Package: release.debian.org Severity: normal Tags: bookworm User: [email protected] Usertags: pu
The attached debdiff for cpdb-libs fixes CVE-2023-34095 in Bookworm. This CVE has been marked as no-dsa by the security team.
The fix just restricts the usable buffer and should have no side effects. Thorsten
diff -Nru cpdb-libs-1.2.0/debian/changelog cpdb-libs-1.2.0/debian/changelog
--- cpdb-libs-1.2.0/debian/changelog 2023-01-12 22:03:02.000000000 +0100
+++ cpdb-libs-1.2.0/debian/changelog 2023-06-27 22:03:02.000000000 +0200
@@ -1,3 +1,10 @@
+cpdb-libs (1.2.0-2+deb12u1) bookworm; urgency=medium
+
+ * CVE-2023-34095 (Closes: #1038253)
+ buffer overflow via improper use of scanf()/fscanf()
+
+ -- Thorsten Alteholz <[email protected]> Tue, 27 Jun 2023 22:03:02 +0200
+
 cpdb-libs (1.2.0-2) unstable; urgency=medium
 
 * source upload
diff -Nru cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch
--- cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch 1970-01-01 01:00:00.000000000 +0100
+++ cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch 2023-06-27 22:03:02.000000000 +0200
@@ -0,0 +1,161 @@
+Description: backported fix for CVE-2023-34095
+Index: cpdb-libs/demo/print_frontend.c
+===================================================================
+--- cpdb-libs.orig/demo/print_frontend.c 2023-06-28 06:57:31.699739106 +0200
++++ cpdb-libs/demo/print_frontend.c 2023-06-28 08:01:19.416613086 +0200
+@@ -48,7 +48,7 @@
+ {
+ printf("> ");
+ fflush(stdout);
+- scanf("%s", buf);
++ scanf("%99s", buf);
+ if (strcmp(buf, "stop") == 0)
+ {
+ disconnect_from_dbus(f);
+@@ -84,7 +84,7 @@
+ {
+ char printer_id[100];
+ char backend_name[100];
+- scanf("%s%s", printer_id, backend_name);
++ scanf("%99s%99s", printer_id, backend_name);
+ g_message("Getting all attributes ..\n");
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ 
+@@ -106,7 +106,7 @@
+ else if (strcmp(buf, "get-default") == 0)
+ {
+ char printer_id[100], backend_name[100], option_name[100];
+- scanf("%s%s%s", option_name, printer_id, backend_name);
++ scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ char *ans = get_default(p, option_name);
+ if (!ans)
+@@ -117,7 +117,7 @@
+ else if (strcmp(buf, "get-setting") == 0)
+ {
+ char printer_id[100], backend_name[100], setting_name[100];
+- scanf("%s%s%s", setting_name, printer_id, backend_name);
++ scanf("%99s%99s%99s", setting_name, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ char *ans = get_setting(p, setting_name);
+ if (!ans)
+@@ -128,7 +128,7 @@
+ else if (strcmp(buf, "get-current") == 0)
+ {
+ char printer_id[100], backend_name[100], option_name[100];
+- scanf("%s%s%s", option_name, printer_id, backend_name);
++ scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ char *ans = get_current(p, option_name);
+ if (!ans)
+@@ -139,7 +139,7 @@
+ else if (strcmp(buf, "add-setting") == 0)
+ {
+ char printer_id[100], backend_name[100], option_name[100], option_val[100];
+- scanf("%s %s %s %s", option_name, option_val, printer_id, backend_name);
++ scanf("%99s %99s %99s %99s", option_name, option_val, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ printf("%s : %s\n", option_name, option_val);
+ add_setting_to_printer(p, get_string_copy(option_name), get_string_copy(option_val));
+@@ -147,7 +147,7 @@
+ else if (strcmp(buf, "clear-setting") == 0)
+ {
+ char printer_id[100], backend_name[100], option_name[100];
+- scanf("%s%s%s", option_name, printer_id, backend_name);
++ scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ clear_setting_from_printer(p, option_name);
+ }
+@@ -155,7 +155,7 @@
+ {
+ char printer_id[100];
+ char backend_name[100];
+- scanf("%s%s", printer_id, backend_name);
++ scanf("%99s%99s", printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ printf("%s\n", get_state(p));
+ }
+@@ -163,7 +163,7 @@
+ {
+ char printer_id[100];
+ char backend_name[100];
+- scanf("%s%s", printer_id, backend_name);
++ scanf("%99s%99s", printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ printf("Accepting jobs ? : %d \n", is_accepting_jobs(p));
+ }
+@@ -174,14 +174,14 @@
+ else if (strcmp(buf, "ping") == 0)
+ {
+ char printer_id[100], backend_name[100];
+- scanf("%s%s", printer_id, backend_name);
++ scanf("%99s%99s", printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ print_backend_call_ping_sync(p->backend_proxy, p->id, NULL, NULL);
+ }
+ else if (strcmp(buf, "get-default-printer") == 0)
+ {
+ char backend_name[100];
+- scanf("%s", backend_name);
++ scanf("%99s", backend_name);
+ /**
+ * Backend name = The last part of the backend dbus service
+ * Eg. "CUPS" or "GCP"
+@@ -191,7 +191,7 @@
+ else if (strcmp(buf, "print-file") == 0)
+ {
+ char printer_id[100], backend_name[100], file_path[200];
+- scanf("%s%s%s", file_path, printer_id, backend_name);
++ scanf("%199s%99s%99s", file_path, printer_id, backend_name);
+ /**
+ * Try adding some settings here .. change them and experiment
+ */
+@@ -201,7 +201,7 @@
+ {
+ char final_file_path[200];
+ printf("Please give the final file path: ");
+- scanf("%s", final_file_path);
++ scanf("%199s", final_file_path);
+ print_file_path(p, file_path, final_file_path);
+ continue;
+ }
+@@ -213,7 +213,7 @@
+ {
+ char printer_id[100];
+ char backend_name[100];
+- scanf("%s%s", printer_id, backend_name);
++ scanf("%99s%99s", printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ printf("%d jobs currently active.\n", get_active_jobs_count(p));
+ }
+@@ -235,7 +235,7 @@
+ char printer_id[100];
+ char backend_name[100];
+ char job_id[100];
+- scanf("%s%s%s", job_id, printer_id, backend_name);
++ scanf("%99s%99s%99s", job_id, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ if (cancel_job(p, job_id))
+ printf("Job %s has been cancelled.\n", job_id);
+@@ -247,7 +247,7 @@
+ char printer_id[100];
+ char backend_name[100];
+ char job_id[100];
+- scanf("%s%s", printer_id, backend_name);
++ scanf("%99s%99s", printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ pickle_printer_to_file(p, "/tmp/.printer-pickle", f);
+ }
+Index: cpdb-libs/lib/frontend_helper.c
+===================================================================
+--- cpdb-libs.orig/lib/frontend_helper.c 2023-06-28 06:57:31.699739106 +0200
++++ cpdb-libs/lib/frontend_helper.c 2023-06-28 07:57:11.168548682 +0200
+@@ -171,7 +171,7 @@
+ 
+ FILE *file = fopen(path, "r");
+ char obj_path[200];
+- fscanf(file, "%s", obj_path);
++ fscanf(file, "%199s", obj_path);
+ fclose(file);
+ free(path);
+ GError *error = NULL;
diff -Nru cpdb-libs-1.2.0/debian/patches/series cpdb-libs-1.2.0/debian/patches/series
--- cpdb-libs-1.2.0/debian/patches/series 2023-01-08 19:03:02.000000000 +0100
+++ cpdb-libs-1.2.0/debian/patches/series 2023-06-27 22:03:02.000000000 +0200
@@ -1,2 +1,3 @@
+CVE-2023-34095.patch
 no-profiling.patch
 manually-hardening.patch
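Review bot: In the lib/frontend_helper.c hunk carried by the new CVE-2023-34095.patch, the `fscanf(file, "%199s", obj_path)` call still runs without a check that `fopen(path, "r")` returned a stream or that one field was actually converted, so a missing or empty file gives a NULL `FILE *` or leaves `obj_path` uninitialised for whatever follows the hunk. I would test `file == NULL` before the read and treat `fscanf(file, "%199s", obj_path) != 1` as a failure; the error path belongs to the enclosing function, which starts and ends outside the hunk. The same unchecked return applies to every `scanf` in the demo/print_frontend.c hunks, where on EOF the `char[100]` buffers reach `strcmp` and `find_PrinterObj` unset. The width limits also split an over-long token instead of rejecting it, so the remainder is read as the next field; a comment at the first `scanf` such as `/* field widths must stay one below the buffer sizes */` would at least tie the literals to the declarations.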

