Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2
Control: tags 1052361 - moreinfo
Hi Adam,
On Sat, 23 Sep 2023, Adam D. Barratt wrote:
Hmm. Is there a better way we can point users to the required change
here that doesn't require them knowing how to find patches applied to
the source package?
yes, *sigh* the wording was bad and I also mangled the version numbers,
sorry.
What do you think of this version, which was thankfully provided by
IOhannes?
Thorsten
diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-06-24 10:54:05.000000000 +0200
+++ cups-2.4.2/debian/changelog 2023-09-19 21:20:27.000000000 +0200
@@ -1,3 +1,12 @@
+cups (2.4.2-3+deb12u2) bookworm; urgency=medium
+
+ * CVE-2023-4504
+ Postscript parsing heap-based buffer overflow
+ * CVE-2023-32360 (Closes: #1051953)
+ authentication issue
+
+ -- Thorsten Alteholz <debian@alteholz.de> Tue, 19 Sep 2023 21:20:27 +0200
+
cups (2.4.2-3+deb12u1) bookworm; urgency=medium
* CVE-2023-34241 (Closes: #1038885)
diff -Nru cups-2.4.2/debian/cups-daemon.NEWS cups-2.4.2/debian/cups-daemon.NEWS
--- cups-2.4.2/debian/cups-daemon.NEWS 2023-06-22 23:22:40.000000000 +0200
+++ cups-2.4.2/debian/cups-daemon.NEWS 2023-09-19 21:20:27.000000000 +0200
@@ -1,3 +1,20 @@
+cups (2.4.2-3+deb12u2) bookworm; urgency=medium
+
+ This release addresses a security issue (CVE-2023-32360) which allows
+ unauthorized users to fetch documents over local or remote networks.
+ Since this is a configuration fix, it might be that it does not reach you if you
+ are updating 'cups-daemon' (rather than doing a fresh installation).
+ Please double check your /etc/cups/cupds.conf file, whether it limits the access
+ to CUPS-Get-Document with something like the following
+ > <Limit CUPS-Get-Document>
+ > AuthType Default
+ > Require user @OWNER @SYSTEM
+ > Order deny,allow
+ > </Limit>
+ (The important line is the 'AuthType Default' in this section)
+
+ -- Thorsten Alteholz <debian@alteholz.de> Tue, 19 Sep 2023 21:20:27 +0200
+
cups (2.1.4-3) unstable; urgency=low
The default ErrorPolicy is changed from 'stop-printer' to 'retry-job',
diff -Nru cups-2.4.2/debian/NEWS.Debian cups-2.4.2/debian/NEWS.Debian
--- cups-2.4.2/debian/NEWS.Debian 1970-01-01 01:00:00.000000000 +0100
+++ cups-2.4.2/debian/NEWS.Debian 2023-09-19 21:20:27.000000000 +0200
@@ -0,0 +1,16 @@
+cups (2.4.2-3+deb12u2) bookworm; urgency=medium
+
+ This release addresses a security issue (CVE-2023-32360) which allows
+ unauthorized users to fetch documents over local or remote networks.
+ Since this is a configuration fix, it might be that it does not reach you if you
+ are updating 'cups-daemon' (rather than doing a fresh installation).
+ Please double check your /etc/cups/cupds.conf file, whether it limits the access
+ to CUPS-Get-Document with something like the following
+ > <Limit CUPS-Get-Document>
+ > AuthType Default
+ > Require user @OWNER @SYSTEM
+ > Order deny,allow
+ > </Limit>
+ (The important line is the 'AuthType Default' in this section)
+
+ -- Thorsten Alteholz <debian@alteholz.de> Tue, 19 Sep 2023 21:20:27 +0200
diff -Nru cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch
--- cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch 2023-09-19 21:20:27.000000000 +0200
@@ -0,0 +1,33 @@
+From: Thorsten Alteholz <debian@alteholz.de>
+Date: Wed, 20 Sep 2023 04:55:44 +0200
+Subject: CVE-2023-4504
+
+---
+ cups/raster-interpret.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
+index fbe52f3..89ef158 100644
+--- a/cups/raster-interpret.c
++++ b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */
+
+ cur ++;
+
+- if (*cur == 'b')
++ /*
++ * Return NULL if we reached NULL terminator, a lone backslash
++ * is not a valid character in PostScript.
++ */
++
++ if (!*cur)
++ {
++ *ptr = NULL;
++
++ return (NULL);
++ }
++
++ if (*cur == 'b')
+ *valptr++ = '\b';
+ else if (*cur == 'f')
+ *valptr++ = '\f';
diff -Nru cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch
--- cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 2023-09-19 21:20:27.000000000 +0200
@@ -0,0 +1,27 @@
+From: Thorsten Alteholz <debian@alteholz.de>
+Date: Wed, 20 Sep 2023 04:56:47 +0200
+Subject: CVE-2023-32360
+
+---
+ conf/cupsd.conf.in | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index b258849..a07536f 100644
+--- a/conf/cupsd.conf.in
++++ b/conf/cupsd.conf.in
+@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
+ Order deny,allow
+ </Limit>
+
+- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
++ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
++ Require user @OWNER @SYSTEM
++ Order deny,allow
++ </Limit>
++
++ <Limit CUPS-Get-Document>
++ AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
diff -Nru cups-2.4.2/debian/patches/series cups-2.4.2/debian/patches/series
--- cups-2.4.2/debian/patches/series 2023-06-24 10:54:05.000000000 +0200
+++ cups-2.4.2/debian/patches/series 2023-09-19 21:20:27.000000000 +0200
@@ -12,3 +12,5 @@
0012-add-pt.patch
0013-CVE-2023-32324.patch
0014-CVE-2023-34241.patch
+0015-CVE-2023-4504.patch
+0016-CVE-2023-32360.patch
Reply to: