Processed: Re: Bug#891142: stretch-pu: package cups/2.2.1-8+

2018-02-25 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #891142 [release.debian.org] stretch-pu: package cups/2.2.1-8+deb9u1
Added tag(s) pending.

-- 
891142: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891142
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#891142: stretch-pu: package cups/2.2.1-8+

2018-02-25 Thread Adam D. Barratt
Control: tags -1 + pending

On Fri, 2018-02-23 at 21:27 +0100, Didier 'OdyX' Raboud wrote:
> On Friday, 23 February 2018, 18:50:52 CET Adam D. Barratt wrote:
> > > The proposed debdiff is attached; can I upload to stretch?
> > 
> > Please go ahead.
> 
> Uploaded.
> 

Flagged for acceptance.

Regards,

Adam



Bug#891142: stretch-pu: package cups/2.2.1-8+

2018-02-23 Thread Didier 'OdyX' Raboud
On Friday, 23 February 2018, 18:50:52 CET Adam D. Barratt wrote:
> > The proposed debdiff is attached; can I upload to stretch?
> 
> Please go ahead.

Uploaded.

> > Do you need another bug for Jessie?

Done; #891251.

Thanks for your time!

Cheers,
OdyX



Processed: Re: Bug#891142: stretch-pu: package cups/2.2.1-8+

2018-02-23 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #891142 [release.debian.org] stretch-pu: package cups/2.2.1-8+deb9u1
Added tag(s) confirmed.

-- 
891142: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891142
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#891142: stretch-pu: package cups/2.2.1-8+

2018-02-23 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2018-02-22 at 17:57 +0100, Didier 'OdyX' Raboud wrote:
> CUPS is affected by CVE-2017-18190: remote attackers could execute
> arbitrary IPP commands by sending POST requests to the CUPS daemon in
> conjunction with DNS rebinding. This was caused by a whitelisted
> "localhost.localdomain" entry.
> 
> According to the Security Team it doesn't warrant a DSA, but still
> makes sense to be addressed on Stretch (and Jessie). It was fixed
> independently on wheezy already.
> 
> The proposed debdiff is attached; can I upload to stretch?

Please go ahead.

> Do you need another bug for Jessie?

Yes, please.

Regards,

Adam



Bug#891142: stretch-pu: package cups/2.2.1-8+

2018-02-22 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

CUPS is affected by CVE-2017-18190: remote attackers could execute arbitrary
IPP commands by sending POST requests to the CUPS daemon in conjunction with
DNS rebinding. This was caused by a whitelisted "localhost.localdomain" entry.

According to the Security Team it doesn't warrant a DSA, but still makes sense
to be addressed on Stretch (and Jessie). It was fixed independently on wheezy
already.

The proposed debdiff is attached; can I upload to stretch? Do you need another
bug for Jessie?

Cheers,
OdyX
diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog 2017-01-31 08:00:49.0 +0100
+++ cups-2.2.1/debian/changelog 2018-02-22 17:51:44.0 +0100
@@ -1,3 +1,12 @@
+cups (2.2.1-8+deb9u1) stretch; urgency=low
+
+  * CVE-2017-18190: Prevent an issue where remote attackers could execute
+arbitrary IPP commands by sending POST requests to the CUPS daemon in
+conjunction with DNS rebinding. This was caused by a whitelisted
+"localhost.localdomain" entry.
+
+ -- Didier Raboud   Thu, 22 Feb 2018 17:51:44 +0100
+
 cups (2.2.1-8) unstable; urgency=medium
 
   [ JP Guillonneau ]
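Review bot: The changelog entry states the CVE and the cause but not where the fix comes from; since the new patch header carries the upstream commit (63883f6c2d0ebbb3e7499799b727fdb7d3f52d72 by Michael R Sweet), consider adding a line such as "Cherry-pick upstream commit 63883f6c" so the stable update is traceable to its source. There is also no Closes: reference, which is fine if no Debian bug exists for this CVE, but worth checking before upload.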
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm  2017-01-18 14:02:35.0 +0100
+++ cups-2.2.1/debian/.git-dpm  2018-02-22 17:51:44.0 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-96d42e942cf2c930c3b535317bafd886c775a160
-96d42e942cf2c930c3b535317bafd886c775a160
+63883f6c2d0ebbb3e7499799b727fdb7d3f52d72
+63883f6c2d0ebbb3e7499799b727fdb7d3f52d72
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 cups_2.2.1.orig.tar.gz
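Review bot: Metadata looks consistent: the two updated lines carry 63883f6c2d0ebbb3e7499799b727fdb7d3f52d72, the same commit id as the From: line of the new 0048 patch, while the upstream lines (a3ed22ee480a278acc27433ecbc16eaa63cf2b2e and cups_2.2.1.orig.tar.gz) are untouched, as expected for an update that only adds a patch.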
diff -Nru 
cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch
 
cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch
--- 
cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch
   1970-01-01 01:00:00.0 +0100
+++ 
cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch
   2018-02-22 17:51:44.0 +0100
@@ -0,0 +1,25 @@
+From 63883f6c2d0ebbb3e7499799b727fdb7d3f52d72 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Tue, 3 Jan 2017 13:52:47 -0500
+Subject: Don't treat "localhost.localdomain" as an allowed replacement for
+ localhost, since it isn't.
+
+Fixes: CVE-2017-18190
+---
+ scheduler/client.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 42010def1..20ccf11a9 100644
+--- a/scheduler/client.c
 b/scheduler/client.c
+@@ -3890,9 +3890,6 @@ valid_host(cupsd_client_t *con)  /* I - Client 
connection */
+ 
+ return (!_cups_strcasecmp(con->clientname, "localhost") ||
+   !_cups_strcasecmp(con->clientname, "localhost.") ||
+-#ifdef __linux
+-  !_cups_strcasecmp(con->clientname, "localhost.localdomain") ||
+-#endif /* __linux */
+ !strcmp(con->clientname, "127.0.0.1") ||
+   !strcmp(con->clientname, "[::1]"));
+   }
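Review bot: The embedded patch is mangled in this copy of the debdiff: the `+++ b/scheduler/client.c` line has lost its `+++` prefix (it shows as ` b/scheduler/client.c`), the `@@ -3890,9 +3890,6 @@ valid_host(cupsd_client_t *con)` header is wrapped onto a second line, and the context lines inside the inner hunk have lost their leading `+`; before upload, confirm with `dpkg-source -x` or `quilt push -a` that the file on disk is intact and applies cleanly. On substance the change is minimal and matches the upstream subject line: it deletes only the `#ifdef __linux` alternative, so valid_host() accepts just localhost, localhost., 127.0.0.1 and [::1] as the client-supplied host name. Keeping the From/Date/Subject/Fixes: CVE-2017-18190 header preserves the upstream provenance, which is good for a stable update.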
diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series
--- cups-2.2.1/debian/patches/series2017-01-18 14:02:35.0 +0100
+++ cups-2.2.1/debian/patches/series2018-02-22 17:51:44.0 +0100
@@ -45,3 +45,4 @@
 0045-Build-mantohtml-with-the-build-architecture-compiler.patch
 0046-Do-not-execute-genstrings-during-build.patch
 manpage-translations.patch
+0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch
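Review bot: The new patch is appended after manpage-translations.patch and so applies last, which is the right place for a git-dpm managed tree; note, however, that the numbering jumps from 0046 to 0048 with no 0047 in the visible series. If 0047 was deliberately dropped earlier, a short remark in the changelog or patch header would save the next reader the question.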
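The valid_host() change in patch 0048, reimplemented as a stand-alone check so the before and after behaviour can be exercised; this is an added example written for this page, not CUPS's own code. host_is_loopback, strip_port and eq_nocase are names chosen here, the allow_localdomain flag stands in for the removed #ifdef __linux branch, and the ":port" stripping is this example's own handling of Host header values, which the patch itself does not touch.

```c
/* Added example, not CUPS code: a stand-alone version of the loopback
 * Host-header check that patch 0048 tightens; all names here are this
 * example's own. */
#include <ctype.h>
#include <string.h>

/* Case-insensitive equality, so "LOCALHOST." still matches "localhost.". */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Copy the name part of a Host header value into buf, dropping ":port"; a
 * bracketed IPv6 literal ("[::1]:631") keeps its brackets. Returns 0 if the
 * value is malformed or too long. (Port handling is this example's own.) */
static int strip_port(const char *host, char *buf, size_t len)
{
    const char *end = host + strlen(host);
    const char *colon;
    if (host[0] == '[') {
        const char *close = strchr(host, ']');
        if (!close) return 0;
        end = close + 1;
    } else if ((colon = strrchr(host, ':')) != NULL) {
        end = colon;
    }
    if ((size_t)(end - host) >= len)
        return 0;
    memcpy(buf, host, (size_t)(end - host));
    buf[end - host] = '\0';
    return 1;
}

/* 1 if the Host header names this machine. allow_localdomain = 1 reproduces
 * the pre-fix Linux behaviour (the #ifdef __linux branch the patch deletes);
 * 0 is the fixed check: only the exact loopback names and addresses pass. */
int host_is_loopback(const char *host, int allow_localdomain)
{
    char name[256];
    if (!strip_port(host, name, sizeof name))
        return 0;
    if (allow_localdomain && eq_nocase(name, "localhost.localdomain"))
        return 1;
    return eq_nocase(name, "localhost") || eq_nocase(name, "localhost.") ||
           !strcmp(name, "127.0.0.1") || !strcmp(name, "[::1]");
}
```

With allow_localdomain set to 0, a request carrying "localhost.localdomain" (with or without a port) is no longer treated as coming from the local machine, which is the whole effect of the three deleted lines.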