Bug#1039862: marked as done (bookworm-pu: cpdb-libs/1.2.0-2+deb12u1)

Debian Bug Tracking System Sat, 22 Jul 2023 06:32:22 -0700

Your message dated Sat, 22 Jul 2023 13:19:42 +0000
with message-id <[email protected]>
and subject line Released with 12.1
has caused the Debian Bug report #1039862,
regarding bookworm-pu: cpdb-libs/1.2.0-2+deb12u1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1039862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039862
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu

The attached debdiff for cpdb-libs fixes CVE-2023-34095 Bookworm. This CVEhas been marked as no-dsa by the security team.


The fix just restricts the usable buffer and should have no side effects.

  Thorsten

diff -Nru cpdb-libs-1.2.0/debian/changelog cpdb-libs-1.2.0/debian/changelog
--- cpdb-libs-1.2.0/debian/changelog    2023-01-12 22:03:02.000000000 +0100
+++ cpdb-libs-1.2.0/debian/changelog    2023-06-27 22:03:02.000000000 +0200
@@ -1,3 +1,10 @@
+cpdb-libs (1.2.0-2+deb12u1) bookworm; urgency=medium
+
+  * CVE-2023-34095 (Closes: #1038253)
+    buffer overflow via improper use of scanf()/fscanf()
+
+ -- Thorsten Alteholz <[email protected]>  Tue, 27 Jun 2023 22:03:02 +0200
+
 cpdb-libs (1.2.0-2) unstable; urgency=medium
 
   * source upload
diff -Nru cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch 
cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch
--- cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch 1970-01-01 
01:00:00.000000000 +0100
+++ cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch 2023-06-27 
22:03:02.000000000 +0200
@@ -0,0 +1,161 @@
+Description: backported fix for CVE-2023-34095
+Index: cpdb-libs/demo/print_frontend.c
+===================================================================
+--- cpdb-libs.orig/demo/print_frontend.c       2023-06-28 06:57:31.699739106 
+0200
++++ cpdb-libs/demo/print_frontend.c    2023-06-28 08:01:19.416613086 +0200
+@@ -48,7 +48,7 @@
+     {
+         printf("> ");
+         fflush(stdout);
+-        scanf("%s", buf);
++        scanf("%99s", buf);
+         if (strcmp(buf, "stop") == 0)
+         {
+             disconnect_from_dbus(f);
+@@ -84,7 +84,7 @@
+         {
+             char printer_id[100];
+             char backend_name[100];
+-            scanf("%s%s", printer_id, backend_name);
++            scanf("%99s%99s", printer_id, backend_name);
+             g_message("Getting all attributes ..\n");
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ 
+@@ -106,7 +106,7 @@
+         else if (strcmp(buf, "get-default") == 0)
+         {
+             char printer_id[100], backend_name[100], option_name[100];
+-            scanf("%s%s%s", option_name, printer_id, backend_name);
++            scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             char *ans = get_default(p, option_name);
+             if (!ans)
+@@ -117,7 +117,7 @@
+         else if (strcmp(buf, "get-setting") == 0)
+         {
+             char printer_id[100], backend_name[100], setting_name[100];
+-            scanf("%s%s%s", setting_name, printer_id, backend_name);
++            scanf("%99s%99s%99s", setting_name, printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             char *ans = get_setting(p, setting_name);
+             if (!ans)
+@@ -128,7 +128,7 @@
+         else if (strcmp(buf, "get-current") == 0)
+         {
+             char printer_id[100], backend_name[100], option_name[100];
+-            scanf("%s%s%s", option_name, printer_id, backend_name);
++            scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             char *ans = get_current(p, option_name);
+             if (!ans)
+@@ -139,7 +139,7 @@
+         else if (strcmp(buf, "add-setting") == 0)
+         {
+             char printer_id[100], backend_name[100], option_name[100], 
option_val[100];
+-            scanf("%s %s %s %s", option_name, option_val, printer_id, 
backend_name);
++            scanf("%99s %99s %99s %99s", option_name, option_val, printer_id, 
backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             printf("%s : %s\n", option_name, option_val);
+             add_setting_to_printer(p, get_string_copy(option_name), 
get_string_copy(option_val));
+@@ -147,7 +147,7 @@
+         else if (strcmp(buf, "clear-setting") == 0)
+         {
+             char printer_id[100], backend_name[100], option_name[100];
+-            scanf("%s%s%s", option_name, printer_id, backend_name);
++            scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             clear_setting_from_printer(p, option_name);
+         }
+@@ -155,7 +155,7 @@
+         {
+             char printer_id[100];
+             char backend_name[100];
+-            scanf("%s%s", printer_id, backend_name);
++            scanf("%99s%99s", printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             printf("%s\n", get_state(p));
+         }
+@@ -163,7 +163,7 @@
+         {
+             char printer_id[100];
+             char backend_name[100];
+-            scanf("%s%s", printer_id, backend_name);
++            scanf("%99s%99s", printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             printf("Accepting jobs ? : %d \n", is_accepting_jobs(p));
+         }
+@@ -174,14 +174,14 @@
+         else if (strcmp(buf, "ping") == 0)
+         {
+             char printer_id[100], backend_name[100];
+-            scanf("%s%s", printer_id, backend_name);
++            scanf("%99s%99s", printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             print_backend_call_ping_sync(p->backend_proxy, p->id, NULL, NULL);
+         }
+         else if (strcmp(buf, "get-default-printer") == 0)
+         {
+             char backend_name[100];
+-            scanf("%s", backend_name);
++            scanf("%99s", backend_name);
+             /**
+              * Backend name = The last part of the backend dbus service
+              * Eg. "CUPS" or "GCP"
+@@ -191,7 +191,7 @@
+         else if (strcmp(buf, "print-file") == 0)
+         {
+             char printer_id[100], backend_name[100], file_path[200];
+-            scanf("%s%s%s", file_path, printer_id, backend_name);
++            scanf("%199s%99s%99s", file_path, printer_id, backend_name);
+             /**
+              * Try adding some settings here .. change them and experiment
+              */
+@@ -201,7 +201,7 @@
+             {
+               char final_file_path[200];
+               printf("Please give the final file path: ");
+-              scanf("%s", final_file_path);
++              scanf("%199s", final_file_path);
+               print_file_path(p, file_path, final_file_path);
+               continue;
+             }
+@@ -213,7 +213,7 @@
+         {
+             char printer_id[100];
+             char backend_name[100];
+-            scanf("%s%s", printer_id, backend_name);
++            scanf("%99s%99s", printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             printf("%d jobs currently active.\n", get_active_jobs_count(p));
+         }
+@@ -235,7 +235,7 @@
+             char printer_id[100];
+             char backend_name[100];
+             char job_id[100];
+-            scanf("%s%s%s", job_id, printer_id, backend_name);
++            scanf("%99s%99s%99s", job_id, printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             if (cancel_job(p, job_id))
+                 printf("Job %s has been cancelled.\n", job_id);
+@@ -247,7 +247,7 @@
+             char printer_id[100];
+             char backend_name[100];
+             char job_id[100];
+-            scanf("%s%s", printer_id, backend_name);
++            scanf("%99s%99s", printer_id, backend_name);
+             PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+             pickle_printer_to_file(p, "/tmp/.printer-pickle", f);
+         }
+Index: cpdb-libs/lib/frontend_helper.c
+===================================================================
+--- cpdb-libs.orig/lib/frontend_helper.c       2023-06-28 06:57:31.699739106 
+0200
++++ cpdb-libs/lib/frontend_helper.c    2023-06-28 07:57:11.168548682 +0200
+@@ -171,7 +171,7 @@
+ 
+     FILE *file = fopen(path, "r");
+     char obj_path[200];
+-    fscanf(file, "%s", obj_path);
++    fscanf(file, "%199s", obj_path);
+     fclose(file);
+     free(path);
+     GError *error = NULL;
diff -Nru cpdb-libs-1.2.0/debian/patches/series 
cpdb-libs-1.2.0/debian/patches/series
--- cpdb-libs-1.2.0/debian/patches/series       2023-01-08 19:03:02.000000000 
+0100
+++ cpdb-libs-1.2.0/debian/patches/series       2023-06-27 22:03:02.000000000 
+0200
@@ -1,2 +1,3 @@
+CVE-2023-34095.patch
 no-profiling.patch
 manually-hardening.patch

--- End Message ---

--- Begin Message ---
Version: 12.1

The upload requested in this bug has been released as part of 12.1.
--- End Message ---

Bug#1039862: marked as done (bookworm-pu: cpdb-libs/1.2.0-2+deb12u1)

Reply via email to