--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
CVE-2020-3898 and CVE-2019-8842 got fixed in unstable, after coordinated
disclosure.
I'd like to fix these in a stable upload too.
cups (2.2.10-6+deb10u3) buster; urgency=medium
* Backport upstream security fixes:
- CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption()
function in ppd-mark.c
- CVE-2019-8842: The `ippReadIO` function may under-read an extension
field
-- Didier Raboud <[email protected]> Sat, 25 Apr 2020 16:27:21 +0200
Debdiff and direct patches attached.
Regards,
OdyX
-- System Information:
Debian Release: bullseye/sid
APT prefers buildd-unstable
APT policy: (990, 'buildd-unstable'), (500, 'unstable-debug'), (500,
'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100,
'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8),
LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru cups-2.2.10/debian/changelog cups-2.2.10/debian/changelog
--- cups-2.2.10/debian/changelog 2020-01-19 09:36:31.000000000 +0100
+++ cups-2.2.10/debian/changelog 2020-04-25 16:27:21.000000000 +0200
@@ -1,3 +1,13 @@
+cups (2.2.10-6+deb10u3) buster; urgency=medium
+
+ * Backport upstream security fixes:
+ - CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption()
+ function in ppd-mark.c
+ - CVE-2019-8842: The `ippReadIO` function may under-read an extension
+ field
+
+ -- Didier Raboud <[email protected]> Sat, 25 Apr 2020 16:27:21 +0200
+
cups (2.2.10-6+deb10u2) buster; urgency=medium
* Backport upstream security fixes:
diff -Nru cups-2.2.10/debian/.git-dpm cups-2.2.10/debian/.git-dpm
--- cups-2.2.10/debian/.git-dpm 2020-01-19 09:36:31.000000000 +0100
+++ cups-2.2.10/debian/.git-dpm 2020-04-25 16:25:37.000000000 +0200
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-1b21a83376cee1f213faf7f4b4d89dd766c28975
-1b21a83376cee1f213faf7f4b4d89dd766c28975
+f1b7b7e074291c85366a60f7a197dea19e62c9cf
+f1b7b7e074291c85366a60f7a197dea19e62c9cf
25b2338346ef3abbb93ea88476887cba7b2b86f8
25b2338346ef3abbb93ea88476887cba7b2b86f8
cups_2.2.10.orig.tar.gz
diff -Nru
cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
---
cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
1970-01-01 01:00:00.000000000 +0100
+++
cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
2020-04-25 16:25:37.000000000 +0200
@@ -0,0 +1,56 @@
+From 1668f3bdc68101d44d0d18c85ba3e6572b517ff4 Mon Sep 17 00:00:00 2001
+From: Stephan Zeisberg <[email protected]>
+Date: Fri, 10 Apr 2020 17:14:34 +0200
+Subject: =?UTF-8?q?CVE-2020-3898=20-=20heap-buffer-overflow=20in=20libcups?=
+ =?UTF-8?q?=E2=80=99s=20ppdFindOption()=20function=20in=20ppd-mark.c?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ cups/ppd.c | 3 +--
+ ppdc/ppdc-source.cxx | 14 ++++++++------
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/cups/ppd.c b/cups/ppd.c
+index b823d17b4..8d3eb8a3b 100644
+--- a/cups/ppd.c
++++ b/cups/ppd.c
+@@ -1705,8 +1705,7 @@ _ppdOpen(
+ constraint->choice1, constraint->option2,
+ constraint->choice2))
+ {
+- case 0 : /* Error */
+- case 1 : /* Error */
++ default : /* Error */
+ pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
+ goto error;
+
+diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
+index 5add81002..383f0183d 100644
+--- a/ppdc/ppdc-source.cxx
++++ b/ppdc/ppdc-source.cxx
+@@ -1746,15 +1746,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to
read
+
+ switch (sscanf(name, "%dx%d", &xdpi, &ydpi))
+ {
+- case 0 :
+- _cupsLangPrintf(stderr,
+- _("ppdc: Bad resolution name \"%s\" on line %d of "
+- "%s."), name, fp->line, fp->filename);
+- break;
+ case 1 :
+ ydpi = xdpi;
+ break;
+- }
++ case 2 :
++ break;
++ default :
++ _cupsLangPrintf(stderr,
++ _("ppdc: Bad resolution name \"%s\" on line %d of "
++ "%s."), name, fp->line, fp->filename);
++ break;
++}
+
+ // Create the necessary PS commands...
+ snprintf(command, sizeof(command),
diff -Nru
cups-2.2.10/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
cups-2.2.10/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
---
cups-2.2.10/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
1970-01-01 01:00:00.000000000 +0100
+++
cups-2.2.10/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
2020-04-25 16:25:37.000000000 +0200
@@ -0,0 +1,23 @@
+From f1b7b7e074291c85366a60f7a197dea19e62c9cf Mon Sep 17 00:00:00 2001
+From: Didier Raboud <[email protected]>
+Date: Sat, 25 Apr 2020 16:02:12 +0200
+Subject: CVE-2019-8842: The `ippReadIO` function may under-read an extension
+ field
+
+---
+ cups/ipp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 98b499716..4ebb1da9c 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -2960,7 +2960,7 @@ ippReadIO(void *src, /* I - Data
source */
+ * Read 32-bit "extension" tag...
+ */
+
+- if ((*cb)(src, buffer, 4) < 1)
++ if ((*cb)(src, buffer, 4) < 4)
+ {
+ DEBUG_puts("1ippReadIO: Callback returned EOF/error");
+ _cupsBufferRelease((char *)buffer);
diff -Nru cups-2.2.10/debian/patches/series cups-2.2.10/debian/patches/series
--- cups-2.2.10/debian/patches/series 2020-01-19 09:36:31.000000000 +0100
+++ cups-2.2.10/debian/patches/series 2020-04-25 16:25:37.000000000 +0200
@@ -47,3 +47,5 @@
0047-Fix-multiple-security-disclosure-issues.patch
0048-Fix-memory-leak-in-ppdOpen.patch
0049-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
+0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
+0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
>From 1668f3bdc68101d44d0d18c85ba3e6572b517ff4 Mon Sep 17 00:00:00 2001
From: Stephan Zeisberg <[email protected]>
Date: Fri, 10 Apr 2020 17:14:34 +0200
Subject: =?UTF-8?q?CVE-2020-3898=20-=20heap-buffer-overflow=20in=20libcups?=
=?UTF-8?q?=E2=80=99s=20ppdFindOption()=20function=20in=20ppd-mark.c?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cups/ppd.c | 3 +--
ppdc/ppdc-source.cxx | 14 ++++++++------
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/cups/ppd.c b/cups/ppd.c
index b823d17b4..8d3eb8a3b 100644
--- a/cups/ppd.c
+++ b/cups/ppd.c
@@ -1705,8 +1705,7 @@ _ppdOpen(
constraint->choice1, constraint->option2,
constraint->choice2))
{
- case 0 : /* Error */
- case 1 : /* Error */
+ default : /* Error */
pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
goto error;
diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
index 5add81002..383f0183d 100644
--- a/ppdc/ppdc-source.cxx
+++ b/ppdc/ppdc-source.cxx
@@ -1746,15 +1746,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to
read
switch (sscanf(name, "%dx%d", &xdpi, &ydpi))
{
- case 0 :
- _cupsLangPrintf(stderr,
- _("ppdc: Bad resolution name \"%s\" on line %d of "
- "%s."), name, fp->line, fp->filename);
- break;
case 1 :
ydpi = xdpi;
break;
- }
+ case 2 :
+ break;
+ default :
+ _cupsLangPrintf(stderr,
+ _("ppdc: Bad resolution name \"%s\" on line %d of "
+ "%s."), name, fp->line, fp->filename);
+ break;
+}
// Create the necessary PS commands...
snprintf(command, sizeof(command),
>From f1b7b7e074291c85366a60f7a197dea19e62c9cf Mon Sep 17 00:00:00 2001
From: Didier Raboud <[email protected]>
Date: Sat, 25 Apr 2020 16:02:12 +0200
Subject: CVE-2019-8842: The `ippReadIO` function may under-read an extension
field
---
cups/ipp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cups/ipp.c b/cups/ipp.c
index 98b499716..4ebb1da9c 100644
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -2960,7 +2960,7 @@ ippReadIO(void *src, /* I - Data
source */
* Read 32-bit "extension" tag...
*/
- if ((*cb)(src, buffer, 4) < 1)
+ if ((*cb)(src, buffer, 4) < 4)
{
DEBUG_puts("1ippReadIO: Callback returned EOF/error");
_cupsBufferRelease((char *)buffer);
--- End Message ---
