Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
(Mirroring #891142 for stretch):
CUPS is affected by CVE-2017-18190: remote attackers could execute arbitrary
IPP commands by sending POST requests to the CUPS daemon in conjunction with
DNS rebinding. This was caused by a whitelisted "localhost.localdomain" entry.
According to the Security Team it doesn't warrant a DSA, but still makes sense
to be addressed on Jessie (and Stretch). It was fixed independently on wheezy
already.
The proposed debdiff is attached; can I upload to jessie?
diff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog 2017-07-21 14:44:00.0 +0200
+++ cups-1.7.5/debian/changelog 2018-02-23 19:34:51.0 +0100
@@ -1,3 +1,12 @@
+cups (1.7.5-11+deb8u3) jessie; urgency=low
+
+ * CVE-2017-18190: Prevent an issue where remote attackers could execute
+arbitrary IPP commands by sending POST requests to the CUPS daemon in
+conjunction with DNS rebinding. This was caused by a whitelisted
+"localhost.localdomain" entry.
+
+ -- Didier Raboud Fri, 23 Feb 2018 19:34:51 +0100
+
cups (1.7.5-11+deb8u2) jessie; urgency=high
* Disable SSLv3 and RC4 by default to address POODLE vulnerability
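Review bot: the new 1.7.5-11+deb8u3 entry describes the CVE but does not say which file under debian/patches carries the fix or which upstream commit it backports. Naming the added patch (CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch) or the upstream commit afa80cb2b457bf8d64f775bed307588610476c41 in the bullet would let someone reading only the changelog locate the code change.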
diff -Nru
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
---
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
1970-01-01 01:00:00.0 +0100
+++
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
2018-02-23 19:34:51.0 +0100
@@ -0,0 +1,23 @@
+From afa80cb2b457bf8d64f775bed307588610476c41 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet
+Date: Tue, 3 Jan 2017 13:52:47 -0500
+Subject: [PATCH] Don't treat "localhost.localdomain" as an allowed replacement
+ for localhost, since it isn't.
+
+Fixes: CVE-2017-18190
+---
+ scheduler/client.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/scheduler/client.c
b/scheduler/client.c
+@@ -4220,9 +4220,6 @@
+
+ return (!_cups_strcasecmp(con->clientname, "localhost") ||
+ !_cups_strcasecmp(con->clientname, "localhost.") ||
+-#ifdef __linux
+- !_cups_strcasecmp(con->clientname, "localhost.localdomain") ||
+-#endif /* __linux */
+ !strcmp(con->clientname, "127.0.0.1") ||
+ !strcmp(con->clientname, "[::1]"));
+ }
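Review bot: dropping the "localhost.localdomain" comparison inside the #ifdef __linux block of scheduler/client.c is a visible behaviour change on Linux that the update does not document. After this patch, the only names the return expression still accepts are "localhost", "localhost.", "127.0.0.1" and "[::1]", so any local client or bookmark that addresses cupsd as localhost.localdomain will stop matching. For a stable update, a short note in the changelog entry or in NEWS, telling users to switch to one of the remaining names, would save bug reports. The embedded patch header also records only "Fixes: CVE-2017-18190"; adding an Origin line that points at the upstream commit would make the backport easier to audit.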
diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series
--- cups-1.7.5/debian/patches/series2017-07-21 13:32:05.0 +0200
+++ cups-1.7.5/debian/patches/series2018-02-23 19:34:51.0 +0100
@@ -66,3 +66,4 @@
# po4a might not be appropriate. It also needs to be high on the patch
# queue to catch all Debian-specific changes
manpage-translations.patch
+CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
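Review bot: the new patch is appended after manpage-translations.patch, although the comment directly above that entry says it needs to sit high on the patch queue to catch all Debian-specific changes. The CVE patch touches only scheduler/client.c according to its diffstat, so the result is the same either way, but inserting it before manpage-translations.patch would keep the series consistent with that comment.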