Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4
On Fri, 29 Sep 2023, Adam D. Barratt wrote: I should have spotted this before (particularly as we recently had the same issue with another package) but debian/NEWS.Debian should simply be debian/NEWS. dh_installchangelogs then renames it to NEWS.Debian in the binary package. ok, uploaded, I keep my fingers crossed. Thorsten
Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4
On Thu, 2023-09-28 at 19:51 +0200, Thorsten Alteholz wrote: > > On 27.09.23 20:33, Adam D. Barratt wrote: > > Thanks; please go ahead. > > great, thanks, ... > > ... and uploaded. > I should have spotted this before (particularly as we recently had the same issue with another package) but debian/NEWS.Debian should simply be debian/NEWS. dh_installchangelogs then renames it to NEWS.Debian in the binary package. Regards, Adam
Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4
On 27.09.23 20:33, Adam D. Barratt wrote: Thanks; please go ahead. great, thanks, ... ... and uploaded. Thorsten
Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4
Control: tags 1052363 - moreinfo
On Sat, 23 Sep 2023, Adam D. Barratt wrote:
The same query as for bookworm applies here - do we expect users to
know how to find the patch?
... and the same new text for Bullseye.
Thorstendiff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog 2023-06-24 10:54:05.0 +0200
+++ cups-2.3.3op2/debian/changelog 2023-09-19 21:20:27.0 +0200
@@ -1,3 +1,12 @@
+cups (2.3.3op2-3+deb11u4) bullseye; urgency=medium
+
+ * CVE-2023-4504
+Postscript parsing heap-based buffer overflow
+ * CVE-2023-32360 (Closes: #1051953)
+authentication issue
+
+ -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200
+
cups (2.3.3op2-3+deb11u3) bullseye; urgency=medium
* CVE-2023-34241 (Closes: #1038885)
diff -Nru cups-2.3.3op2/debian/cups-daemon.NEWS
cups-2.3.3op2/debian/cups-daemon.NEWS
--- cups-2.3.3op2/debian/cups-daemon.NEWS 2023-06-22 23:22:40.0
+0200
+++ cups-2.3.3op2/debian/cups-daemon.NEWS 2023-09-19 21:20:27.0
+0200
@@ -1,3 +1,20 @@
+cups (2.3.3op2-3+deb11u4) bullseye; urgency=medium
+
+ This release addresses a security issue (CVE-2023-32360) which allows
+ unauthorized users to fetch documents over local or remote networks.
+ Since this is a configuration fix, it might be that it does not reach you if
you
+ are updating 'cups-daemon' (rather than doing a fresh installation).
+ Please double check your /etc/cups/cupds.conf file, whether it limits the
access
+ to CUPS-Get-Document with something like the following
+ >
+ >AuthType Default
+ >Require user @OWNER @SYSTEM
+ >Order deny,allow
+ >
+ (The important line is the 'AuthType Default' in this section)
+
+ -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200
+
cups (2.1.4-3) unstable; urgency=low
The default ErrorPolicy is changed from 'stop-printer' to 'retry-job',
diff -Nru cups-2.3.3op2/debian/NEWS.Debian cups-2.3.3op2/debian/NEWS.Debian
--- cups-2.3.3op2/debian/NEWS.Debian1970-01-01 01:00:00.0 +0100
+++ cups-2.3.3op2/debian/NEWS.Debian2023-09-19 21:20:27.0 +0200
@@ -0,0 +1,16 @@
+cups (2.3.3op2-3+deb11u4) bullseye; urgency=medium
+
+ This release addresses a security issue (CVE-2023-32360) which allows
+ unauthorized users to fetch documents over local or remote networks.
+ Since this is a configuration fix, it might be that it does not reach you if
you
+ are updating 'cups-daemon' (rather than doing a fresh installation).
+ Please double check your /etc/cups/cupds.conf file, whether it limits the
access
+ to CUPS-Get-Document with something like the following
+ >
+ >AuthType Default
+ >Require user @OWNER @SYSTEM
+ >Order deny,allow
+ >
+ (The important line is the 'AuthType Default' in this section)
+
+ -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200
diff -Nru cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch
cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch
--- cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch 1970-01-01
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch 2023-09-19
21:20:27.0 +0200
@@ -0,0 +1,27 @@
+From: Thorsten Alteholz
+Date: Wed, 20 Sep 2023 23:21:42 +0200
+Subject: CVE-2023-32360
+
+---
+ conf/cupsd.conf.in | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index 09059dc..67d1c8b 100644
+--- a/conf/cupsd.conf.in
b/conf/cupsd.conf.in
+@@ -65,7 +65,13 @@ WebInterface @CUPS_WEBIF@
+ Order deny,allow
+
+
+-
++
++Require user @OWNER @SYSTEM
++Order deny,allow
++
++
++
++AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+
diff -Nru cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch
cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch
--- cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch 1970-01-01
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch 2023-09-19
21:20:27.0 +0200
@@ -0,0 +1,33 @@
+From: Thorsten Alteholz
+Date: Wed, 20 Sep 2023 23:22:44 +0200
+Subject: CVE-2023-4504
+
+---
+ cups/raster-interpret.c | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
+index fbe52f3..89ef158 100644
+--- a/cups/raster-interpret.c
b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */
+
+ cur ++;
+
+-if (*cur == 'b')
++ /*
++ * Return NULL if we reached NULL terminator, a lone backslash
++* is not a valid character in PostScript.
++ */
++
++ if (!*cur)
++ {
++*ptr = NULL;
++
++return (NULL);
++ }
++
++ if (*cur == 'b')
+ *valptr++ = '\b';
+ else if (*cur == 'f')
+
Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4
Control: tags -1 confirmed On Wed, 2023-09-27 at 17:44 +, Thorsten Alteholz wrote: > Control: tags 1052363 - moreinfo > > > On Sat, 23 Sep 2023, Adam D. Barratt wrote: > > The same query as for bookworm applies here - do we expect users to > > know how to find the patch? > > ... and the same new text for Bullseye. > Thanks; please go ahead. Regards, Adam
Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4
Control: tags -1 moreinfo On Wed, 2023-09-20 at 21:40 +, Thorsten Alteholz wrote: > The attached debdiff for cups fixes CVE-2023-4504 and CVE-2023-32360 > in > Bullseye. These CVEs have been marked as no-dsa by the security team, > but > at least CVE-2023-32360 got anRC bug (#1051953). > +cups (2.4.2-6) unstable; urgency=low + + In case this is not a fresh installation of cups, please double check + whether your cupsd.conf really does contain the limitiation for + "CUPS-Get-Document" (see patch 0019-CVE-2023-32360.patch) The same query as for bookworm applies here - do we expect users to know how to find the patch? Regards, Adam
Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
The attached debdiff for cups fixes CVE-2023-4504 and CVE-2023-32360 in
Bullseye. These CVEs have been marked as no-dsa by the security team, but
at least CVE-2023-32360 got anRC bug (#1051953).
Thorsten
PS: There already is 2.3.3op2-3+deb11u3 in P-Udiff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog 2023-06-24 10:54:05.0 +0200
+++ cups-2.3.3op2/debian/changelog 2023-09-19 21:20:27.0 +0200
@@ -1,3 +1,12 @@
+cups (2.3.3op2-3+deb11u4) bullseye; urgency=medium
+
+ * CVE-2023-4504
+Postscript parsing heap-based buffer overflow
+ * CVE-2023-32360 (Closes: #1051953)
+authentication issue
+
+ -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200
+
cups (2.3.3op2-3+deb11u3) bullseye; urgency=medium
* CVE-2023-34241 (Closes: #1038885)
diff -Nru cups-2.3.3op2/debian/cups-daemon.NEWS
cups-2.3.3op2/debian/cups-daemon.NEWS
--- cups-2.3.3op2/debian/cups-daemon.NEWS 2023-06-22 23:22:40.0
+0200
+++ cups-2.3.3op2/debian/cups-daemon.NEWS 2023-09-19 21:20:27.0
+0200
@@ -1,3 +1,11 @@
+cups (2.4.2-6) unstable; urgency=low
+
+ In case this is not a fresh installation of cups, please double check
+ whether your cupsd.conf really does contain the limitiation for
+ "CUPS-Get-Document" (see patch 0019-CVE-2023-32360.patch)
+
+ -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200
+
cups (2.1.4-3) unstable; urgency=low
The default ErrorPolicy is changed from 'stop-printer' to 'retry-job',
diff -Nru cups-2.3.3op2/debian/NEWS.Debian cups-2.3.3op2/debian/NEWS.Debian
--- cups-2.3.3op2/debian/NEWS.Debian1970-01-01 01:00:00.0 +0100
+++ cups-2.3.3op2/debian/NEWS.Debian2023-09-19 21:20:27.0 +0200
@@ -0,0 +1,7 @@
+cups (2.4.2-6) unstable; urgency=low
+
+ In case this is not a fresh installation of cups, please double check
+ whether your cupsd.conf really does contain the limitiation for
+ "CUPS-Get-Document" (see patch 0019-CVE-2023-32360.patch)
+
+ -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200
diff -Nru cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch
cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch
--- cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch 1970-01-01
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch 2023-09-19
21:20:27.0 +0200
@@ -0,0 +1,27 @@
+From: Thorsten Alteholz
+Date: Wed, 20 Sep 2023 23:21:42 +0200
+Subject: CVE-2023-32360
+
+---
+ conf/cupsd.conf.in | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index 09059dc..67d1c8b 100644
+--- a/conf/cupsd.conf.in
b/conf/cupsd.conf.in
+@@ -65,7 +65,13 @@ WebInterface @CUPS_WEBIF@
+ Order deny,allow
+
+
+-
++
++Require user @OWNER @SYSTEM
++Order deny,allow
++
++
++
++AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+
diff -Nru cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch
cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch
--- cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch 1970-01-01
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch 2023-09-19
21:20:27.0 +0200
@@ -0,0 +1,33 @@
+From: Thorsten Alteholz
+Date: Wed, 20 Sep 2023 23:22:44 +0200
+Subject: CVE-2023-4504
+
+---
+ cups/raster-interpret.c | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
+index fbe52f3..89ef158 100644
+--- a/cups/raster-interpret.c
b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */
+
+ cur ++;
+
+-if (*cur == 'b')
++ /*
++ * Return NULL if we reached NULL terminator, a lone backslash
++* is not a valid character in PostScript.
++ */
++
++ if (!*cur)
++ {
++*ptr = NULL;
++
++return (NULL);
++ }
++
++ if (*cur == 'b')
+ *valptr++ = '\b';
+ else if (*cur == 'f')
+ *valptr++ = '\f';
diff -Nru cups-2.3.3op2/debian/patches/series
cups-2.3.3op2/debian/patches/series
--- cups-2.3.3op2/debian/patches/series 2023-06-24 10:54:05.0 +0200
+++ cups-2.3.3op2/debian/patches/series 2023-09-19 21:20:27.0 +0200
@@ -16,3 +16,5 @@
0016-Fix-certificate-comparison-CVE-2022-26691.patch
0017-CVE-2023-32324.patch
0018-CVE-2023-34241.patch
+0019-CVE-2023-32360.patch
+0020-CVE-2023-4504.patch
