Bug#891251: jessie-pu: package cups/1.7.5-11+deb8u3

2018-06-08 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2018-02-23 at 20:03 +0100, Didier 'OdyX' Raboud wrote:
> (Mirroring #891142 for stretch):
> 
> CUPS is affected by CVE-2017-18190: remote attackers could execute arbitrary
> IPP commands by sending POST requests to the CUPS daemon in conjunction with
> DNS rebinding. This was caused by a whitelisted "localhost.localdomain" entry.
> 
> According to the Security Team it doesn't warrant a DSA, but still makes sense
> to be addressed on Jessie (and Stretch). It was fixed independently on wheezy
> already.
> 

Please go ahead; sorry for the delay.

Regards,

Adam



Processed: Re: Bug#891251: jessie-pu: package cups/1.7.5-11+deb8u3

2018-06-08 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #891251 [release.debian.org] jessie-pu: package cups/1.7.5-11+deb8u3
Added tag(s) confirmed.

-- 
891251: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891251
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#891251: jessie-pu: package cups/1.7.5-11+deb8u3

2018-02-23 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

(Mirroring #891142 for stretch):

CUPS is affected by CVE-2017-18190: remote attackers could execute arbitrary
IPP commands by sending POST requests to the CUPS daemon in conjunction with
DNS rebinding. This was caused by a whitelisted "localhost.localdomain" entry.

According to the Security Team it doesn't warrant a DSA, but still makes sense
to be addressed on Jessie (and Stretch). It was fixed independently on wheezy
already.

The proposed debdiff is attached; can I upload to jessie?
diff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog 2017-07-21 14:44:00.0 +0200
+++ cups-1.7.5/debian/changelog 2018-02-23 19:34:51.0 +0100
@@ -1,3 +1,12 @@
+cups (1.7.5-11+deb8u3) jessie; urgency=low
+
+  * CVE-2017-18190: Prevent an issue where remote attackers could execute
+arbitrary IPP commands by sending POST requests to the CUPS daemon in
+conjunction with DNS rebinding. This was caused by a whitelisted
+"localhost.localdomain" entry.
+
+ -- Didier Raboud   Fri, 23 Feb 2018 19:34:51 +0100
+
 cups (1.7.5-11+deb8u2) jessie; urgency=high
 
   * Disable SSLv3 and RC4 by default to address POODLE vulnerability
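Review bot: the new 1.7.5-11+deb8u3 entry describes the vulnerability but never says what the upload changes. Suggest adding that "localhost.localdomain" is no longer accepted as a replacement for localhost and that this is a backport of the upstream fix, so a reader of the changelog alone can tell what behaviour differs after the upgrade. The entry is also marked urgency=low while the previous entry in the context lines is urgency=high; worth confirming that is deliberate for a CVE fix.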
diff -Nru 
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
 
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
--- 
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
1970-01-01 01:00:00.0 +0100
+++ 
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
2018-02-23 19:34:51.0 +0100
@@ -0,0 +1,23 @@
+From afa80cb2b457bf8d64f775bed307588610476c41 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Tue, 3 Jan 2017 13:52:47 -0500
+Subject: [PATCH] Don't treat "localhost.localdomain" as an allowed replacement
+ for localhost, since it isn't.
+
+Fixes: CVE-2017-18190
+---
+ scheduler/client.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/scheduler/client.c
 b/scheduler/client.c
+@@ -4220,9 +4220,6 @@
+ 
+ return (!_cups_strcasecmp(con->clientname, "localhost") ||
+   !_cups_strcasecmp(con->clientname, "localhost.") ||
+-#ifdef __linux
+-  !_cups_strcasecmp(con->clientname, "localhost.localdomain") ||
+-#endif /* __linux */
+ !strcmp(con->clientname, "127.0.0.1") ||
+   !strcmp(con->clientname, "[::1]"));
+   }
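Review bot: once the three "-" lines are removed from the return expression at scheduler/client.c:4220, a request whose con->clientname is "localhost.localdomain" no longer passes this check, and nothing in the upload tells administrators who reach the daemon under that name. The removed comparison sat under #ifdef __linux, so Linux builds are the ones whose behaviour changes; a sentence in debian/changelog or a NEWS entry saying the name is no longer accepted would help. The remaining comparisons are untouched, so "localhost", "localhost.", "127.0.0.1" and "[::1]" are still matched.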
diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series
--- cups-1.7.5/debian/patches/series2017-07-21 13:32:05.0 +0200
+++ cups-1.7.5/debian/patches/series2018-02-23 19:34:51.0 +0100
@@ -66,3 +66,4 @@
 # po4a might not be appropriate. It also needs to be high on the patch
 # queue to catch all Debian-specific changes
 manpage-translations.patch
+CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
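Review bot: the new series entry is appended after manpage-translations.patch, which the comment in the context lines says has a required position in the patch queue so that it catches all Debian-specific changes. The added patch touches only scheduler/client.c, so the ordering should be harmless here, but please confirm that placing it after manpage-translations.patch rather than before it is intended.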