Your message dated Tue, 11 Jun 2024 21:49:38 +0000
with message-id <e1sh9n4-006bgn...@fasolo.debian.org>
and subject line Bug#1073002: fixed in cups 2.4.7-2
has caused the Debian Bug report #1073002,
regarding cups: CVE-2024-35235
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1073002: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073002
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cups
Version: 2.4.7-1.2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for cups.

CVE-2024-35235[0]:
| OpenPrinting CUPS is an open source printing system for Linux and
| other Unix-like operating systems. In versions 2.4.8 and earlier,
| when starting the cupsd server with a Listen configuration item
| pointing to a symbolic link, the cupsd process can be caused to
| perform an arbitrary chmod of the provided argument, providing
| world-writable access to the target. Given that cupsd is often
| running as root, this can result in the change of permission of any
| user or system files to be world writable. Given the aforementioned
| Ubuntu AppArmor context, on such systems this vulnerability is
| limited to those files modifiable by the cupsd process. In that
| specific case it was found to be possible to turn the configuration
| of the Listen argument into full control over the cupsd.conf and
| cups-files.conf configuration files. By later setting the User and
| Group arguments in cups-files.conf, and printing with a printer
| configured by PPD with a `FoomaticRIPCommandLine` argument,
| arbitrary user and group (not root) command execution could be
| achieved, which can further be used on Ubuntu systems to achieve
| full root command execution. Commit
| ff1f8a623e090dee8a8aadf12a6a4b25efac143d contains a patch for the
| issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35235
    https://www.cve.org/CVERecord?id=CVE-2024-35235
[1] https://www.openwall.com/lists/oss-security/2024/06/11/1
[2] https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
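The condition the CVE text describes (a domain-socket `Listen` path that is a symbolic link, and configuration files left world-writable) can be audited from the administrator's side. This is an added example, not code from the report or from CUPS; it assumes a configuration directory laid out like /etc/cups, and `demo()` builds a constructed temporary tree so it runs offline.

```python
import os
import re
import stat
import tempfile

# "Listen <value>"; values beginning with "/" are domain-socket paths.
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)

def listen_socket_paths(conf_text):
    """Return the Listen values in cupsd.conf that are filesystem paths."""
    paths = []
    for line in conf_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and m.group(1).startswith("/"):
            paths.append(m.group(1))
    return paths

def audit_cups(conf_dir):
    """Return (severity, message) findings for a CUPS configuration directory."""
    findings = []
    with open(os.path.join(conf_dir, "cupsd.conf")) as fh:
        conf_text = fh.read()
    for path in listen_socket_paths(conf_text):
        try:
            st = os.lstat(path)  # lstat: inspect the link itself, never its target
        except FileNotFoundError:
            continue  # cupsd creates the socket at start; nothing to inspect yet
        if stat.S_ISLNK(st.st_mode):
            findings.append(("high", f"Listen {path} is a symlink to {os.readlink(path)}"))
        elif not stat.S_ISSOCK(st.st_mode):
            findings.append(("medium", f"Listen {path} exists but is not a socket"))
    for name in ("cupsd.conf", "cups-files.conf"):
        p = os.path.join(conf_dir, name)
        if os.path.exists(p) and os.stat(p).st_mode & stat.S_IWOTH:
            findings.append(("high", f"{name} is world-writable"))
    return findings

def demo():
    """Constructed config tree reproducing the reported condition (not a real system)."""
    d = tempfile.mkdtemp()
    files_conf = os.path.join(d, "cups-files.conf")
    with open(files_conf, "w") as fh:
        fh.write("User lp\nGroup lp\n")
    os.chmod(files_conf, 0o666)  # the state a vulnerable cupsd would leave behind
    sock = os.path.join(d, "cups.sock")
    os.symlink(files_conf, sock)  # Listen path that is a link to a config file
    with open(os.path.join(d, "cupsd.conf"), "w") as fh:
        fh.write(f"Listen localhost:631\nListen {sock}\n")
    return audit_cups(d)
```

On a real host, call `audit_cups("/etc/cups")`; any "high" finding should be treated as a sign that the Listen configuration needs review and that the package should be on a version carrying the fix.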
--- Begin Message ---
Source: cups
Source-Version: 2.4.7-2
Done: Thorsten Alteholz <deb...@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1073...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 11 Jun 2024 22:16:49 +0200
Source: cups
Architecture: source
Version: 2.4.7-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Closes: 1073002
Changes:
 cups (2.4.7-2) unstable; urgency=medium
 .
   * CVE-2024-35235 (Closes: #1073002)
     fix domain socket handling
Checksums-Sha1:
 26d12c2f5cde591a7de5f41cb327e929c1a15208 3413 cups_2.4.7-2.dsc
 ac4d7df32637809039ee8b5eb93ec2b0b7b46ad0 384396 cups_2.4.7-2.debian.tar.xz
 19b9e64c5e838225ab11d4b9753a13c21b9185b8 13589 cups_2.4.7-2_amd64.buildinfo
Checksums-Sha256:
 a185abbc1dfb4b1023d27c6fe6cd0b36f7641acff3c7581db7e88c0edf32d121 3413 cups_2.4.7-2.dsc
 3524092793e346e46316e31f5680082923271742eaadd766c218eddac2b6409f 384396 cups_2.4.7-2.debian.tar.xz
 cc98666ee9b84f7f1506d39fcb5897fce8bf99b1af0ea09458c8a4057bf39d5e 13589 cups_2.4.7-2_amd64.buildinfo
Files:
 77dd157f682453a6c2c4b3c8fc47a1d4 3413 net optional cups_2.4.7-2.dsc
 ad2b80976b3de3b48075d00fe840e1e9 384396 net optional cups_2.4.7-2.debian.tar.xz
 c9e9b198f8e9fd76753335202cc31c19 13589 net optional cups_2.4.7-2_amd64.buildinfo



--- End Message ---
