Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

CUPS is affected by CVE-2017-18190: remote attackers could execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. This was caused by a whitelisted "localhost.localdomain" entry.

According to the Security Team it doesn't warrant a DSA, but still makes sense to be addressed on Stretch (and Jessie). It was fixed independently on wheezy already.

The proposed debdiff is attached; can I upload to stretch? Do you need another bug for Jessie?

Cheers,
OdyX

diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog --- cups-2.2.1/debian/changelog 2017-01-31 08:00:49.000000000 +0100 +++ cups-2.2.1/debian/changelog 2018-02-22 17:51:44.000000000 +0100 @@ -1,3 +1,12 @@ +cups (2.2.1-8+deb9u1) stretch; urgency=low + + * CVE-2017-18190: Prevent an issue where remote attackers could execute + arbitrary IPP commands by sending POST requests to the CUPS daemon in + conjunction with DNS rebinding. This was caused by a whitelisted + "localhost.localdomain" entry. + + -- Didier Raboud <o...@debian.org> Thu, 22 Feb 2018 17:51:44 +0100 + cups (2.2.1-8) unstable; urgency=medium [ JP Guillonneau ] diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm --- cups-2.2.1/debian/.git-dpm 2017-01-18 14:02:35.000000000 +0100 +++ cups-2.2.1/debian/.git-dpm 2018-02-22 17:51:44.000000000 +0100 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -96d42e942cf2c930c3b535317bafd886c775a160 -96d42e942cf2c930c3b535317bafd886c775a160 +63883f6c2d0ebbb3e7499799b727fdb7d3f52d72 +63883f6c2d0ebbb3e7499799b727fdb7d3f52d72 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e a3ed22ee480a278acc27433ecbc16eaa63cf2b2e cups_2.2.1.orig.tar.gz diff -Nru cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch --- cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch 1970-01-01 01:00:00.000000000 +0100 +++ cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch 2018-02-22 17:51:44.000000000 +0100 
@@ -0,0 +1,25 @@ +From 63883f6c2d0ebbb3e7499799b727fdb7d3f52d72 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet <michaelrsw...@gmail.com> +Date: Tue, 3 Jan 2017 13:52:47 -0500 +Subject: Don't treat "localhost.localdomain" as an allowed replacement for + localhost, since it isn't. + +Fixes: CVE-2017-18190 +--- + scheduler/client.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/scheduler/client.c b/scheduler/client.c +index 42010def1..20ccf11a9 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -3890,9 +3890,6 @@ valid_host(cupsd_client_t *con) /* I - Client connection */ + + return (!_cups_strcasecmp(con->clientname, "localhost") || + !_cups_strcasecmp(con->clientname, "localhost.") || +-#ifdef __linux +- !_cups_strcasecmp(con->clientname, "localhost.localdomain") || +-#endif /* __linux */ + !strcmp(con->clientname, "127.0.0.1") || + !strcmp(con->clientname, "[::1]")); + } diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series --- cups-2.2.1/debian/patches/series 2017-01-18 14:02:35.000000000 +0100 +++ cups-2.2.1/debian/patches/series 2018-02-22 17:51:44.000000000 +0100 @@ -45,3 +45,4 @@ 0045-Build-mantohtml-with-the-build-architecture-compiler.patch 0046-Do-not-execute-genstrings-during-build.patch manpage-translations.patch +0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch
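
Review bot: the new debian/changelog entry for 2.2.1-8+deb9u1 states the CVE but neither names the patch that implements the fix nor spells out the user-visible effect. Since this goes to a stable release, consider saying that "localhost.localdomain" is no longer accepted as a name for localhost and that the change is carried in 0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch, so an admin reading the changelog can tell what behaviour changed and where.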
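
Review bot: the header of the added 0048 patch, which edits valid_host() in scheduler/client.c, records "Fixes: CVE-2017-18190" but gives no reference to the upstream change it was taken from. The hash on its "From" line is the same value this debdiff writes into debian/.git-dpm, so it identifies the packaging history rather than an upstream commit. Adding an Origin: line with the upstream commit would let a reviewer confirm that the three removed lines (the #ifdef __linux block around the "localhost.localdomain" comparison) are the whole upstream fix and that nothing else from that commit was left out of the backport.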