_name[100];
+- scanf("%s%s", printer_id, backend_name);
++ scanf("%99s%99s", printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ printf("%d jobs currently active.\n", get_active_jobs_count(p));
+ }
+@@ -235,7 +235,7 @@
+ char printer_id[100];
+ char backend_name[100];
+ char job_id[100];
+- scanf("%s%s%s", job_id, printer_id, backend_name);
++ scanf("%99s%99s%99s", job_id, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ if (cancel_job(p, job_id))
+ printf("Job %s has been cancelled.\n", job_id);
+@@ -247,7 +247,7 @@
+ char printer_id[100];
+ char backend_name[100];
+ char job_id[100];
+- scanf("%s%s", printer_id, backend_name);
++ scanf("%99s%99s", printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ pickle_printer_to_file(p, "/tmp/.printer-pickle", f);
+ }
+Index: cpdb-libs/lib/frontend_helper.c
+===================================================================
+--- cpdb-libs.orig/lib/frontend_helper.c 2023-06-28 06:57:31.699739106 +0200
++++ cpdb-libs/lib/frontend_helper.c 2023-06-28 07:57:11.168548682 +0200
+@@ -171,7 +171,7 @@
+
+ FILE *file = fopen(path, "r");
+ char obj_path[200];
+- fscanf(file, "%s", obj_path);
++ fscanf(file, "%199s", obj_path);
+ fclose(file);
+ free(path);
+ GError *error = NULL;
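Review bot: The results of `fopen()` and `fscanf()` in the lib/frontend_helper.c hunk are still unchecked, so a missing, empty or whitespace-only file leaves `obj_path` uninitialised (or hands a NULL stream to `fscanf`/`fclose`) even though the `%199s` width now bounds the write. Guarding the read with `if (file == NULL || fscanf(file, "%199s", obj_path) != 1)` and taking the function's error path would close that; the enclosing function starts and ends outside the hunk, so the correct cleanup and return value cannot be stated from here. The same unchecked-return pattern applies to every `scanf()` call changed in demo/print_frontend.c, where on EOF or a short read the `printer_id`/`backend_name` buffers reach `find_PrinterObj()` uninitialised. The widths are hand-copied from the array sizes, and the declaration of `buf` for the first `scanf("%99s", buf)` is not visible in its hunk, so it is worth confirming that `buf` holds at least 100 bytes. Separately, the fixed path `/tmp/.printer-pickle` in the last print_frontend.c hunk is predictable in a world-writable directory; whether that allows clobbering depends on how `pickle_printer_to_file()` opens it, which the hunk does not show.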
diff -Nru cpdb-libs-1.2.0/debian/patches/series cpdb-libs-1.2.0/debian/patches/series
--- cpdb-libs-1.2.0/debian/patches/series 2023-01-08 19:03:02.000000000 +0100
+++ cpdb-libs-1.2.0/debian/patches/series 2023-06-27 22:03:02.000000000 +0200
@@ -1,2 +1,3 @@
+CVE-2023-34095.patch
no-profiling.patch
manually-hardening.patch