--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: bookworm-pu: cups/2.4.2-3+deb12u1
- From: Thorsten Alteholz <debian@alteholz.de>
- Date: Sat, 24 Jun 2023 17:44:43 +0000 (UTC)
- Message-id: <alpine.DEB.2.21.2306241739070.18212@postfach.intern.alteholz.me>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
The attached debdiff for cups fixes CVE-2023-32324 and CVE-2023-34241 in
Bookworm. Both CVEs have been marked as no-dsa by the security team.
The same fixes have already been uploaded to Unstable and nobody
has complained yet.
Thorsten
diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-03-26 10:54:05.000000000 +0200
+++ cups-2.4.2/debian/changelog 2023-06-24 10:54:05.000000000 +0200
@@ -1,3 +1,14 @@
+cups (2.4.2-3+deb12u1) bookworm; urgency=medium
+
+ * CVE-2023-34241 (Closes: #1038885)
+ use-after-free in cupsdAcceptClient()
+
+ * CVE-2023-32324
+ A heap buffer overflow vulnerability would allow a remote attacker to
+ lauch a dos attack.
+
+ -- Thorsten Alteholz <debian@alteholz.de> Sat, 24 Jun 2023 10:54:05 +0200
+
cups (2.4.2-3) unstable; urgency=medium
[ Helge Kreutzmann ]
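Review bot: typo in the CVE-2023-32324 changelog entry: "lauch a dos attack" should read "launch a DoS attack". The CVE-2023-34241 entry carries a "(Closes: #1038885)" reference while the CVE-2023-32324 entry has none; if a Debian bug is open for that CVE, add the matching Closes: so the BTS is updated by the upload, and consider naming the affected function (_cups_strlcpy in cups/string.c) the way the first entry names cupsdAcceptClient().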
diff -Nru cups-2.4.2/debian/patches/0013-CVE-2023-32324.patch cups-2.4.2/debian/patches/0013-CVE-2023-32324.patch
--- cups-2.4.2/debian/patches/0013-CVE-2023-32324.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-2.4.2/debian/patches/0013-CVE-2023-32324.patch 2023-06-24 10:54:05.000000000 +0200
@@ -0,0 +1,29 @@
+From: Thorsten Alteholz <debian@alteholz.de>
+Date: Sat, 24 Jun 2023 11:06:49 +0200
+Subject: CVE-2023-32324
+
+---
+ cups/string.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/cups/string.c b/cups/string.c
+index 93cdad1..1f81d60 100644
+--- a/cups/string.c
++++ b/cups/string.c
+@@ -1,6 +1,7 @@
+ /*
+ * String functions for CUPS.
+ *
++ * Copyright © 2023 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products.
+ *
+@@ -729,6 +730,8 @@ _cups_strlcpy(char *dst, /* O - Destination string */
+ {
+ size_t srclen; /* Length of source string */
+
++ if (size == 0)
++ return (0);
+
+ /*
+ * Figure out how much room is needed...
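Review bot: the patch header has only From/Date/Subject and no DEP-3 Origin or Bug fields, so a reader cannot tell whether this is the upstream commit or a local backport; add an Origin: line pointing at the upstream fix plus Bug:/Bug-Debian: lines. On the code, the new `if (size == 0) return (0);` leaves _cups_strlcpy() before srclen is computed and before any byte is written to dst, which is what closes the overflow for a zero-sized destination, but it also means a caller that sizes a retry from the return value now sees 0 rather than the source length; a short comment above the check stating why a zero-sized buffer is handled as a no-op would make that intent explicit.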
diff -Nru cups-2.4.2/debian/patches/0014-CVE-2023-34241.patch cups-2.4.2/debian/patches/0014-CVE-2023-34241.patch
--- cups-2.4.2/debian/patches/0014-CVE-2023-34241.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-2.4.2/debian/patches/0014-CVE-2023-34241.patch 2023-06-24 10:54:05.000000000 +0200
@@ -0,0 +1,57 @@
+From: Thorsten Alteholz <debian@alteholz.de>
+Date: Sat, 24 Jun 2023 11:07:10 +0200
+Subject: CVE-2023-34241
+
+---
+ scheduler/client.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index e7e419f..441c1d7 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ /*
+ * Can't have an unresolved IP address with double-lookups enabled...
+ */
+-
+- httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+- "Name lookup failed - connection from %s closed!",
++ "Name lookup failed - closing connection from %s!",
+ httpGetHostname(con->http, NULL, 0));
+
++ httpClose(con->http);
+ free(con);
+ return;
+ }
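Review bot: moving httpClose(con->http) below the cupsdLogClient() call means httpGetHostname(con->http, NULL, 0) now reads con->http while it is still live, which is the use-after-free fix; the hunk also rewords the message from "connection from %s closed!" to "closing connection from %s!", which the fix does not need and which changes a string that log monitoring may match on. For a stable update either keep the original wording or state in the patch header that the wording follows the upstream commit.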
+@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ * with double-lookups enabled...
+ */
+
+- httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+- "IP lookup failed - connection from %s closed!",
++ "IP lookup failed - closing connection from %s!",
+ httpGetHostname(con->http, NULL, 0));
++
++ httpClose(con->http);
+ free(con);
+ return;
+ }
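Review bot: same pattern as the name-lookup path above: the reorder of httpClose() after the log call is the fix, but the message text also changes from "IP lookup failed - connection from %s closed!" to "IP lookup failed - closing connection from %s!"; keep that wording change only if it mirrors upstream, since the security fix itself needs only the httpClose() move.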
+@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+
+ if (!hosts_access(&wrap_req))
+ {
+- httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+ "Connection from %s refused by /etc/hosts.allow and "
+ "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
++
++ httpClose(con->http);
+ free(con);
+ return;
+ }
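Review bot: this hunk moves httpClose(con->http) below the cupsdLogClient() call without touching the message text, which is the minimal form of the fix, so the three exit paths in cupsdAcceptClient() now differ in style (two reworded, one not). All three now end in the same log, httpClose(con->http), free(con), return sequence; a comment at the first site noting that con->http must stay open until after the last httpGetHostname() call would help prevent the ordering from being reintroduced.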
diff -Nru cups-2.4.2/debian/patches/series cups-2.4.2/debian/patches/series
--- cups-2.4.2/debian/patches/series 2023-03-26 10:54:05.000000000 +0200
+++ cups-2.4.2/debian/patches/series 2023-06-24 10:54:05.000000000 +0200
@@ -10,3 +10,5 @@
0015-Debian-Reproducibility-Do-not-run-stp-tests-as-root.patch
0016-Debian-po4a-infrastructure-and-translations-for-manp.patch
0012-add-pt.patch
+0013-CVE-2023-32324.patch
+0014-CVE-2023-34241.patch
--- End Message ---