Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

(Mirroring #891142 for stretch):

CUPS is affected by CVE-2017-18190: remote attackers could execute arbitrary
IPP commands by sending POST requests to the CUPS daemon in conjunction with
DNS rebinding. This was caused by a whitelisted "localhost.localdomain" entry.

According to the Security Team it doesn't warrant a DSA, but still makes sense
to be addressed on Jessie (and Stretch). It was fixed independently on wheezy
already.

The proposed debdiff is attached; can I upload to jessie?
diff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog 2017-07-21 14:44:00.000000000 +0200
+++ cups-1.7.5/debian/changelog 2018-02-23 19:34:51.000000000 +0100
@@ -1,3 +1,12 @@
+cups (1.7.5-11+deb8u3) jessie; urgency=low
+
+  * CVE-2017-18190: Prevent an issue where remote attackers could execute
+    arbitrary IPP commands by sending POST requests to the CUPS daemon in
+    conjunction with DNS rebinding. This was caused by a whitelisted
+    "localhost.localdomain" entry.
+
+ -- Didier Raboud <o...@debian.org>  Fri, 23 Feb 2018 19:34:51 +0100
+
 cups (1.7.5-11+deb8u2) jessie; urgency=high
 
   * Disable SSLv3 and RC4 by default to address POODLE vulnerability
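Review bot: The new 1.7.5-11+deb8u3 entry describes the vulnerability but not the behaviour change an administrator will see after the upgrade, namely that "localhost.localdomain" is no longer treated as a replacement for "localhost". Suggest adding a line that says so and names the patch file, so a post-upgrade failure for a client using that name can be traced to this upload. The entry also sets urgency=low where the previous upload used urgency=high; worth confirming that is intended for a CVE fix.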
diff -Nru 
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
 
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
--- 
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
        1970-01-01 01:00:00.000000000 +0100
+++ 
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
        2018-02-23 19:34:51.000000000 +0100
@@ -0,0 +1,23 @@
+From afa80cb2b457bf8d64f775bed307588610476c41 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michaelrsw...@gmail.com>
+Date: Tue, 3 Jan 2017 13:52:47 -0500
+Subject: [PATCH] Don't treat "localhost.localdomain" as an allowed replacement
+ for localhost, since it isn't.
+
+Fixes: CVE-2017-18190
+---
+ scheduler/client.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -4220,9 +4220,6 @@
+ 
+     return (!_cups_strcasecmp(con->clientname, "localhost") ||
+           !_cups_strcasecmp(con->clientname, "localhost.") ||
+-#ifdef __linux
+-          !_cups_strcasecmp(con->clientname, "localhost.localdomain") ||
+-#endif /* __linux */
+             !strcmp(con->clientname, "127.0.0.1") ||
+           !strcmp(con->clientname, "[::1]"));
+   }
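Review bot: The patch header carries "Fixes: CVE-2017-18190" but no origin reference beyond the hash in the From line, and the subject's "since it isn't" does not say why the name is unsafe. Suggest a DEP-3 Origin field pointing at upstream commit afa80cb2b457bf8d64f775bed307588610476c41 and one sentence tying the removal to the DNS rebinding scenario described in the changelog. On the code itself, the deletion takes the #ifdef __linux, the comparison and the #endif together, so the || chain stays well-formed and the names still accepted are "localhost", "localhost.", "127.0.0.1" and "[::1]".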
diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series
--- cups-1.7.5/debian/patches/series    2017-07-21 13:32:05.000000000 +0200
+++ cups-1.7.5/debian/patches/series    2018-02-23 19:34:51.000000000 +0100
@@ -66,3 +66,4 @@
 # po4a might not be appropriate. It also needs to be high on the patch
 # queue to catch all Debian-specific changes
 manpage-translations.patch
+CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
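Review bot: The new entry is appended after manpage-translations.patch, although the comment just above says that patch needs to sit high on the patch queue to catch all Debian-specific changes. The diffstat of the new patch lists only scheduler/client.c, so the ordering is harmless here, but placing the CVE patch before manpage-translations.patch would keep the series consistent with that comment.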
