Your message dated Fri, 27 Sep 2024 17:19:34 +0000
with message-id <e1suecw-00fqks...@fasolo.debian.org>
and subject line Bug#1082821: fixed in libcupsfilters 2.0.0-3
has caused the Debian Bug report #1082821,
regarding libcupsfilters: CVE-2024-47076
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1082821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082821
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libcupsfilters
Version: 2.0.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libcupsfilters.

CVE-2024-47076[0]:
| CUPS is a standards-based, open-source printing system, and
| `libcupsfilters` contains the code of the filters of the former
| `cups-filters` package as library functions to be used for the data
| format conversion tasks needed in Printer Applications. The
| `cfGetPrinterAttributes5` function in `libcupsfilters` does not
| sanitize IPP attributes returned from an IPP server. When these IPP
| attributes are used, for instance, to generate a PPD file, this can
| lead to attacker controlled data to be provided to the rest of the
| CUPS system.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47076
    https://www.cve.org/CVERecord?id=CVE-2024-47076
[1] https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5
[2] https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
[3] https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3d20c109332d14672a807353cdc551018

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libcupsfilters
Source-Version: 2.0.0-3
Done: Thorsten Alteholz <deb...@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
libcupsfilters, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1082...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated libcupsfilters package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 26 Sep 2024 23:45:05 +0200
Source: libcupsfilters
Architecture: source
Version: 2.0.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Closes: 1082821
Changes:
 libcupsfilters (2.0.0-3) unstable; urgency=medium
 .
   * CVE-2024-47076 (Closes: #1082821)
     cfGetPrinterAttributes5(): Validate response attributes before return
   * temporarily disable libcupsfilters-2-functionality for now

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
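
The CVE description and the changelog line "Validate response attributes before return" both come down to checking every attribute in a server's response before any caller uses it. The following is an added example of that pattern, not the upstream patch or libcupsfilters code; the `struct attr` model, the function names and the syntax rules are simplified assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified attribute model (not libcups' ipp_attribute_t). */
enum syntax { SYN_KEYWORD, SYN_TEXT };
struct attr { const char *name; enum syntax syntax; const char *value; };

/* Assumed rule: keyword = lowercase letters, digits, '-', '.', '_'; 1..255 bytes. */
static int keyword_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 255) return 0;
    for (; *s; s++)
        if (!((*s >= 'a' && *s <= 'z') || (*s >= '0' && *s <= '9') ||
              *s == '-' || *s == '.' || *s == '_'))
            return 0;
    return 1;
}

/* Assumed rule: text is at most 1023 bytes and carries no control bytes. */
static int text_ok(const char *s)
{
    if (strlen(s) > 1023) return 0;
    for (; *s; s++)
        if ((unsigned char)*s < 0x20 || *s == 0x7f) return 0;
    return 1;
}

/* An attribute passes only if its name is a keyword and its value fits its syntax. */
int attr_ok(const struct attr *a)
{
    if (!a->name || !a->value || !keyword_ok(a->name)) return 0;
    return a->syntax == SYN_KEYWORD ? keyword_ok(a->value) : text_ok(a->value);
}

/* 1 only if every attribute passes; otherwise the caller drops the whole response. */
int response_ok(const struct attr *attrs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!attr_ok(&attrs[i])) return 0;
    return 1;
}

/* Constructed sample responses: the second carries a control byte in a text value. */
const struct attr good_resp[] = { { "printer-make-and-model", SYN_TEXT, "Example Printer 1000" },
                                  { "media-default", SYN_KEYWORD, "iso_a4_210x297mm" } };
const struct attr bad_resp[]  = { { "printer-make-and-model", SYN_TEXT, "Example\nPrinter" },
                                  { "media-default", SYN_KEYWORD, "iso_a4_210x297mm" } };

int main(void) { return (response_ok(good_resp, 2) && !response_ok(bad_resp, 2)) ? 0 : 1; }
```

Rejecting the whole response when one attribute fails keeps partially trusted data away from later consumers such as PPD generation.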
