Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2
On Fri, 29 Sep 2023, Adam D. Barratt wrote:
> I should have spotted this before (particularly as we recently had the same issue with another package) but debian/NEWS.Debian should simply be debian/NEWS. dh_installchangelogs then renames it to NEWS.Debian in the binary package.

OK, uploaded, I keep my fingers crossed.

Thorsten
Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2
On Thu, 2023-09-28 at 19:52 +0200, Thorsten Alteholz wrote:
> On 27.09.23 20:32, Adam D. Barratt wrote:
> > Please go ahead.
>
> great, thanks, ...
>
> ... and uploaded.

I should have spotted this before (particularly as we recently had the same issue with another package) but debian/NEWS.Debian should simply be debian/NEWS. dh_installchangelogs then renames it to NEWS.Debian in the binary package.

Regards,

Adam
Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2
On 27.09.23 20:32, Adam D. Barratt wrote:
> Please go ahead.

great, thanks, ...

... and uploaded.

Thorsten
Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2
Control: tags 1052361 - moreinfo

Hi Adam,

On Sat, 23 Sep 2023, Adam D. Barratt wrote:
> Hmm. Is there a better way we can point users to the required change here that doesn't require them knowing how to find patches applied to the source package?

yes, *sigh* the wording was bad and I also mangled the version numbers, sorry.
What do you think of this version, which was thankfully provided by IOhannes?

Thorsten

diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog --- cups-2.4.2/debian/changelog 2023-06-24 10:54:05.0 +0200 +++ cups-2.4.2/debian/changelog 2023-09-19 21:20:27.0 +0200 @@ -1,3 +1,12 @@ +cups (2.4.2-3+deb12u2) bookworm; urgency=medium + + * CVE-2023-4504 +Postscript parsing heap-based buffer overflow + * CVE-2023-32360 (Closes: #1051953) +authentication issue + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 + cups (2.4.2-3+deb12u1) bookworm; urgency=medium * CVE-2023-34241 (Closes: #1038885) diff -Nru cups-2.4.2/debian/cups-daemon.NEWS cups-2.4.2/debian/cups-daemon.NEWS --- cups-2.4.2/debian/cups-daemon.NEWS 2023-06-22 23:22:40.0 +0200 +++ cups-2.4.2/debian/cups-daemon.NEWS 2023-09-19 21:20:27.0 +0200 
@@ -1,3 +1,20 @@ +cups (2.4.2-3+deb12u2) bookworm; urgency=medium + + This release addresses a security issue (CVE-2023-32360) which allows + unauthorized users to fetch documents over local or remote networks. + Since this is a configuration fix, it might be that it does not reach you if you + are updating 'cups-daemon' (rather than doing a fresh installation). + Please double check your /etc/cups/cupds.conf file, whether it limits the access + to CUPS-Get-Document with something like the following + > + >AuthType Default + >Require user @OWNER @SYSTEM + >Order deny,allow + > + (The important line is the 'AuthType Default' in this section) + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 + cups (2.1.4-3) unstable; urgency=low The default ErrorPolicy is changed from 'stop-printer' to 'retry-job', diff -Nru cups-2.4.2/debian/NEWS.Debian cups-2.4.2/debian/NEWS.Debian --- cups-2.4.2/debian/NEWS.Debian 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/NEWS.Debian 2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,16 @@ +cups (2.4.2-3+deb12u2) bookworm; urgency=medium + + This release addresses a security issue (CVE-2023-32360) which allows + unauthorized users to fetch documents over local or remote networks. + Since this is a configuration fix, it might be that it does not reach you if you + are updating 'cups-daemon' (rather than doing a fresh installation). + Please double check your /etc/cups/cupds.conf file, whether it limits the access + to CUPS-Get-Document with something like the following + > + >AuthType Default + >Require user @OWNER @SYSTEM + >Order deny,allow + > + (The important line is the 'AuthType Default' in this section) + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 diff -Nru cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch --- cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch 2023-09-19 21:20:27.0 +0200 
@@ -0,0 +1,33 @@ +From: Thorsten Alteholz +Date: Wed, 20 Sep 2023 04:55:44 +0200 +Subject: CVE-2023-4504 + +--- + cups/raster-interpret.c | 14 +- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c +index fbe52f3..89ef158 100644 +--- a/cups/raster-interpret.c b/cups/raster-interpret.c +@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */ + + cur ++; + +-if (*cur == 'b') ++ /* ++ * Return NULL if we reached NULL terminator, a lone backslash ++* is not a valid character in PostScript. ++ */ ++ ++ if (!*cur) ++ { ++*ptr = NULL; ++ ++return (NULL); ++ } ++ ++ if (*cur == 'b') + *valptr++ = '\b'; + else if (*cur == 'f') + *valptr++ = '\f'; diff -Nru cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch --- cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,27 @@ +From: Thorsten Alteholz +Date: Wed, 20 Sep 2023 04:56:47 +0200 +Subject: CVE-2023-32360 + +--- + conf/cupsd.conf.in | 8 +++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in +index b258849..a07536f 100644 +--- a/conf/cupsd.conf.in b/conf/cupsd.conf.in +@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@ + Order deny,allow + + +- ++ ++Require user @OWNER @SYSTEM ++
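Review bot: the path in the cups-daemon.NEWS stanza is misspelled as /etc/cups/cupds.conf; the file the accompanying 0016-CVE-2023-32360.patch changes is cupsd.conf (conf/cupsd.conf.in), so the text should read /etc/cups/cupsd.conf, otherwise an admin who copies the path literally is told the file does not exist. In this copy the opening and closing lines of the quoted section survive only as bare ">" markers, so also confirm that the <Limit CUPS-Get-Document> and </Limit> lines are intact in the uploaded file, since the stanza's own remark that "AuthType Default" is the important line only makes sense inside that section.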
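Review bot: the new debian/NEWS.Debian file repeats the cups-daemon.NEWS text word for word, and a file by that name is not what dh_installchangelogs looks for; as Adam's 2023-09-29 reply in this bug states, the source-package file is debian/NEWS (installed as NEWS.Debian in the binary package). Since cups-daemon.NEWS already carries the stanza, the duplicate file should be dropped rather than renamed, or the same fix has to be maintained in two places.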
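Review bot: 0015-CVE-2023-4504.patch carries only From/Date/Subject headers with the bare CVE id; following DEP-3, an Origin: line naming the upstream commit plus a one-line Description: would let the scan_ps() change be audited without a search. The change itself is right for the bug as described: after "cur ++;" the added "if (!*cur)" check stops escape handling at the terminating NUL byte instead of stepping past it when the input ends in a lone backslash. One wording nit in the added comment: it is the NUL terminator (the byte), not "NULL terminator" (the pointer constant).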
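Review bot: the 0016-CVE-2023-32360.patch hunk is cut off in this copy after the first "++" lines, so the section that is meant to add AuthType Default for CUPS-Get-Document cannot be reviewed from here; the earlier debdiff in this bug shows the complete hunk. Independently of that, conf/cupsd.conf.in only seeds /etc/cups/cupsd.conf on a fresh install, because dpkg keeps a locally present conffile on upgrade, so for every bookworm system that already has cups-daemon installed the NEWS stanza is the only thing that delivers this fix; that is worth a sentence in the changelog entry as well, which at the moment just says "authentication issue".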
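The NEWS stanza above asks administrators to confirm by hand that their /etc/cups/cupsd.conf limits CUPS-Get-Document with AuthType Default, because an upgraded system keeps its existing conffile. The checker below is an added example, not code from the bug report or from the cups package: it parses the <Policy>/<Limit> nesting of a cupsd.conf and reports, per policy, whether CUPS-Get-Document is covered by a section that actually demands credentials. The two embedded configurations are constructed samples that mirror the before and after shape of the default policy in the 0016 patch, not copies of any real system's file.

```python
"""Audit a cupsd.conf for the CVE-2023-32360 configuration fix.

Added example (not from the bug report or the cups package). It only
understands the <Policy> / <Limit> nesting that matters here and skips
every other directive.
"""
import re
from dataclasses import dataclass, field

_OPEN = re.compile(r"^<(Policy|Limit)\s+([^>]+)>$", re.IGNORECASE)
_CLOSE = re.compile(r"^</(Policy|Limit)>$", re.IGNORECASE)


@dataclass
class Limit:
    operations: set                                  # lower-cased IPP operation names
    directives: dict = field(default_factory=dict)   # lower-cased key -> value


@dataclass
class Policy:
    name: str
    limits: list = field(default_factory=list)


def parse_policies(text):
    """Return the <Policy> blocks of a cupsd.conf with their <Limit> sections."""
    policies, policy, limit = [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        if (m := _OPEN.match(line)):
            kind, arg = m.group(1).lower(), m.group(2).strip()
            if kind == "policy":
                policy = Policy(arg)
                policies.append(policy)
            elif policy is not None:                 # a <Limit> outside a policy is ignored
                limit = Limit({op.lower() for op in arg.split()})
                policy.limits.append(limit)
        elif (m := _CLOSE.match(line)):
            if m.group(1).lower() == "limit":
                limit = None
            else:
                policy = None
        elif limit is not None:
            key, _, value = line.partition(" ")
            limit.directives[key.lower()] = value.strip()
    return policies


def requires_auth(limit):
    """A Limit forces credentials only when AuthType is something other than
    None; a 'Require user ...' line on its own is not enforced without it."""
    authtype = limit.directives.get("authtype", "None").lower()
    return authtype != "none" and "require" in limit.directives


def get_document_protected(policy):
    """True if CUPS-Get-Document is authenticated in this policy.

    A <Limit> that names the operation wins; <Limit All> is only the fallback
    for operations no other section names."""
    specific = [lim for lim in policy.limits if "cups-get-document" in lim.operations]
    fallback = [lim for lim in policy.limits if "all" in lim.operations]
    return any(requires_auth(lim) for lim in (specific or fallback))


def audit(text):
    """Map each policy name to whether CUPS-Get-Document requires authentication."""
    return {p.name: get_document_protected(p) for p in parse_policies(text)}


# Constructed samples: the default policy's shape before and after the fix.
WEAK_CONF = """\
<Policy default>
  JobPrivateAccess default
  <Limit Send-Document Send-URI Hold-Job Release-Job Cancel-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""

FIXED_CONF = """\
<Policy default>
  JobPrivateAccess default
  <Limit Send-Document Send-URI Hold-Job Release-Job Cancel-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""

if __name__ == "__main__":
    for label, conf in (("before", WEAK_CONF), ("after", FIXED_CONF)):
        print(label, audit(conf))
```

Run it against a live file with audit(open("/etc/cups/cupsd.conf").read()); any policy that reports False still serves documents of other users' jobs without credentials. The weak sample is the interesting case: it does contain a Require user line for CUPS-Get-Document, yet the checker reports it unprotected, which is precisely the distinction the NEWS stanza draws when it calls AuthType Default the important line.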
Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2
Control: tags -1 confirmed

On Wed, 2023-09-27 at 17:43 +, Thorsten Alteholz wrote:
> Control: tags 1052361 - moreinfo
>
> Hi Adam,
>
> On Sat, 23 Sep 2023, Adam D. Barratt wrote:
> > Hmm. Is there a better way we can point users to the required change here that doesn't require them knowing how to find patches applied to the source package?
>
> yes, *sigh* the wording was bad and I also mangled the version numbers, sorry.
> What do you think of this version, which was thankfully provided by IOhannes?

Much better, thanks. :-)

Please go ahead.

Regards,

Adam
Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2
Control: tags -1 moreinfo

On Wed, 2023-09-20 at 21:05 +, Thorsten Alteholz wrote:
> The attached debdiff for cups fixes CVE-2023-4504 and CVE-2023-32360 in Bookworm. These CVEs have been marked as no-dsa by the security team, but at least CVE-2023-32360 got an RC bug (#1051953).

> +cups (2.4.2-6) unstable; urgency=low + + In case this is not a fresh installation of cups, please double check + whether your cupsd.conf really does contain the limitiation for + "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch)

Hmm. Is there a better way we can point users to the required change here that doesn't require them knowing how to find patches applied to the source package?

Regards,

Adam
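Review bot: the quoted NEWS stanza is headed "cups (2.4.2-6) unstable; urgency=low" while the changelog in the same debdiff adds 2.4.2-3+deb12u2 for bookworm; the stanza should carry the version and suite that actually ship the change, or readers of NEWS.Debian have no way to tell which upload it belongs to.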
Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

The attached debdiff for cups fixes CVE-2023-4504 and CVE-2023-32360 in Bookworm. These CVEs have been marked as no-dsa by the security team, but at least CVE-2023-32360 got an RC bug (#1051953).

Thorsten

diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog --- cups-2.4.2/debian/changelog 2023-06-24 10:54:05.0 +0200 +++ cups-2.4.2/debian/changelog 2023-09-19 21:20:27.0 +0200 @@ -1,3 +1,12 @@ +cups (2.4.2-3+deb12u2) bookworm; urgency=medium + + * CVE-2023-4504 +Postscript parsing heap-based buffer overflow + * CVE-2023-32360 (Closes: #1051953) +authentication issue + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 + cups (2.4.2-3+deb12u1) bookworm; urgency=medium * CVE-2023-34241 (Closes: #1038885) diff -Nru cups-2.4.2/debian/cups-daemon.NEWS cups-2.4.2/debian/cups-daemon.NEWS --- cups-2.4.2/debian/cups-daemon.NEWS 2023-06-22 23:22:40.0 +0200 +++ cups-2.4.2/debian/cups-daemon.NEWS 2023-09-19 21:20:27.0 +0200 @@ -1,3 +1,11 @@ +cups (2.4.2-6) unstable; urgency=low + + In case this is not a fresh installation of cups, please double check + whether your cupsd.conf really does contain the limitiation for + "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch) + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 + cups (2.1.4-3) unstable; urgency=low The default ErrorPolicy is changed from 'stop-printer' to 'retry-job', diff -Nru cups-2.4.2/debian/NEWS.Debian cups-2.4.2/debian/NEWS.Debian --- cups-2.4.2/debian/NEWS.Debian 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/NEWS.Debian 2023-09-19 21:20:27.0 +0200 
@@ -0,0 +1,7 @@ +cups (2.4.2-6) unstable; urgency=low + + In case this is not a fresh installation of cups, please double check + whether your cupsd.conf really does contain the limitiation for + "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch) + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 diff -Nru cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch --- cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch 2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,33 @@ +From: Thorsten Alteholz +Date: Wed, 20 Sep 2023 04:55:44 +0200 +Subject: CVE-2023-4504 + +--- + cups/raster-interpret.c | 14 +- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c +index fbe52f3..89ef158 100644 +--- a/cups/raster-interpret.c b/cups/raster-interpret.c +@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */ + + cur ++; + +-if (*cur == 'b') ++ /* ++ * Return NULL if we reached NULL terminator, a lone backslash ++* is not a valid character in PostScript. ++ */ ++ ++ if (!*cur) ++ { ++*ptr = NULL; ++ ++return (NULL); ++ } ++ ++ if (*cur == 'b') + *valptr++ = '\b'; + else if (*cur == 'f') + *valptr++ = '\f'; diff -Nru cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch --- cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 2023-09-19 21:20:27.0 +0200 
@@ -0,0 +1,27 @@ +From: Thorsten Alteholz +Date: Wed, 20 Sep 2023 04:56:47 +0200 +Subject: CVE-2023-32360 + +--- + conf/cupsd.conf.in | 8 +++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in +index b258849..a07536f 100644 +--- a/conf/cupsd.conf.in b/conf/cupsd.conf.in +@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@ + Order deny,allow + + +- ++ ++Require user @OWNER @SYSTEM ++Order deny,allow ++ ++ ++ ++AuthType Default + Require user @OWNER @SYSTEM + Order deny,allow + diff -Nru cups-2.4.2/debian/patches/series cups-2.4.2/debian/patches/series --- cups-2.4.2/debian/patches/series2023-06-24 10:54:05.0 +0200 +++ cups-2.4.2/debian/patches/series2023-09-19 21:20:27.0 +0200 @@ -12,3 +12,5 @@ 0012-add-pt.patch 0013-CVE-2023-32324.patch 0014-CVE-2023-34241.patch +0015-CVE-2023-4504.patch +0016-CVE-2023-32360.patch
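Review bot: the cups-daemon.NEWS stanza points users at "patch 0015-CVE-2023-32360.patch", but the series hunk in this same debdiff names that patch 0016-CVE-2023-32360.patch (0015 is the CVE-2023-4504 fix), and "limitiation" is misspelled. More importantly, an admin reading NEWS.Debian on an installed system has no debian/patches directory to look in, so the stanza should quote the lines to check rather than reference a source-package file.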
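Review bot: the debian/NEWS.Debian file added here is a verbatim copy of the cups-daemon.NEWS stanza with the same wrong version heading; dh_installchangelogs installs debian/NEWS (or debian/<package>.NEWS), so a file named NEWS.Debian in the source package is not picked up, and keeping two copies means any wording fix has to be applied twice. Drop it and keep cups-daemon.NEWS.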
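Review bot: because conf/cupsd.conf.in only seeds /etc/cups/cupsd.conf on a fresh install (dpkg preserves an existing conffile on upgrade), the 0016-CVE-2023-32360.patch hunk by itself leaves every already-installed bookworm system on the old section, which has "Require user @OWNER @SYSTEM" but no AuthType line for CUPS-Get-Document. The hunk's own shape shows the fix admins need, namely a separate <Limit CUPS-Get-Document> section whose first directive is AuthType Default; the NEWS stanza should reproduce those lines so they can be pasted into the local file, and say that the Require line alone is not what closes the issue.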