Your message dated Sat, 22 Jun 2024 10:32:08 +0000
with message-id <e1sky2s-004ys7...@fasolo.debian.org>
and subject line Bug#1073002: fixed in cups 2.4.2-3+deb12u6
has caused the Debian Bug report #1073002,
regarding cups: CVE-2024-35235
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1073002: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073002
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cups
Version: 2.4.7-1.2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for cups.

CVE-2024-35235[0]:
| OpenPrinting CUPS is an open source printing system for Linux and
| other Unix-like operating systems. In versions 2.4.8 and earlier,
| when starting the cupsd server with a Listen configuration item
| pointing to a symbolic link, the cupsd process can be caused to
| perform an arbitrary chmod of the provided argument, providing
| world-writable access to the target. Given that cupsd is often
| running as root, this can result in the change of permission of any
| user or system files to be world writable. Given the aforementioned
| Ubuntu AppArmor context, on such systems this vulnerability is
| limited to those files modifiable by the cupsd process. In that
| specific case it was found to be possible to turn the configuration
| of the Listen argument into full control over the cupsd.conf and
| cups-files.conf configuration files. By later setting the User and
| Group arguments in cups-files.conf, and printing with a printer
| configured by PPD with a `FoomaticRIPCommandLine` argument,
| arbitrary user and group (not root) command execution could be
| achieved, which can further be used on Ubuntu systems to achieve
| full root command execution. Commit
| ff1f8a623e090dee8a8aadf12a6a4b25efac143d contains a patch for the
| issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35235
    https://www.cve.org/CVERecord?id=CVE-2024-35235
[1] https://www.openwall.com/lists/oss-security/2024/06/11/1
[2] https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
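The condition the advisory above describes (a Listen value that resolves through a symbolic link, whose target then ends up world-writable) can be audited from the configuration and file system without touching cupsd. The following is an added example, not code from the bug report, from Debian or from CUPS; it assumes only that Unix-socket listeners in cupsd.conf are written as absolute paths, and the configuration text and directory layout it inspects are constructed inline.

```python
"""Audit cupsd.conf Listen entries for the CVE-2024-35235 symlink pattern.
Added example, not code from the bug report or from CUPS; inputs are constructed."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ListenFinding:
    path: str               # Listen value as written in cupsd.conf
    is_symlink: bool        # the condition the advisory describes
    target: Optional[str]   # resolved link target, if a symlink
    world_writable: bool    # evidence the chmod has already happened

def parse_listen(config_text: str) -> List[str]:
    """Return Listen values; comments and blank lines are skipped."""
    values = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "listen":
            values.append(parts[1].strip())
    return values

def audit_socket_listen(config_text: str) -> List[ListenFinding]:
    """Inspect each Unix-socket Listen path; host:port entries are skipped."""
    findings = []
    for value in parse_listen(config_text):
        if not value.startswith("/"):
            continue  # TCP listeners are not subject to the chmod
        is_link = os.path.islink(value)
        target = os.path.realpath(value) if is_link else None
        check = target if is_link else value
        world_writable = False
        if os.path.exists(check):  # exists() follows links, False if dangling
            world_writable = bool(os.stat(check).st_mode & stat.S_IWOTH)
        findings.append(ListenFinding(value, is_link, target, world_writable))
    return findings

def demo() -> List[ListenFinding]:
    """Constructed layout: a link named like the CUPS socket pointing at a file."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "cups-files.conf")  # stand-in, not a real install
    with open(target, "w") as fh:
        fh.write("User lp\n")
    os.chmod(target, 0o644)
    link = os.path.join(root, "cups.sock")
    os.symlink(target, link)
    config = f"Listen localhost:631\nListen {link}\n# Listen /run/cups/cups.sock\n"
    return audit_socket_listen(config)
```

Run against a real installation, point `audit_socket_listen` at the contents of cupsd.conf and treat any finding with `is_symlink` set as a misconfiguration to correct before cupsd is started on an unpatched version.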
--- Begin Message ---
Source: cups
Source-Version: 2.4.2-3+deb12u6
Done: Thorsten Alteholz <deb...@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1073...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 11 Jun 2024 22:16:49 +0200
Source: cups
Architecture: source
Version: 2.4.2-3+deb12u6
Distribution: bookworm
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Closes: 1073002
Changes:
 cups (2.4.2-3+deb12u6) bookworm; urgency=medium
 .
   * CVE-2024-35235 (Closes: #1073002)
     fix domain socket handling

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
