[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1039862: marked as done (bookworm-pu: cpdb-libs/1.2.0-2+deb12u1)

Your message dated Sat, 22 Jul 2023 13:19:42 +0000
with message-id <E1qNCWM-005rqM-4R@coccia.debian.org>
and subject line Released with 12.1
has caused the Debian Bug report #1039862,
regarding bookworm-pu: cpdb-libs/1.2.0-2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1039862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039862
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
The attached debdiff for cpdb-libs fixes CVE-2023-34095 Bookworm. This CVE has been marked as no-dsa by the security team. 

The fix just restricts the usable buffer and should have no side effects.

  Thorsten

diff -Nru cpdb-libs-1.2.0/debian/changelog cpdb-libs-1.2.0/debian/changelog
--- cpdb-libs-1.2.0/debian/changelog	2023-01-12 22:03:02.000000000 +0100
+++ cpdb-libs-1.2.0/debian/changelog	2023-06-27 22:03:02.000000000 +0200
@@ -1,3 +1,10 @@
+cpdb-libs (1.2.0-2+deb12u1) bookworm; urgency=medium
+
+  * CVE-2023-34095 (Closes: #1038253)
+    buffer overflow via improper use of scanf()/fscanf()
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Tue, 27 Jun 2023 22:03:02 +0200
+
 cpdb-libs (1.2.0-2) unstable; urgency=medium
 
   * source upload
diff -Nru cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch
--- cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch	1970-01-01 01:00:00.000000000 +0100
+++ cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch	2023-06-27 22:03:02.000000000 +0200
@@ -0,0 +1,161 @@
+Description: backported fix for CVE-2023-34095
+Index: cpdb-libs/demo/print_frontend.c
+===================================================================
+--- cpdb-libs.orig/demo/print_frontend.c	2023-06-28 06:57:31.699739106 +0200
++++ cpdb-libs/demo/print_frontend.c	2023-06-28 08:01:19.416613086 +0200
+@@ -48,7 +48,7 @@
+     {
+         printf("> ");
+         fflush(stdout);
+-        scanf("%s", buf);
++        scanf("%99s", buf);
+         if (strcmp(buf, "stop") == 0)
+         {
+             disconnect_from_dbus(f);
+@@ -84,7 +84,7 @@
+         {
+             char printer_id[100];
+             char backend_name[100];
+-            scanf("%s%s", printer_id, backend_name);
++            scanf("%99s%99s", printer_id, backend_name);
+             g_message("Getting all attributes ..\n");
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ 
+@@ -106,7 +106,7 @@
+         else if (strcmp(buf, "get-default") == 0)
+         {
+             char printer_id[100], backend_name[100], option_name[100];
+-            scanf("%s%s%s", option_name, printer_id, backend_name);
++            scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             char *ans = get_default(p, option_name);
+             if (!ans)
+@@ -117,7 +117,7 @@
+         else if (strcmp(buf, "get-setting") == 0)
+         {
+             char printer_id[100], backend_name[100], setting_name[100];
+-            scanf("%s%s%s", setting_name, printer_id, backend_name);
++            scanf("%99s%99s%99s", setting_name, printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             char *ans = get_setting(p, setting_name);
+             if (!ans)
+@@ -128,7 +128,7 @@
+         else if (strcmp(buf, "get-current") == 0)
+         {
+             char printer_id[100], backend_name[100], option_name[100];
+-            scanf("%s%s%s", option_name, printer_id, backend_name);
++            scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             char *ans = get_current(p, option_name);
+             if (!ans)
+@@ -139,7 +139,7 @@
+         else if (strcmp(buf, "add-setting") == 0)
+         {
+             char printer_id[100], backend_name[100], option_name[100], option_val[100];
+-            scanf("%s %s %s %s", option_name, option_val, printer_id, backend_name);
++            scanf("%99s %99s %99s %99s", option_name, option_val, printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             printf("%s : %s\n", option_name, option_val);
+             add_setting_to_printer(p, get_string_copy(option_name), get_string_copy(option_val));
+@@ -147,7 +147,7 @@
+         else if (strcmp(buf, "clear-setting") == 0)
+         {
+             char printer_id[100], backend_name[100], option_name[100];
+-            scanf("%s%s%s", option_name, printer_id, backend_name);
++            scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             clear_setting_from_printer(p, option_name);
+         }
+@@ -155,7 +155,7 @@
+         {
+             char printer_id[100];
+             char backend_name[100];
+-            scanf("%s%s", printer_id, backend_name);
++            scanf("%99s%99s", printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             printf("%s\n", get_state(p));
+         }
+@@ -163,7 +163,7 @@
+         {
+             char printer_id[100];
+             char backend_name[100];
+-            scanf("%s%s", printer_id, backend_name);
++            scanf("%99s%99s", printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             printf("Accepting jobs ? : %d \n", is_accepting_jobs(p));
+         }
+@@ -174,14 +174,14 @@
+         else if (strcmp(buf, "ping") == 0)
+         {
+             char printer_id[100], backend_name[100];
+-            scanf("%s%s", printer_id, backend_name);
++            scanf("%99s%99s", printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             print_backend_call_ping_sync(p->backend_proxy, p->id, NULL, NULL);
+         }
+         else if (strcmp(buf, "get-default-printer") == 0)
+         {
+             char backend_name[100];
+-            scanf("%s", backend_name);
++            scanf("%99s", backend_name);
+             /**
+              * Backend name = The last part of the backend dbus service
+              * Eg. "CUPS" or "GCP"
+@@ -191,7 +191,7 @@
+         else if (strcmp(buf, "print-file") == 0)
+         {
+             char printer_id[100], backend_name[100], file_path[200];
+-            scanf("%s%s%s", file_path, printer_id, backend_name);
++            scanf("%199s%99s%99s", file_path, printer_id, backend_name);
+             /**
+              * Try adding some settings here .. change them and experiment
+              */
+@@ -201,7 +201,7 @@
+             {
+               char final_file_path[200];
+               printf("Please give the final file path: ");
+-              scanf("%s", final_file_path);
++              scanf("%199s", final_file_path);
+               print_file_path(p, file_path, final_file_path);
+               continue;
+             }
+@@ -213,7 +213,7 @@
+         {
+             char printer_id[100];
+             char backend_name[100];
+-            scanf("%s%s", printer_id, backend_name);
++            scanf("%99s%99s", printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             printf("%d jobs currently active.\n", get_active_jobs_count(p));
+         }
+@@ -235,7 +235,7 @@
+             char printer_id[100];
+             char backend_name[100];
+             char job_id[100];
+-            scanf("%s%s%s", job_id, printer_id, backend_name);
++            scanf("%99s%99s%99s", job_id, printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             if (cancel_job(p, job_id))
+                 printf("Job %s has been cancelled.\n", job_id);
+@@ -247,7 +247,7 @@
+             char printer_id[100];
+             char backend_name[100];
+             char job_id[100];
+-            scanf("%s%s", printer_id, backend_name);
++            scanf("%99s%99s", printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             pickle_printer_to_file(p, "/tmp/.printer-pickle", f);
+         }
+Index: cpdb-libs/lib/frontend_helper.c
+===================================================================
+--- cpdb-libs.orig/lib/frontend_helper.c	2023-06-28 06:57:31.699739106 +0200
++++ cpdb-libs/lib/frontend_helper.c	2023-06-28 07:57:11.168548682 +0200
+@@ -171,7 +171,7 @@
+ 
+     FILE *file = fopen(path, "r");
+     char obj_path[200];
+-    fscanf(file, "%s", obj_path);
++    fscanf(file, "%199s", obj_path);
+     fclose(file);
+     free(path);
+     GError *error = NULL;
diff -Nru cpdb-libs-1.2.0/debian/patches/series cpdb-libs-1.2.0/debian/patches/series
--- cpdb-libs-1.2.0/debian/patches/series	2023-01-08 19:03:02.000000000 +0100
+++ cpdb-libs-1.2.0/debian/patches/series	2023-06-27 22:03:02.000000000 +0200
@@ -1,2 +1,3 @@
+CVE-2023-34095.patch
 no-profiling.patch
 manually-hardening.patch

--- End Message ---
--- Begin Message --- 
Version: 12.1

The upload requested in this bug has been released as part of 12.1.

--- End Message ---
Reply to: