Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4

Thorsten Alteholz Wed, 20 Sep 2023 15:33:30 -0700

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

The attached debdiff for cups fixes CVE-2023-4504 and CVE-2023-32360 inBullseye. These CVEs have been marked as no-dsa by the security team, butat least CVE-2023-32360 got anRC bug (#1051953).


  Thorsten

PS: There already is 2.3.3op2-3+deb11u3 in P-U

diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog      2023-06-24 10:54:05.000000000 +0200
+++ cups-2.3.3op2/debian/changelog      2023-09-19 21:20:27.000000000 +0200
@@ -1,3 +1,12 @@
+cups (2.3.3op2-3+deb11u4) bullseye; urgency=medium
+
+  * CVE-2023-4504
+    Postscript parsing heap-based buffer overflow
+  * CVE-2023-32360 (Closes: #1051953)
+    authentication issue
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.3.3op2-3+deb11u3) bullseye; urgency=medium
 
   * CVE-2023-34241 (Closes: #1038885)
diff -Nru cups-2.3.3op2/debian/cups-daemon.NEWS 
cups-2.3.3op2/debian/cups-daemon.NEWS
--- cups-2.3.3op2/debian/cups-daemon.NEWS       2023-06-22 23:22:40.000000000 
+0200
+++ cups-2.3.3op2/debian/cups-daemon.NEWS       2023-09-19 21:20:27.000000000 
+0200
@@ -1,3 +1,11 @@
+cups (2.4.2-6) unstable; urgency=low
+
+  In case this is not a fresh installation of cups, please double check
+  whether your cupsd.conf really does contain the limitiation for
+  "CUPS-Get-Document" (see patch 0019-CVE-2023-32360.patch)
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.1.4-3) unstable; urgency=low
 
   The default ErrorPolicy is changed from 'stop-printer' to 'retry-job',
diff -Nru cups-2.3.3op2/debian/NEWS.Debian cups-2.3.3op2/debian/NEWS.Debian
--- cups-2.3.3op2/debian/NEWS.Debian    1970-01-01 01:00:00.000000000 +0100
+++ cups-2.3.3op2/debian/NEWS.Debian    2023-09-19 21:20:27.000000000 +0200
@@ -0,0 +1,7 @@
+cups (2.4.2-6) unstable; urgency=low
+
+  In case this is not a fresh installation of cups, please double check
+  whether your cupsd.conf really does contain the limitiation for
+  "CUPS-Get-Document" (see patch 0019-CVE-2023-32360.patch)
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Tue, 19 Sep 2023 21:20:27 +0200
diff -Nru cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch 
cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch
--- cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch      1970-01-01 
01:00:00.000000000 +0100
+++ cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch      2023-09-19 
21:20:27.000000000 +0200
@@ -0,0 +1,27 @@
+From: Thorsten Alteholz <deb...@alteholz.de>
+Date: Wed, 20 Sep 2023 23:21:42 +0200
+Subject: CVE-2023-32360
+
+---
+ conf/cupsd.conf.in | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index 09059dc..67d1c8b 100644
+--- a/conf/cupsd.conf.in
++++ b/conf/cupsd.conf.in
+@@ -65,7 +65,13 @@ WebInterface @CUPS_WEBIF@
+     Order deny,allow
+   </Limit>
+ 
+-  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs 
Set-Job-Attributes Create-Job-Subscription Renew-Subscription 
Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job 
Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job 
CUPS-Get-Document>
++  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs 
Set-Job-Attributes Create-Job-Subscription Renew-Subscription 
Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job 
Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
++    Require user @OWNER @SYSTEM
++    Order deny,allow
++  </Limit>
++
++  <Limit CUPS-Get-Document>
++    AuthType Default
+     Require user @OWNER @SYSTEM
+     Order deny,allow
+   </Limit>
diff -Nru cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch 
cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch
--- cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch       1970-01-01 
01:00:00.000000000 +0100
+++ cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch       2023-09-19 
21:20:27.000000000 +0200
@@ -0,0 +1,33 @@
+From: Thorsten Alteholz <deb...@alteholz.de>
+Date: Wed, 20 Sep 2023 23:22:44 +0200
+Subject: CVE-2023-4504
+
+---
+ cups/raster-interpret.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
+index fbe52f3..89ef158 100644
+--- a/cups/raster-interpret.c
++++ b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st,           /* I  - Stack */
+ 
+           cur ++;
+ 
+-            if (*cur == 'b')
++         /*
++          * Return NULL if we reached NULL terminator, a lone backslash
++            * is not a valid character in PostScript.
++          */
++
++          if (!*cur)
++          {
++            *ptr = NULL;
++
++            return (NULL);
++          }
++
++          if (*cur == 'b')
+             *valptr++ = '\b';
+           else if (*cur == 'f')
+             *valptr++ = '\f';
diff -Nru cups-2.3.3op2/debian/patches/series 
cups-2.3.3op2/debian/patches/series
--- cups-2.3.3op2/debian/patches/series 2023-06-24 10:54:05.000000000 +0200
+++ cups-2.3.3op2/debian/patches/series 2023-09-19 21:20:27.000000000 +0200
@@ -16,3 +16,5 @@
 0016-Fix-certificate-comparison-CVE-2022-26691.patch
 0017-CVE-2023-32324.patch
 0018-CVE-2023-34241.patch
+0019-CVE-2023-32360.patch
+0020-CVE-2023-4504.patch

Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4

Reply via email to