Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu

(Mirroring #891142 for stretch):

CUPS is affected by CVE-2017-18190: remote attackers could execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. This was caused by a whitelisted "localhost.localdomain" entry.

According to the Security Team it doesn't warrant a DSA, but still makes sense to be addressed on Jessie (and Stretch). It was fixed independently on wheezy already.

The proposed debdiff is attached; can I upload to jessie?

diff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog --- cups-1.7.5/debian/changelog 2017-07-21 14:44:00.000000000 +0200 +++ cups-1.7.5/debian/changelog 2018-02-23 19:34:51.000000000 +0100 @@ -1,3 +1,12 @@ +cups (1.7.5-11+deb8u3) jessie; urgency=low + + * CVE-2017-18190: Prevent an issue where remote attackers could execute + arbitrary IPP commands by sending POST requests to the CUPS daemon in + conjunction with DNS rebinding. This was caused by a whitelisted + "localhost.localdomain" entry. + + -- Didier Raboud <[email protected]> Fri, 23 Feb 2018 19:34:51 +0100 + cups (1.7.5-11+deb8u2) jessie; urgency=high * Disable SSLv3 and RC4 by default to address POODLE vulnerability diff -Nru cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch --- cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch 1970-01-01 01:00:00.000000000 +0100 +++ cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch 2018-02-23 19:34:51.000000000 +0100 
@@ -0,0 +1,23 @@ +From afa80cb2b457bf8d64f775bed307588610476c41 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet <[email protected]> +Date: Tue, 3 Jan 2017 13:52:47 -0500 +Subject: [PATCH] Don't treat "localhost.localdomain" as an allowed replacement + for localhost, since it isn't. + +Fixes: CVE-2017-18190 +--- + scheduler/client.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -4220,9 +4220,6 @@ + + return (!_cups_strcasecmp(con->clientname, "localhost") || + !_cups_strcasecmp(con->clientname, "localhost.") || +-#ifdef __linux +- !_cups_strcasecmp(con->clientname, "localhost.localdomain") || +-#endif /* __linux */ + !strcmp(con->clientname, "127.0.0.1") || + !strcmp(con->clientname, "[::1]")); + } diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series --- cups-1.7.5/debian/patches/series 2017-07-21 13:32:05.000000000 +0200 +++ cups-1.7.5/debian/patches/series 2018-02-23 19:34:51.000000000 +0100 @@ -66,3 +66,4 @@ # po4a might not be appropriate. It also needs to be high on the patch # queue to catch all Debian-specific changes manpage-translations.patch +CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
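Review bot: In the debian/changelog hunk, the new 1.7.5-11+deb8u3 entry describes the vulnerability but not the change being uploaded. Consider stating that the fix stops accepting "localhost.localdomain" as a name for the local host and naming the added patch file (CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch), so that someone reading only the changelog can tell what the daemon now does differently.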
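Review bot: In the scheduler/client.c hunk, removing the "#ifdef __linux" comparison means a con->clientname of "localhost.localdomain" no longer satisfies this return expression, which is a behaviour change for a stable update that the upload does not call out. Before uploading, it is worth checking a jessie host that reaches the local daemon under that name, and noting the change for administrators if such setups stop passing the check. On the documentation side, the patch header records the upstream commit only through the mbox line "From afa80cb2b457bf8d64f775bed307588610476c41"; an explicit Origin: field pointing at that upstream commit would make the provenance of the three deleted lines easier to verify.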

