subject:"Bug#1052361\: bookworm\-pu\: cups\/2.4.2\-3\+deb12u2"

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

2023-09-29 Thread Thorsten Alteholz





On Fri, 29 Sep 2023, Adam D. Barratt wrote:

I should have spotted this before (particularly as we recently had the
same issue with another package) but debian/NEWS.Debian should simply
be debian/NEWS. dh_installchangelogs then renames it to NEWS.Debian in
the binary package.


ok, uploaded, I keep my fingers crossed.

  Thorsten

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

2023-09-29 Thread Adam D. Barratt

On Thu, 2023-09-28 at 19:52 +0200, Thorsten Alteholz wrote:
> 
> On 27.09.23 20:32, Adam D. Barratt wrote:
> > Please go ahead.
> 
> great, thanks, ...
> 
> ... and uploaded.
> 

I should have spotted this before (particularly as we recently had the
same issue with another package) but debian/NEWS.Debian should simply
be debian/NEWS. dh_installchangelogs then renames it to NEWS.Debian in
the binary package.

Regards,

Adam

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

2023-09-28 Thread Thorsten Alteholz





On 27.09.23 20:32, Adam D. Barratt wrote:


Please go ahead.


great, thanks, ...

... and uploaded.

  Thorsten

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

2023-09-27 Thread Thorsten Alteholz


Control: tags 1052361 - moreinfo

Hi Adam,

On Sat, 23 Sep 2023, Adam D. Barratt wrote:

Hmm. Is there a better way we can point users to the required change
here that doesn't require them knowing how to find patches applied to
the source package?


yes, *sigh* the wording was bad and I also mangled the version numbers, 
sorry.
What do you think of this version, which was thankfully provided by 
IOhannes?


  Thorstendiff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-06-24 10:54:05.0 +0200
+++ cups-2.4.2/debian/changelog 2023-09-19 21:20:27.0 +0200
@@ -1,3 +1,12 @@
+cups (2.4.2-3+deb12u2) bookworm; urgency=medium
+
+  * CVE-2023-4504
+Postscript parsing heap-based buffer overflow
+  * CVE-2023-32360 (Closes: #1051953)
+authentication issue
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.4.2-3+deb12u1) bookworm; urgency=medium
 
   * CVE-2023-34241 (Closes: #1038885)
diff -Nru cups-2.4.2/debian/cups-daemon.NEWS cups-2.4.2/debian/cups-daemon.NEWS
--- cups-2.4.2/debian/cups-daemon.NEWS  2023-06-22 23:22:40.0 +0200
+++ cups-2.4.2/debian/cups-daemon.NEWS  2023-09-19 21:20:27.0 +0200
@@ -1,3 +1,20 @@
+cups (2.4.2-3+deb12u2) bookworm; urgency=medium
+
+  This release addresses a security issue (CVE-2023-32360) which allows
+  unauthorized users to fetch documents over local or remote networks.
+  Since this is a configuration fix, it might be that it does not reach you if 
you
+  are updating 'cups-daemon' (rather than doing a fresh installation).
+  Please double check your /etc/cups/cupds.conf file, whether it limits the 
access
+  to CUPS-Get-Document with something like the following
+  >  
+  >AuthType Default
+  >Require user @OWNER @SYSTEM
+  >Order deny,allow
+  >   
+  (The important line is the 'AuthType Default' in this section)
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.1.4-3) unstable; urgency=low
 
   The default ErrorPolicy is changed from 'stop-printer' to 'retry-job',
diff -Nru cups-2.4.2/debian/NEWS.Debian cups-2.4.2/debian/NEWS.Debian
--- cups-2.4.2/debian/NEWS.Debian   1970-01-01 01:00:00.0 +0100
+++ cups-2.4.2/debian/NEWS.Debian   2023-09-19 21:20:27.0 +0200
@@ -0,0 +1,16 @@
+cups (2.4.2-3+deb12u2) bookworm; urgency=medium
+
+  This release addresses a security issue (CVE-2023-32360) which allows
+  unauthorized users to fetch documents over local or remote networks.
+  Since this is a configuration fix, it might be that it does not reach you if 
you
+  are updating 'cups-daemon' (rather than doing a fresh installation).
+  Please double check your /etc/cups/cupds.conf file, whether it limits the 
access
+  to CUPS-Get-Document with something like the following
+  >  
+  >AuthType Default
+  >Require user @OWNER @SYSTEM
+  >Order deny,allow
+  >   
+  (The important line is the 'AuthType Default' in this section)
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
diff -Nru cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch 
cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch
--- cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch  1970-01-01 
01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch  2023-09-19 
21:20:27.0 +0200
@@ -0,0 +1,33 @@
+From: Thorsten Alteholz 
+Date: Wed, 20 Sep 2023 04:55:44 +0200
+Subject: CVE-2023-4504
+
+---
+ cups/raster-interpret.c | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
+index fbe52f3..89ef158 100644
+--- a/cups/raster-interpret.c
 b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st,   /* I  - Stack */
+ 
+   cur ++;
+ 
+-if (*cur == 'b')
++ /*
++  * Return NULL if we reached NULL terminator, a lone backslash
++* is not a valid character in PostScript.
++  */
++
++  if (!*cur)
++  {
++*ptr = NULL;
++
++return (NULL);
++  }
++
++  if (*cur == 'b')
+ *valptr++ = '\b';
+   else if (*cur == 'f')
+ *valptr++ = '\f';
diff -Nru cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 
cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch
--- cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 1970-01-01 
01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 2023-09-19 
21:20:27.0 +0200
@@ -0,0 +1,27 @@
+From: Thorsten Alteholz 
+Date: Wed, 20 Sep 2023 04:56:47 +0200
+Subject: CVE-2023-32360
+
+---
+ conf/cupsd.conf.in | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index b258849..a07536f 100644
+--- a/conf/cupsd.conf.in
 b/conf/cupsd.conf.in
+@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
+ Order deny,allow
+   
+ 
+-  
++  
++Require user @OWNER @SYSTEM
++

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

2023-09-27 Thread Adam D. Barratt

Control: tags -1 confirmed

On Wed, 2023-09-27 at 17:43 +, Thorsten Alteholz wrote:
> Control: tags 1052361 - moreinfo
> 
> Hi Adam,
> 
> On Sat, 23 Sep 2023, Adam D. Barratt wrote:
> > Hmm. Is there a better way we can point users to the required
> > change
> > here that doesn't require them knowing how to find patches applied
> > to
> > the source package?
> 
> yes, *sigh* the wording was bad and I also mangled the version
> numbers, 
> sorry.
> What do you think of this version, which was thankfully provided by 
> IOhannes?
> 

Much better, thanks. :-)

Please go ahead.

Regards,

Adam

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

2023-09-23 Thread Adam D. Barratt

Control: tags -1 moreinfo

On Wed, 2023-09-20 at 21:05 +, Thorsten Alteholz wrote:
> The attached debdiff for cups fixes CVE-2023-4504 and CVE-2023-32360
> in 
> Bookworm. These CVEs have been marked as no-dsa by the security
> team, 
> but at least CVE-2023-32360 got an RC bug (#1051953).
> 

+cups (2.4.2-6) unstable; urgency=low
+
+  In case this is not a fresh installation of cups, please double check
+  whether your cupsd.conf really does contain the limitiation for
+  "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch)

Hmm. Is there a better way we can point users to the required change
here that doesn't require them knowing how to find patches applied to
the source package?

Regards,

Adam

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

2023-09-20 Thread Thorsten Alteholz


Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for cups fixes CVE-2023-4504 and CVE-2023-32360 in 
Bookworm. These CVEs have been marked as no-dsa by the security team, 
but at least CVE-2023-32360 got an RC bug (#1051953).


  Thorstendiff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-06-24 10:54:05.0 +0200
+++ cups-2.4.2/debian/changelog 2023-09-19 21:20:27.0 +0200
@@ -1,3 +1,12 @@
+cups (2.4.2-3+deb12u2) bookworm; urgency=medium
+
+  * CVE-2023-4504
+Postscript parsing heap-based buffer overflow
+  * CVE-2023-32360 (Closes: #1051953)
+authentication issue
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.4.2-3+deb12u1) bookworm; urgency=medium
 
   * CVE-2023-34241 (Closes: #1038885)
diff -Nru cups-2.4.2/debian/cups-daemon.NEWS cups-2.4.2/debian/cups-daemon.NEWS
--- cups-2.4.2/debian/cups-daemon.NEWS  2023-06-22 23:22:40.0 +0200
+++ cups-2.4.2/debian/cups-daemon.NEWS  2023-09-19 21:20:27.0 +0200
@@ -1,3 +1,11 @@
+cups (2.4.2-6) unstable; urgency=low
+
+  In case this is not a fresh installation of cups, please double check
+  whether your cupsd.conf really does contain the limitiation for
+  "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch)
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.1.4-3) unstable; urgency=low
 
   The default ErrorPolicy is changed from 'stop-printer' to 'retry-job',
diff -Nru cups-2.4.2/debian/NEWS.Debian cups-2.4.2/debian/NEWS.Debian
--- cups-2.4.2/debian/NEWS.Debian   1970-01-01 01:00:00.0 +0100
+++ cups-2.4.2/debian/NEWS.Debian   2023-09-19 21:20:27.0 +0200
@@ -0,0 +1,7 @@
+cups (2.4.2-6) unstable; urgency=low
+
+  In case this is not a fresh installation of cups, please double check
+  whether your cupsd.conf really does contain the limitiation for
+  "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch)
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
diff -Nru cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch 
cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch
--- cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch  1970-01-01 
01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch  2023-09-19 
21:20:27.0 +0200
@@ -0,0 +1,33 @@
+From: Thorsten Alteholz 
+Date: Wed, 20 Sep 2023 04:55:44 +0200
+Subject: CVE-2023-4504
+
+---
+ cups/raster-interpret.c | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
+index fbe52f3..89ef158 100644
+--- a/cups/raster-interpret.c
 b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st,   /* I  - Stack */
+ 
+   cur ++;
+ 
+-if (*cur == 'b')
++ /*
++  * Return NULL if we reached NULL terminator, a lone backslash
++* is not a valid character in PostScript.
++  */
++
++  if (!*cur)
++  {
++*ptr = NULL;
++
++return (NULL);
++  }
++
++  if (*cur == 'b')
+ *valptr++ = '\b';
+   else if (*cur == 'f')
+ *valptr++ = '\f';
diff -Nru cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 
cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch
--- cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 1970-01-01 
01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 2023-09-19 
21:20:27.0 +0200
@@ -0,0 +1,27 @@
+From: Thorsten Alteholz 
+Date: Wed, 20 Sep 2023 04:56:47 +0200
+Subject: CVE-2023-32360
+
+---
+ conf/cupsd.conf.in | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index b258849..a07536f 100644
+--- a/conf/cupsd.conf.in
 b/conf/cupsd.conf.in
+@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
+ Order deny,allow
+   
+ 
+-  
++  
++Require user @OWNER @SYSTEM
++Order deny,allow
++  
++
++  
++AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+   
diff -Nru cups-2.4.2/debian/patches/series cups-2.4.2/debian/patches/series
--- cups-2.4.2/debian/patches/series2023-06-24 10:54:05.0 +0200
+++ cups-2.4.2/debian/patches/series2023-09-19 21:20:27.0 +0200
@@ -12,3 +12,5 @@
 0012-add-pt.patch
 0013-CVE-2023-32324.patch
 0014-CVE-2023-34241.patch
+0015-CVE-2023-4504.patch
+0016-CVE-2023-32360.patch

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

7 matches

Site Navigation

Mail list logo

Footer information