Package: release.debian.org Severity: normal Tags: wheezy squeeze User: release.debian....@packages.debian.org Usertags: pu
Dear release team, I've noticed through the PTS/security-tracker that CVE-2014-2856 wasn't fixed in {old,}stable for src:cups. I went with these patches to the security team who directed me to {old,}stable updates. Debdiffs against the respective versions are attached. I'd also like to take the opportunity to fix #737709 in stable (severity: important), please advise. Thanks in advance, cheers, OdyX
diff --git a/debian/changelog b/debian/changelog index 4dc5f32..d679a97 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +cups (1.4.4-7+squeeze5) oldstable-security; urgency=high + + * Import upstream patch to fix XSS in the CUPS webinterface (STR #4356), + fixes CVE-2014-2856 + + -- Didier Raboud <o...@debian.org> Mon, 28 Apr 2014 22:26:57 +0200 + cups (1.4.4-7+squeeze4) oldstable-security; urgency=high * Backport security fix from cups-filters 1.0.47: diff --git a/debian/patches/00list b/debian/patches/00list index c6a7d40..bec5b98 100644 --- a/debian/patches/00list +++ b/debian/patches/00list @@ -1,4 +1,5 @@ -# patches backported from upstream SVN trunk for 1.5: +# patches backported from upstream SVN trunk for 1.6: +fix-xss-in-cups-webinterface-str43576.dpatch # patches accepted and committed upstream for next 1.4: CVE-2010-2941.dpatch diff --git a/debian/patches/fix-xss-in-cups-webinterface-str43576.dpatch b/debian/patches/fix-xss-in-cups-webinterface-str43576.dpatch new file mode 100755 index 0000000..b425f05 --- /dev/null +++ b/debian/patches/fix-xss-in-cups-webinterface-str43576.dpatch @@ -0,0 +1,25 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +# Description: Fix XSS in CUPS web interface +# Author: Michael Sweet <msw...@apple.com> +# Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-2856 +# Bug: http://www.cups.org/str.php?L4356 +# Last-Update: 2014-02-19 + +@DPATCH@ +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -4075,6 +4075,14 @@ + return (0); + + /* ++ * Check for "<" or quotes in the path and reject since this is probably ++ * someone trying to inject HTML... ++ */ ++ ++ if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL) ++ return (0); ++ ++ /* + * Check for "/.." in the path... + */ +
diff --git a/debian/changelog b/debian/changelog index f945070..808459d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +cups (1.5.3-5+deb7u2) wheezy-security; urgency=high + + * Add patch to fix hungarian templates syntax typos (Closes: #737709) + * Import upstream patch to fix XSS in the CUPS webinterface (STR #4356), + fixes CVE-2014-2856 + + -- Didier Raboud <o...@debian.org> Mon, 28 Apr 2014 22:28:04 +0200 + cups (1.5.3-5+deb7u1) stable; urgency=low [ Tim Waugh ] diff --git a/debian/patches/fix-xss-in-cups-webinterface-str43576.patch b/debian/patches/fix-xss-in-cups-webinterface-str43576.patch new file mode 100644 index 0000000..a89ff23 --- /dev/null +++ b/debian/patches/fix-xss-in-cups-webinterface-str43576.patch @@ -0,0 +1,22 @@ +Description: Fix XSS in CUPS web interface +Author: Michael Sweet <msw...@apple.com> +Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-2856 +Bug: http://www.cups.org/str.php?L4356 +Last-Update: 2014-02-19 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -4075,6 +4075,14 @@ + return (0); + + /* ++ * Check for "<" or quotes in the path and reject since this is probably ++ * someone trying to inject HTML... ++ */ ++ ++ if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL) ++ return (0); ++ ++ /* + * Check for "/.." in the path... + */ + diff --git a/debian/patches/fix_hungarian_templates.patch b/debian/patches/fix_hungarian_templates.patch new file mode 100644 index 0000000..ff9920c --- /dev/null +++ b/debian/patches/fix_hungarian_templates.patch @@ -0,0 +1,25 @@ +Description: Fix Hungarian templates translations syntax errors. +Bug-Debian: http://bugs.debian.org/737709 +Origin: vendor +Forwarded: https://cups.org/str.php?L4362 +Author: Didier Raboud <o...@debian.org> +Last-Update: 2014-02-05 + +--- a/templates/hu/printers-header.tmpl ++++ b/templates/hu/printers-header.tmpl +@@ -1 +1 @@ +-<P ALIGN="CENTER">{total=0?Nincsenek nyomtatók:{total} nyomtatóból {#printer_name} megjelenítve.</P> ++<P ALIGN="CENTER">{total=0?Nincsenek nyomtatók:{total} nyomtatóból {#printer_name} megjelenítve}.</P> +--- a/templates/hu/classes-header.tmpl ++++ b/templates/hu/classes-header.tmpl +@@ -1 +1 @@ +-<P ALIGN="CENTER">{total=0?Nincsenek osztályok:{total} osztályból {#printer_name} megjelenítve.</P> ++<P ALIGN="CENTER">{total=0?Nincsenek osztályok:{total} osztályból {#printer_name} megjelenítve}.</P> +--- a/templates/hu/jobs-header.tmpl ++++ b/templates/hu/jobs-header.tmpl +@@ -4,4 +4,4 @@ + + <P ALIGN="CENTER">{total=0?Nincsenek feladatok:{total} + {?which_jobs=?aktív:{which_jobs=all?:befejezett}} feladatból {#job_id} +-megjelenítve.</P> ++megjelenítve}.</P> diff --git a/debian/patches/series b/debian/patches/series index eabd6dc..3e576cc 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,4 +1,5 @@ # patches accepted and committed upstream: +fix-xss-in-cups-webinterface-str43576.patch split-configuration-files-STR4223.patch # patches sent upstream @@ -31,6 +32,7 @@ cups-deviced-allow-device-ids-with-newline.patch cups-snmp-oids-device-id-hp-ricoh.patch configure-default-browse-protocols.patch fix_russian_japanese_templates.patch +fix_hungarian_templates.patch # Debian patches add-ipp-backend-of-cups-1.4.patch