Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock and age package cups-filters
[ Reason ]
CVE-2023-24805 (RCE due to missing input sanitising)
[ Impact ]
The user would be vulnerable to remote code execution.
[ Tests ]
There is no special test for this patch, only a POC that no
longer worked after applying the patch.
[ Risks ]
The patch was provided by upstream and approved by the security team
(upload to Bullseye already done).
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock cups-filters/1.28.17-3
diff -Nru cups-filters-1.28.17/debian/changelog
cups-filters-1.28.17/debian/changelog
--- cups-filters-1.28.17/debian/changelog 2023-03-10 19:25:20.000000000
+0100
+++ cups-filters-1.28.17/debian/changelog 2023-05-19 18:25:20.000000000
+0200
@@ -1,3 +1,14 @@
+cups-filters (1.28.17-3) unstable; urgency=medium
+
+ * CVE-2023-24805
+ prevent arbitrary command execution by escaping the quoting
+ of the arguments in a job with a forged job title
+ more information are available in the commit message at:
+ https://github.com/OpenPrinting/cups-filters/commit/93e60d3df35
+ (Closes: #1036224)
+
+ -- Thorsten Alteholz <deb...@alteholz.de> Fri, 19 May 2023 18:25:20 +0200
+
cups-filters (1.28.17-2) unstable; urgency=medium
* qpdf needs at least c++17
diff -Nru cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch
cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch
--- cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch
1970-01-01 01:00:00.000000000 +0100
+++ cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch
2023-05-19 10:50:03.000000000 +0200
@@ -0,0 +1,176 @@
+From: Thorsten Alteholz <deb...@alteholz.de>
+Date: Fri, 19 May 2023 10:49:35 +0200
+Subject: fix CVE-2023-24805
+
+---
+ backend/beh.c | 107 +++++++++++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 84 insertions(+), 23 deletions(-)
+
+diff --git a/backend/beh.c b/backend/beh.c
+index 225fd27..8d51235 100644
+--- a/backend/beh.c
++++ b/backend/beh.c
+@@ -22,12 +22,13 @@
+ #include "backend-private.h"
+ #include <cups/array.h>
+ #include <ctype.h>
++#include <sys/wait.h>
+
+ /*
+ * Local globals...
+ */
+
+-static int job_canceled = 0; /* Set to 1 on SIGTERM */
++static volatile int job_canceled = 0; /* Set to 1 on SIGTERM */
+
+ /*
+ * Local functions...
+@@ -213,21 +214,40 @@ call_backend(char *uri, /* I - URI of
final destination */
+ char **argv, /* I - Command-line arguments */
+ char *filename) { /* I - File name of input data */
+ const char *cups_serverbin; /* Location of programs */
++ char *backend_argv[8]; /* Arguments for backend */
+ char scheme[1024], /* Scheme from URI */
+ *ptr, /* Pointer into scheme */
+- cmdline[65536]; /* Backend command line */
+- int retval;
++ backend_path[2048]; /* Backend path */
++ int pid = 0, /* Process ID of backend */
++ wait_pid, /* Process ID from wait() */
++ wait_status, /* Status from child */
++ retval = 0;
++ int bytes;
+
+ /*
+ * Build the backend command line...
+ */
+
+- strncpy(scheme, uri, sizeof(scheme) - 1);
+- if (strlen(uri) > 1023)
+- scheme[1023] = '\0';
++ scheme[0] = '\0';
++ strncat(scheme, uri, sizeof(scheme) - 1);
+ if ((ptr = strchr(scheme, ':')) != NULL)
+ *ptr = '\0';
+-
++ else {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme
part.\n");
++ exit (CUPS_BACKEND_FAILED);
++ }
++ if (strchr(scheme, '/')) {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
++ exit (CUPS_BACKEND_FAILED);
++ }
++ if (!strcmp(scheme, ".") || !strcmp(scheme, "..")) {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, scheme (\"%s\") is a directory.\n",
++ scheme);
++ exit (CUPS_BACKEND_FAILED);
++ }
+ if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
+ cups_serverbin = CUPS_SERVERBIN;
+
+@@ -235,16 +255,29 @@ call_backend(char *uri, /* I - URI of
final destination */
+ fprintf(stderr,
+ "ERROR: beh: Direct output into a file not supported.\n");
+ exit (CUPS_BACKEND_FAILED);
+- } else
+- snprintf(cmdline, sizeof(cmdline),
+- "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
+- cups_serverbin, scheme, argv[1], argv[2], argv[3],
+- /* Apply number of copies only if beh was called with a
+- file name and not with the print data in stdin, as
+- backends should handle copies only if they are called
+- with a file name */
+- (argc == 6 ? "1" : argv[4]),
+- argv[5], filename);
++ }
++
++ backend_argv[0] = uri;
++ backend_argv[1] = argv[1];
++ backend_argv[2] = argv[2];
++ backend_argv[3] = argv[3];
++ /* Apply number of copies only if beh was called with a file name
++ and not with the print data in stdin, as backends should handle
++ copies only if they are called with a file name */
++ backend_argv[4] = (argc == 6 ? "1" : argv[4]);
++ backend_argv[5] = argv[5];
++ backend_argv[6] = filename;
++ backend_argv[7] = NULL;
++
++ bytes = snprintf(backend_path, sizeof(backend_path),
++ "%s/backend/%s", cups_serverbin, scheme);
++ if (bytes < 0 || bytes >= sizeof(backend_path))
++ {
++ fprintf(stderr,
++ "ERROR: beh: Invalid scheme (\"%s\"), could not determing backend
path.\n",
++ scheme);
++ return (CUPS_BACKEND_FAILED);
++ }
+
+ /*
+ * Overwrite the device URI and run the actual backend...
+@@ -253,18 +286,44 @@ call_backend(char *uri, /* I - URI of
final destination */
+ setenv("DEVICE_URI", uri, 1);
+
+ fprintf(stderr,
+- "DEBUG: beh: Executing backend command line \"%s\"...\n",
+- cmdline);
++ "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s'
'%s' %s\"...\n",
++ backend_path, backend_argv[1], backend_argv[2], backend_argv[3],
++ backend_argv[4], backend_argv[5], backend_argv[6]);
+ fprintf(stderr,
+ "DEBUG: beh: Using device URI: %s\n",
+ uri);
+
+- retval = system(cmdline) >> 8;
++ if ((pid = fork()) == 0) {
++ /*
++ * Child comes here...
++ */
++
++ /* Run the backend */
++ execv(backend_path, backend_argv);
+
+- if (retval == -1)
+ fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n",
+ strerror(errno));
+
++ exit(1);
++ } else if (pid < 0) {
++ /*
++ * Unable to fork!
++ */
++
++ return (CUPS_BACKEND_FAILED);
++ }
++
++ while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR);
++
++ if (wait_pid >= 0 && wait_status) {
++ if (WIFEXITED(wait_status))
++ retval = WEXITSTATUS(wait_status);
++ else if (WTERMSIG(wait_status) != SIGTERM)
++ retval = WTERMSIG(wait_status);
++ else
++ retval = 0;
++ }
++
+ return (retval);
+ }
+
+@@ -277,8 +336,10 @@ static void
+ sigterm_handler(int sig) { /* I - Signal number (unused) */
+ (void)sig;
+
+- fprintf(stderr,
+- "DEBUG: beh: Job canceled.\n");
++ const char * const msg = "DEBUG: beh: Job canceled.\n";
++ /* The if() is to eliminate the return value and silence the warning
++ about an unused return value. */
++ if (write(2, msg, strlen(msg)));
+
+ if (job_canceled)
+ _exit(CUPS_BACKEND_OK);
diff -Nru cups-filters-1.28.17/debian/patches/series
cups-filters-1.28.17/debian/patches/series
--- cups-filters-1.28.17/debian/patches/series 2023-03-10 19:25:20.000000000
+0100
+++ cups-filters-1.28.17/debian/patches/series 2023-05-19 10:50:03.000000000
+0200
@@ -1,2 +1,3 @@
0001-Force-set-INITDIR-in-configure.ac-instead-of-relying.patch
0002-qpdf-needs-at-least-c-17.patch
+0003-fix-CVE-2023-24805.patch