Your message dated Sat, 16 Feb 2019 11:36:33 +0000
with message-id <[email protected]>
and subject line Closing bugs for updates included in 9.8
has caused the Debian Bug report #916435,
regarding stretch-pu: package cups/2.2.1-8+deb9u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
916435: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916435
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu

CUPS in stable has two no-dsa security issues in stretch which I'd like to fix:

- CVE-2017-18248: DBUS notifications could crash the scheduler
- CVE-2018-4700: Linux session cookies used a predictable random number seed

My proposed changelog entry is the following:

cups (2.2.1-8+deb9u3) stretch; urgency=low

  * Backport upstream fixes for:
    - CVE-2017-18248: DBUS notifications could crash the scheduler
    - CVE-2018-4700: Linux session cookies used a predictable random
      number seed (Closes: #915909)

I'm attaching the two upstream patches (mere cherry-picks from the
upstream-2.2 branch) and the proposed debdiff.

Thanks for your consideration, cheers,
   OdyX
 
diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog 2018-07-03 07:45:20.000000000 +0200
+++ cups-2.2.1/debian/changelog 2018-12-14 13:58:47.000000000 +0100
@@ -1,7 +1,16 @@
+cups (2.2.1-8+deb9u3) stretch; urgency=low
+
+  * Backport upstream fixes for:
+    - CVE-2017-18248: DBUS notifications could crash the scheduler
+    - CVE-2018-4700: Linux session cookies used a predictable random
+      number seed (Closes: #915909)
+
+ -- Didier Raboud <[email protected]>  Fri, 14 Dec 2018 13:58:47 +0100
+
 cups (2.2.1-8+deb9u2) stretch-security; urgency=low
 
   * CVE-2018-6553: Fix AppArmor cupsd sandbox bypass due to use of hard links
-  * Backport upstream fix for:
+  * Backport upstream fixes for:
     - CVE-2018-4180 Local Privilege Escalation to Root in dnssd Backend 
(CUPS_SERVERBIN)
     - CVE-2018-4181 Limited Local File Reads as Root via cupsd.conf Include 
Directive
     - CVE-2018-4182 cups-exec Sandbox Bypass Due to Insecure Error Handling
@@ -9,7 +18,7 @@
     - CVE-2017-15400: Restrict IPP Everywhere filters to only list supported 
PDLs
       to fix CRLF and Code Injection in Printer Zeroconfig
 
- -- Didier Raboud <[email protected]>  Tue, 03 Jul 2018 07:45:20 +0200
+ -- Didier Raboud <[email protected]>  Wed, 11 Jul 2018 11:29:27 +0200
 
 cups (2.2.1-8+deb9u1) stretch; urgency=low
 
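Review bot: The trailer of the already-released 2.2.1-8+deb9u2 entry changes here from `Tue, 03 Jul 2018 07:45:20 +0200` to `Wed, 11 Jul 2018 11:29:27 +0200`, and the previous hunk rewords the same entry from "fix for" to "fixes for". A released changelog entry should stay byte-identical in a later upload. If the packaging branch was built on a later deb9u2 than the one used as the debdiff base, regenerate the debdiff against that version; otherwise restore the old lines so that the only changelog delta is the new deb9u3 stanza.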
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm  2018-07-03 07:45:20.000000000 +0200
+++ cups-2.2.1/debian/.git-dpm  2018-12-14 13:57:48.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-ed0d3345b936ea9d88356965770ddf5eecba46be
-ed0d3345b936ea9d88356965770ddf5eecba46be
+a40147f12081943df6c85b6b1f4d302633a6995c
+a40147f12081943df6c85b6b1f4d302633a6995c
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 cups_2.2.1.orig.tar.gz
diff -Nru 
cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
 
cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
--- 
cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
   2018-12-14 13:57:46.000000000 +0100
@@ -0,0 +1,42 @@
+From f083e69ad83bd9445c1c3bfdf6878096ceb54113 Mon Sep 17 00:00:00 2001
+From: Michael Sweet <[email protected]>
+Date: Mon, 23 Oct 2017 16:23:43 -0400
+Subject: DBUS notifications could crash the scheduler (Issue #5143)
+
+- scheduler/ipp.c: Make sure requesting-user-name string is valid UTF-8.
+
+Fixes: CVE-2017-18248
+---
+ scheduler/ipp.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/scheduler/ipp.c b/scheduler/ipp.c
+index dde976c72..50f5004b7 100644
+--- a/scheduler/ipp.c
++++ b/scheduler/ipp.c
+@@ -1576,6 +1576,16 @@ add_job(cupsd_client_t  *con,           /* I - Client 
connection */
+     return (NULL);
+   }
+ 
++  attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
++
++  if (attr && !ippValidateAttribute(attr))
++  {
++    send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: 
%s"), cupsLastErrorString());
++    if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
++      attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
++    return (NULL);
++  }
++
+   if ((job = cupsdAddJob(priority, printer->name)) == NULL)
+   {
+     send_ipp_status(con, IPP_INTERNAL_ERROR,
+@@ -1594,8 +1604,6 @@ add_job(cupsd_client_t  *con,            /* I - Client 
connection */
+   add_job_uuid(job);
+   apply_printer_defaults(printer, job);
+ 
+-  attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME);
+-
+   if (con->username[0])
+   {
+     cupsdSetString(&job->username, con->username);
diff -Nru 
cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
 
cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
--- 
cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
   2018-12-14 13:57:48.000000000 +0100
@@ -0,0 +1,32 @@
+From a40147f12081943df6c85b6b1f4d302633a6995c Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <[email protected]>
+Date: Fri, 7 Dec 2018 12:09:00 -0500
+Subject: CVE-2018-4700: Linux session cookies used a predictable random number
+ seed.
+
+---
+ cgi-bin/var.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/cgi-bin/var.c b/cgi-bin/var.c
+index 6d02e1079..fb879a783 100644
+--- a/cgi-bin/var.c
++++ b/cgi-bin/var.c
+@@ -1209,6 +1209,7 @@ cgi_set_sid(void)
+   const char          *remote_addr,   /* REMOTE_ADDR */
+                       *server_name,   /* SERVER_NAME */
+                       *server_port;   /* SERVER_PORT */
++  struct timeval      curtime;        /* Current time */
+ 
+ 
+   if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
+@@ -1218,7 +1219,8 @@ cgi_set_sid(void)
+   if ((server_port = getenv("SERVER_PORT")) == NULL)
+     server_port = "SERVER_PORT";
+ 
+-  CUPS_SRAND(time(NULL));
++  gettimeofday(&curtime, NULL);
++  CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
+   snprintf(buffer, sizeof(buffer), 
"%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
+            remote_addr, server_name, server_port,
+          (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series
--- cups-2.2.1/debian/patches/series    2018-07-03 07:45:20.000000000 +0200
+++ cups-2.2.1/debian/patches/series    2018-12-14 13:57:48.000000000 +0100
@@ -49,3 +49,5 @@
 0049-Tweak-the-PDL-priority-Issue-4932.patch
 0050-Only-list-supported-PDLs-Issue-4923.patch
 0051-Fix-local-privilege-escalation-to-root-and-sandbox-b.patch
+0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
+0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
From f083e69ad83bd9445c1c3bfdf6878096ceb54113 Mon Sep 17 00:00:00 2001
From: Michael Sweet <[email protected]>
Date: Mon, 23 Oct 2017 16:23:43 -0400
Subject: DBUS notifications could crash the scheduler (Issue #5143)

- scheduler/ipp.c: Make sure requesting-user-name string is valid UTF-8.

Fixes: CVE-2017-18248
---
 scheduler/ipp.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/scheduler/ipp.c b/scheduler/ipp.c
index dde976c72..50f5004b7 100644
--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
@@ -1576,6 +1576,16 @@ add_job(cupsd_client_t  *con,            /* I - Client 
connection */
     return (NULL);
   }
 
+  attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
+
+  if (attr && !ippValidateAttribute(attr))
+  {
+    send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: 
%s"), cupsLastErrorString());
+    if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
+      attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+    return (NULL);
+  }
+
   if ((job = cupsdAddJob(priority, printer->name)) == NULL)
   {
     send_ipp_status(con, IPP_INTERNAL_ERROR,
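Review bot: The new validation block in add_job() carries no comment, so nothing at the call site says why requesting-user-name is singled out; the reason (an invalid string reaching DBUS notifications and crashing the scheduler) lives only in the commit message. Add a one-line comment above `if (attr && !ippValidateAttribute(attr))`. The same comment should record that the early `return (NULL)` deliberately sits before `cupsdAddJob()`, so no job exists yet to clean up on the rejection path; that ordering has to survive any later refactoring.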
@@ -1594,8 +1604,6 @@ add_job(cupsd_client_t  *con,             /* I - Client 
connection */
   add_job_uuid(job);
   apply_printer_defaults(printer, job);
 
-  attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME);
-
   if (con->username[0])
   {
     cupsdSetString(&job->username, con->username);
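Review bot: With the `ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME)` lookup removed, `attr` from this point on is whatever the earlier hunk left it as: the attribute found in `con->request`, not the one in `job->attrs`. Any code after `if (con->username[0])` that reads or modifies `attr` (outside the visible context) now operates on the request's attribute. Please confirm that is intended; if not, use a separate variable for the request-side validation and keep the `job->attrs` lookup here.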
From a40147f12081943df6c85b6b1f4d302633a6995c Mon Sep 17 00:00:00 2001
From: Michael R Sweet <[email protected]>
Date: Fri, 7 Dec 2018 12:09:00 -0500
Subject: CVE-2018-4700: Linux session cookies used a predictable random number
 seed.

---
 cgi-bin/var.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cgi-bin/var.c b/cgi-bin/var.c
index 6d02e1079..fb879a783 100644
--- a/cgi-bin/var.c
+++ b/cgi-bin/var.c
@@ -1209,6 +1209,7 @@ cgi_set_sid(void)
   const char           *remote_addr,   /* REMOTE_ADDR */
                        *server_name,   /* SERVER_NAME */
                        *server_port;   /* SERVER_PORT */
+  struct timeval       curtime;        /* Current time */
 
 
   if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
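Review bot: `struct timeval curtime;` and the `gettimeofday()` call in the next hunk need `<sys/time.h>`, and the diffstat (3 insertions, 1 deletion, all inside cgi_set_sid()) shows no include being added. Confirm that cgi-bin/var.c already gets the declaration through its existing headers on every architecture this branch builds for; otherwise add the include explicitly.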
@@ -1218,7 +1219,8 @@ cgi_set_sid(void)
   if ((server_port = getenv("SERVER_PORT")) == NULL)
     server_port = "SERVER_PORT";
 
-  CUPS_SRAND(time(NULL));
+  gettimeofday(&curtime, NULL);
+  CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
   snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
            remote_addr, server_name, server_port,
           (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
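Review bot: The seed `curtime.tv_sec + curtime.tv_usec` is still derived from the clock alone, so it narrows the original problem rather than removing it. tv_usec contributes at most 1,000,000 values, and because the two fields are summed, different (tv_sec, tv_usec) pairs yield the same seed; the session ID then rests on how closely the request time can be estimated. For a security update I would prefer seeding from the kernel CSPRNG (getrandom() or /dev/urandom), or drawing the eight cookie bytes from it directly. If the cherry-pick is kept as is to stay aligned with upstream-2.2, note the residual weakness in the bug so it stays tracked.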

--- End Message ---
--- Begin Message ---
Version: 9.8

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
