Bug#1074439: bookworm-pu: cups/2.4.2-3+deb12u7

2024-06-28 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


I know I am rather late, but while preparing a new version of cups for
unstable, I found an upstream regression in the latest fix for
CVE-2024-35235. Four further commits are also needed when cups uses
only a domain socket for communication.
In unstable this showed up as #1073852 and #1074074, so this seems to be a
valid use case.


  Thorsten

PS: to speed things up, I have already uploaded the package.
diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2024-06-11 19:32:57.0 +0200
+++ cups-2.4.2/debian/changelog 2024-06-27 23:16:49.0 +0200
@@ -1,3 +1,10 @@
+cups (2.4.2-3+deb12u7) bookworm; urgency=medium
+
+  * fix regression of CVE-2024-35235 in case only domain sockets
+are used
+
+ -- Thorsten Alteholz   Thu, 27 Jun 2024 23:16:49 +0200
+
 cups (2.4.2-3+deb12u6) bookworm; urgency=medium
 
   * CVE-2024-35235 (Closes: #1073002)
diff -Nru cups-2.4.2/debian/patches/0020-CVE-2024-35235-regression1.patch 
cups-2.4.2/debian/patches/0020-CVE-2024-35235-regression1.patch
--- cups-2.4.2/debian/patches/0020-CVE-2024-35235-regression1.patch 
1970-01-01 01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0020-CVE-2024-35235-regression1.patch 
2024-06-27 23:16:49.0 +0200
@@ -0,0 +1,47 @@
+commit 7adb50839710f908af11a2f0a7d4b7aa506af2b8
+Author: Michael R Sweet 
+Date:   Fri Jun 14 15:09:41 2024 -0400
+
+Don't abort early if there are no listen sockets after loading cupsd.conf 
(Issue #985)
+
+Index: cups-2.4.2/scheduler/conf.c
+===
+--- cups-2.4.2.orig/scheduler/conf.c   2024-06-26 16:06:39.865759162 +0200
 cups-2.4.2/scheduler/conf.c2024-06-26 16:06:39.865759162 +0200
+@@ -1052,7 +1052,7 @@
+   * as an error and exit!
+   */
+ 
+-  if (cupsArrayCount(Listeners) == 0)
++  if (cupsArrayCount(Listeners) == 0 && !OnDemand)
+   {
+/*
+ * No listeners!
+Index: cups-2.4.2/scheduler/main.c
+===
+--- cups-2.4.2.orig/scheduler/main.c   2024-06-26 16:06:39.865759162 +0200
 cups-2.4.2/scheduler/main.c2024-06-26 16:06:39.865759162 +0200
+@@ -2037,6 +2037,23 @@
+ service_add_listener(fd, 0);
+   }
+ #endif /* HAVE_LAUNCHD */
++
++  if (cupsArrayCount(Listeners) == 0)
++  {
++   /*
++* No listeners!
++*/
++
++cupsdLogMessage(CUPSD_LOG_EMERG,
++"No valid Listen or Port lines were found in the "
++  "configuration file.");
++
++   /*
++* Commit suicide...
++*/
++
++cupsdEndProcess(getpid(), 0);
++  }
+ }
+ 
+ 
diff -Nru cups-2.4.2/debian/patches/0021-CVE-2024-35235-regression2.patch 
cups-2.4.2/debian/patches/0021-CVE-2024-35235-regression2.patch
--- cups-2.4.2/debian/patches/0021-CVE-2024-35235-regression2.patch 
1970-01-01 01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0021-CVE-2024-35235-regression2.patch 
2024-06-27 23:16:49.0 +0200
@@ -0,0 +1,22 @@
+commit 824f49f24d6babc2c02215ee6303fee7ce6a553a
+Author: Michael R Sweet 
+Date:   Fri Jun 14 15:16:11 2024 -0400
+
+Fix builds without on-demand support.
+
+Index: cups-2.4.2/scheduler/conf.c
+===
+--- cups-2.4.2.orig/scheduler/conf.c   2024-06-26 16:07:35.737840279 +0200
 cups-2.4.2/scheduler/conf.c2024-06-26 16:07:35.737840279 +0200
+@@ -1052,7 +1052,11 @@
+   * as an error and exit!
+   */
+ 
++#ifdef HAVE_ONDEMAND
+   if (cupsArrayCount(Listeners) == 0 && !OnDemand)
++#else
++  if (cupsArrayCount(Listeners) == 0)
++#endif // HAVE_ONDEMAND
+   {
+/*
+ * No listeners!
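Review bot: The new `#endif // HAVE_ONDEMAND` in conf.c closes the added conditional with a `//` comment, while the neighbouring preprocessor lines in this package use the `/* ... */` form (for example `#endif /* HAVE_LAUNCHD */` in the main.c hunk of the preceding regression1 patch), so the file ends up carrying two conventions side by side. I would write `#endif /* HAVE_ONDEMAND */` to match. The same remark applies to the bullseye copy in 0023-CVE-2024-35235-regression2.patch and to the `#endif // HAVE_ONDEMAND` line added by both copies of the original CVE-2024-35235 patch. The enclosing function in conf.c starts and ends outside the hunk.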
diff -Nru cups-2.4.2/debian/patches/0022-CVE-2024-35235-regression3.patch 
cups-2.4.2/debian/patches/0022-CVE-2024-35235-regression3.patch
--- cups-2.4.2/debian/patches/0022-CVE-2024-35235-regression3.patch 
1970-01-01 01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0022-CVE-2024-35235-regression3.patch 
2024-06-27 23:16:49.0 +0200
@@ -0,0 +1,102 @@
+commit 74f437b7d20be44bacbbbc792da69ff9c82dfe8f
+Author: Zdenek Dohnal 
+Date:   Tue Jun 18 10:43:30 2024 +0200
+
+scheduler: Fix cupsd activated on-demand via socket
+
+If only the expected cups.sock is set as listener in cupsd.conf, the
+array Listeners was NULL. To prevent copying the code, do the array
+allocation earlier and have only one check for Listeners, in
+service_checkin() which is run every time cupsd starts.
+
+Fixes #985
+
+Index: cups-2.4.2/scheduler/conf.c
+===
+--- cups-2.4.2.orig/scheduler/conf.c   2024-06-28 11:44:05.099633082 +0200
 cups-2.4.2/scheduler/conf.c2024-06-28 11:44:05.095633082 +0200
+@@ -558,6 +558,18 @@
+ 
+   cupsdDeleteAllListeners();
+ 

Bug#1074438: bullseye-pu: cups/2.3.3op2-3+deb11u8

2024-06-28 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


I know I am rather late, but while preparing a new version of cups for
unstable, I found an upstream regression in the latest fix for
CVE-2024-35235. Four further commits are also needed when cups uses
only a domain socket for communication.
In unstable this showed up as #1073852 and #1074074, so this seems to be a
valid use case.



  Thorsten

PS: to speed things up, I have already uploaded the package.

diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog  2024-06-11 19:33:32.0 +0200
+++ cups-2.3.3op2/debian/changelog  2024-06-25 22:16:49.0 +0200
@@ -1,3 +1,10 @@
+cups (2.3.3op2-3+deb11u8) bullseye; urgency=medium
+
+  * fix regression of CVE-2024-35235 in case only domain sockets
+are used
+
+ -- Thorsten Alteholz   Tue, 25 Jun 2024 22:16:49 +0200
+
 cups (2.3.3op2-3+deb11u7) bullseye; urgency=medium
 
   * CVE-2024-35235 (Closes: #1073002)
diff -Nru cups-2.3.3op2/debian/patches/0022-CVE-2024-35235-regression1.patch 
cups-2.3.3op2/debian/patches/0022-CVE-2024-35235-regression1.patch
--- cups-2.3.3op2/debian/patches/0022-CVE-2024-35235-regression1.patch  
1970-01-01 01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0022-CVE-2024-35235-regression1.patch  
2024-06-25 22:16:49.0 +0200
@@ -0,0 +1,47 @@
+commit 7adb50839710f908af11a2f0a7d4b7aa506af2b8
+Author: Michael R Sweet 
+Date:   Fri Jun 14 15:09:41 2024 -0400
+
+Don't abort early if there are no listen sockets after loading cupsd.conf 
(Issue #985)
+
+Index: cups-2.3.3op2/scheduler/conf.c
+===
+--- cups-2.3.3op2.orig/scheduler/conf.c2024-06-26 14:29:33.834864098 
+0200
 cups-2.3.3op2/scheduler/conf.c 2024-06-26 14:29:33.834864098 +0200
+@@ -1063,7 +1063,7 @@
+   * as an error and exit!
+   */
+ 
+-  if (cupsArrayCount(Listeners) == 0)
++  if (cupsArrayCount(Listeners) == 0 && !OnDemand)
+   {
+/*
+ * No listeners!
+Index: cups-2.3.3op2/scheduler/main.c
+===
+--- cups-2.3.3op2.orig/scheduler/main.c2024-06-26 14:29:33.834864098 
+0200
 cups-2.3.3op2/scheduler/main.c 2024-06-26 14:29:33.834864098 +0200
+@@ -2040,6 +2040,23 @@
+ service_add_listener(fd, 0);
+   }
+ #endif /* HAVE_LAUNCHD */
++
++  if (cupsArrayCount(Listeners) == 0)
++  {
++   /*
++* No listeners!
++*/
++
++cupsdLogMessage(CUPSD_LOG_EMERG,
++"No valid Listen or Port lines were found in the "
++  "configuration file.");
++
++   /*
++* Commit suicide...
++*/
++
++cupsdEndProcess(getpid(), 0);
++  }
+ }
+ 
+ 
diff -Nru cups-2.3.3op2/debian/patches/0023-CVE-2024-35235-regression2.patch 
cups-2.3.3op2/debian/patches/0023-CVE-2024-35235-regression2.patch
--- cups-2.3.3op2/debian/patches/0023-CVE-2024-35235-regression2.patch  
1970-01-01 01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0023-CVE-2024-35235-regression2.patch  
2024-06-25 22:16:49.0 +0200
@@ -0,0 +1,22 @@
+commit 824f49f24d6babc2c02215ee6303fee7ce6a553a
+Author: Michael R Sweet 
+Date:   Fri Jun 14 15:16:11 2024 -0400
+
+Fix builds without on-demand support.
+
+Index: cups-2.3.3op2/scheduler/conf.c
+===
+--- cups-2.3.3op2.orig/scheduler/conf.c2024-06-26 16:08:52.549951772 
+0200
 cups-2.3.3op2/scheduler/conf.c 2024-06-26 16:08:52.545951766 +0200
+@@ -1063,7 +1063,11 @@
+   * as an error and exit!
+   */
+ 
++#ifdef HAVE_ONDEMAND
+   if (cupsArrayCount(Listeners) == 0 && !OnDemand)
++#else
++  if (cupsArrayCount(Listeners) == 0)
++#endif // HAVE_ONDEMAND
+   {
+/*
+ * No listeners!
diff -Nru cups-2.3.3op2/debian/patches/0024-CVE-2024-35235-regression3.patch 
cups-2.3.3op2/debian/patches/0024-CVE-2024-35235-regression3.patch
--- cups-2.3.3op2/debian/patches/0024-CVE-2024-35235-regression3.patch  
1970-01-01 01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0024-CVE-2024-35235-regression3.patch  
2024-06-25 22:16:49.0 +0200
@@ -0,0 +1,102 @@
+commit 74f437b7d20be44bacbbbc792da69ff9c82dfe8f
+Author: Zdenek Dohnal 
+Date:   Tue Jun 18 10:43:30 2024 +0200
+
+scheduler: Fix cupsd activated on-demand via socket
+
+If only the expected cups.sock is set as listener in cupsd.conf, the
+array Listeners was NULL. To prevent copying the code, do the array
+allocation earlier and have only one check for Listeners, in
+service_checkin() which is run every time cupsd starts.
+
+Fixes #985
+
+Index: cups-2.3.3op2/scheduler/conf.c
+===
+--- cups-2.3.3op2.orig/scheduler/conf.c2024-06-28 16:22:55.876537369 
+0200
 cups-2.3.3op2/scheduler/conf.c

Bug#1073519: bullseye-pu: cups/2.3.3op2-3+deb11u7

2024-06-21 Thread Thorsten Alteholz




On Mon, 17 Jun 2024, Adam D. Barratt wrote:

Please go ahead.


Great, thanks ...

... and uploaded.

  Thorsten



Bug#1073518: bookworm-pu: cups/2.4.2-3+deb12u6

2024-06-21 Thread Thorsten Alteholz




On Mon, 17 Jun 2024, Adam D. Barratt wrote:

Please go ahead.


great, thanks ...

... and uploaded.

  Thorsten



Re: Requesting for the loong64 port could be included in the Official ports

2024-06-18 Thread Thorsten Alteholz

Hi Dandan,

On Mon, 17 Jun 2024, zhangdandan wrote:
I hope you don't mind if I already make use of the Loongson team. Do you 
have any idea why package cups does occasionally fail to build on loong64?

(-> https://buildd.debian.org/status/logs.php?pkg=cups=loong64)


Thanks for your reply and help.
Cups needs no additional architecture-specific support.
Currently, the cups package has been built and installed.
Please view 
http://ftp.ports.debian.org/debian-ports/pool-loong64/main/c/cups/.
It sometimes fails to build in the Debian package auto-building environment
because of source package version upgrades, but this is quickly fixed by the cups maintainers.


when you look at the link I provided:
  https://buildd.debian.org/status/logs.php?pkg=cups=loong64
you can see that building cups failed several times. It even failed twice
for version 2.4.7-1.2+b1 and once for 2.4.7-3. Those failures have nothing
to do with source package version upgrades; please be assured that the
maintainer didn't fix anything but simply gave the package back to the
buildd. Such unreliable builds might be fine for the ports architectures,
but they are not really acceptable for release architectures (I am not part
of the release team, so I hope nobody disagrees with this statement).
This issue looks like a typical task for the porters of an architecture, 
so I have a favour to ask you. Could the Loongson team please have a look 
at it and maybe provide a patch to make the build more reliable?


  Thorsten



Re: Requesting for the loong64 port could be included in the Official ports

2024-06-16 Thread Thorsten Alteholz

Hi Dandan,

On Fri, 14 Jun 2024, zhangdandan wrote:

In this email, I have added partners and products information for LoongArch.
There are also download links under some of the partner and product links.
(...)


thanks a lot for all the information. That list is really helpful.

Loongson team will always maintain the LoongArch architecture with Debian 
Community.


I hope you don't mind if I already make use of the Loongson team. Do you 
have any idea why package cups does occasionally fail to build on 
loong64?

(-> https://buildd.debian.org/status/logs.php?pkg=cups=loong64)



- How to buy LoongArch hardware in Europe?
Which of the international buying channels, such as Amazon, eBay, Ozon, etc., 
is preferred in Europe?


This is only my opinion, but I would prefer to buy at Amazon.

Best regards
Thorsten



Bug#1073519: bullseye-pu: cups/2.3.3op2-3+deb11u7

2024-06-16 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for cups fixes CVE-2024-35235 in Bullseye. The CVE
has been marked as no-dsa by the security team. The same patch has already
been uploaded to unstable.


  Thorsten
diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog  2023-10-05 16:35:27.0 +0200
+++ cups-2.3.3op2/debian/changelog  2024-06-11 19:33:32.0 +0200
@@ -1,3 +1,10 @@
+cups (2.3.3op2-3+deb11u7) bullseye; urgency=medium
+
+  * CVE-2024-35235 (Closes: #1073002)
+fix domain socket handling
+
+ -- Thorsten Alteholz   Tue, 11 Jun 2024 22:16:49 +0200
+
 cups (2.3.3op2-3+deb11u6) bullseye; urgency=medium
 
   * remove debian/NEWS again to avoid too much information when only
diff -Nru cups-2.3.3op2/debian/patches/0021-CVE-2024-35235.patch 
cups-2.3.3op2/debian/patches/0021-CVE-2024-35235.patch
--- cups-2.3.3op2/debian/patches/0021-CVE-2024-35235.patch  1970-01-01 
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0021-CVE-2024-35235.patch  2024-06-11 
13:16:28.0 +0200
@@ -0,0 +1,108 @@
+commit 2f87c46b719e6edf0b6900e5eb307b7154e183e8
+Author: Zdenek Dohnal 
+Date:   Mon Jun 3 18:53:58 2024 +0200
+
+Fix domain socket handling
+
+- Check status of unlink and bind system calls.
+- Don't allow extra domain sockets when running from launchd/systemd.
+- Validate length of domain socket path (< sizeof(sun_path))
+
+Fixes CVE-2024-35235, written by Mike Sweet
+
+Index: cups-2.3.3op2/cups/http-addr.c
+===
+--- cups-2.3.3op2.orig/cups/http-addr.c2024-06-11 13:15:45.109860935 
+0200
 cups-2.3.3op2/cups/http-addr.c 2024-06-11 13:16:25.961881895 +0200
+@@ -1,6 +1,7 @@
+ /*
+  * HTTP address routines for CUPS.
+  *
++ * Copyright 2024 by OpenPrinting
+  * Copyright 2007-2019 by Apple Inc.
+  * Copyright 1997-2006 by Easy Software Products, all rights reserved.
+  *
+@@ -200,27 +201,31 @@
+ * Remove any existing domain socket file...
+ */
+ 
+-unlink(addr->un.sun_path);
+-
+-   /*
+-* Save the current umask and set it to 0 so that all users can access
+-* the domain socket...
+-*/
+-
+-mask = umask(0);
+-
+-   /*
+-* Bind the domain socket...
+-*/
+-
+-status = bind(fd, (struct sockaddr *)addr, 
(socklen_t)httpAddrLength(addr));
+-
+-   /*
+-* Restore the umask and fix permissions...
+-*/
+-
+-umask(mask);
+-chmod(addr->un.sun_path, 0140777);
++if ((status = unlink(addr->un.sun_path)) < 0)
++{
++  DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", 
addr->un.sun_path, strerror(errno)));
++
++  if (errno == ENOENT)
++   status = 0;
++}
++
++
++if (!status)
++{
++  // Save the current umask and set it to 0 so that all users can access
++  // the domain socket...
++  mask = umask(0);
++
++
++  // Bind the domain socket...
++  if ((status = bind(fd, (struct sockaddr *)addr, 
(socklen_t)httpAddrLength(addr))) < 0)
++  {
++   DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": 
%s", addr->un.sun_path, strerror(errno)));
++  }
++
++  // Restore the umask...
++  umask(mask);
++}
+   }
+   else
+ #endif /* AF_LOCAL */
+Index: cups-2.3.3op2/scheduler/conf.c
+===
+--- cups-2.3.3op2.orig/scheduler/conf.c2024-06-11 13:15:45.109860935 
+0200
 cups-2.3.3op2/scheduler/conf.c 2024-06-11 13:15:45.109860935 +0200
+@@ -3074,6 +3074,26 @@
+ 
+ 
+  /*
++  * If we are launched on-demand, do not use domain sockets from the 
config
++  * file.  Also check that the domain socket path is not too long...
++  */
++
++#ifdef HAVE_ONDEMAND
++  if (*value == '/' && OnDemand)
++  {
++if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++  cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d 
- only using domain socket from launchd/systemd.", line, value, linenum);
++continue;
++  }
++#endif // HAVE_ONDEMAND
++
++  if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 
1))
++  {
++cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - 
too long.", line, value, linenum);
++continue;
++  }
++
++ /*
+   * Get the address list...
+   */
+ 
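Review bot: In the new unlink() block of http-addr.c the `errno == ENOENT` test comes after the `DEBUG_printf` call, which passes `strerror(errno)` and presumably emits output in debug builds, so errno may already be overwritten by the time it is compared and a merely missing socket file could be treated as a hard failure on those builds. Test the condition before anything else runs: `if ((status = unlink(addr->un.sun_path)) < 0 && errno == ENOENT) status = 0; else if (status < 0) DEBUG_printf((...));` with the existing message. The same ordering is in the bookworm copy of this patch (0019-CVE-2024-35235.patch, http-addr.c hunk). httpAddrListen's body starts and ends outside the hunk.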
diff -Nru cups-2.3.3op2/debian/patches/series 
cups-2.3.3op2/debian/patches/series
--- cups-2.3.3op2/debian/patches/series 2023-10-05 16:35:27.0 +0200
+++ cups-2.3.3op2/debian/patches/series 2024-06-11 13:15:04.0 +0200
@@ -18,3 +18,4 @@
 0018-CVE-2023-34241.patch
 0019-CVE-2023-32360.patch
 0020-CVE-2023-4504.patch
+0021-CVE-2024-35235.patch


Bug#1073518: bookworm-pu: cups/2.4.2-3+deb12u6

2024-06-16 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for cups fixes CVE-2024-35235 in Bookworm. The CVE
has been marked as no-dsa by the security team. The same patch has already
been uploaded to unstable.


  Thorstendiff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-12-01 20:35:27.0 +0100
+++ cups-2.4.2/debian/changelog 2024-06-11 19:32:57.0 +0200
@@ -1,3 +1,10 @@
+cups (2.4.2-3+deb12u6) bookworm; urgency=medium
+
+  * CVE-2024-35235 (Closes: #1073002)
+fix domain socket handling
+
+ -- Thorsten Alteholz   Tue, 11 Jun 2024 22:16:49 +0200
+
 cups (2.4.2-3+deb12u5) bookworm; urgency=medium
 
   * 0017-check-colormodel-also-for-CMYK.patch
diff -Nru cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch 
cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch
--- cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch 1970-01-01 
01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch 2024-06-11 
13:11:25.0 +0200
@@ -0,0 +1,108 @@
+commit 2f87c46b719e6edf0b6900e5eb307b7154e183e8
+Author: Zdenek Dohnal 
+Date:   Mon Jun 3 18:53:58 2024 +0200
+
+Fix domain socket handling
+
+- Check status of unlink and bind system calls.
+- Don't allow extra domain sockets when running from launchd/systemd.
+- Validate length of domain socket path (< sizeof(sun_path))
+
+Fixes CVE-2024-35235, written by Mike Sweet
+
+Index: cups-2.4.2/cups/http-addr.c
+===
+--- cups-2.4.2.orig/cups/http-addr.c   2024-06-11 13:11:20.465733904 +0200
 cups-2.4.2/cups/http-addr.c2024-06-11 13:11:20.465733904 +0200
+@@ -1,6 +1,7 @@
+ /*
+  * HTTP address routines for CUPS.
+  *
++ * Copyright © 2023-2024 by OpenPrinting
+  * Copyright © 2007-2021 by Apple Inc.
+  * Copyright © 1997-2006 by Easy Software Products, all rights reserved.
+  *
+@@ -206,27 +207,31 @@
+ * Remove any existing domain socket file...
+ */
+ 
+-unlink(addr->un.sun_path);
+-
+-   /*
+-* Save the current umask and set it to 0 so that all users can access
+-* the domain socket...
+-*/
+-
+-mask = umask(0);
+-
+-   /*
+-* Bind the domain socket...
+-*/
+-
+-status = bind(fd, (struct sockaddr *)addr, 
(socklen_t)httpAddrLength(addr));
+-
+-   /*
+-* Restore the umask and fix permissions...
+-*/
+-
+-umask(mask);
+-chmod(addr->un.sun_path, 0140777);
++if ((status = unlink(addr->un.sun_path)) < 0)
++{
++  DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", 
addr->un.sun_path, strerror(errno)));
++
++  if (errno == ENOENT)
++   status = 0;
++}
++
++
++if (!status)
++{
++  // Save the current umask and set it to 0 so that all users can access
++  // the domain socket...
++  mask = umask(0);
++
++
++  // Bind the domain socket...
++  if ((status = bind(fd, (struct sockaddr *)addr, 
(socklen_t)httpAddrLength(addr))) < 0)
++  {
++   DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": 
%s", addr->un.sun_path, strerror(errno)));
++  }
++
++  // Restore the umask...
++  umask(mask);
++}
+   }
+   else
+ #endif /* AF_LOCAL */
+Index: cups-2.4.2/scheduler/conf.c
+===
+--- cups-2.4.2.orig/scheduler/conf.c   2024-06-11 13:11:20.465733904 +0200
 cups-2.4.2/scheduler/conf.c2024-06-11 13:11:20.465733904 +0200
+@@ -3077,6 +3077,26 @@
+ 
+ 
+  /*
++  * If we are launched on-demand, do not use domain sockets from the 
config
++  * file.  Also check that the domain socket path is not too long...
++  */
++
++#ifdef HAVE_ONDEMAND
++  if (*value == '/' && OnDemand)
++  {
++if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++  cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d 
- only using domain socket from launchd/systemd.", line, value, linenum);
++continue;
++  }
++#endif // HAVE_ONDEMAND
++
++  if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 
1))
++  {
++cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - 
too long.", line, value, linenum);
++continue;
++  }
++
++ /*
+   * Get the address list...
+   */
+ 
diff -Nru cups-2.4.2/debian/patches/series cups-2.4.2/debian/patches/series
--- cups-2.4.2/debian/patches/series2023-12-01 20:35:27.0 +0100
+++ cups-2.4.2/debian/patches/series2024-06-11 13:11:18.0 +0200
@@ -16,3 +16,4 @@
 0016-CVE-2023-32360.patch
 0017-check-colormodel-also-for-CMYK.patch
 0018-dont-override-color-settings-from-print-dialoag.patch
+0019-CVE-2024-35235.patch


Bug#1070153: bookworm-pu: qtbase-opensource-src/5.15.8+dfsg-11+deb12u2

2024-06-16 Thread Thorsten Alteholz




On 15.06.24 17:06, Adam D. Barratt wrote:


Please go ahead.


great, thanks ...

... and uploaded.

  Thorsten



Re: Requesting for the loong64 port could be included in the Official ports

2024-06-13 Thread Thorsten Alteholz

Hi Dandan,

On 12.06.24 11:28, zhangdandan wrote:


2. Answer the questions included in the archive criteria.
I have created a ArchiveQualification page for loong64 and answered 
the questions. I will update continuously.

Please check https://wiki.debian.org/ArchiveQualification/loong64.



From my point of view you didn't answer question 6. Can you please
provide an English version of the linked partner information?
Adding a new architecture to Debian increases the burden on every
package maintainer and of course on all teams dealing with the
infrastructure as well, so the effort of doing so must be worth it.
Please be more specific about the number of users who are already using
your architecture.


On IRC (nick: ta) you wanted to give me some links where I could buy
your hardware in Europe. I don't think you will attract enough
developers as porters if nobody can buy your hardware, not to mention
the non-existent user base. No, I don't consider Aliexpress a suitable
source for expensive hardware.

So how do you want to attract more people as porters?

  Thorsten



Bug#1070154: bullseye-pu: qtbase-opensource-src/5.15.2+dfsg-9+deb11u1

2024-05-12 Thread Thorsten Alteholz

Hi Jonathan,

On 12.05.24 13:13, Jonathan Wiltshire wrote:

Please go ahead.


great, thanks ...

... and done.

  Thorsten


Bug#1070154: bullseye-pu: qtbase-opensource-src/5.15.2+dfsg-9+deb11u1

2024-04-30 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for qtbase-opensource-src fixes several CVEs in 
Bullseye. All CVEs are marked as no-dsa by the security team.


  Thorstendiff -Nru qtbase-opensource-src-5.15.2+dfsg/debian/changelog 
qtbase-opensource-src-5.15.2+dfsg/debian/changelog
--- qtbase-opensource-src-5.15.2+dfsg/debian/changelog  2021-07-02 
17:58:04.0 +0200
+++ qtbase-opensource-src-5.15.2+dfsg/debian/changelog  2024-04-28 
22:48:02.0 +0200
@@ -1,3 +1,33 @@
+qtbase-opensource-src (5.15.2+dfsg-9+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2024-25580 (Closes: #1064053)
+fix buffer overflow due to crafted KTX image file
+  * CVE-2023-32763 (Closes: #1036702)
+fix QTextLayout buffer overflow due to crafted SVG file
+  * CVE-2022-25255
+prevent QProcess from execution of a binary from the current working
+directory when not found in the PATH
+  * CVE-2023-24607 (Closes: #1031872)
+fix denial of service via a crafted string when the SQL ODBC driver
+plugin is used
+  * fix regression caused by patch for CVE-2023-24607
+  * CVE-2023-32762
+prevent incorrect parsing of the strict-transport-security (HSTS) header
+  * CVE-2023-51714 (Closes: #1060694)
+fix incorrect HPack integer overflow check.
+  * CVE-2023-38197 (Closes: #1041105)
+fix infinite loop in recursive entity expansion
+  * CVE-2023-37369 (Closes: #1059302)
+fix crash of application in QXmlStreamReader due to crafted XML string
+  * CVE-2023-34410 (Closes: #1037210)
+fix checking during TLS whether root of the chain really is a
+configured CA certificate
+  * CVE-2023-33285 (Closes: #1036848)
+fix buffer overflow in QDnsLookup
+
+ -- Thorsten Alteholz   Sun, 28 Apr 2024 22:48:02 +0200
+
 qtbase-opensource-src (5.15.2+dfsg-9) unstable; urgency=medium
 
   * Revert adding fix-misplacement-of-placeholder-text-in-QLineEdit.diff.
diff -Nru qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff 
qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff
--- qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff
1970-01-01 01:00:00.0 +0100
+++ qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff
2024-03-05 13:22:01.0 +0100
@@ -0,0 +1,96 @@
+Description: QProcess: ensure we don't accidentally execute something from CWD
+ Unless "." (or the empty string) is in $PATH, we're not supposed to find
+ executables in the current directory. This is how the Unix shells behave
+ and we match their behavior. It's also the behavior Qt had prior to 5.9
+ (commit 28666d167aa8e602c0bea25ebc4d51b55005db13). On Windows, searching
+ the current directory is the norm, so we keep that behavior.
+ .
+ This commit does not add an explicit check for an empty return from
+ QStandardPaths::findExecutable(). Instead, we allow that empty string to
+ go all the way to execve(2), which will fail with ENOENT. We could catch
+ it early, before fork(2), but why add code for the error case?
+ .
+ See https://kde.org/info/security/advisory-20220131-1.txt
+Origin: upstream, 
https://download.qt.io/official_releases/qt/5.15/CVE-2022-25255-qprocess5-15.diff
+Last-Update: 2022-02-21
+
+Index: qtbase-opensource-src-5.15.2+dfsg/src/corelib/io/qprocess_unix.cpp
+===
+--- qtbase-opensource-src-5.15.2+dfsg.orig/src/corelib/io/qprocess_unix.cpp
2024-03-05 13:21:06.432881985 +0100
 qtbase-opensource-src-5.15.2+dfsg/src/corelib/io/qprocess_unix.cpp 
2024-03-05 13:21:06.428881981 +0100
+@@ -1,7 +1,7 @@
+ /
+ **
+ ** Copyright (C) 2016 The Qt Company Ltd.
+-** Copyright (C) 2016 Intel Corporation.
++** Copyright (C) 2022 Intel Corporation.
+ ** Contact: https://www.qt.io/licensing/
+ **
+ ** This file is part of the QtCore module of the Qt Toolkit.
+@@ -422,14 +422,15 @@
+ // Add the program name to the argument list.
+ argv[0] = nullptr;
+ if (!program.contains(QLatin1Char('/'))) {
++// findExecutable() returns its argument if it's an absolute path,
++// otherwise it searches $PATH; returns empty if not found (we handle
++// that case much later)
+ const QString  = QStandardPaths::findExecutable(program);
+-if (!exeFilePath.isEmpty()) {
+-const QByteArray  = QFile::encodeName(exeFilePath);
+-argv[0] = ::strdup(tmp.constData());
+-}
+-}
+-if (!argv[0])
++const QByteArray  = QFile::encodeName(exeFilePath);
++argv[0] = ::strdup(tmp.constData());
++} else {
+ argv[0] = ::strdup(encodedProgramName.constData());
++}
+ 
+ // Add every argument to the list
+ for (int i = 0; i < arguments.count(); ++i)
+@@ -9

Bug#1070153: bookworm-pu: qtbase-opensource-src/5.15.8+dfsg-11+deb12u2

2024-04-30 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for qtbase-opensource-src fixes several CVEs in 
Bookworm. All CVEs are marked as no-dsa by the security team.


The debdiff is based on version 5.15.8+dfsg-11+deb12u1, which is already 
in s-p-u.


  Thorstendiff -Nru qtbase-opensource-src-5.15.8+dfsg/debian/changelog 
qtbase-opensource-src-5.15.8+dfsg/debian/changelog
--- qtbase-opensource-src-5.15.8+dfsg/debian/changelog  2024-04-07 
11:45:51.0 +0200
+++ qtbase-opensource-src-5.15.8+dfsg/debian/changelog  2024-04-28 
20:48:02.0 +0200
@@ -1,3 +1,13 @@
+qtbase-opensource-src (5.15.8+dfsg-11+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2024-25580 (Closes: #1064053)
+fix buffer overflow due to crafted KTX image file
+  * CVE-2023-51714 (Closes: #1060694)
+fix incorrect HPack integer overflow check.
+
+ -- Thorsten Alteholz   Sun, 28 Apr 2024 20:48:02 +0200
+
 qtbase-opensource-src (5.15.8+dfsg-11+deb12u1) bookworm; urgency=medium
 
   [ Alexander Volkov ]
diff -Nru qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff 
qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff
--- qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff
1970-01-01 01:00:00.0 +0100
+++ qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff
2024-04-28 20:48:02.0 +0200
@@ -0,0 +1,61 @@
+From 23c3fc483e8b6e21012a61f0bea884446f727776 Mon Sep 17 00:00:00 2001
+From: Marc Mutz 
+Date: Tue, 12 Dec 2023 22:08:07 +0100
+Subject: [PATCH] HPack: fix incorrect integer overflow check
+
+This code never worked:
+
+For the comparison with max() - 32 to trigger, on 32-bit platforms (or
+Qt 5) signed interger overflow would have had to happen in the
+addition of the two sizes. The compiler can therefore remove the
+overflow check as dead code.
+
+On Qt 6 and 64-bit platforms, the signed integer addition would be
+very unlikely to overflow, but the following truncation to uint32
+would yield the correct result only in a narrow 32-value window just
+below UINT_MAX, if even that.
+
+Fix by using the proper tool, qAddOverflow.
+
+Manual conflict resolutions:
+ - qAddOverflow doesn't exist in Qt 5, use private add_overflow
+   predecessor API instead
+
+Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c
+Reviewed-by: Allan Sandfeld Jensen 
+(cherry picked from commit ee5da1f2eaf8932aeca02ffea6e4c618585e29e3)
+Reviewed-by: Qt Cherry-pick Bot 
+(cherry picked from commit debeb8878da2dc706ead04b6072ecbe7e5313860)
+Reviewed-by: Thiago Macieira 
+Reviewed-by: Marc Mutz 
+(cherry picked from commit 811b9eef6d08d929af8708adbf2a5effb0eb62d7)
+(cherry picked from commit f931facd077ce945f1e42eaa3bead208822d3e00)
+(cherry picked from commit 9ef4ca5ecfed771dab890856130e93ef5ceabef5)
+Reviewed-by: Mårten Nordheim 
+---
+
+Index: 
qtbase-opensource-src-5.15.8+dfsg/src/network/access/http2/hpacktable.cpp
+===
+--- 
qtbase-opensource-src-5.15.8+dfsg.orig/src/network/access/http2/hpacktable.cpp  
   2024-04-24 16:08:28.259865332 +0200
 qtbase-opensource-src-5.15.8+dfsg/src/network/access/http2/hpacktable.cpp  
2024-04-24 16:09:16.163853040 +0200
+@@ -40,6 +40,7 @@
+ #include "hpacktable_p.h"
+ 
+ #include 
++#include 
+ 
+ #include 
+ #include 
+@@ -62,8 +63,10 @@
+ // for counting the number of references to the name and value would have
+ // 32 octets of overhead."
+ 
+-const unsigned sum = unsigned(name.size() + value.size());
+-if (std::numeric_limits::max() - 32 < sum)
++size_t sum;
++if (add_overflow(size_t(name.size()), size_t(value.size()), ))
++return HeaderSize();
++if (sum > (std::numeric_limits::max() - 32))
+ return HeaderSize();
+ return HeaderSize(true, quint32(sum + 32));
+ }
diff -Nru qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff 
qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff
--- qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff
1970-01-01 01:00:00.0 +0100
+++ qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff
2024-04-28 20:48:02.0 +0200
@@ -0,0 +1,197 @@
+diff --git a/src/gui/util/qktxhandler.cpp b/src/gui/util/qktxhandler.cpp
+index 0d98e97453..6a79e55109 100644
+--- a/src/gui/util/qktxhandler.cpp
 b/src/gui/util/qktxhandler.cpp
+@@ -73,7 +73,7 @@ struct KTXHeader {
+ quint32 bytesOfKeyValueData;
+ };
+ 
+-static const quint32 headerSize = sizeof(KTXHeader);
++static constexpr quint32 qktxh_headerSize = sizeof(KTXHeader);
+ 
+ // Currently unused, declared for future reference
+ struct KTXKeyValuePairItem {
+@@ -103,11 +103,36 @@ struct KTXMipmapLevel {
+ */
+ };
+ 
+-bool QKtxHandler::canRead(const QByteArray , const QByteArray )
++static bool

Bug#1067544: bullseye-pu: libmicrohttpd/0.9.72-2+deb11u1.debdiff

2024-04-27 Thread Thorsten Alteholz

Hi Jonathan,

On 22.04.24 18:59, Jonathan Wiltshire wrote:

Please go ahead.


great, thanks ...

... and uploaded.

  Thorsten


Bug#1064550: bullseye-pu: libjwt/1.10.2-1+deb11u1

2024-04-27 Thread Thorsten Alteholz

Hi Jonathan,

On 22.04.24 19:10, Jonathan Wiltshire wrote:

Please go ahead.


great, thanks ...

... and uploaded.

  Thorsten


Bug#1067544: bullseye-pu: libmicrohttpd/0.9.72-2+deb11u1.debdiff

2024-03-23 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for libmicrohttpd fixes CVE-2023-27371 in Bullseye. 
It is marked as no-dsa by the security team.


The fix was uploaded to Buster about a year ago and nobody complained yet.
For whatever reason, the upload to Bullseye was forgotten back then, so I 
am catching up on it now.


  Thorsten
diff -Nru libmicrohttpd-0.9.72/debian/changelog 
libmicrohttpd-0.9.72/debian/changelog
--- libmicrohttpd-0.9.72/debian/changelog   2021-02-27 06:47:48.0 
+0100
+++ libmicrohttpd-0.9.72/debian/changelog   2024-03-23 12:03:02.0 
+0100
@@ -1,3 +1,12 @@
+libmicrohttpd (0.9.72-2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-27371
+parsing crafted POST requests result in an out of bounds read, which
+might cause a DoS (Denial of Service)
+
+ -- Thorsten Alteholz   Sat, 23 Mar 2024 12:03:02 +0100
+
 libmicrohttpd (0.9.72-2) sid; urgency=medium
 
   * Uploading to sid.
diff -Nru libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch 
libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch
--- libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch1970-01-01 
01:00:00.0 +0100
+++ libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch2023-03-29 
19:22:12.0 +0200
@@ -0,0 +1,23 @@
+From e0754d1638c602382384f1eface30854b1defeec Mon Sep 17 00:00:00 2001
+From: Christian Grothoff 
+Date: Sun, 26 Feb 2023 17:51:24 +0100
+Subject: fix parser bug that could be used to crash servers using the
+ MHD_PostProcessor
+
+---
+ src/microhttpd/postprocessor.c |  2 +-
+ 1 file changed, 1 insertions(+), 1 deletions(-)
+
+Index: libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c
+===
+--- libmicrohttpd-0.9.72.orig/src/microhttpd/postprocessor.c   2023-03-29 
19:22:08.888629726 +0200
 libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c2023-03-29 
19:22:08.884629728 +0200
+@@ -321,7 +321,7 @@
+   return NULL; /* failed to determine boundary */
+ boundary += MHD_STATICSTR_LEN_ ("boundary=");
+ blen = strlen (boundary);
+-if ( (blen == 0) ||
++if ( (blen < 2) ||
+  (blen * 2 + 2 > buffer_size) )
+   return NULL;  /* (will be) out of memory or invalid 
boundary */
+ if ( (boundary[0] == '"') &&
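Review bot: The new threshold at `if ( (blen < 2) ||` is left unexplained; judging from the quote test that follows it on `if ( (boundary[0] == '"') &&`, it exists so that stripping a pair of quotes cannot take the length below zero, and that reasoning belongs next to the check, e.g. `/* need >= 2 chars: a quoted boundary loses both quotes below */`. Note that the check also rejects a one-character unquoted boundary, which RFC 2046 allows; if that is intended it should be stated in the comment, otherwise the minimum-length check should move after the quote stripping. The quote handling and the rest of this function are outside the hunk.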
diff -Nru libmicrohttpd-0.9.72/debian/patches/series 
libmicrohttpd-0.9.72/debian/patches/series
--- libmicrohttpd-0.9.72/debian/patches/series  1970-01-01 01:00:00.0 
+0100
+++ libmicrohttpd-0.9.72/debian/patches/series  2023-03-29 19:21:28.0 
+0200
@@ -0,0 +1 @@
+CVE-2023-27371.patch


Re: Security releases for ecosystems that use static linking

2024-03-18 Thread Thorsten Alteholz




On Mon, 18 Mar 2024, Emilio Pozuelo Monfort wrote:

One solution which has been discussed in the past is to import a full copy
of stable towards stable-security at the beginning of each release cycle,
but that is currently not possible since security-master is a Ganeti VM
and the disk requirements for a full archive copy would rather require
a baremetal host.



(... suggestion of Emilio ...)


Thoughts?


The idea is nice, but needs someone to implement it.

Anyway, the problem is not really new. For many years, not to say 
decades, I have heard that there is not enough space on security-master.

I also hear that Debian has plenty of money and trouble spending it. 
So why not solve this problem by buying new hardware? This cannot be that 
difficult. Is there any reason why security-master needs to be a Ganeti 
VM?


  Thorsten



Bug#1064551: bookworm-pu: libjwt/1.10.2-1+deb11u1

2024-03-02 Thread Thorsten Alteholz




On Sun, 25 Feb 2024, Jonathan Wiltshire wrote:

Please go ahead.


great, thanks ...

... and uploaded.


 Thorsten



Bug#1064551: bookworm-pu: libjwt/1.10.2-1+deb11u1

2024-02-23 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for libjwt fixes CVE-2024-25189 in Bookworm. It is 
marked as no-dsa by the security team.

The fix is straightforward and should not cause any problems.

  Thorsten
diff -Nru libjwt-1.10.2/debian/changelog libjwt-1.10.2/debian/changelog
--- libjwt-1.10.2/debian/changelog  2019-07-14 19:03:00.0 +0200
+++ libjwt-1.10.2/debian/changelog  2024-02-19 22:03:02.0 +0100
@@ -1,3 +1,10 @@
+libjwt (1.10.2-1+deb12u1) bookworm; urgency=medium
+
+  * CVE-2024-25189 (Closes: #1063534)
+fix a timing side channel via strcmp()
+
+ -- Thorsten Alteholz   Mon, 19 Feb 2024 22:03:02 +0100
+
 libjwt (1.10.2-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru libjwt-1.10.2/debian/libjwt0.symbols 
libjwt-1.10.2/debian/libjwt0.symbols
--- libjwt-1.10.2/debian/libjwt0.symbols2019-01-13 15:13:51.0 
+0100
+++ libjwt-1.10.2/debian/libjwt0.symbols2024-02-19 22:03:02.0 
+0100
@@ -38,5 +38,6 @@
  jwt_sign_sha_hmac@Base 1.9.0
  jwt_sign_sha_pem@Base 1.9.0
  jwt_str_alg@Base 1.9.0
+ jwt_strcmp@Base 1.10.2
  jwt_verify_sha_hmac@Base 1.9.0
  jwt_verify_sha_pem@Base 1.9.0
diff -Nru libjwt-1.10.2/debian/libjwt-gnutls0.symbols 
libjwt-1.10.2/debian/libjwt-gnutls0.symbols
--- libjwt-1.10.2/debian/libjwt-gnutls0.symbols 2019-01-13 15:13:51.0 
+0100
+++ libjwt-1.10.2/debian/libjwt-gnutls0.symbols 2024-02-19 22:03:02.0 
+0100
@@ -38,5 +38,6 @@
  jwt_sign_sha_hmac@Base 1.9.0
  jwt_sign_sha_pem@Base 1.9.0
  jwt_str_alg@Base 1.9.0
+ jwt_strcmp@Base 1.10.2
  jwt_verify_sha_hmac@Base 1.9.0
  jwt_verify_sha_pem@Base 1.9.0
diff -Nru libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch 
libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch
--- libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch 1970-01-01 
01:00:00.0 +0100
+++ libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch 2024-02-19 
22:03:02.0 +0100
@@ -0,0 +1,130 @@
+commit f73bac57c5bece16ac24f1a70022aa34355fc1bf
+Author: Ben Collins 
+Date:   Fri Feb 9 09:03:35 2024 -0500
+
+Implement a safer strcmp() function
+
+As noted, the strcmp() function can be used for time-based side attacks.
+
+I tried to test this and could not find a reasonable way to implement
+this attack for several reasons:
+
+1) strcmp() is optimized to compare 4 and 8 bytes at a time when possible
+   on almost every modern system, making the attack almost impossible.
+2) Running 128 million iterations of strcmp() for a single byte attack
+   gave sub-nanosecond average differences (locally on same excution stack)
+   and almost as often as the comparison was correct, it was also wrong in
+   the reverse sense (i.e. two byte strcmp() took less time than single
+   byte).
+3) Adding noise from network, application stack, web server, etc. would
+   only add to the failure rate of guessing the differences above.
+
+Erwan noted that there are proofs out there showing that signal noise
+reduction can make this guessing more "accurate", but this proof also
+noted it would take up to 4 billion guesses to completely cover this
+attack surface. The claim was that 50k attempts per second would break
+a 256-bit hmac in 22 hours. While this isn't impossible, it's very
+implausible.
+
+However, for the sake of cryptographic correctness, I implemented
+jwt_strcmp() which always compares all bytes, and does so up to the
+longest string in the 2-string set, without passing string boundaries.
+
+This makes it time-consistent for len(max(a,b)) comparisons. I proofed
+this using a 128 million interation average for various scenarious.
+
+Reported-by: Erwan Legrand 
+Signed-off-by: Ben Collins 
+
+Index: libjwt-1.10.2/libjwt/jwt-gnutls.c
+===
+--- libjwt-1.10.2.orig/libjwt/jwt-gnutls.c 2024-02-19 22:38:58.575655983 
+0100
 libjwt-1.10.2/libjwt/jwt-gnutls.c  2024-02-19 22:38:58.571655984 +0100
+@@ -90,7 +90,7 @@
+   jwt_Base64encode(buf, sig_check, len);
+   jwt_base64uri_encode(buf);
+ 
+-  if (!strcmp(sig, buf))
++  if (!jwt_strcmp(sig, buf))
+   ret = 0;
+ 
+   free(sig_check);
+Index: libjwt-1.10.2/libjwt/jwt-openssl.c
+===
+--- libjwt-1.10.2.orig/libjwt/jwt-openssl.c2024-02-19 22:38:58.575655983 
+0100
 libjwt-1.10.2/libjwt/jwt-openssl.c 2024-02-19 22:38:58.571655984 +0100
+@@ -140,7 +140,7 @@
+   jwt_base64uri_encode(buf);
+ 
+   /* And now... */
+-  ret = strcmp(buf, sig) ? EINVAL : 0;
++  ret = jwt_strcmp(buf, sig) ? EINVAL : 0;
+ 
+ jwt_verify_hmac_done:
+   BIO_free_all(b64);
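Review bot: `ret = jwt_strcmp(buf, sig) ? EINVAL : 0;` swaps in a hand-written comparison whose body lives in jwt.c, outside this view, while this backend already links OpenSSL, which ships `CRYPTO_memcmp()` for exactly this purpose; for a stable update a maintained library primitive is preferable to new timing-sensitive code. Both operands are base64url strings whose length is fixed by the algorithm, so `size_t n = strlen(sig); ret = (strlen(buf) != n || CRYPTO_memcmp(buf, sig, n)) ? EINVAL : 0;` keeps the constant-time property over the bytes that matter, and the early exit reveals only the length, which is not secret. Separately, the symbols files in this debdiff export `jwt_strcmp@Base`, turning what reads like an internal helper into public ABI that must then be kept stable; if upstream does not declare it in the public header, hidden visibility would avoid that. The enclosing function starts before the hunk.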
+Index: libjwt-1.10.2/libjwt/jwt

Bug#1064550: bullseye-pu: libjwt/1.10.2-1+deb11u1

2024-02-23 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for libjwt fixes CVE-2024-25189 in Bullseye. It is 
marked as no-dsa by the security team.

The fix is straightforward and should not cause any problems.

  Thorsten
diff -Nru libjwt-1.10.2/debian/changelog libjwt-1.10.2/debian/changelog
--- libjwt-1.10.2/debian/changelog  2019-07-14 19:03:00.0 +0200
+++ libjwt-1.10.2/debian/changelog  2024-02-20 23:03:02.0 +0100
@@ -1,3 +1,10 @@
+libjwt (1.10.2-1+deb11u1) bullseye; urgency=medium
+
+  * CVE-2024-25189 (Closes: #1063534)
+fix a timing side channel via strcmp()
+
+ -- Thorsten Alteholz   Tue, 20 Feb 2024 23:03:02 +0100
+
 libjwt (1.10.2-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru libjwt-1.10.2/debian/libjwt0.symbols 
libjwt-1.10.2/debian/libjwt0.symbols
--- libjwt-1.10.2/debian/libjwt0.symbols2019-01-13 15:13:51.0 
+0100
+++ libjwt-1.10.2/debian/libjwt0.symbols2024-02-20 23:03:02.0 
+0100
@@ -38,5 +38,6 @@
  jwt_sign_sha_hmac@Base 1.9.0
  jwt_sign_sha_pem@Base 1.9.0
  jwt_str_alg@Base 1.9.0
+ jwt_strcmp@Base 1.10.2
  jwt_verify_sha_hmac@Base 1.9.0
  jwt_verify_sha_pem@Base 1.9.0
diff -Nru libjwt-1.10.2/debian/libjwt-gnutls0.symbols 
libjwt-1.10.2/debian/libjwt-gnutls0.symbols
--- libjwt-1.10.2/debian/libjwt-gnutls0.symbols 2019-01-13 15:13:51.0 
+0100
+++ libjwt-1.10.2/debian/libjwt-gnutls0.symbols 2024-02-20 23:03:02.0 
+0100
@@ -38,5 +38,6 @@
  jwt_sign_sha_hmac@Base 1.9.0
  jwt_sign_sha_pem@Base 1.9.0
  jwt_str_alg@Base 1.9.0
+ jwt_strcmp@Base 1.10.2
  jwt_verify_sha_hmac@Base 1.9.0
  jwt_verify_sha_pem@Base 1.9.0
diff -Nru libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch 
libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch
--- libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch 1970-01-01 
01:00:00.0 +0100
+++ libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch 2024-02-20 
23:03:02.0 +0100
@@ -0,0 +1,130 @@
+commit f73bac57c5bece16ac24f1a70022aa34355fc1bf
+Author: Ben Collins 
+Date:   Fri Feb 9 09:03:35 2024 -0500
+
+Implement a safer strcmp() function
+
+As noted, the strcmp() function can be used for time-based side attacks.
+
+I tried to test this and could not find a reasonable way to implement
+this attack for several reasons:
+
+1) strcmp() is optimized to compare 4 and 8 bytes at a time when possible
+   on almost every modern system, making the attack almost impossible.
+2) Running 128 million iterations of strcmp() for a single byte attack
+   gave sub-nanosecond average differences (locally on same excution stack)
+   and almost as often as the comparison was correct, it was also wrong in
+   the reverse sense (i.e. two byte strcmp() took less time than single
+   byte).
+3) Adding noise from network, application stack, web server, etc. would
+   only add to the failure rate of guessing the differences above.
+
+Erwan noted that there are proofs out there showing that signal noise
+reduction can make this guessing more "accurate", but this proof also
+noted it would take up to 4 billion guesses to completely cover this
+attack surface. The claim was that 50k attempts per second would break
+a 256-bit hmac in 22 hours. While this isn't impossible, it's very
+implausible.
+
+However, for the sake of cryptographic correctness, I implemented
+jwt_strcmp() which always compares all bytes, and does so up to the
+longest string in the 2-string set, without passing string boundaries.
+
+This makes it time-consistent for len(max(a,b)) comparisons. I proofed
+this using a 128 million interation average for various scenarious.
+
+Reported-by: Erwan Legrand 
+Signed-off-by: Ben Collins 
+
+Index: libjwt-1.10.2/libjwt/jwt-gnutls.c
+===
+--- libjwt-1.10.2.orig/libjwt/jwt-gnutls.c 2024-02-19 22:38:58.575655983 
+0100
 libjwt-1.10.2/libjwt/jwt-gnutls.c  2024-02-19 22:38:58.571655984 +0100
+@@ -90,7 +90,7 @@
+   jwt_Base64encode(buf, sig_check, len);
+   jwt_base64uri_encode(buf);
+ 
+-  if (!strcmp(sig, buf))
++  if (!jwt_strcmp(sig, buf))
+   ret = 0;
+ 
+   free(sig_check);
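Review bot: `if (!jwt_strcmp(sig, buf))` depends on a new hand-rolled constant-time compare defined in jwt.c, outside this hunk, even though GnuTLS provides `gnutls_memcmp()` for this (to my knowledge since 3.6.14; confirm the bullseye version before relying on it). With the length fixed by the algorithm, `size_t n = strlen(sig); if (strlen(buf) == n && gnutls_memcmp(sig, buf, n) == 0) ret = 0;` gives the same protection using a reviewed primitive. Whichever comparison is kept, a one-line comment at the call site saying why plain strcmp() is unacceptable on a signature would stop the next maintainer from "simplifying" it back. The enclosing function starts before the hunk.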
+Index: libjwt-1.10.2/libjwt/jwt-openssl.c
+===
+--- libjwt-1.10.2.orig/libjwt/jwt-openssl.c2024-02-19 22:38:58.575655983 
+0100
 libjwt-1.10.2/libjwt/jwt-openssl.c 2024-02-19 22:38:58.571655984 +0100
+@@ -140,7 +140,7 @@
+   jwt_base64uri_encode(buf);
+ 
+   /* And now... */
+-  ret = strcmp(buf, sig) ? EINVAL : 0;
++  ret = jwt_strcmp(buf, sig) ? EINVAL : 0;
+ 
+ jwt_verify_hmac_done:
+   BIO_free_all(b64);
+Index: libjwt-1.10.2/libjwt/jwt

Bug#1060186: bookworm-pu: libde265/1.0.11-1+deb12u2

2024-02-01 Thread Thorsten Alteholz




On 29.01.24 23:02, Adam D. Barratt wrote:

Please go ahead.


great, thanks ...

... and done.

  Thorsten



Bug#1060185: bullseye-pu: libde265/1.0.11-0+deb11u3

2024-02-01 Thread Thorsten Alteholz




On 01.02.24 07:37, Adam D. Barratt wrote:


Please go ahead.


great, thanks ...

... and done.

  Thorsten



Bug#1060186: bookworm-pu: libde265/1.0.11-1+deb12u2

2024-01-06 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for libde265 fixes CVE-2023-49468, CVE-2023-49467 and
CVE-2023-49465 in Bookworm. All CVEs are marked as no-dsa by the security
team.

The fix was already uploaded to Stretch and nobody complained up to now.

  Thorsten
diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog
--- libde265-1.0.11/debian/changelog2023-11-26 13:03:02.0 +0100
+++ libde265-1.0.11/debian/changelog2023-12-29 23:03:02.0 +0100
@@ -1,3 +1,16 @@
+libde265 (1.0.11-1+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+(Closes: #1059275)
+  * CVE-2023-49465
+heap-buffer-overflow in derive_spatial_luma_vector_prediction()
+  * CVE-2023-49467
+heap-buffer-overflow in derive_combined_bipredictive_merging_candidates()
+  * CVE-2023-49468
+global buffer overflow in read_coding_unit()
+
+ -- Thorsten Alteholz   Fri, 29 Dec 2023 23:03:02 +0100
+
 libde265 (1.0.11-1+deb12u1) bookworm; urgency=medium
 
   * Non-maintainer upload by the LTS Team.
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49465.patch 
libde265-1.0.11/debian/patches/CVE-2023-49465.patch
--- libde265-1.0.11/debian/patches/CVE-2023-49465.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-49465.patch 2023-12-26 
00:54:10.0 +0100
@@ -0,0 +1,26 @@
+commit 1475c7d2f0a6dc35c27e18abc4db9679bfd32568
+Author: Dirk Farin 
+Date:   Thu Nov 23 19:43:55 2023 +0100
+
+possible fix for #435
+
+Index: libde265-1.0.11/libde265/motion.cc
+===
+--- libde265-1.0.11.orig/libde265/motion.cc2023-12-26 00:54:05.172996659 
+0100
 libde265-1.0.11/libde265/motion.cc 2023-12-26 00:54:05.168996661 +0100
+@@ -1859,7 +1859,14 @@
+   logmvcand(vi);
+ 
+   const de265_image* imgX = NULL;
+-  if (vi.predFlag[X]) imgX = ctx->get_image(shdr->RefPicList[X][ 
vi.refIdx[X] ]);
++  if (vi.predFlag[X]) {
++if (vi.refIdx[X] < 0 || vi.refIdx[X] >= MAX_NUM_REF_PICS) {
++  return;
++}
++
++imgX = ctx->get_image(shdr->RefPicList[X][ vi.refIdx[X] ]);
++  }
++
+   const de265_image* imgY = NULL;
+   if (vi.predFlag[Y]) imgY = ctx->get_image(shdr->RefPicList[Y][ 
vi.refIdx[Y] ]);
+ 
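Review bot: The new bounds check covers list X only; two lines below, `if (vi.predFlag[Y]) imgY = ctx->get_image(shdr->RefPicList[Y][ vi.refIdx[Y] ]);` still indexes RefPicList with an unchecked `vi.refIdx[Y]`, so a stream that puts the bad index on the other list reaches the same out-of-bounds read this CVE fix is meant to close. Apply the identical guard to Y, as in the fence below. Whether `MAX_NUM_REF_PICS` is the right bound depends on how RefPicList is declared, which is not visible here; the slice's active reference count would be the tighter limit if it is at hand. The enclosing function begins and ends outside the hunk.
```cpp
  const de265_image* imgY = NULL;
  if (vi.predFlag[Y]) {
    if (vi.refIdx[Y] < 0 || vi.refIdx[Y] >= MAX_NUM_REF_PICS) {
      return;
    }
    imgY = ctx->get_image(shdr->RefPicList[Y][ vi.refIdx[Y] ]);
  }
```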
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49467.patch 
libde265-1.0.11/debian/patches/CVE-2023-49467.patch
--- libde265-1.0.11/debian/patches/CVE-2023-49467.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-49467.patch 2023-12-26 
00:53:43.0 +0100
@@ -0,0 +1,22 @@
+commit 7e4faf254bbd2e52b0f216cb987573a2cce97b54
+Author: Dirk Farin 
+Date:   Thu Nov 23 19:38:34 2023 +0100
+
+prevent endless loop for #434 input
+
+diff --git a/libde265/slice.cc b/libde265/slice.cc
+index 435123dc..3a8a8de1 100644
+--- a/libde265/slice.cc
 b/libde265/slice.cc
+@@ -2582,6 +2582,11 @@ static int decode_rqt_root_cbf(thread_context* tctx)
+ 
+ static int decode_ref_idx_lX(thread_context* tctx, int numRefIdxLXActive)
+ {
++  // prevent endless loop when 'numRefIdxLXActive' is invalid
++  if (numRefIdxLXActive <= 1) {
++return 0;
++  }
++
+   logtrace(LogSlice,"# ref_idx_lX\n");
+ 
+   int cMax = numRefIdxLXActive-1;
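Review bot: The early return at `if (numRefIdxLXActive <= 1) {` merges a valid case with an error case: with exactly one active reference, ref_idx_lX is simply not coded in the HEVC syntax and 0 is the correct answer, whereas 0 or a negative count means the slice header was bad and should have been rejected earlier. Returning 0 silently in the invalid case hides the stream error and still hands index 0 to a caller that may index an empty list (not visible here). Suggest splitting the two, e.g. `if (numRefIdxLXActive == 1) return 0; // ref_idx_lX not present with a single reference`, and raising a decoder warning in the `< 1` branch, ideally validating num_ref_idx_lX_active when the slice header is parsed rather than here. The rest of decode_ref_idx_lX is outside the hunk.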
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49468.patch 
libde265-1.0.11/debian/patches/CVE-2023-49468.patch
--- libde265-1.0.11/debian/patches/CVE-2023-49468.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-49468.patch 2023-12-26 
00:53:43.0 +0100
@@ -0,0 +1,26 @@
+commit 3e822a3ccf88df1380b165d6ce5a00494a27ceeb
+Author: Dirk Farin 
+Date:   Thu Nov 23 19:11:34 2023 +0100
+
+fix #432 (undefined IPM)
+
+diff --git a/libde265/image.h b/libde265/image.h
+index 0b536054..0a0c0e32 100644
+--- a/libde265/image.h
 b/libde265/image.h
+@@ -624,7 +624,14 @@ public:
+ 
+   enum IntraPredMode get_IntraPredMode(int x,int y) const
+   {
+-return (enum IntraPredMode)intraPredMode.get(x,y);
++uint8_t ipm = intraPredMode.get(x,y);
++
++// sanitize values if IPM is uninitialized (because of earlier read error)
++if (ipm > 34) {
++  ipm = 0;
++}
++
++return static_cast(ipm);
+   }
+ 
+   enum IntraPredMode get_IntraPredMode_atIndex(int idx) const
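Review bot: `if (ipm > 34) {` hard-codes the highest intra mode; a comment or a comparison against the enum's last member would let the intent survive the next edit, e.g. `// HEVC defines 35 intra modes: planar (0), DC (1), angular 2..34`. The accessor declared right below, `get_IntraPredMode_atIndex(int idx)`, presumably performs the same raw cast on the same storage (its body is outside the hunk), so an uninitialized value read through that path keeps the undefined-enum problem this CVE describes; routing both accessors through one sanitizing helper would close it. Mapping garbage to mode 0 without any diagnostic also discards the only hint that an earlier read failed; a decoder warning at that point would help when triaging bad streams.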
diff -Nru libde265-1.0.11/debian/patches/series 
libde265-1.0.11/debian/patches/series
--- libde265-1.0.11/debian/patches/series   2023-11-21 19:08:07.0 
+0100
+++ libde265-1.0.11/debian/patches/series   2023-12-26 00:54:03.0 
+0100
@@ -9,3 +9,6 @@
 CVE-2023-43887.patch
 CVE-2023-47471.patch
 
+CVE-2023-49465.patch
+CVE-2023-49467.patch
+CVE-2023-49468.patch


Bug#1060185: bullseye-pu: libde265/1.0.11-0+deb11u3

2024-01-06 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for libde265 fixes CVE-2023-49468, CVE-2023-49467 and 
CVE-2023-49465 in Bullseye. All CVEs are marked as no-dsa by the security 
team.


The fix was already uploaded to Stretch and nobody complained up to now.

  Thorsten
diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog
--- libde265-1.0.11/debian/changelog2023-11-26 13:03:02.0 +0100
+++ libde265-1.0.11/debian/changelog2023-12-29 23:03:02.0 +0100
@@ -1,3 +1,16 @@
+libde265 (1.0.11-0+deb11u3) bullseye; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+(Closes: #1059275)
+  * CVE-2023-49465
+heap-buffer-overflow in derive_spatial_luma_vector_prediction()
+  * CVE-2023-49467
+heap-buffer-overflow in derive_combined_bipredictive_merging_candidates()
+  * CVE-2023-49468
+global buffer overflow in read_coding_unit()
+
+ -- Thorsten Alteholz   Fri, 29 Dec 2023 23:03:02 +0100
+
 libde265 (1.0.11-0+deb11u2) bullseye; urgency=high
 
   * Non-maintainer upload by the LTS Team.
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49465.patch 
libde265-1.0.11/debian/patches/CVE-2023-49465.patch
--- libde265-1.0.11/debian/patches/CVE-2023-49465.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-49465.patch 2023-12-29 
23:03:02.0 +0100
@@ -0,0 +1,26 @@
+commit 1475c7d2f0a6dc35c27e18abc4db9679bfd32568
+Author: Dirk Farin 
+Date:   Thu Nov 23 19:43:55 2023 +0100
+
+possible fix for #435
+
+Index: libde265-1.0.11/libde265/motion.cc
+===
+--- libde265-1.0.11.orig/libde265/motion.cc2023-12-26 00:54:05.172996659 
+0100
 libde265-1.0.11/libde265/motion.cc 2023-12-26 00:54:05.168996661 +0100
+@@ -1859,7 +1859,14 @@
+   logmvcand(vi);
+ 
+   const de265_image* imgX = NULL;
+-  if (vi.predFlag[X]) imgX = ctx->get_image(shdr->RefPicList[X][ 
vi.refIdx[X] ]);
++  if (vi.predFlag[X]) {
++if (vi.refIdx[X] < 0 || vi.refIdx[X] >= MAX_NUM_REF_PICS) {
++  return;
++}
++
++imgX = ctx->get_image(shdr->RefPicList[X][ vi.refIdx[X] ]);
++  }
++
+   const de265_image* imgY = NULL;
+   if (vi.predFlag[Y]) imgY = ctx->get_image(shdr->RefPicList[Y][ 
vi.refIdx[Y] ]);
+ 
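Review bot: Only the X reference index is range-checked by this change; the line `if (vi.predFlag[Y]) imgY = ctx->get_image(shdr->RefPicList[Y][ vi.refIdx[Y] ]);` right after it still uses `vi.refIdx[Y]` unchecked, so the out-of-bounds access is merely moved to the other prediction list for a stream crafted that way. The same guard should be applied to Y (fence below); the `MAX_NUM_REF_PICS` bound is taken on trust here because RefPicList's declaration is not visible, and the slice's active reference count would be the tighter limit. The enclosing function starts and ends outside the hunk.
```cpp
  const de265_image* imgY = NULL;
  if (vi.predFlag[Y]) {
    if (vi.refIdx[Y] < 0 || vi.refIdx[Y] >= MAX_NUM_REF_PICS) {
      return;
    }
    imgY = ctx->get_image(shdr->RefPicList[Y][ vi.refIdx[Y] ]);
  }
```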
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49467.patch 
libde265-1.0.11/debian/patches/CVE-2023-49467.patch
--- libde265-1.0.11/debian/patches/CVE-2023-49467.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-49467.patch 2023-12-29 
23:03:02.0 +0100
@@ -0,0 +1,22 @@
+commit 7e4faf254bbd2e52b0f216cb987573a2cce97b54
+Author: Dirk Farin 
+Date:   Thu Nov 23 19:38:34 2023 +0100
+
+prevent endless loop for #434 input
+
+diff --git a/libde265/slice.cc b/libde265/slice.cc
+index 435123dc..3a8a8de1 100644
+--- a/libde265/slice.cc
 b/libde265/slice.cc
+@@ -2582,6 +2582,11 @@ static int decode_rqt_root_cbf(thread_context* tctx)
+ 
+ static int decode_ref_idx_lX(thread_context* tctx, int numRefIdxLXActive)
+ {
++  // prevent endless loop when 'numRefIdxLXActive' is invalid
++  if (numRefIdxLXActive <= 1) {
++return 0;
++  }
++
+   logtrace(LogSlice,"# ref_idx_lX\n");
+ 
+   int cMax = numRefIdxLXActive-1;
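Review bot: `if (numRefIdxLXActive <= 1) {` treats a legitimate single-reference slice and a corrupt header the same way; in HEVC ref_idx_lX is not coded when only one reference is active, so 0 is right there, but a count of 0 or less indicates an invalid slice header and deserves a warning rather than a silent 0 that the caller will still use as an index. A comment distinguishing the two, e.g. `// ref_idx_lX is not signalled when a single reference is active; <= 0 is a header error`, plus a warning in the error branch would make the fix self-explanatory. The remainder of decode_ref_idx_lX is outside the hunk.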
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49468.patch 
libde265-1.0.11/debian/patches/CVE-2023-49468.patch
--- libde265-1.0.11/debian/patches/CVE-2023-49468.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-49468.patch 2023-12-29 
23:03:02.0 +0100
@@ -0,0 +1,26 @@
+commit 3e822a3ccf88df1380b165d6ce5a00494a27ceeb
+Author: Dirk Farin 
+Date:   Thu Nov 23 19:11:34 2023 +0100
+
+fix #432 (undefined IPM)
+
+diff --git a/libde265/image.h b/libde265/image.h
+index 0b536054..0a0c0e32 100644
+--- a/libde265/image.h
 b/libde265/image.h
+@@ -624,7 +624,14 @@ public:
+ 
+   enum IntraPredMode get_IntraPredMode(int x,int y) const
+   {
+-return (enum IntraPredMode)intraPredMode.get(x,y);
++uint8_t ipm = intraPredMode.get(x,y);
++
++// sanitize values if IPM is uninitialized (because of earlier read error)
++if (ipm > 34) {
++  ipm = 0;
++}
++
++return static_cast(ipm);
+   }
+ 
+   enum IntraPredMode get_IntraPredMode_atIndex(int idx) const
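Review bot: The literal in `if (ipm > 34) {` should be tied to the enum (its last member, or a named count of the 35 HEVC intra modes) or at least documented, e.g. `// valid modes are 0..34 (planar, DC, 33 angular)`. The sibling accessor `get_IntraPredMode_atIndex(int idx)` declared directly below is not touched by this patch and, if it casts the raw byte the same way (its body is outside the hunk), still yields an out-of-range enum for the same uninitialized storage; both should share one sanitizing helper so the fix cannot be bypassed by the other entry point.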
diff -Nru libde265-1.0.11/debian/patches/series 
libde265-1.0.11/debian/patches/series
--- libde265-1.0.11/debian/patches/series   2023-11-21 19:01:52.0 
+0100
+++ libde265-1.0.11/debian/patches/series   2023-12-29 23:03:02.0 
+0100
@@ -8,3 +8,7 @@
 CVE-2023-27103.patch
 CVE-2023-43887.patch
 CVE-2023-47471.patch
+
+CVE-2023-49465.patch
+CVE-2023-49467.patch
+CVE-2023-49468.patch


Bug#1056935: bullseye-pu: libde265/1.0.11-0+deb11u2

2023-12-27 Thread Thorsten Alteholz




On Tue, 19 Dec 2023, Jonathan Wiltshire wrote:

Please go ahead.


great, thanks ...

... and uploaded.

  Thorsten



Bug#1056738: bullseye-pu: minizip/1.1-8+deb11u1

2023-12-27 Thread Thorsten Alteholz




On Tue, 19 Dec 2023, Jonathan Wiltshire wrote:

Please go ahead.


great, thanks ...

... and uploaded.

  Thorsten



Bug#1057239: bookworm-pu: cups/2.4.2-3+deb12u5

2023-12-02 Thread Thorsten Alteholz




On Sat, 2 Dec 2023, Adam D. Barratt wrote:

Please go ahead.


Great, thanks ...

... and uploaded

  Thorsten



Bug#1056934: bookworm-pu: libde265/1.0.11-1+deb12u1

2023-12-02 Thread Thorsten Alteholz




On Sat, 2 Dec 2023, Adam D. Barratt wrote:

Please go ahead.


Great, thanks ...

... and uploaded

  Thorsten



Bug#1056737: bookworm-pu: minizip/1.1-8+deb12u1

2023-12-02 Thread Thorsten Alteholz




On Sat, 2 Dec 2023, Adam D. Barratt wrote:

Please go ahead.


Great, thanks ...

... and uploaded

  Thorsten



Bug#1057239: bookworm-pu: cups/2.4.2-3+deb12u5

2023-12-01 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for cups fixes a nasty bug in Bookworm.
If the PPD file for a printer has a ColorModel option and the only choice 
for printing in color is not named RGB but CMYK instead, the printer 
cannot be made to print in color by the intuitive method, i.e. by 
selecting the color choice in the print dialog.


The fix was already applied in Unstable/Testing and also uploaded 
to Ubuntu-Lunar and seems to work as expected.


  Thorsten
diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-10-05 16:35:27.0 +0200
+++ cups-2.4.2/debian/changelog 2023-12-01 20:35:27.0 +0100
@@ -1,3 +1,15 @@
+cups (2.4.2-3+deb12u5) bookworm; urgency=medium
+
+  * 0017-check-colormodel-also-for-CMYK.patch
+Take into account that on some printers the ColorModel option's
+choice for color printing is CMYK and not RGB.
+  * 0018-dont-override-color-settings-from-print-dialoag.patch
+Prioritize the ColorModel PPD file option over the print-color-mode
+IPP attribute. (Closes: #1056581)
+(Thanks a lot to Till Kamppeter for the patches)
+
+ -- Thorsten Alteholz   Fri, 01 Dec 2023 20:35:27 +0100
+
 cups (2.4.2-3+deb12u4) bookworm; urgency=medium
 
   * remove debian/NEWS again to avoid too much information when only
diff -Nru cups-2.4.2/debian/patches/0017-check-colormodel-also-for-CMYK.patch 
cups-2.4.2/debian/patches/0017-check-colormodel-also-for-CMYK.patch
--- cups-2.4.2/debian/patches/0017-check-colormodel-also-for-CMYK.patch 
1970-01-01 01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0017-check-colormodel-also-for-CMYK.patch 
2023-12-01 20:35:27.0 +0100
@@ -0,0 +1,21 @@
+From: Thorsten Alteholz 
+Date: Sat, 2 Dec 2023 00:00:38 +0100
+Subject: check colormodel also for CMYK
+
+---
+ scheduler/printers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scheduler/printers.c b/scheduler/printers.c
+index 4efa613..2fbdaad 100644
+--- a/scheduler/printers.c
 b/scheduler/printers.c
+@@ -4509,7 +4509,7 @@ load_ppd(cupsd_printer_t *p) /* I - Printer 
*/
+ ppd_option_t *color_model = ppdFindOption(ppd, "ColorModel");
+   // ColorModel PPD option
+ 
+-if (color_model && strcmp(color_model->defchoice, "RGB"))
++if (color_model && strcmp(color_model->defchoice, "RGB") && 
strcmp(color_model->defchoice, "CMYK"))
+   p->num_options = cupsAddOption("print-color-mode", "monochrome", 
p->num_options, >options);
+   }
+ }
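Review bot: The widened condition `strcmp(color_model->defchoice, "RGB") && strcmp(color_model->defchoice, "CMYK")` still forces `print-color-mode=monochrome` for every ColorModel default that is not literally RGB or CMYK, so a PPD whose colour choice is named e.g. DeviceRGB or CMY keeps the original bug. The companion patch 0018 in this same upload decides the other way round in ppd-cache.c (only Gray, FastGray and DeviceGray mean monochrome, anything else is colour), so after this upload the scheduler and the client library disagree on the same PPD. Matching 0018 by testing for the gray choices instead would be both consistent and future-proof: `if (color_model && (!strcmp(color_model->defchoice, "Gray") || !strcmp(color_model->defchoice, "FastGray") || !strcmp(color_model->defchoice, "DeviceGray")))`. load_ppd continues outside the hunk.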
diff -Nru 
cups-2.4.2/debian/patches/0018-dont-override-color-settings-from-print-dialoag.patch
 
cups-2.4.2/debian/patches/0018-dont-override-color-settings-from-print-dialoag.patch
--- 
cups-2.4.2/debian/patches/0018-dont-override-color-settings-from-print-dialoag.patch
1970-01-01 01:00:00.0 +0100
+++ 
cups-2.4.2/debian/patches/0018-dont-override-color-settings-from-print-dialoag.patch
2023-12-01 20:35:27.0 +0100
@@ -0,0 +1,78 @@
+From: Thorsten Alteholz 
+Date: Sat, 2 Dec 2023 00:01:23 +0100
+Subject: dont override color settings from print dialoag
+
+---
+ cups/ppd-cache.c | 39 +++
+ scheduler/ipp.c  |  3 +++
+ 2 files changed, 38 insertions(+), 4 deletions(-)
+
+diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
+index 8861813..f72d834 100644
+--- a/cups/ppd-cache.c
 b/cups/ppd-cache.c
+@@ -259,15 +259,46 @@ _cupsConvertOptions(
+ 
+   color_attr_name = print_color_mode_sup ? "print-color-mode" : "output-mode";
+ 
+-  if ((keyword = cupsGetOption("print-color-mode", num_options, options)) == 
NULL)
++ /*
++  * If we use PPD with standardized PPD option for color support - ColorModel,
++  * prefer it to don't break color/grayscale support for PPDs, either classic
++  * or the ones generated from IPP Get-Printer-Attributes response.
++  */
++
++  if ((keyword = cupsGetOption("ColorModel", num_options, options)) == NULL)
+   {
++   /*
++* No ColorModel in options...
++*/
++
+ if ((choice = ppdFindMarkedChoice(ppd, "ColorModel")) != NULL)
+ {
+-  if (!_cups_strcasecmp(choice->choice, "Gray"))
+-  keyword = "monochrome";
++ /*
++  * ColorModel is taken from PPD as its default option.
++  */
++
++  if (!strcmp(choice->choice, "Gray") || !strcmp(choice->choice, 
"FastGray") || !strcmp(choice->choice, "DeviceGray"))
++keyword = "monochrome";
+   else
+-  keyword = "color";
++keyword = "color";
+ }
++else
++ /*
++  * print-color-mode is a default option since 2.4.1, use it as a 
fallback if there is

Bug#1056935: bullseye-pu: libde265/1.0.11-0+deb11u2

2023-11-26 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for libde265 fixes CVE-2023-27102, CVE-2023-27103, 
CVE-2023-43887 and CVE-2023-47471 in Bullseye.
Except for CVE-2023-43887, all of them are marked as no-dsa by the security 
team (CVE-2023-43887 appeared recently and has not been evaluated yet).


The fix was already uploaded to Stretch and nobody complained up to now.

  Thorsten
diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog
--- libde265-1.0.11/debian/changelog2023-02-04 17:18:48.0 +0100
+++ libde265-1.0.11/debian/changelog2023-11-26 13:03:02.0 +0100
@@ -1,3 +1,19 @@
+libde265 (1.0.11-0+deb11u2) bullseye; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-27102 (Closes: #1033257)
+fix segmentation violation in the
+function decoder_context::process_slice_segment_header
+  * CVE-2023-27103
+fix heap buffer overflow in the
+function derive_collocated_motion_vectors
+  * CVE-2023-43887
+fix buffer over-read in pic_parameter_set::dump
+  * CVE-2023-47471 (Closes: #1056187)
+fix buffer overflow in the slice_segment_header function
+
+ -- Thorsten Alteholz   Sun, 26 Nov 2023 13:03:02 +0100
+
 libde265 (1.0.11-0+deb11u1) bullseye-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27102.patch 
libde265-1.0.11/debian/patches/CVE-2023-27102.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27102.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27102.patch 2023-11-21 
14:07:48.0 +0100
@@ -0,0 +1,23 @@
+commit 0b1752abff97cb542941d317a0d18aa50cb199b1
+Author: Dirk Farin 
+Date:   Sat Mar 4 10:32:43 2023 +0100
+
+check whether referenced PPS exists (fixes #393)
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===
+--- libde265-1.0.11.orig/libde265/decctx.cc2023-11-19 19:08:18.703219858 
+0100
 libde265-1.0.11/libde265/decctx.cc 2023-11-19 19:08:18.703219858 +0100
+@@ -2276,9 +2276,10 @@
+   // get PPS and SPS for this slice
+ 
+   int pps_id = hdr->slice_pic_parameter_set_id;
+-  if (pps[pps_id]->pps_read==false) {
++  if (pps[pps_id]==nullptr || pps[pps_id]->pps_read==false) {
+ logerror(LogHeaders, "PPS %d has not been read\n", pps_id);
+-assert(false); // TODO
++img->decctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);
++return false;
+   }
+ 
+   current_pps = pps[pps_id];
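Review bot: `pps[pps_id]==nullptr` protects against a missing PPS but nothing in the hunk checks `pps_id` itself, and `slice_pic_parameter_set_id` comes straight from the bitstream; unless the slice-header parser already rejects values outside the range of `pps` (not visible here), the subscript is out of bounds before the null test runs and the new check does not help. Suggest comparing `pps_id` against the size of `pps` before indexing, in the same branch, and widening the log text, since "has not been read" now also covers the never-allocated case. The `return false` assumes a bool-returning function, whose signature is outside the hunk.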
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27103.patch 
libde265-1.0.11/debian/patches/CVE-2023-27103.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27103.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27103.patch 2023-11-21 
14:07:48.0 +0100
@@ -0,0 +1,54 @@
+commit d6bf73e765b7a23627bfd7a8645c143fd9097995
+Author: Dirk Farin 
+Date:   Sat Mar 4 10:27:59 2023 +0100
+
+check for valid slice header index access (fixes #394)
+
+Index: libde265-1.0.11/libde265/de265.cc
+===
+--- libde265-1.0.11.orig/libde265/de265.cc 2023-11-19 19:08:22.851224558 
+0100
 libde265-1.0.11/libde265/de265.cc  2023-11-19 19:08:22.847224554 +0100
+@@ -174,6 +174,8 @@
+ return "Bit-depth of current image does not match SPS";
+   case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH:
+ return "Chroma format of reference image does not match current image";
++  case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS:
++return "Access with invalid slice header index";
+ 
+   default: return "unknown error";
+   }
+Index: libde265-1.0.11/libde265/de265.h
+===
+--- libde265-1.0.11.orig/libde265/de265.h  2023-11-19 19:08:22.851224558 
+0100
 libde265-1.0.11/libde265/de265.h   2023-11-19 19:08:22.847224554 +0100
+@@ -145,7 +145,8 @@
+   DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
+   DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
+   DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031,
+-  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032
++  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032,
++  DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033
+ } de265_error;
+ 
+ LIBDE265_API const char* de265_get_error_text(de265_error err);
+Index: libde265-1.0.11/libde265/motion.cc
+===
+--- libde265-1.0.11.orig/libde265/motion.cc2023-11-19 19:08:22.851224558 
+0100
 libde265-1.0.11/libde265/motion.cc 2023-11-19 19:08:22.847224554 +0100
+@@ -1266,6 +1266,16 @@
+ 
+ 
+ 
++  int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb);
++  

Bug#1056934: bookworm-pu: libde265/1.0.11-1+deb12u1

2023-11-26 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for libde265 fixes CVE-2023-27102, CVE-2023-27103, 
CVE-2023-43887 and CVE-2023-47471 in Bookworm.
Except for CVE-2023-43887, all of them are marked as no-dsa by the security team
(CVE-2023-43887 appeared only recently and has not been evaluated yet).


The fix has already been uploaded to Stretch and nobody has complained so far.

  Thorsten
diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog
--- libde265-1.0.11/debian/changelog2023-02-02 16:06:20.0 +0100
+++ libde265-1.0.11/debian/changelog2023-11-26 13:03:02.0 +0100
@@ -1,3 +1,19 @@
+libde265 (1.0.11-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-27102 (Closes: #1033257)
+fix segmentation violation in the
+function decoder_context::process_slice_segment_header
+  * CVE-2023-27103
+fix heap buffer overflow in the
+function derive_collocated_motion_vectors
+  * CVE-2023-43887
+fix buffer over-read in pic_parameter_set::dump
+  * CVE-2023-47471 (Closes: #1056187)
+fix buffer overflow in the slice_segment_header function
+
+ -- Thorsten Alteholz   Sun, 26 Nov 2023 13:03:02 +0100
+
 libde265 (1.0.11-1) unstable; urgency=medium
 
   [ Tobias Frost ]
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27102.patch 
libde265-1.0.11/debian/patches/CVE-2023-27102.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27102.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27102.patch 2023-11-21 
14:10:17.0 +0100
@@ -0,0 +1,23 @@
+commit 0b1752abff97cb542941d317a0d18aa50cb199b1
+Author: Dirk Farin 
+Date:   Sat Mar 4 10:32:43 2023 +0100
+
+check whether referenced PPS exists (fixes #393)
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===
+--- libde265-1.0.11.orig/libde265/decctx.cc2023-11-19 19:08:18.703219858 
+0100
 libde265-1.0.11/libde265/decctx.cc 2023-11-19 19:08:18.703219858 +0100
+@@ -2276,9 +2276,10 @@
+   // get PPS and SPS for this slice
+ 
+   int pps_id = hdr->slice_pic_parameter_set_id;
+-  if (pps[pps_id]->pps_read==false) {
++  if (pps[pps_id]==nullptr || pps[pps_id]->pps_read==false) {
+ logerror(LogHeaders, "PPS %d has not been read\n", pps_id);
+-assert(false); // TODO
++img->decctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);
++return false;
+   }
+ 
+   current_pps = pps[pps_id];
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27103.patch 
libde265-1.0.11/debian/patches/CVE-2023-27103.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27103.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27103.patch 2023-11-21 
14:10:17.0 +0100
@@ -0,0 +1,54 @@
+commit d6bf73e765b7a23627bfd7a8645c143fd9097995
+Author: Dirk Farin 
+Date:   Sat Mar 4 10:27:59 2023 +0100
+
+check for valid slice header index access (fixes #394)
+
+Index: libde265-1.0.11/libde265/de265.cc
+===
+--- libde265-1.0.11.orig/libde265/de265.cc 2023-11-19 19:08:22.851224558 
+0100
 libde265-1.0.11/libde265/de265.cc  2023-11-19 19:08:22.847224554 +0100
+@@ -174,6 +174,8 @@
+ return "Bit-depth of current image does not match SPS";
+   case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH:
+ return "Chroma format of reference image does not match current image";
++  case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS:
++return "Access with invalid slice header index";
+ 
+   default: return "unknown error";
+   }
+Index: libde265-1.0.11/libde265/de265.h
+===
+--- libde265-1.0.11.orig/libde265/de265.h  2023-11-19 19:08:22.851224558 
+0100
 libde265-1.0.11/libde265/de265.h   2023-11-19 19:08:22.847224554 +0100
+@@ -145,7 +145,8 @@
+   DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
+   DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
+   DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031,
+-  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032
++  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032,
++  DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033
+ } de265_error;
+ 
+ LIBDE265_API const char* de265_get_error_text(de265_error err);
+Index: libde265-1.0.11/libde265/motion.cc
+===
+--- libde265-1.0.11.orig/libde265/motion.cc2023-11-19 19:08:22.851224558 
+0100
 libde265-1.0.11/libde265/motion.cc 2023-11-19 19:08:22.847224554 +0100
+@@ -1266,6 +1266,16 @@
+ 
+ 
+ 
++  int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb);
++  if (slice_hdr_idx >= colImg->slices.size()) {
++ 

Bug#1056737: bookworm-pu: minizip/1.1-8+deb12u1

2023-11-25 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for minizip fixes CVE-2023-45853 in Bookworm. This 
CVE has been marked as no-dsa by the security team.


Chrome upstream added a test for their internal copy of minizip. Running 
this test against libminizip1 of this package worked as well, so I don't 
expect any problems.


  Thorsten
diff -Nru minizip-1.1/debian/changelog minizip-1.1/debian/changelog
--- minizip-1.1/debian/changelog2016-01-03 04:24:26.0 +0100
+++ minizip-1.1/debian/changelog2023-11-25 13:03:02.0 +0100
@@ -1,3 +1,11 @@
+minizip (1.1-8+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-45853 (Closes: #1056719)
+Reject overflows of zip header fields in minizip.
+
+ -- Thorsten Alteholz   Sat, 25 Nov 2023 13:03:02 +0100
+
 minizip (1.1-8) unstable; urgency=medium
 
   * Fix implicit function declaration.
diff -Nru minizip-1.1/debian/patches/CVE-2023-45853.patch 
minizip-1.1/debian/patches/CVE-2023-45853.patch
--- minizip-1.1/debian/patches/CVE-2023-45853.patch 1970-01-01 
01:00:00.0 +0100
+++ minizip-1.1/debian/patches/CVE-2023-45853.patch 2023-11-18 
17:51:11.0 +0100
@@ -0,0 +1,34 @@
+commit 73331a6a0481067628f065ffe87bb1d8f787d10c
+Author: Hans Wennborg 
+Date:   Fri Aug 18 11:05:33 2023 +0200
+
+Reject overflows of zip header fields in minizip.
+
+This checks the lengths of the file name, extra field, and comment
+that would be put in the zip headers, and rejects them if they are
+too long. They are each limited to 65535 bytes in length by the zip
+format. This also avoids possible buffer overflows if the provided
+fields are too long.
+
+Index: minizip-1.1/zip.c
+===
+--- minizip-1.1.orig/zip.c 2023-11-18 17:51:05.539763813 +0100
 minizip-1.1/zip.c  2023-11-18 17:51:05.539763813 +0100
+@@ -1082,6 +1082,17 @@
+   return ZIP_PARAMERROR;
+ #endif
+ 
++// The filename and comment length must fit in 16 bits.
++if ((filename!=NULL) && (strlen(filename)>0x))
++return ZIP_PARAMERROR;
++if ((comment!=NULL) && (strlen(comment)>0x))
++return ZIP_PARAMERROR;
++// The extra field length must fit in 16 bits. If the member also requires
++// a Zip64 extra block, that will also need to fit within that 16-bit
++// length, but that will be checked for later.
++if ((size_extrafield_local>0x) || (size_extrafield_global>0x))
++return ZIP_PARAMERROR;
++
+ zi = (zip64_internal*)file;
+ 
+ if (zi->in_opened_file_inzip == 1)
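Review bot: The four new length comparisons read `>0x` as shown here, with no digits after the prefix; that is not a valid C integer constant, so the code as listed would not compile. The comment above them and the commit message both name the 16-bit zip field limit, and the upstream commit cited in the patch header (73331a6a) compares against `0xffff`, so the constant has most likely been lost in this rendering rather than in the upload — anyone taking the patch from this page should restore `0xffff` in all four places. The enclosing function starts before and ends after the hunk. The same hunk recurs in the bullseye debdiff below (Bug#1056738), where the same applies.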
diff -Nru minizip-1.1/debian/patches/series minizip-1.1/debian/patches/series
--- minizip-1.1/debian/patches/series   2016-01-03 04:14:08.0 +0100
+++ minizip-1.1/debian/patches/series   2023-11-18 17:50:30.0 +0100
@@ -1,3 +1,5 @@
 include.patch
 automake.patch
 traversal.patch
+
+CVE-2023-45853.patch


Bug#1056738: bullseye-pu: minizip/1.1-8+deb11u1

2023-11-25 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for minizip fixes CVE-2023-45853 in Bullseye. This
CVE has been marked as no-dsa by the security team.

As this is the same version as in Bookworm, I don't expect any problems in
Bullseye either.


  Thorsten
diff -Nru minizip-1.1/debian/changelog minizip-1.1/debian/changelog
--- minizip-1.1/debian/changelog2016-01-03 04:24:26.0 +0100
+++ minizip-1.1/debian/changelog2023-11-25 13:03:02.0 +0100
@@ -1,3 +1,11 @@
+minizip (1.1-8+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-45853 (Closes: #1056719)
+Reject overflows of zip header fields in minizip.
+
+ -- Thorsten Alteholz   Sat, 25 Nov 2023 13:03:02 +0100
+
 minizip (1.1-8) unstable; urgency=medium
 
   * Fix implicit function declaration.
diff -Nru minizip-1.1/debian/patches/CVE-2023-45853.patch 
minizip-1.1/debian/patches/CVE-2023-45853.patch
--- minizip-1.1/debian/patches/CVE-2023-45853.patch 1970-01-01 
01:00:00.0 +0100
+++ minizip-1.1/debian/patches/CVE-2023-45853.patch 2023-11-18 
17:54:41.0 +0100
@@ -0,0 +1,34 @@
+commit 73331a6a0481067628f065ffe87bb1d8f787d10c
+Author: Hans Wennborg 
+Date:   Fri Aug 18 11:05:33 2023 +0200
+
+Reject overflows of zip header fields in minizip.
+
+This checks the lengths of the file name, extra field, and comment
+that would be put in the zip headers, and rejects them if they are
+too long. They are each limited to 65535 bytes in length by the zip
+format. This also avoids possible buffer overflows if the provided
+fields are too long.
+
+Index: minizip-1.1/zip.c
+===
+--- minizip-1.1.orig/zip.c 2023-11-18 17:51:05.539763813 +0100
 minizip-1.1/zip.c  2023-11-18 17:51:05.539763813 +0100
+@@ -1082,6 +1082,17 @@
+   return ZIP_PARAMERROR;
+ #endif
+ 
++// The filename and comment length must fit in 16 bits.
++if ((filename!=NULL) && (strlen(filename)>0x))
++return ZIP_PARAMERROR;
++if ((comment!=NULL) && (strlen(comment)>0x))
++return ZIP_PARAMERROR;
++// The extra field length must fit in 16 bits. If the member also requires
++// a Zip64 extra block, that will also need to fit within that 16-bit
++// length, but that will be checked for later.
++if ((size_extrafield_local>0x) || (size_extrafield_global>0x))
++return ZIP_PARAMERROR;
++
+ zi = (zip64_internal*)file;
+ 
+ if (zi->in_opened_file_inzip == 1)
diff -Nru minizip-1.1/debian/patches/series minizip-1.1/debian/patches/series
--- minizip-1.1/debian/patches/series   2016-01-03 04:14:08.0 +0100
+++ minizip-1.1/debian/patches/series   2023-11-18 17:54:50.0 +0100
@@ -1,3 +1,5 @@
 include.patch
 automake.patch
 traversal.patch
+
+CVE-2023-45853.patch


Bug#1053523: bookworm-pu: cups/2.4.2-3+deb12u4

2023-10-05 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


After uploading the fix for CVE-2023-4504 and CVE-2023-32360 to Buster I 
got some complaints:

 - the mentioned filename of the cupsd configuration contained a typo
   and several users were unsure what to do now ...
 - ... especially as the contents of debian/NEWS was also shown on
   computers where only cups client was installed.

So this upload fixes the typo and removes debian/NEWS again, so that the
text is only shown when cups-daemon is updated.


I know it is rather late for this, but maybe this makes things easier for 
our users.


  Thorsten
diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-09-29 21:20:27.0 +0200
+++ cups-2.4.2/debian/changelog 2023-10-05 16:35:27.0 +0200
@@ -1,3 +1,11 @@
+cups (2.4.2-3+deb12u4) bookworm; urgency=medium
+
+  * remove debian/NEWS again to avoid too much information when only
+the client part is installed
+  * fix typo in config filename
+
+ -- Thorsten Alteholz   Thu, 05 Oct 2023 16:35:27 +0200
+
 cups (2.4.2-3+deb12u3) bookworm; urgency=medium
 
   * move debian/NEWS.Debian to debian/NEWS
diff -Nru cups-2.4.2/debian/cups-daemon.NEWS cups-2.4.2/debian/cups-daemon.NEWS
--- cups-2.4.2/debian/cups-daemon.NEWS  2023-09-29 21:20:27.0 +0200
+++ cups-2.4.2/debian/cups-daemon.NEWS  2023-10-05 16:35:27.0 +0200
@@ -4,7 +4,7 @@
   unauthorized users to fetch documents over local or remote networks.
   Since this is a configuration fix, it might be that it does not reach you if 
you
   are updating 'cups-daemon' (rather than doing a fresh installation).
-  Please double check your /etc/cups/cupds.conf file, whether it limits the 
access
+  Please double check your /etc/cups/cupsd.conf file, whether it limits the 
access
   to CUPS-Get-Document with something like the following
   >  
   >AuthType Default
diff -Nru cups-2.4.2/debian/NEWS cups-2.4.2/debian/NEWS
--- cups-2.4.2/debian/NEWS  2023-09-29 21:20:27.0 +0200
+++ cups-2.4.2/debian/NEWS  1970-01-01 01:00:00.0 +0100
@@ -1,16 +0,0 @@
-cups (2.4.2-3+deb12u3) bookworm; urgency=medium
-
-  This release addresses a security issue (CVE-2023-32360) which allows
-  unauthorized users to fetch documents over local or remote networks.
-  Since this is a configuration fix, it might be that it does not reach you if 
you
-  are updating 'cups-daemon' (rather than doing a fresh installation).
-  Please double check your /etc/cups/cupds.conf file, whether it limits the 
access
-  to CUPS-Get-Document with something like the following
-  >  
-  >AuthType Default
-  >Require user @OWNER @SYSTEM
-  >Order deny,allow
-  >   
-  (The important line is the 'AuthType Default' in this section)
-
- -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200


Bug#1053522: bullseye-pu: cups/2.3.3op2-3+deb11u6

2023-10-05 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


After uploading the fix for CVE-2023-4504 and CVE-2023-32360 to Buster I
got some complaints:
 - the mentioned filename of the cupsd configuration contained a typo
   and several users were unsure what to do now ...
 - ... especially as the contents of debian/NEWS was also shown on
   computers where only cups client was installed.

So this upload fixes the typo and removes debian/NEWS again, so that the
text is only shown when cups-daemon is updated.

I know it is rather late for this, but maybe this makes things easier for
our users.

  Thorsten
diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog  2023-09-29 21:20:27.0 +0200
+++ cups-2.3.3op2/debian/changelog  2023-10-05 16:35:27.0 +0200
@@ -1,3 +1,11 @@
+cups (2.3.3op2-3+deb11u6) bullseye; urgency=medium
+
+  * remove debian/NEWS again to avoid too much information when only
+the client part is installed
+  * fix typo in config filename
+
+ -- Thorsten Alteholz   Thu, 05 Oct 2023 16:35:27 +0200
+
 cups (2.3.3op2-3+deb11u5) bullseye; urgency=medium
 
   * move debian/NEWS.Debian to debian/NEWS
diff -Nru cups-2.3.3op2/debian/cups-daemon.NEWS 
cups-2.3.3op2/debian/cups-daemon.NEWS
--- cups-2.3.3op2/debian/cups-daemon.NEWS   2023-09-29 21:20:27.0 
+0200
+++ cups-2.3.3op2/debian/cups-daemon.NEWS   2023-10-05 16:35:27.0 
+0200
@@ -4,7 +4,7 @@
   unauthorized users to fetch documents over local or remote networks.
   Since this is a configuration fix, it might be that it does not reach you if 
you
   are updating 'cups-daemon' (rather than doing a fresh installation).
-  Please double check your /etc/cups/cupds.conf file, whether it limits the 
access
+  Please double check your /etc/cups/cupsd.conf file, whether it limits the 
access
   to CUPS-Get-Document with something like the following
   >  
   >AuthType Default
diff -Nru cups-2.3.3op2/debian/NEWS cups-2.3.3op2/debian/NEWS
--- cups-2.3.3op2/debian/NEWS   2023-09-29 21:20:27.0 +0200
+++ cups-2.3.3op2/debian/NEWS   1970-01-01 01:00:00.0 +0100
@@ -1,16 +0,0 @@
-cups (2.3.3op2-3+deb11u5) bullseye; urgency=medium
-
-  This release addresses a security issue (CVE-2023-32360) which allows
-  unauthorized users to fetch documents over local or remote networks.
-  Since this is a configuration fix, it might be that it does not reach you if 
you
-  are updating 'cups-daemon' (rather than doing a fresh installation).
-  Please double check your /etc/cups/cupds.conf file, whether it limits the 
access
-  to CUPS-Get-Document with something like the following
-  >  
-  >AuthType Default
-  >Require user @OWNER @SYSTEM
-  >Order deny,allow
-  >   
-  (The important line is the 'AuthType Default' in this section)
-
- -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200


Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

2023-09-29 Thread Thorsten Alteholz




On Fri, 29 Sep 2023, Adam D. Barratt wrote:

I should have spotted this before (particularly as we recently had the
same issue with another package) but debian/NEWS.Debian should simply
be debian/NEWS. dh_installchangelogs then renames it to NEWS.Debian in
the binary package.


ok, uploaded, I keep my fingers crossed.

  Thorsten



Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4

2023-09-29 Thread Thorsten Alteholz




On Fri, 29 Sep 2023, Adam D. Barratt wrote:

I should have spotted this before (particularly as we recently had the
same issue with another package) but debian/NEWS.Debian should simply
be debian/NEWS. dh_installchangelogs then renames it to NEWS.Debian in
the binary package.


ok, uploaded, I keep my fingers crossed.

  Thorsten



Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4

2023-09-28 Thread Thorsten Alteholz




On 27.09.23 20:33, Adam D. Barratt wrote:


Thanks; please go ahead.


great, thanks, ...

... and uploaded.

  Thorsten



Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

2023-09-28 Thread Thorsten Alteholz




On 27.09.23 20:32, Adam D. Barratt wrote:


Please go ahead.


great, thanks, ...

... and uploaded.

  Thorsten



Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4

2023-09-27 Thread Thorsten Alteholz

Control: tags 1052363 - moreinfo


On Sat, 23 Sep 2023, Adam D. Barratt wrote:

The same query as for bookworm applies here - do we expect users to
know how to find the patch?


... and the same new text for Bullseye.

  Thorsten
diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog  2023-06-24 10:54:05.0 +0200
+++ cups-2.3.3op2/debian/changelog  2023-09-19 21:20:27.0 +0200
@@ -1,3 +1,12 @@
+cups (2.3.3op2-3+deb11u4) bullseye; urgency=medium
+
+  * CVE-2023-4504
+Postscript parsing heap-based buffer overflow
+  * CVE-2023-32360 (Closes: #1051953)
+authentication issue
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.3.3op2-3+deb11u3) bullseye; urgency=medium
 
   * CVE-2023-34241 (Closes: #1038885)
diff -Nru cups-2.3.3op2/debian/cups-daemon.NEWS 
cups-2.3.3op2/debian/cups-daemon.NEWS
--- cups-2.3.3op2/debian/cups-daemon.NEWS   2023-06-22 23:22:40.0 
+0200
+++ cups-2.3.3op2/debian/cups-daemon.NEWS   2023-09-19 21:20:27.0 
+0200
@@ -1,3 +1,20 @@
+cups (2.3.3op2-3+deb11u4) bullseye; urgency=medium
+
+  This release addresses a security issue (CVE-2023-32360) which allows
+  unauthorized users to fetch documents over local or remote networks.
+  Since this is a configuration fix, it might be that it does not reach you if 
you
+  are updating 'cups-daemon' (rather than doing a fresh installation).
+  Please double check your /etc/cups/cupds.conf file, whether it limits the 
access
+  to CUPS-Get-Document with something like the following
+  >  
+  >AuthType Default
+  >Require user @OWNER @SYSTEM
+  >Order deny,allow
+  >   
+  (The important line is the 'AuthType Default' in this section)
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.1.4-3) unstable; urgency=low
 
   The default ErrorPolicy is changed from 'stop-printer' to 'retry-job',
diff -Nru cups-2.3.3op2/debian/NEWS.Debian cups-2.3.3op2/debian/NEWS.Debian
--- cups-2.3.3op2/debian/NEWS.Debian1970-01-01 01:00:00.0 +0100
+++ cups-2.3.3op2/debian/NEWS.Debian2023-09-19 21:20:27.0 +0200
@@ -0,0 +1,16 @@
+cups (2.3.3op2-3+deb11u4) bullseye; urgency=medium
+
+  This release addresses a security issue (CVE-2023-32360) which allows
+  unauthorized users to fetch documents over local or remote networks.
+  Since this is a configuration fix, it might be that it does not reach you if 
you
+  are updating 'cups-daemon' (rather than doing a fresh installation).
+  Please double check your /etc/cups/cupds.conf file, whether it limits the 
access
+  to CUPS-Get-Document with something like the following
+  >  
+  >AuthType Default
+  >Require user @OWNER @SYSTEM
+  >Order deny,allow
+  >   
+  (The important line is the 'AuthType Default' in this section)
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
diff -Nru cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch 
cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch
--- cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch  1970-01-01 
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch  2023-09-19 
21:20:27.0 +0200
@@ -0,0 +1,27 @@
+From: Thorsten Alteholz 
+Date: Wed, 20 Sep 2023 23:21:42 +0200
+Subject: CVE-2023-32360
+
+---
+ conf/cupsd.conf.in | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index 09059dc..67d1c8b 100644
+--- a/conf/cupsd.conf.in
 b/conf/cupsd.conf.in
+@@ -65,7 +65,13 @@ WebInterface @CUPS_WEBIF@
+ Order deny,allow
+   
+ 
+-  
++  
++Require user @OWNER @SYSTEM
++Order deny,allow
++  
++
++  
++AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+   
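Review bot: The operation names of the `<Limit ...>` blocks being split are not visible in this listing (the `+-` line and the two `++` lines that should open them are blank), so the hunk cannot be checked for which operations end up under the new `AuthType Default` block; the NEWS text in the same debdiff says it is CUPS-Get-Document, which matches the CVE-2023-32360 description. Because the change is to the `conf/cupsd.conf.in` template only, systems upgrading in place keep their existing cupsd.conf and get no enforcement change from this hunk — as the NEWS entry itself says, that entry is their only hint, so its wording (including the `cupds.conf` typo it carries, fixed in the later +deb11u6 upload) matters as much as the patch. The same hunk recurs in the 2023-09-20 debdiff of Bug#1052363 (0019-CVE-2023-32360.patch).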
diff -Nru cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch 
cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch
--- cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch   1970-01-01 
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch   2023-09-19 
21:20:27.0 +0200
@@ -0,0 +1,33 @@
+From: Thorsten Alteholz 
+Date: Wed, 20 Sep 2023 23:22:44 +0200
+Subject: CVE-2023-4504
+
+---
+ cups/raster-interpret.c | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
+index fbe52f3..89ef158 100644
+--- a/cups/raster-interpret.c
 b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st,   /* I  - Stack */
+ 
+   cur ++;
+ 
+-if (*cur == 'b')
++ /*
++  * Return NULL if we reached NULL terminator, a lone backslash
++* is not a valid character in PostScript.
++  */
++
++  if (!*cur)
++  {
++*ptr = NULL;
++
++return (NULL);
++  }
++
++  if (*cur == 'b')
+ *valptr++ = '\b';
+

Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

2023-09-27 Thread Thorsten Alteholz

Control: tags 1052361 - moreinfo

Hi Adam,

On Sat, 23 Sep 2023, Adam D. Barratt wrote:

Hmm. Is there a better way we can point users to the required change
here that doesn't require them knowing how to find patches applied to
the source package?


yes, *sigh* the wording was bad and I also mangled the version numbers, 
sorry.
What do you think of this version, which was thankfully provided by 
IOhannes?


  Thorsten
diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-06-24 10:54:05.0 +0200
+++ cups-2.4.2/debian/changelog 2023-09-19 21:20:27.0 +0200
@@ -1,3 +1,12 @@
+cups (2.4.2-3+deb12u2) bookworm; urgency=medium
+
+  * CVE-2023-4504
+Postscript parsing heap-based buffer overflow
+  * CVE-2023-32360 (Closes: #1051953)
+authentication issue
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.4.2-3+deb12u1) bookworm; urgency=medium
 
   * CVE-2023-34241 (Closes: #1038885)
diff -Nru cups-2.4.2/debian/cups-daemon.NEWS cups-2.4.2/debian/cups-daemon.NEWS
--- cups-2.4.2/debian/cups-daemon.NEWS  2023-06-22 23:22:40.0 +0200
+++ cups-2.4.2/debian/cups-daemon.NEWS  2023-09-19 21:20:27.0 +0200
@@ -1,3 +1,20 @@
+cups (2.4.2-3+deb12u2) bookworm; urgency=medium
+
+  This release addresses a security issue (CVE-2023-32360) which allows
+  unauthorized users to fetch documents over local or remote networks.
+  Since this is a configuration fix, it might be that it does not reach you if 
you
+  are updating 'cups-daemon' (rather than doing a fresh installation).
+  Please double check your /etc/cups/cupds.conf file, whether it limits the 
access
+  to CUPS-Get-Document with something like the following
+  >  
+  >AuthType Default
+  >Require user @OWNER @SYSTEM
+  >Order deny,allow
+  >   
+  (The important line is the 'AuthType Default' in this section)
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.1.4-3) unstable; urgency=low
 
   The default ErrorPolicy is changed from 'stop-printer' to 'retry-job',
diff -Nru cups-2.4.2/debian/NEWS.Debian cups-2.4.2/debian/NEWS.Debian
--- cups-2.4.2/debian/NEWS.Debian   1970-01-01 01:00:00.0 +0100
+++ cups-2.4.2/debian/NEWS.Debian   2023-09-19 21:20:27.0 +0200
@@ -0,0 +1,16 @@
+cups (2.4.2-3+deb12u2) bookworm; urgency=medium
+
+  This release addresses a security issue (CVE-2023-32360) which allows
+  unauthorized users to fetch documents over local or remote networks.
+  Since this is a configuration fix, it might be that it does not reach you if 
you
+  are updating 'cups-daemon' (rather than doing a fresh installation).
+  Please double check your /etc/cups/cupds.conf file, whether it limits the 
access
+  to CUPS-Get-Document with something like the following
+  >  
+  >AuthType Default
+  >Require user @OWNER @SYSTEM
+  >Order deny,allow
+  >   
+  (The important line is the 'AuthType Default' in this section)
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
diff -Nru cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch 
cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch
--- cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch  1970-01-01 
01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch  2023-09-19 
21:20:27.0 +0200
@@ -0,0 +1,33 @@
+From: Thorsten Alteholz 
+Date: Wed, 20 Sep 2023 04:55:44 +0200
+Subject: CVE-2023-4504
+
+---
+ cups/raster-interpret.c | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
+index fbe52f3..89ef158 100644
+--- a/cups/raster-interpret.c
 b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st,   /* I  - Stack */
+ 
+   cur ++;
+ 
+-if (*cur == 'b')
++ /*
++  * Return NULL if we reached NULL terminator, a lone backslash
++* is not a valid character in PostScript.
++  */
++
++  if (!*cur)
++  {
++*ptr = NULL;
++
++return (NULL);
++  }
++
++  if (*cur == 'b')
+ *valptr++ = '\b';
+   else if (*cur == 'f')
+ *valptr++ = '\f';
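Review bot: The added guard is the right fix, but its comment says "NULL terminator" where it means the string's terminating NUL byte; `*cur` is a character, not a pointer, so `/* Return NULL if we reached the NUL terminator; a lone backslash is not a valid character in PostScript. */` avoids conflating the two. The guard's `*ptr = NULL; return (NULL);` relies on every caller of `scan_ps` treating a NULL return as end of input; the hunk does not show the callers, and `scan_ps` itself starts before and ends after it. The same hunk recurs in the bullseye debdiffs of Bug#1052363 (0020-CVE-2023-4504.patch), where the comment reads identically.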
diff -Nru cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 
cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch
--- cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 1970-01-01 
01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 2023-09-19 
21:20:27.0 +0200
@@ -0,0 +1,27 @@
+From: Thorsten Alteholz 
+Date: Wed, 20 Sep 2023 04:56:47 +0200
+Subject: CVE-2023-32360
+
+---
+ conf/cupsd.conf.in | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index b258849..a07536f 100644
+--- a/conf/cupsd.conf.in
 b/conf/cupsd.conf.in
+@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
+ Order deny,allow
+   
+ 
+-  
++  
++ 

Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4

2023-09-20 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for cups fixes CVE-2023-4504 and CVE-2023-32360 in 
Bullseye. These CVEs have been marked as no-dsa by the security team, but 
at least CVE-2023-32360 got an RC bug (#1051953).


  Thorsten

PS: There already is 2.3.3op2-3+deb11u3 in P-U
diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog  2023-06-24 10:54:05.0 +0200
+++ cups-2.3.3op2/debian/changelog  2023-09-19 21:20:27.0 +0200
@@ -1,3 +1,12 @@
+cups (2.3.3op2-3+deb11u4) bullseye; urgency=medium
+
+  * CVE-2023-4504
+Postscript parsing heap-based buffer overflow
+  * CVE-2023-32360 (Closes: #1051953)
+authentication issue
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.3.3op2-3+deb11u3) bullseye; urgency=medium
 
   * CVE-2023-34241 (Closes: #1038885)
diff -Nru cups-2.3.3op2/debian/cups-daemon.NEWS 
cups-2.3.3op2/debian/cups-daemon.NEWS
--- cups-2.3.3op2/debian/cups-daemon.NEWS   2023-06-22 23:22:40.0 
+0200
+++ cups-2.3.3op2/debian/cups-daemon.NEWS   2023-09-19 21:20:27.0 
+0200
@@ -1,3 +1,11 @@
+cups (2.4.2-6) unstable; urgency=low
+
+  In case this is not a fresh installation of cups, please double check
+  whether your cupsd.conf really does contain the limitiation for
+  "CUPS-Get-Document" (see patch 0019-CVE-2023-32360.patch)
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.1.4-3) unstable; urgency=low
 
   The default ErrorPolicy is changed from 'stop-printer' to 'retry-job',
diff -Nru cups-2.3.3op2/debian/NEWS.Debian cups-2.3.3op2/debian/NEWS.Debian
--- cups-2.3.3op2/debian/NEWS.Debian1970-01-01 01:00:00.0 +0100
+++ cups-2.3.3op2/debian/NEWS.Debian2023-09-19 21:20:27.0 +0200
@@ -0,0 +1,7 @@
+cups (2.4.2-6) unstable; urgency=low
+
+  In case this is not a fresh installation of cups, please double check
+  whether your cupsd.conf really does contain the limitiation for
+  "CUPS-Get-Document" (see patch 0019-CVE-2023-32360.patch)
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
diff -Nru cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch 
cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch
--- cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch  1970-01-01 
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch  2023-09-19 
21:20:27.0 +0200
@@ -0,0 +1,27 @@
+From: Thorsten Alteholz 
+Date: Wed, 20 Sep 2023 23:21:42 +0200
+Subject: CVE-2023-32360
+
+---
+ conf/cupsd.conf.in | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index 09059dc..67d1c8b 100644
+--- a/conf/cupsd.conf.in
 b/conf/cupsd.conf.in
+@@ -65,7 +65,13 @@ WebInterface @CUPS_WEBIF@
+ Order deny,allow
+   
+ 
+-  
++  
++Require user @OWNER @SYSTEM
++Order deny,allow
++  
++
++  
++AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+   
diff -Nru cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch 
cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch
--- cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch   1970-01-01 
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch   2023-09-19 
21:20:27.0 +0200
@@ -0,0 +1,33 @@
+From: Thorsten Alteholz 
+Date: Wed, 20 Sep 2023 23:22:44 +0200
+Subject: CVE-2023-4504
+
+---
+ cups/raster-interpret.c | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
+index fbe52f3..89ef158 100644
+--- a/cups/raster-interpret.c
 b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st,   /* I  - Stack */
+ 
+   cur ++;
+ 
+-if (*cur == 'b')
++ /*
++  * Return NULL if we reached NULL terminator, a lone backslash
++* is not a valid character in PostScript.
++  */
++
++  if (!*cur)
++  {
++*ptr = NULL;
++
++return (NULL);
++  }
++
++  if (*cur == 'b')
+ *valptr++ = '\b';
+   else if (*cur == 'f')
+ *valptr++ = '\f';
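Review bot: The new `if (!*cur)` guard stops the read side from stepping past the string terminator after `cur ++`, but the write side `*valptr++ = ...` on the following lines is not bounded anywhere inside the hunk; whether `valptr` is checked against its destination buffer earlier in `scan_ps()` is outside the hunk and worth confirming before treating this as the whole story for the heap overflow. The early return also stores `*ptr = NULL`, so every caller of `scan_ps()` must tolerate a NULL out-pointer as well as a NULL return — those callers are not visible here. The new comment should say `NUL terminator` rather than `NULL terminator`, since a character, not a pointer, is meant. `scan_ps()` starts and ends outside the hunk; the identical hunk appears again as `0015-CVE-2023-4504.patch` in the bookworm debdiff below.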
diff -Nru cups-2.3.3op2/debian/patches/series 
cups-2.3.3op2/debian/patches/series
--- cups-2.3.3op2/debian/patches/series 2023-06-24 10:54:05.0 +0200
+++ cups-2.3.3op2/debian/patches/series 2023-09-19 21:20:27.0 +0200
@@ -16,3 +16,5 @@
 0016-Fix-certificate-comparison-CVE-2022-26691.patch
 0017-CVE-2023-32324.patch
 0018-CVE-2023-34241.patch
+0019-CVE-2023-32360.patch
+0020-CVE-2023-4504.patch


Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

2023-09-20 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for cups fixes CVE-2023-4504 and CVE-2023-32360 in 
Bookworm. These CVEs have been marked as no-dsa by the security team, 
but at least CVE-2023-32360 got an RC bug (#1051953).


  Thorsten
diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-06-24 10:54:05.0 +0200
+++ cups-2.4.2/debian/changelog 2023-09-19 21:20:27.0 +0200
@@ -1,3 +1,12 @@
+cups (2.4.2-3+deb12u2) bookworm; urgency=medium
+
+  * CVE-2023-4504
+Postscript parsing heap-based buffer overflow
+  * CVE-2023-32360 (Closes: #1051953)
+authentication issue
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.4.2-3+deb12u1) bookworm; urgency=medium
 
   * CVE-2023-34241 (Closes: #1038885)
diff -Nru cups-2.4.2/debian/cups-daemon.NEWS cups-2.4.2/debian/cups-daemon.NEWS
--- cups-2.4.2/debian/cups-daemon.NEWS  2023-06-22 23:22:40.0 +0200
+++ cups-2.4.2/debian/cups-daemon.NEWS  2023-09-19 21:20:27.0 +0200
@@ -1,3 +1,11 @@
+cups (2.4.2-6) unstable; urgency=low
+
+  In case this is not a fresh installation of cups, please double check
+  whether your cupsd.conf really does contain the limitiation for
+  "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch)
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.1.4-3) unstable; urgency=low
 
   The default ErrorPolicy is changed from 'stop-printer' to 'retry-job',
diff -Nru cups-2.4.2/debian/NEWS.Debian cups-2.4.2/debian/NEWS.Debian
--- cups-2.4.2/debian/NEWS.Debian   1970-01-01 01:00:00.0 +0100
+++ cups-2.4.2/debian/NEWS.Debian   2023-09-19 21:20:27.0 +0200
@@ -0,0 +1,7 @@
+cups (2.4.2-6) unstable; urgency=low
+
+  In case this is not a fresh installation of cups, please double check
+  whether your cupsd.conf really does contain the limitiation for
+  "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch)
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
diff -Nru cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch 
cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch
--- cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch  1970-01-01 
01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch  2023-09-19 
21:20:27.0 +0200
@@ -0,0 +1,33 @@
+From: Thorsten Alteholz 
+Date: Wed, 20 Sep 2023 04:55:44 +0200
+Subject: CVE-2023-4504
+
+---
+ cups/raster-interpret.c | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
+index fbe52f3..89ef158 100644
+--- a/cups/raster-interpret.c
 b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st,   /* I  - Stack */
+ 
+   cur ++;
+ 
+-if (*cur == 'b')
++ /*
++  * Return NULL if we reached NULL terminator, a lone backslash
++* is not a valid character in PostScript.
++  */
++
++  if (!*cur)
++  {
++*ptr = NULL;
++
++return (NULL);
++  }
++
++  if (*cur == 'b')
+ *valptr++ = '\b';
+   else if (*cur == 'f')
+ *valptr++ = '\f';
diff -Nru cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 
cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch
--- cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 1970-01-01 
01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 2023-09-19 
21:20:27.0 +0200
@@ -0,0 +1,27 @@
+From: Thorsten Alteholz 
+Date: Wed, 20 Sep 2023 04:56:47 +0200
+Subject: CVE-2023-32360
+
+---
+ conf/cupsd.conf.in | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index b258849..a07536f 100644
+--- a/conf/cupsd.conf.in
 b/conf/cupsd.conf.in
+@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
+ Order deny,allow
+   
+ 
+-  
++  
++Require user @OWNER @SYSTEM
++Order deny,allow
++  
++
++  
++AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+   
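Review bot: The two NEWS entries in this debdiff (`debian/cups-daemon.NEWS` and `debian/NEWS.Debian`) tell administrators to look at `0015-CVE-2023-32360.patch`, but the file added here and listed in `debian/patches/series` is `0016-CVE-2023-32360.patch`; `0015-` is the CVE-2023-4504 patch. The NEWS text should name the real file so that an administrator checking the cupsd.conf of a non-fresh install is pointed at the right patch. As in the bullseye copy of this patch, the directive names inside the angle brackets have been stripped from this rendering (`+-  `, `++  ` are empty), so the attachment rather than this listing is the reference for what the stanza limits.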
diff -Nru cups-2.4.2/debian/patches/series cups-2.4.2/debian/patches/series
--- cups-2.4.2/debian/patches/series2023-06-24 10:54:05.0 +0200
+++ cups-2.4.2/debian/patches/series2023-09-19 21:20:27.0 +0200
@@ -12,3 +12,5 @@
 0012-add-pt.patch
 0013-CVE-2023-32324.patch
 0014-CVE-2023-34241.patch
+0015-CVE-2023-4504.patch
+0016-CVE-2023-32360.patch


Bug#1039862: bookworm-pu: cpdb-libs/1.2.0-2+deb12u1

2023-06-30 Thread Thorsten Alteholz




On Thu, 29 Jun 2023, Jonathan Wiltshire wrote:


Please go ahead.


Great, thanks ...

... and uploaded.

  Thorsten



Bug#1039040: bullseye-pu: cups/2.3.3op2-3+deb11u3

2023-06-28 Thread Thorsten Alteholz




On Mon, 26 Jun 2023, Jonathan Wiltshire wrote:

Please go ahead.


Great, thanks ...

... and uploaded.

  Thorsten



Bug#1039862: bookworm-pu: cpdb-libs/1.2.0-2+deb12u1

2023-06-28 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for cpdb-libs fixes CVE-2023-34095 in Bookworm. This CVE 
has been marked as no-dsa by the security team.


The fix just restricts the usable buffer and should have no side effects.

  Thorsten
diff -Nru cpdb-libs-1.2.0/debian/changelog cpdb-libs-1.2.0/debian/changelog
--- cpdb-libs-1.2.0/debian/changelog2023-01-12 22:03:02.0 +0100
+++ cpdb-libs-1.2.0/debian/changelog2023-06-27 22:03:02.0 +0200
@@ -1,3 +1,10 @@
+cpdb-libs (1.2.0-2+deb12u1) bookworm; urgency=medium
+
+  * CVE-2023-34095 (Closes: #1038253)
+buffer overflow via improper use of scanf()/fscanf()
+
+ -- Thorsten Alteholz   Tue, 27 Jun 2023 22:03:02 +0200
+
 cpdb-libs (1.2.0-2) unstable; urgency=medium
 
   * source upload
diff -Nru cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch 
cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch
--- cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch 1970-01-01 
01:00:00.0 +0100
+++ cpdb-libs-1.2.0/debian/patches/CVE-2023-34095.patch 2023-06-27 
22:03:02.0 +0200
@@ -0,0 +1,161 @@
+Description: backported fix for CVE-2023-34095
+Index: cpdb-libs/demo/print_frontend.c
+===
+--- cpdb-libs.orig/demo/print_frontend.c   2023-06-28 06:57:31.699739106 
+0200
 cpdb-libs/demo/print_frontend.c2023-06-28 08:01:19.416613086 +0200
+@@ -48,7 +48,7 @@
+ {
+ printf("> ");
+ fflush(stdout);
+-scanf("%s", buf);
++scanf("%99s", buf);
+ if (strcmp(buf, "stop") == 0)
+ {
+ disconnect_from_dbus(f);
+@@ -84,7 +84,7 @@
+ {
+ char printer_id[100];
+ char backend_name[100];
+-scanf("%s%s", printer_id, backend_name);
++scanf("%99s%99s", printer_id, backend_name);
+ g_message("Getting all attributes ..\n");
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ 
+@@ -106,7 +106,7 @@
+ else if (strcmp(buf, "get-default") == 0)
+ {
+ char printer_id[100], backend_name[100], option_name[100];
+-scanf("%s%s%s", option_name, printer_id, backend_name);
++scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ char *ans = get_default(p, option_name);
+ if (!ans)
+@@ -117,7 +117,7 @@
+ else if (strcmp(buf, "get-setting") == 0)
+ {
+ char printer_id[100], backend_name[100], setting_name[100];
+-scanf("%s%s%s", setting_name, printer_id, backend_name);
++scanf("%99s%99s%99s", setting_name, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ char *ans = get_setting(p, setting_name);
+ if (!ans)
+@@ -128,7 +128,7 @@
+ else if (strcmp(buf, "get-current") == 0)
+ {
+ char printer_id[100], backend_name[100], option_name[100];
+-scanf("%s%s%s", option_name, printer_id, backend_name);
++scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ char *ans = get_current(p, option_name);
+ if (!ans)
+@@ -139,7 +139,7 @@
+ else if (strcmp(buf, "add-setting") == 0)
+ {
+ char printer_id[100], backend_name[100], option_name[100], 
option_val[100];
+-scanf("%s %s %s %s", option_name, option_val, printer_id, 
backend_name);
++scanf("%99s %99s %99s %99s", option_name, option_val, printer_id, 
backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ printf("%s : %s\n", option_name, option_val);
+ add_setting_to_printer(p, get_string_copy(option_name), 
get_string_copy(option_val));
+@@ -147,7 +147,7 @@
+ else if (strcmp(buf, "clear-setting") == 0)
+ {
+ char printer_id[100], backend_name[100], option_name[100];
+-scanf("%s%s%s", option_name, printer_id, backend_name);
++scanf("%99s%99s%99s", option_name, printer_id, backend_name);
+ PrinterObj *p = find_PrinterObj(f, printer_id, backend_name);
+ clear_setting_from_printer(p, option_name);
+ }
+@@ -155,7 +155,7 @@
+ {
+ char printer_id[100];
+ char backend_name[100];
+-scanf("%s%s", printer_id, backend_name);
++scanf("%99s%99s", printer_id, backend_name);
+  

Bug#1039026: bookworm-pu: cups/2.4.2-3+deb12u1

2023-06-28 Thread Thorsten Alteholz




On Sun, 25 Jun 2023, Jonathan Wiltshire wrote:


Please go ahead.


Great, thanks ...

... and uploaded.

  Thorsten



Bug#1039040: bullseye-pu: cups/2.3.3op2-3+deb11u3

2023-06-24 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for cups fixes CVE-2023-32324 and CVE-2023-34241 in 
Bullseye. Both CVEs have been marked as no-dsa by the security team.


The same fixes have already been uploaded to Unstable and nobody has 
complained yet.


  Thorsten
diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog  2022-05-23 22:03:02.0 +0200
+++ cups-2.3.3op2/debian/changelog  2023-06-24 10:54:05.0 +0200
@@ -1,3 +1,14 @@
+cups (2.3.3op2-3+deb11u3) bullseye; urgency=medium
+
+  * CVE-2023-34241 (Closes: #1038885)
+use-after-free in cupsdAcceptClient()
+
+  * CVE-2023-32324
+A heap buffer overflow vulnerability would allow a remote attacker to 
+lauch a dos attack.
+
+ -- Thorsten Alteholz   Sat, 24 Jun 2023 10:54:05 +0200
+
 cups (2.3.3op2-3+deb11u2) bullseye-security; urgency=high
 
   * CVE-2022-26691
diff -Nru cups-2.3.3op2/debian/patches/0017-CVE-2023-32324.patch 
cups-2.3.3op2/debian/patches/0017-CVE-2023-32324.patch
--- cups-2.3.3op2/debian/patches/0017-CVE-2023-32324.patch  1970-01-01 
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0017-CVE-2023-32324.patch  2023-06-24 
10:54:05.0 +0200
@@ -0,0 +1,29 @@
+From: Thorsten Alteholz 
+Date: Wed, 31 May 2023 23:20:58 +0200
+Subject: CVE-2023-32324
+
+---
+ cups/string.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/cups/string.c b/cups/string.c
+index 93cdad1..1f81d60 100644
+--- a/cups/string.c
 b/cups/string.c
+@@ -1,6 +1,7 @@
+ /*
+  * String functions for CUPS.
+  *
++ * Copyright © 2023 by OpenPrinting.
+  * Copyright © 2007-2019 by Apple Inc.
+  * Copyright © 1997-2007 by Easy Software Products.
+  *
+@@ -729,6 +730,8 @@ _cups_strlcpy(char   *dst, /* O - 
Destination string */
+ {
+   size_t  srclen; /* Length of source string */
+ 
++  if (size == 0)
++return (0);
+ 
+  /*
+   * Figure out how much room is needed...
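Review bot: The new `if (size == 0) return (0);` returns 0 for a zero-sized destination; that is only consistent with the rest of `_cups_strlcpy()` if the function reports bytes copied rather than following the BSD `strlen(src)` contract, under which a caller testing `ret >= size` for truncation would now be told the copy succeeded. The remainder of the function is outside the hunk, so this is worth confirming and stating in one sentence in the patch header. The header carries only From/Date/Subject; a DEP-3 `Origin:` line for the upstream commit (which the added `Copyright © 2023 by OpenPrinting` line suggests this came from) would make the backport verifiable. The same patch appears as `0013-CVE-2023-32324.patch` in the bookworm debdiff below.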
diff -Nru cups-2.3.3op2/debian/patches/0018-CVE-2023-34241.patch 
cups-2.3.3op2/debian/patches/0018-CVE-2023-34241.patch
--- cups-2.3.3op2/debian/patches/0018-CVE-2023-34241.patch  1970-01-01 
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0018-CVE-2023-34241.patch  2023-06-24 
10:54:05.0 +0200
@@ -0,0 +1,57 @@
+From: Thorsten Alteholz 
+Date: Sat, 24 Jun 2023 19:51:21 +0200
+Subject: CVE-2023-34241
+
+---
+ scheduler/client.c | 16 +++-
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 9730eea..48e19b9 100644
+--- a/scheduler/client.c
 b/scheduler/client.c
+@@ -192,13 +192,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener 
socket */
+/*
+ * Can't have an unresolved IP address with double-lookups enabled...
+ */
+-
+-httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+-"Name lookup failed - connection from %s closed!",
++"Name lookup failed - closing connection from %s!",
+ httpGetHostname(con->http, NULL, 0));
+ 
++httpClose(con->http);
+ free(con);
+ return;
+   }
+@@ -234,11 +232,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener 
socket */
+   * with double-lookups enabled...
+   */
+ 
+-  httpClose(con->http);
+-
+   cupsdLogClient(con, CUPSD_LOG_WARN,
+-  "IP lookup failed - connection from %s closed!",
++  "IP lookup failed - closing connection from %s!",
+   httpGetHostname(con->http, NULL, 0));
++
++  httpClose(con->http);
+   free(con);
+   return;
+ }
+@@ -255,11 +253,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener 
socket */
+ 
+   if (!hosts_access(_req))
+   {
+-httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+ "Connection from %s refused by /etc/hosts.allow and "
+   "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 
0));
++
++httpClose(con->http);
+ free(con);
+ return;
+   }
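Review bot: Besides moving `httpClose(con->http)` after the `cupsdLogClient()` call that still dereferences `con->http`, these hunks also reword the two warning strings (`"Name lookup failed - connection from %s closed!"` becomes `"Name lookup failed - closing connection from %s!"`, likewise for the IP-lookup message), which the use-after-free fix does not require; any log monitoring keyed on the old wording silently stops matching after this update, so the wording change deserves a mention in the changelog entry. The context line `if (!hosts_access(_req))` has also lost the `&`-prefixed argument in this rendering, so confirm against the attachment that the patch applies cleanly. `cupsdAcceptClient()` starts and ends outside these hunks. The same patch appears as `0014-CVE-2023-34241.patch` in the bookworm debdiff below.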
diff -Nru cups-2.3.3op2/debian/patches/series 
cups-2.3.3op2/debian/patches/series
--- cups-2.3.3op2/debian/patches/series 2022-05-23 22:03:02.0 +0200
+++ cups-2.3.3op2/debian/patches/series 2023-06-24 10:54:05.0 +0200
@@ -14,3 +14,5 @@
 0014-Debian-Reproducibility-Run-testlang-for-each-provide.patch
 0015-Debian-po4a-infrastructure-and-translations-for-manp.patch
 0016-Fix-certificate-comparison-CVE-2022-26691.patch
+0017-CVE-2023-32324.patch
+0018-CVE-2023-34241.patch


Bug#1039026: bookworm-pu: cups/2.4.2-3+deb12u1

2023-06-24 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for cups fixes CVE-2023-32324 and CVE-2023-34241 in 
Bookworm. Both CVEs have been marked as no-dsa by the security team.


The same fixes have already been uploaded to Unstable and nobody has 
complained yet.


  Thorsten
diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-03-26 10:54:05.0 +0200
+++ cups-2.4.2/debian/changelog 2023-06-24 10:54:05.0 +0200
@@ -1,3 +1,14 @@
+cups (2.4.2-3+deb12u1) bookworm; urgency=medium
+
+  * CVE-2023-34241 (Closes: #1038885)
+use-after-free in cupsdAcceptClient()
+
+  * CVE-2023-32324
+A heap buffer overflow vulnerability would allow a remote attacker to 
+lauch a dos attack.
+
+ -- Thorsten Alteholz   Sat, 24 Jun 2023 10:54:05 +0200
+
 cups (2.4.2-3) unstable; urgency=medium
 
   [ Helge Kreutzmann ]
diff -Nru cups-2.4.2/debian/patches/0013-CVE-2023-32324.patch 
cups-2.4.2/debian/patches/0013-CVE-2023-32324.patch
--- cups-2.4.2/debian/patches/0013-CVE-2023-32324.patch 1970-01-01 
01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0013-CVE-2023-32324.patch 2023-06-24 
10:54:05.0 +0200
@@ -0,0 +1,29 @@
+From: Thorsten Alteholz 
+Date: Sat, 24 Jun 2023 11:06:49 +0200
+Subject: CVE-2023-32324
+
+---
+ cups/string.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/cups/string.c b/cups/string.c
+index 93cdad1..1f81d60 100644
+--- a/cups/string.c
 b/cups/string.c
+@@ -1,6 +1,7 @@
+ /*
+  * String functions for CUPS.
+  *
++ * Copyright © 2023 by OpenPrinting.
+  * Copyright © 2007-2019 by Apple Inc.
+  * Copyright © 1997-2007 by Easy Software Products.
+  *
+@@ -729,6 +730,8 @@ _cups_strlcpy(char   *dst, /* O - 
Destination string */
+ {
+   size_t  srclen; /* Length of source string */
+ 
++  if (size == 0)
++return (0);
+ 
+  /*
+   * Figure out how much room is needed...
diff -Nru cups-2.4.2/debian/patches/0014-CVE-2023-34241.patch 
cups-2.4.2/debian/patches/0014-CVE-2023-34241.patch
--- cups-2.4.2/debian/patches/0014-CVE-2023-34241.patch 1970-01-01 
01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0014-CVE-2023-34241.patch 2023-06-24 
10:54:05.0 +0200
@@ -0,0 +1,57 @@
+From: Thorsten Alteholz 
+Date: Sat, 24 Jun 2023 11:07:10 +0200
+Subject: CVE-2023-34241
+
+---
+ scheduler/client.c | 16 +++-
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index e7e419f..441c1d7 100644
+--- a/scheduler/client.c
 b/scheduler/client.c
+@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener 
socket */
+/*
+ * Can't have an unresolved IP address with double-lookups enabled...
+ */
+-
+-httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+-"Name lookup failed - connection from %s closed!",
++"Name lookup failed - closing connection from %s!",
+ httpGetHostname(con->http, NULL, 0));
+ 
++httpClose(con->http);
+ free(con);
+ return;
+   }
+@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener 
socket */
+   * with double-lookups enabled...
+   */
+ 
+-  httpClose(con->http);
+-
+   cupsdLogClient(con, CUPSD_LOG_WARN,
+-  "IP lookup failed - connection from %s closed!",
++  "IP lookup failed - closing connection from %s!",
+   httpGetHostname(con->http, NULL, 0));
++
++  httpClose(con->http);
+   free(con);
+   return;
+ }
+@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener 
socket */
+ 
+   if (!hosts_access(_req))
+   {
+-httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+ "Connection from %s refused by /etc/hosts.allow and "
+   "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 
0));
++
++httpClose(con->http);
+ free(con);
+ return;
+   }
diff -Nru cups-2.4.2/debian/patches/series cups-2.4.2/debian/patches/series
--- cups-2.4.2/debian/patches/series2023-03-26 10:54:05.0 +0200
+++ cups-2.4.2/debian/patches/series2023-06-24 10:54:05.0 +0200
@@ -10,3 +10,5 @@
 0015-Debian-Reproducibility-Do-not-run-stp-tests-as-root.patch
 0016-Debian-po4a-infrastructure-and-translations-for-manp.patch
 0012-add-pt.patch
+0013-CVE-2023-32324.patch
+0014-CVE-2023-34241.patch


Bug#1036749: unblock: udm/1.0.0.322-4

2023-05-25 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package udm

[ Reason ]
Due to a recent change in lazarus, the package could no longer be built.

[ Impact ]
The user would not be able to build the package.

[ Tests ]
As there is no code change but only a changed debian/rules file, no new 
tests are added.


[ Risks ]
As there is no code change, the risk should be low for this leaf package.


[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock udm/1.0.0.322-4
diff -Nru udm-1.0.0.322/debian/changelog udm-1.0.0.322/debian/changelog
--- udm-1.0.0.322/debian/changelog  2023-02-06 22:43:07.0 +0100
+++ udm-1.0.0.322/debian/changelog  2023-05-23 17:43:07.0 +0200
@@ -1,3 +1,11 @@
+udm (1.0.0.322-4) unstable; urgency=medium
+
+  * fix FTBFS (due to upload of new version of lazarus)
+(the solution leaves room for improvement)
+(Closes: #1036257)
+
+ -- Thorsten Alteholz   Tue, 23 May 2023 17:43:07 +0200
+
 udm (1.0.0.322-3) unstable; urgency=medium
 
   * add patch to use correct path for file installation
diff -Nru udm-1.0.0.322/debian/rules udm-1.0.0.322/debian/rules
--- udm-1.0.0.322/debian/rules  2023-02-06 12:27:35.0 +0100
+++ udm-1.0.0.322/debian/rules  2023-05-23 13:48:12.0 +0200
@@ -15,56 +15,56 @@
mkdir $(HOME)
echo "#INCLUDE /etc/fpc.cfg" > $(HOME)/.fpc.cfg
echo "-dLCLGTK2" >> $(HOME)/.fpc.cfg
-   echo "-Fu/usr/lib/lazarus/2.2.4/components/lazutils/lib/x86_64-linux" 
>> $(HOME)/.fpc.cfg
-   echo "-Fu/usr/lib/lazarus/2.2.4/packager/units/x86_64-linux" >> 
$(HOME)/.fpc.cfg
-   echo "-Fu/usr/lib/lazarus/2.2.4/lcl/units/x86_64-linux" >> 
$(HOME)/.fpc.cfg
-   echo 
"-Fu/usr/lib/lazarus/2.2.4/components/ideintf/units/x86_64-linux/gtk2/" >> 
$(HOME)/.fpc.cfg
-   echo 
"-Fu/usr/lib/lazarus/2.2.4/components/lazcontrols/lib/x86_64-linux/gtk2/" >> 
$(HOME)/.fpc.cfg
-   echo 
"-Fu/usr/lib/lazarus/2.2.4/components/synedit/units/x86_64-linux/gtk2/" >> 
$(HOME)/.fpc.cfg
-   echo 
"-Fu/usr/lib/lazarus/2.2.4/components/tachart/lib/x86_64-linux/gtk2/" >> 
$(HOME)/.fpc.cfg
-   echo 
"-Fu/usr/lib/lazarus/2.2.4/components/printers/lib/x86_64-linux/gtk2/" >> 
$(HOME)/.fpc.cfg
-   echo 
"-Fu/usr/lib/lazarus/2.2.4/components/cairocanvas/lib/x86_64-linux/gtk2/" >> 
$(HOME)/.fpc.cfg
-   echo "-Fu/usr/lib/lazarus/2.2.4/lcl/units/x86_64-linux/gtk2/" >> 
$(HOME)/.fpc.cfg
+   echo "-Fu/usr/lib/lazarus/2.2.6/components/lazutils/lib/x86_64-linux" 
>> $(HOME)/.fpc.cfg
+   echo "-Fu/usr/lib/lazarus/2.2.6/packager/units/x86_64-linux" >> 
$(HOME)/.fpc.cfg
+   echo "-Fu/usr/lib/lazarus/2.2.6/lcl/units/x86_64-linux" >> 
$(HOME)/.fpc.cfg
+   echo 
"-Fu/usr/lib/lazarus/2.2.6/components/ideintf/units/x86_64-linux/gtk2/" >> 
$(HOME)/.fpc.cfg
+   echo 
"-Fu/usr/lib/lazarus/2.2.6/components/lazcontrols/lib/x86_64-linux/gtk2/" >> 
$(HOME)/.fpc.cfg
+   echo 
"-Fu/usr/lib/lazarus/2.2.6/components/synedit/units/x86_64-linux/gtk2/" >> 
$(HOME)/.fpc.cfg
+   echo 
"-Fu/usr/lib/lazarus/2.2.6/components/tachart/lib/x86_64-linux/gtk2/" >> 
$(HOME)/.fpc.cfg
+   echo 
"-Fu/usr/lib/lazarus/2.2.6/components/printers/lib/x86_64-linux/gtk2/" >> 
$(HOME)/.fpc.cfg
+   echo 
"-Fu/usr/lib/lazarus/2.2.6/components/cairocanvas/lib/x86_64-linux/gtk2/" >> 
$(HOME)/.fpc.cfg
+   echo "-Fu/usr/lib/lazarus/2.2.6/lcl/units/x86_64-linux/gtk2/" >> 
$(HOME)/.fpc.cfg

-   ln -s /usr/lib/lazarus/2.2.4/components/freetype/ttcalc4.inc
-   ln -s /usr/lib/lazarus/2.2.4/components/freetype/ttconfig.inc
-   ln -s /usr/lib/lazarus/2.2.4/components/freetype/ttraster_sweep.inc
+   ln -s /usr/lib/lazarus/2.2.6/components/freetype/ttcalc4.inc
+   ln -s /usr/lib/lazarus/2.2.6/components/freetype/ttconfig.inc
+   ln -s /usr/lib/lazarus/2.2.6/components/freetype/ttraster_sweep.inc

-   ln -s /usr/lib/lazarus/2.2.4/components/opengl/openglcontext.res
+   ln -s /usr/lib/lazarus/2.2.6/components/opengl/openglcontext.res

-   ln -s /usr/lib/lazarus/2.2.4/components/buildintf/ideoptionsintf.pas
-   ln -s /usr/lib/lazarus/2.2.4/components/buildintf/baseideintf.pas
-   ln -s /usr/lib/lazarus/2.2.4/components/buildintf/macrointf.pas
-   ln -s /usr/lib/lazarus/2.2.4/components/buildintf/macrodefintf.pas
-   ln -s /usr/lib/lazarus/2.2.4/components/buildintf/compoptsintf.pas
-   ln -s /usr/lib/lazarus/2.2.4/components/buildintf/projectin

Bug#1036748: unblock: libricohcamerasdk/1.1.0-4

2023-05-25 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libricohcamerasdk

[ Reason ]
Due to some magic in debhelper/ldconfig, a dangling link remained on the 
computer.

This link will be removed in postinst/postrm now.

[ Impact ]
The user will keep a link to a non-existent file on his computer.

[ Tests ]
As there is no code change, no new test was added.

[ Risks ]
There should be no risks for this leaf package in non-free.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock libricohcamerasdk/1.1.0-4
diff -Nru libricohcamerasdk-1.1.0/debian/changelog 
libricohcamerasdk-1.1.0/debian/changelog
--- libricohcamerasdk-1.1.0/debian/changelog2022-05-18 23:30:36.0 
+0200
+++ libricohcamerasdk-1.1.0/debian/changelog2023-05-18 11:30:36.0 
+0200
@@ -1,3 +1,10 @@
+libricohcamerasdk (1.1.0-4) unstable; urgency=medium
+
+  * add postrm/postinst script to remove bad link
+(Closes: #1035795)
+
+ -- Thorsten Alteholz   Thu, 18 May 2023 11:30:36 +0200
+
 libricohcamerasdk (1.1.0-3) unstable; urgency=medium
 
   * manual build on: amd64 armhf
diff -Nru libricohcamerasdk-1.1.0/debian/libricohcamerasdk.postinst 
libricohcamerasdk-1.1.0/debian/libricohcamerasdk.postinst
--- libricohcamerasdk-1.1.0/debian/libricohcamerasdk.postinst   1970-01-01 
01:00:00.0 +0100
+++ libricohcamerasdk-1.1.0/debian/libricohcamerasdk.postinst   2023-05-18 
11:30:36.0 +0200
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+set +e
+
+linkfile=$(ls -1 /usr/lib/*/libRicohCameraSDKCpp.so 2> /dev/null)
+readlinkfile=""
+if [ ! -z "$linkfile" ]; then
+  readlinkfile=$(readlink $linkfile 2> /dev/null)
+fi
+
+set -e
+
+case "$1" in
+configure)
+   # we shall not have a link from libRicohCameraSDKCpp.so to 
libRicohCameraSDKCpp.so.1.1.0
+   if [ -L "$linkfile" ]; then
+   if [ "$readlinkfile" = "libRicohCameraSDKCpp.so.1.1.0" ]; then
+   echo "D: wrong link detected, remove it again"
+   rm $linkfile
+   fi
+   fi
+   ;;
+abort-upgrade|abort-remove|abort-deconfigure)
+   ;;
+*)
+echo "postinst called with unknown argument \`$1'" >&2
+exit 1
+;;
+esac
+
+#DEBHELPER#
+
+exit 0
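Review bot: `linkfile=$(ls -1 /usr/lib/*/libRicohCameraSDKCpp.so 2> /dev/null)` parses `ls` output: if the glob matches in more than one multiarch directory, `linkfile` holds several newline-separated paths, `[ -L "$linkfile" ]` is then false and nothing is removed, and the unquoted `readlink $linkfile` and `rm $linkfile` are subject to word splitting. Iterating over the glob directly handles zero, one or several matches, keeps every path quoted, and makes the `set +e` / `set -e` dance around `ls` and `readlink` at the top of the script unnecessary. The same pattern is repeated in `debian/libricohcamerasdk.postrm` below.
```shell
case "$1" in
configure)
	# we shall not have a link from libRicohCameraSDKCpp.so to libRicohCameraSDKCpp.so.1.1.0
	for linkfile in /usr/lib/*/libRicohCameraSDKCpp.so; do
		[ -L "$linkfile" ] || continue
		if [ "$(readlink "$linkfile")" = "libRicohCameraSDKCpp.so.1.1.0" ]; then
			echo "D: wrong link detected, remove it again"
			rm "$linkfile"
		fi
	done
	;;
# … unchanged: abort-* and default cases, #DEBHELPER#, exit 0 …
```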
diff -Nru libricohcamerasdk-1.1.0/debian/libricohcamerasdk.postrm 
libricohcamerasdk-1.1.0/debian/libricohcamerasdk.postrm
--- libricohcamerasdk-1.1.0/debian/libricohcamerasdk.postrm 1970-01-01 
01:00:00.0 +0100
+++ libricohcamerasdk-1.1.0/debian/libricohcamerasdk.postrm 2023-05-18 
11:30:36.0 +0200
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+set +e
+
+linkfile=$(ls -1 /usr/lib/*/libRicohCameraSDKCpp.so 2> /dev/null)
+readlinkfile="" 
+if [ ! -z "$linkfile" ]; then
+  readlinkfile=$(readlink $linkfile 2> /dev/null)
+fi
+
+set -e
+
+
+case "$1" in
+purge|remove)
+   # we shall not have a link from libRicohCameraSDKCpp.so to 
libRicohCameraSDKCpp.so.1.1.0
+   if [ -L "$linkfile" ]; then
+   if [ "$readlinkfile" = "libRicohCameraSDKCpp.so.1.1.0" ]; then
+   echo "D: wrong link detected, remove it again"
+   rm $linkfile
+   fi
+   fi
+   ;;
+upgrade|failed-upgrade)
+   ;;
+*)
+   echo "postrm called with unknown argument \`$1'" >&2
+exit 1
+   ;;
+esac
+
+#DEBHELPER#
+
+exit 0


Bug#1036747: unblock: osmo-iuh/1.3.0+dfsg1-5

2023-05-25 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package osmo-iuh

[ Reason ]
The current version has a superficial autopkgtest that failed.
The new version still has a superficial autopkgtest but this
no longer fails.

[ Impact ]
Wherever an autopkgtest of the package is required, a failure would be 
shown for this package.


[ Tests ]
This is only a change in the autopkgtests.

[ Risks ]
As there is no code change, there should be no risk.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock osmo-iuh/1.3.0+dfsg1-5
diff -Nru osmo-iuh-1.3.0+dfsg1/debian/changelog 
osmo-iuh-1.3.0+dfsg1/debian/changelog
--- osmo-iuh-1.3.0+dfsg1/debian/changelog   2022-10-13 22:23:21.0 
+0200
+++ osmo-iuh-1.3.0+dfsg1/debian/changelog   2023-05-22 23:23:21.0 
+0200
@@ -1,3 +1,20 @@
+osmo-iuh (1.3.0+dfsg1-5) unstable; urgency=medium
+
+  * really "fix" autopkgtest
+at the moment there is no binary in the binary packages available
+so make the superficial test a bit more superficial
+
+ -- Thorsten Alteholz   Mon, 22 May 2023 23:23:21 +0200
+
+osmo-iuh (1.3.0+dfsg1-4) unstable; urgency=medium
+
+  * "fix" autopkgtest
+at the moment there is no binary in the binary packages available
+so make the superficial test a bit more superficial
+(Closes: #1033823)
+
+ -- Thorsten Alteholz   Thu, 18 May 2023 13:23:21 +0200
+
 osmo-iuh (1.3.0+dfsg1-3) unstable; urgency=medium
 
   * upload to unstable
diff -Nru osmo-iuh-1.3.0+dfsg1/debian/tests/can-show-help 
osmo-iuh-1.3.0+dfsg1/debian/tests/can-show-help
--- osmo-iuh-1.3.0+dfsg1/debian/tests/can-show-help 2022-10-13 
22:23:21.0 +0200
+++ osmo-iuh-1.3.0+dfsg1/debian/tests/can-show-help 2023-05-22 
23:23:21.0 +0200
@@ -2,5 +2,7 @@
 
 set -e
 
-osmo-hnbgw -h
+# at the moment there is no binary in the binary packages available
+# so make the superficial test a bit more superficial
+#osmo-hnbgw -h
 echo "run: OK"
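Review bot: After this change the script does nothing but `echo "run: OK"`, and the companion `debian/tests/control` hunk comments out the only `Depends:`, so the autopkgtest now passes without installing or touching a single file from the package and a green result carries no information. If the binary packages really ship no executable, a check that something the package does install is present — for example `dpkg -L <library package> | grep -q '\.so'` — would keep the test superficial but still meaningful, instead of commenting out the `osmo-hnbgw -h` call entirely.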
diff -Nru osmo-iuh-1.3.0+dfsg1/debian/tests/control 
osmo-iuh-1.3.0+dfsg1/debian/tests/control
--- osmo-iuh-1.3.0+dfsg1/debian/tests/control   2022-10-13 22:23:21.0 
+0200
+++ osmo-iuh-1.3.0+dfsg1/debian/tests/control   2023-05-22 23:23:21.0 
+0200
@@ -1,4 +1,4 @@
 Tests: can-show-help
-Depends: osmo-hnbgw
+#Depends: osmo-hnbgw
 Restrictions: superficial
 


Bug#1036595: unblock: lprint/1.1.0-3

2023-05-23 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package lprint

[ Reason ]
The service file was installed to the wrong directory.

[ Impact ]
The service file is currently installed to a location where it cannot be used by systemd.

[ Tests ]
There was no code change, so no test was done.

[ Risks ]
The package is a leaf package and the risk should be low.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock lprint/1.1.0-3
diff -Nru lprint-1.1.0/debian/changelog lprint-1.1.0/debian/changelog
--- lprint-1.1.0/debian/changelog   2023-02-24 22:17:35.0 +0100
+++ lprint-1.1.0/debian/changelog   2023-03-22 18:17:35.0 +0100
@@ -1,3 +1,10 @@
+lprint (1.1.0-3) unstable; urgency=medium
+
+  * move service file to correct dir
+(Closes: #1036022, #1036178, #1035601)
+
+ -- Thorsten Alteholz   Mon, 22 Mar 2023 19:17:35 +0200
+
 lprint (1.1.0-2) unstable; urgency=medium
 
   * add patch to use /usr/bin instead of /usr/local/bin in service file
diff -Nru 
lprint-1.1.0/debian/patches/0004-move-service-file-to-better-directory.patch 
lprint-1.1.0/debian/patches/0004-move-service-file-to-better-directory.patch
--- 
lprint-1.1.0/debian/patches/0004-move-service-file-to-better-directory.patch
1970-01-01 01:00:00.0 +0100
+++ 
lprint-1.1.0/debian/patches/0004-move-service-file-to-better-directory.patch
2023-03-22 18:17:35.0 +0100
@@ -0,0 +1,25 @@
+From: Thorsten Alteholz 
+Date: Mon, 22 May 2023 23:59:38 +0200
+Subject: move service file to better directory
+
+---
+ Makefile.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index f5108e0..965253a 100644
+--- a/Makefile.in
 b/Makefile.in
+@@ -130,9 +130,9 @@ install:   all
+   $(INSTALL) -d -m 755 $(BUILDROOT)/Library/LaunchDaemons; \
+   $(INSTALL) -c -m 644 org.msweet.lprint.plist 
$(BUILDROOT)/Library/LaunchDaemons; \
+   else \
+-  echo "Installing systemd service to 
$(BUILDROOT)$(sysconfdir)/systemd/system..."; \
+-  $(INSTALL) -d -m 755 $(BUILDROOT)$(sysconfdir)/systemd/system; \
+-  $(INSTALL) -c -m 644 lprint.service 
$(BUILDROOT)$(libdir)/systemd/system; \
++  echo "Installing systemd service to 
$(BUILDROOT)/lib/systemd/system..."; \
++  $(INSTALL) -d -m 755 $(BUILDROOT)/lib/systemd/system; \
++  $(INSTALL) -c -m 644 lprint.service 
$(BUILDROOT)/lib/systemd/system; \
+   fi
+ 
+ 
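Review bot: The `Date:` in this patch header is 22 May 2023, but the changelog entry in the same debdiff is stamped `Mon, 22 Mar 2023 19:17:35 +0200` and the debdiff file timestamps follow that March date, while the bug numbers the entry closes (#1036022, #1036178, #1035601) sit in the same range as the other May 2023 requests in this thread; the changelog date looks like a Mar/May typo and should be corrected before upload. Since the new lines hard-code `/lib/systemd/system` for Debian rather than deriving the unit directory from the build system, a DEP-3 `Forwarded: not-needed` line in the header would also document that this is a distribution-specific change.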
diff -Nru lprint-1.1.0/debian/patches/series lprint-1.1.0/debian/patches/series
--- lprint-1.1.0/debian/patches/series  2023-02-24 22:17:35.0 +0100
+++ lprint-1.1.0/debian/patches/series  2023-03-22 18:17:35.0 +0100
@@ -1,3 +1,4 @@
 0001-Let-compilation-be-verbose-not-silent.patch
 0002-let-service-file-point-to-usr-bin-instead-of-usr-loc.patch
 0003-put-service-file-into-libdir.patch
+0004-move-service-file-to-better-directory.patch


Bug#1036548: unblock: cups-filters/1.28.17-3

2023-05-22 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock and age package cups-filters

[ Reason ]
CVE-2023-24805 (RCE due to missing input sanitising)

[ Impact ]
The user would be vulnerable to remote code execution.

[ Tests ]
There is no specific test for this patch, only a PoC that no
longer works after the patch is applied.

[ Risks ]
The patch was provided by upstream and approved by the security team
(upload to Bullseye already done).

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock cups-filters/1.28.17-3
diff -Nru cups-filters-1.28.17/debian/changelog 
cups-filters-1.28.17/debian/changelog
--- cups-filters-1.28.17/debian/changelog   2023-03-10 19:25:20.0 
+0100
+++ cups-filters-1.28.17/debian/changelog   2023-05-19 18:25:20.0 
+0200
@@ -1,3 +1,14 @@
+cups-filters (1.28.17-3) unstable; urgency=medium
+
+  * CVE-2023-24805 
+prevent arbitrary command execution by escaping the quoting
+of the arguments in a job with a forged job title
+more information are available in the commit message at:
+https://github.com/OpenPrinting/cups-filters/commit/93e60d3df35
+(Closes: #1036224)
+
+ -- Thorsten Alteholz   Fri, 19 May 2023 18:25:20 +0200
+
 cups-filters (1.28.17-2) unstable; urgency=medium
 
   * qpdf needs at least c++17
diff -Nru cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch 
cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch
--- cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch   
1970-01-01 01:00:00.0 +0100
+++ cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch   
2023-05-19 10:50:03.0 +0200
@@ -0,0 +1,176 @@
+From: Thorsten Alteholz 
+Date: Fri, 19 May 2023 10:49:35 +0200
+Subject: fix CVE-2023-24805
+
+---
+ backend/beh.c | 107 +-
+ 1 file changed, 84 insertions(+), 23 deletions(-)
+
+diff --git a/backend/beh.c b/backend/beh.c
+index 225fd27..8d51235 100644
+--- a/backend/beh.c
 b/backend/beh.c
+@@ -22,12 +22,13 @@
+ #include "backend-private.h"
+ #include 
+ #include 
++#include 
+ 
+ /*
+  * Local globals...
+  */
+ 
+-static intjob_canceled = 0; /* Set to 1 on SIGTERM */
++static volatile int   job_canceled = 0; /* Set to 1 on SIGTERM */
+ 
+ /*
+  * Local functions...
+@@ -213,21 +214,40 @@ call_backend(char *uri, /* I - URI of 
final destination */
+char **argv,   /* I - Command-line arguments */
+char *filename) {  /* I - File name of input data */
+   const char  *cups_serverbin;/* Location of programs */
++  char  *backend_argv[8]; /* Arguments for backend */
+   charscheme[1024],   /* Scheme from URI */
+ *ptr, /* Pointer into scheme */
+-  cmdline[65536]; /* Backend command line */
+-  int   retval;
++  backend_path[2048]; /* Backend path */
++  int   pid = 0,  /* Process ID of backend */
++wait_pid, /* Process ID from wait() */
++wait_status,  /* Status from child */
++retval = 0;
++  int   bytes;
+ 
+  /*
+   * Build the backend command line...
+   */
+ 
+-  strncpy(scheme, uri, sizeof(scheme) - 1);
+-  if (strlen(uri) > 1023)
+-scheme[1023] = '\0';
++  scheme[0] = '\0';
++  strncat(scheme, uri, sizeof(scheme) - 1);
+   if ((ptr = strchr(scheme, ':')) != NULL)
+ *ptr = '\0';
+-
++  else {
++fprintf(stderr,
++  "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme 
part.\n");
++exit (CUPS_BACKEND_FAILED);
++  }
++  if (strchr(scheme, '/')) {
++fprintf(stderr,
++  "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
++exit (CUPS_BACKEND_FAILED);
++  }
++  if (!strcmp(scheme, ".") || !strcmp(scheme, "..")) {
++fprintf(stderr,
++  "ERROR: beh: Invalid URI, scheme (\"%s\") is a directory.\n",
++  scheme);
++exit (CUPS_BACKEND_FAILED);
++  }
+   if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
+ cups_serverbin = CUPS_SERVERBIN;
+ 
+@@ -235,16 +255,29 @@ call_backend(char *uri, /* I - URI of 
final destination */
+ fprintf(stderr,
+   "ERROR: beh: Direct output into a file not supported.\n");
+ exit (CUPS_BACKEND_FAILED);
+-  } else
+-snprintf(cmdline, sizeof(cmdline),
+-   "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
+-   cups_serverbin, scheme, argv[1], argv[2], argv[3],
+-   /* Apply number of copies only if beh was called with a
+-  file name and not

Bug#1036119: unblock: meep-mpi-default/1.25.0-2

2023-05-15 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package meep-mpi-default

[ Reason ]
A Conflicts: entry was missing for the python3-meep-mpi-default package.

[ Impact ]
The user gets an error message when trying to switch from meep-mpi-default 
to for example meep-openmpi.


[ Tests ]
none

[ Risks ]
There is no code change but only a change in the Debian metadata.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock meep-mpi-default/1.25.0-2
diff -Nru meep-mpi-default-1.25.0/debian/changelog 
meep-mpi-default-1.25.0/debian/changelog
--- meep-mpi-default-1.25.0/debian/changelog2022-12-07 08:49:17.0 
+0100
+++ meep-mpi-default-1.25.0/debian/changelog2023-05-09 22:49:17.0 
+0200
@@ -1,9 +1,9 @@
-meep-mpi-default (1.25.0-1) unstable; urgency=medium
+meep-mpi-default (1.25.0-2) unstable; urgency=medium
 
-  * New upstream release.
-  * debian/watch: update github watch file
+  * debian/control: also add Conflicts: for python3 packages
+(Closes: #1034954)
 
- -- Thorsten Alteholz   Wed, 07 Dec 2022 08:49:17 +0100
+ -- Thorsten Alteholz   Tue, 09 May 2023 22:49:17 +0200
 
 meep-mpi-default (1.24.0-1) unstable; urgency=medium
 
diff -Nru meep-mpi-default-1.25.0/debian/control 
meep-mpi-default-1.25.0/debian/control
--- meep-mpi-default-1.25.0/debian/control  2022-12-07 08:49:17.0 
+0100
+++ meep-mpi-default-1.25.0/debian/control  2023-05-09 22:49:17.0 
+0200
@@ -197,6 +197,7 @@
 , ${shlibs:Depends}
 , python3-numpy
 , python3
+Conflicts: python3-meep-openmpi, python3-meep
 Description: software package for FDTD simulation with Python
  Meep is a free and open-source software package for electromagnetics
  simulation via the finite-difference time-domain (FDTD) method.


Bug#1036117: unblock: meep/1.25.0-2

2023-05-15 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package meep

[ Reason ]
A Conflicts: entry was missing for the python3-meep package.

[ Impact ]
The user gets an error message when trying to switch from meep to for 
example meep-openmpi.


[ Tests ]
none

[ Risks ]
There is no code change but only a change in the Debian metadata.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock meep/1.25.0-2
diff -Nru meep-1.25.0/debian/changelog meep-1.25.0/debian/changelog
--- meep-1.25.0/debian/changelog2022-12-07 00:04:02.0 +0100
+++ meep-1.25.0/debian/changelog2023-05-09 22:49:17.0 +0200
@@ -1,3 +1,10 @@
+meep (1.25.0-2) unstable; urgency=medium
+
+  * debian/control: also add Conflicts: for python3 packages
+(Closes: #1034988)
+
+ -- Thorsten Alteholz   Tue, 09 May 2023 22:49:17 +0200
+
 meep (1.25.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru meep-1.25.0/debian/control meep-1.25.0/debian/control
--- meep-1.25.0/debian/control  2022-12-07 00:04:02.0 +0100
+++ meep-1.25.0/debian/control  2023-05-09 22:49:17.0 +0200
@@ -203,6 +203,7 @@
, ${shlibs:Depends}
, python3-numpy
, python3
+Conflicts: python3-meep-openmpi, python3-meep-mpi-default
 Description: software package for FDTD simulation with Python
  Meep is a free and open-source software package for electromagnetics
  simulation via the finite-difference time-domain (FDTD) method.


Bug#1036118: unblock: libahp-gt/1.6.1-2

2023-05-15 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libahp-gt

[ Reason ]
The -dev package was missing a dependency on the library
package.


[ Impact ]
There might be a broken symlink on the user's system.

[ Tests ]
none

[ Risks ]
There is no code change but only a change in the Debian metadata.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock libahp-gt/1.6.1-2
diff -Nru libahp-gt-1.6.1/debian/changelog libahp-gt-1.6.1/debian/changelog
--- libahp-gt-1.6.1/debian/changelog2023-01-21 12:35:04.0 +0100
+++ libahp-gt-1.6.1/debian/changelog2023-05-08 22:35:04.0 +0200
@@ -1,3 +1,10 @@
+libahp-gt (1.6.1-2) unstable; urgency=medium
+
+  * debian/control: add correct dependencies
+(Closes. #1035448
+
+ -- Thorsten Alteholz   Mon, 08 May 2023 22:35:04 +0200
+
 libahp-gt (1.6.1-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru libahp-gt-1.6.1/debian/control libahp-gt-1.6.1/debian/control
--- libahp-gt-1.6.1/debian/control  2023-01-21 12:34:45.0 +0100
+++ libahp-gt-1.6.1/debian/control  2023-05-08 22:35:04.0 +0200
@@ -25,7 +25,8 @@
 Section: libdevel
 Architecture: any
 Multi-Arch: same
-Depends: ${shlibs:Depends}, ${misc:Depends},
+Depends: ${shlibs:Depends}, ${misc:Depends}
+   , libahp-gt1 (= ${binary:Version})
 Pre-Depends: ${misc:Pre-Depends}
 Description: AHP GT telescope mount controllers programming - development files
  This package contains a library to program the AHP GT telescope mount


Bug#1036116: unblock: meep-openmpi/1.25.0-2

2023-05-15 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package meep-openmpi

[ Reason ]
A Conflicts: entry was missing for the python3-meep-openmpi package.

[ Impact ]
The user gets an error message when trying to switch from meep-openmpi to 
for example meep-mpi-default.


[ Tests ]
none

[ Risks ]
There is no code change but only a change in the Debian metadata.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock meep-openmpi/1.25.0-2
diff -Nru meep-openmpi-1.25.0/debian/changelog 
meep-openmpi-1.25.0/debian/changelog
--- meep-openmpi-1.25.0/debian/changelog2022-12-07 08:45:00.0 
+0100
+++ meep-openmpi-1.25.0/debian/changelog2023-05-09 22:49:17.0 
+0200
@@ -1,3 +1,10 @@
+meep-openmpi (1.25.0-2) unstable; urgency=medium
+
+  * debian/control: also add Conflicts: for python3 packages
+(Closes: #1035003)
+
+ -- Thorsten Alteholz   Tue, 09 May 2023 22:49:17 +0200
+
 meep-openmpi (1.25.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru meep-openmpi-1.25.0/debian/control meep-openmpi-1.25.0/debian/control
--- meep-openmpi-1.25.0/debian/control  2022-12-07 08:45:00.0 +0100
+++ meep-openmpi-1.25.0/debian/control  2023-05-09 22:49:17.0 +0200
@@ -199,6 +199,7 @@
 , ${shlibs:Depends}
 , python3-numpy
 , python3
+Conflicts: python3-meep-mpi-default, python3-meep
 Description: software package for FDTD simulation with Python
  Meep is a free and open-source software package for electromagnetics
  simulation via the finite-difference time-domain (FDTD) method.


Bug#1035084: unblock: planetary-system-stacker/0.8.32~git20221019.66d7558-2

2023-04-29 Thread Thorsten Alteholz

Subject: unblock: planetary-system-stacker/0.8.32~git20221019.66d7558-2
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package planetary-system-stacker

[ Reason ]
Due to a change in numpy, the current version in testing no longer 
works.

(-> #1034748)

[ Impact ]
The software does not work.

[ Tests ]
After applying the patch, the software starts again and analyses data 
like before.


[ Risks ]
The change is trivial and it is a leaf package without alternatives.

[ Checklist ]
 [x] all changes are documented in the d/changelog
 [x] I reviewed all changes and I approve them
 [x] attach debdiff against the package in testing


unblock planetary-system-stacker/0.8.32~git20221019.66d7558-2

diff -Nru planetary-system-stacker-0.8.32~git20221019.66d7558/debian/changelog 
planetary-system-stacker-0.8.32~git20221019.66d7558/debian/changelog
--- planetary-system-stacker-0.8.32~git20221019.66d7558/debian/changelog
2022-12-15 00:35:45.0 +0100
+++ planetary-system-stacker-0.8.32~git20221019.66d7558/debian/changelog
2023-04-23 09:35:45.0 +0200
@@ -1,3 +1,9 @@
+planetary-system-stacker (0.8.32~git20221019.66d7558-2) unstable; 
urgency=medium
+
+  * adapt to new version of numpy (Closes: #1034748)
+
+ -- Thorsten Alteholz   Sun, 23 Apr 2023 09:35:45 +0200
+
 planetary-system-stacker (0.8.32~git20221019.66d7558-1) unstable; 
urgency=medium
 
   * New upstream release.
diff -Nru 
planetary-system-stacker-0.8.32~git20221019.66d7558/debian/patches/new-numpy-version.patch
 
planetary-system-stacker-0.8.32~git20221019.66d7558/debian/patches/new-numpy-version.patch
--- 
planetary-system-stacker-0.8.32~git20221019.66d7558/debian/patches/new-numpy-version.patch
  1970-01-01 01:00:00.0 +0100
+++ 
planetary-system-stacker-0.8.32~git20221019.66d7558/debian/patches/new-numpy-version.patch
  2023-04-23 09:35:45.0 +0200
@@ -0,0 +1,17 @@
+Description: due to a recent change in numpy planetary-system-stacker does not 
start anylonger
+ upstream fixes this with versions in setup.py :-(
+Author: Thorsten Alteholz 
+Forwarded: not-needed
+Index: 
planetary-system-stacker-0.8.32~git20221019.66d7558/planetary_system_stacker/stack_frames.py
+===
+--- 
planetary-system-stacker-0.8.32~git20221019.66d7558.orig/planetary_system_stacker/stack_frames.py
  2022-10-19 15:10:13.0 +0200
 
planetary-system-stacker-0.8.32~git20221019.66d7558/planetary_system_stacker/stack_frames.py
   2023-04-22 10:34:56.216304551 +0200
+@@ -30,7 +30,7 @@
+ matplotlib.use('Agg')
+ import matplotlib.pyplot as plt
+ from cv2 import FONT_HERSHEY_SIMPLEX, putText, resize, INTER_CUBIC, 
INTER_LINEAR
+-from numpy import int as np_int
++from numpy import integer as np_int
+ from numpy import ma as np_ma
+ from numpy import zeros, full, empty, float32, newaxis, arange, 
count_nonzero, \
+ sqrt, uint16, clip, minimum, mean
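Review bot: `numpy.integer` is not a drop-in replacement for the removed `numpy.int` alias: `numpy.int` was simply the builtin `int`, whereas `numpy.integer` is the abstract base class of NumPy's integer scalar types, so an `isinstance(x, np_int)` check now rejects plain Python ints and an `np_int(value)` conversion no longer behaves as before (abstract scalar types are, as far as I recall, not instantiable). The uses of `np_int` in stack_frames.py are outside the hunk, so which form matters cannot be seen here; if it is a conversion or a check against Python ints, the safer change is `np_int = int` with the import dropped, and `from numpy import int_ as np_int` only if a NumPy scalar type was intended. The DEP-3 `Description:` field could record this reasoning, e.g. `Description: numpy.int was an alias of the builtin int and has been removed; replace it with the equivalent name`.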
diff -Nru 
planetary-system-stacker-0.8.32~git20221019.66d7558/debian/patches/series 
planetary-system-stacker-0.8.32~git20221019.66d7558/debian/patches/series
--- planetary-system-stacker-0.8.32~git20221019.66d7558/debian/patches/series   
1970-01-01 01:00:00.0 +0100
+++ planetary-system-stacker-0.8.32~git20221019.66d7558/debian/patches/series   
2023-04-22 10:34:39.0 +0200
@@ -0,0 +1 @@
+new-numpy-version.patch


Bug#1029976: bullseye-pu: libzen/0.4.38-1+deb11u1

2023-04-22 Thread Thorsten Alteholz




On 19.04.23 19:00, Adam D. Barratt wrote:


This got missed for a while due to the typoed suite tag (since fixed).


Oh, thanks for still finding it. I totally forgot this ...


Please go ahead.


... and uploaded.

  Thorsten



Bug#1033759: bullseye-pu: duktape/2.5.0-2+deb11u1

2023-04-16 Thread Thorsten Alteholz




On 01.04.23 20:51, Adam D. Barratt wrote:


Please go ahead.


Great, thanks, ... and done.

   Thorsten



Bug#1033759: bullseye-pu: duktape/2.5.0-2+deb11u1

2023-03-31 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for duktape fixes CVE-2021-46322 in Bullseye. This 
CVE has been marked as no-dsa by the security team.


The same fixes have been already uploaded to Unstable.

  Thorsten
diff -Nru duktape-2.5.0/debian/changelog duktape-2.5.0/debian/changelog
--- duktape-2.5.0/debian/changelog  2020-03-14 16:44:16.0 +0100
+++ duktape-2.5.0/debian/changelog  2023-03-26 14:03:02.0 +0200
@@ -1,3 +1,11 @@
+duktape (2.5.0-2+deb11u1) bullseye; urgency=medium
+
+  * upload by the LTS Team.
+  * CVE-2021-46322
+a SEGV issue was discovered when some stack limits are reached
+
+ -- Thorsten Alteholz   Sun, 26 Mar 2023 14:03:02 +0200
+
 duktape (2.5.0-2) unstable; urgency=medium
 
   * debian/copyright: update file (Closes: #951903)
diff -Nru duktape-2.5.0/debian/patches/CVE-2021-46322.patch 
duktape-2.5.0/debian/patches/CVE-2021-46322.patch
--- duktape-2.5.0/debian/patches/CVE-2021-46322.patch   1970-01-01 
01:00:00.0 +0100
+++ duktape-2.5.0/debian/patches/CVE-2021-46322.patch   2023-03-26 
14:03:02.0 +0200
@@ -0,0 +1,80 @@
+commit a851d8a5687356b1d6ad0f8f39d6226947f17b27
+Author: Sami Vaarala 
+Date:   Tue Jan 11 01:34:02 2022 +0200
+
+Fix segfault in call setup when valstack limit hit
+
+Index: duktape-2.5.0/src-input/duk_js_call.c
+===
+--- duktape-2.5.0.orig/src-input/duk_js_call.c 2023-03-27 19:32:09.275869100 
+0200
 duktape-2.5.0/src-input/duk_js_call.c  2023-03-27 19:32:09.275869100 
+0200
+@@ -2151,6 +2151,15 @@
+   /* [ ... func this arg1 ... argN ] */
+ 
+   /*
++   *  Grow value stack to required size before env setup.  This
++   *  must happen before env setup to handle some corner cases
++   *  correctly, e.g. test-bug-scope-segv-gh2448.js.
++   */
++
++  duk_valstack_grow_check_throw(thr, vs_min_bytes);
++  act->reserve_byteoff = (duk_size_t) ((duk_uint8_t *) thr->valstack_end 
- (duk_uint8_t *) thr->valstack);
++
++  /*
+*  Environment record creation and 'arguments' object creation.
+*  Named function expression name binding is handled by the
+*  compiler; the compiled function's parent env will contain
+@@ -2171,13 +2180,8 @@
+*  Setup value stack: clamp to 'nargs', fill up to 'nregs',
+*  ensure value stack size matches target requirements, and
+*  switch value stack bottom.  Valstack top is kept.
+-   *
+-   *  Value stack can only grow here.
+*/
+ 
+-  duk_valstack_grow_check_throw(thr, vs_min_bytes);
+-  act->reserve_byteoff = (duk_size_t) ((duk_uint8_t *) thr->valstack_end 
- (duk_uint8_t *) thr->valstack);
+-
+   if (use_tailcall) {
+   DUK_ASSERT(nregs >= 0);
+   DUK_ASSERT(nregs >= nargs);
+Index: duktape-2.5.0/tests/ecmascript/test-bug-scope-segv-gh2448.js
+===
+--- /dev/null  1970-01-01 00:00:00.0 +
 duktape-2.5.0/tests/ecmascript/test-bug-scope-segv-gh2448.js   
2023-03-27 19:32:09.275869100 +0200
+@@ -0,0 +1,35 @@
++// https://github.com/svaarala/duktape/issues/2448
++
++/*===
++RangeError
++===*/
++
++function JSEtest() {
++var src = [];
++var i;
++
++src.push('(function test() {');
++for (i = 0; i < 1e4; i++) {
++src.push('var x' + i + ' = ' + i + ';');
++}
++src.push('var arguments = test(); return "dummy"; })');
++src = src.join('');
++//print(src);
++
++var f = eval(src)(src);
++
++try {
++f();
++} catch (e) {
++print(e.name + ': ' + e.message);
++}
++
++print('still here');
++}
++
++try {
++JSEtest();
++} catch (e) {
++//print(e.stack || e);
++print(e.name);
++}
diff -Nru duktape-2.5.0/debian/patches/series 
duktape-2.5.0/debian/patches/series
--- duktape-2.5.0/debian/patches/series 2020-03-13 21:44:00.0 +0100
+++ duktape-2.5.0/debian/patches/series 2023-03-26 14:03:02.0 +0200
@@ -1,3 +1,5 @@
 #XXX hardening.patch
 hardening.patch
 debug-symbols.patch
+
+CVE-2021-46322.patch


Bug#1032961: debdiff now attached

2023-03-14 Thread Thorsten Alteholz

... and now even with the debdiff attached.

  Thorsten
diff -Nru cups-filters-1.28.17/debian/changelog 
cups-filters-1.28.17/debian/changelog
--- cups-filters-1.28.17/debian/changelog   2023-02-05 00:25:20.0 
+0100
+++ cups-filters-1.28.17/debian/changelog   2023-03-10 19:25:20.0 
+0100
@@ -1,3 +1,11 @@
+cups-filters (1.28.17-2) unstable; urgency=medium
+
+  * qpdf needs at least c++17
+(Closes: #1032546)
+  * update lintian-overrides to really see what is wrong
+
+ -- Thorsten Alteholz   Fri, 10 Mar 2023 19:25:20 +0100
+
 cups-filters (1.28.17-1) unstable; urgency=medium
 
   * Update to new upstream version 1.28.17.
diff -Nru cups-filters-1.28.17/debian/cups-browsed.lintian-overrides 
cups-filters-1.28.17/debian/cups-browsed.lintian-overrides
--- cups-filters-1.28.17/debian/cups-browsed.lintian-overrides  2023-02-05 
00:17:45.0 +0100
+++ cups-filters-1.28.17/debian/cups-browsed.lintian-overrides  2023-03-10 
19:25:20.0 +0100
@@ -1,4 +1,5 @@
 # Upstream choices; they need to be run as root
-cups-browsed: executable-is-not-world-readable 
usr/lib/cups/backend/implicitclass 0700
+cups-browsed: executable-is-not-world-readable 0700 
[usr/lib/cups/backend/implicitclass]
 # That's how CUPS does it
-cups-browsed: executable-in-usr-lib usr/lib/cups/backend/implicitclass
+cups-browsed: executable-in-usr-lib [usr/lib/cups/backend/implicitclass]
+cups-browsed: non-standard-executable-perm 0700 != 0755 
[usr/lib/cups/backend/implicitclass]
diff -Nru 
cups-filters-1.28.17/debian/cups-filters-core-drivers.lintian-overrides 
cups-filters-1.28.17/debian/cups-filters-core-drivers.lintian-overrides
--- cups-filters-1.28.17/debian/cups-filters-core-drivers.lintian-overrides 
2023-02-05 00:17:45.0 +0100
+++ cups-filters-1.28.17/debian/cups-filters-core-drivers.lintian-overrides 
2023-03-10 19:25:20.0 +0100
@@ -1,11 +1,11 @@
 # That's how CUPS does it
-cups-filters-core-drivers: executable-in-usr-lib usr/lib/cups/driver/driverless
-cups-filters-core-drivers: executable-in-usr-lib usr/lib/cups/filter/imagetopdf
-cups-filters-core-drivers: executable-in-usr-lib usr/lib/cups/filter/pdftopdf
-cups-filters-core-drivers: executable-in-usr-lib usr/lib/cups/filter/pdftops
-cups-filters-core-drivers: executable-in-usr-lib 
usr/lib/cups/filter/pdftoraster
-cups-filters-core-drivers: executable-in-usr-lib 
usr/lib/cups/filter/rastertopclm
-cups-filters-core-drivers: executable-in-usr-lib 
usr/lib/cups/filter/rastertopclx
-cups-filters-core-drivers: executable-in-usr-lib 
usr/lib/cups/filter/rastertopdf
-cups-filters-core-drivers: executable-in-usr-lib usr/lib/cups/filter/rastertops
-cups-filters-core-drivers: executable-in-usr-lib 
usr/lib/cups/filter/sys5ippprinter
+cups-filters-core-drivers: executable-in-usr-lib 
[usr/lib/cups/driver/driverless]
+cups-filters-core-drivers: executable-in-usr-lib 
[usr/lib/cups/filter/imagetopdf]
+cups-filters-core-drivers: executable-in-usr-lib [usr/lib/cups/filter/pdftopdf]
+cups-filters-core-drivers: executable-in-usr-lib [usr/lib/cups/filter/pdftops]
+cups-filters-core-drivers: executable-in-usr-lib 
[usr/lib/cups/filter/pdftoraster]
+cups-filters-core-drivers: executable-in-usr-lib 
[usr/lib/cups/filter/rastertopclm]
+cups-filters-core-drivers: executable-in-usr-lib 
[usr/lib/cups/filter/rastertopclx]
+cups-filters-core-drivers: executable-in-usr-lib 
[usr/lib/cups/filter/rastertopdf]
+cups-filters-core-drivers: executable-in-usr-lib 
[usr/lib/cups/filter/rastertops]
+cups-filters-core-drivers: executable-in-usr-lib 
[usr/lib/cups/filter/sys5ippprinter]
diff -Nru cups-filters-1.28.17/debian/cups-filters.lintian-overrides 
cups-filters-1.28.17/debian/cups-filters.lintian-overrides
--- cups-filters-1.28.17/debian/cups-filters.lintian-overrides  2023-02-05 
00:17:45.0 +0100
+++ cups-filters-1.28.17/debian/cups-filters.lintian-overrides  2023-03-10 
19:25:20.0 +0100
@@ -1,39 +1,39 @@
 # Upstream choices; they need to be run as root
-cups-filters: executable-is-not-world-readable usr/lib/cups/backend/cups-brf 
0700
+executable-is-not-world-readable 0700 [usr/lib/cups/backend/cups-brf]
 # Upstream choices; they need to be run as root
-cups-filters: non-standard-executable-perm usr/lib/cups/backend/serial 0744 != 
0755
+cups-filters: non-standard-executable-perm 0744 != 0755 
[usr/lib/cups/backend/serial]
 # Historical reasons
-cups-filters: executable-not-elf-or-script 
usr/share/cups/braille/cups-braille.sh
-cups-filters: executable-not-elf-or-script usr/share/cups/braille/index.sh
-cups-filters: executable-not-elf-or-script usr/share/cups/braille/indexv3.sh
-cups-filters: executable-not-elf-or-script usr/share/cups/braille/indexv4.sh
+cups-filters: executable-not-elf-or-script 
[usr/share/cups/braille/cups-braille.sh]
+cups-filters: executable-not-elf-or-script [usr/share/cups/braille/index.sh]
+cups-filters: executable-not-elf-or-script [usr/share/cups/braille/indexv3.sh]
+cups-filters: executable-not-elf-or-script

Bug#1032961: unblock: cups-filters/1.28.17-2

2023-03-14 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package cups-filters

[ Reason ]
After the upload of qpdf (11.3.0-1), cups-filters started to FTBFS (-> #1032546)
This is due to qpdf now requiring C++17.

[ Impact ]
cups-filters can no longer be built.

[ Tests ]
The package has a small testsuite that passes.

[ Risks ]
There is no code change but "only" a removal of -std=c++0x from the 
CXXFLAGS, so the risk seems low.

cups-filters is a key package with no alternatives.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
In order not to be swamped by lintian messages, I also had to update 
some lintian-overrides.

(yes timing of lintian update could have been better)

unblock cups-filters/1.28.17-2



Bug#1029976: bullseye-pu: libzen/0.4.38-1+deb11u1

2023-01-29 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bulleye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for libzen fixes CVE-2020-36646 in Bullseye.
It has been already uploaded to all releases from Jessie to Buster.

This CVE has been marked as no-dsa by the security team.

  Thorsten
diff -Nru libzen-0.4.38/debian/changelog libzen-0.4.38/debian/changelog
--- libzen-0.4.38/debian/changelog  2020-04-10 17:32:09.0 +0200
+++ libzen-0.4.38/debian/changelog  2023-01-28 13:03:02.0 +0100
@@ -1,3 +1,11 @@
+libzen (0.4.38-1+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2020-36646
+fix for possible null pointer dereference
+
+ -- Thorsten Alteholz   Sat, 28 Jan 2023 13:03:02 +0100
+
 libzen (0.4.38-1) unstable; urgency=medium
 
   * [7cc8350] New upstream version 0.4.38
diff -Nru libzen-0.4.38/debian/patches/CVE-2020-36646.patch 
libzen-0.4.38/debian/patches/CVE-2020-36646.patch
--- libzen-0.4.38/debian/patches/CVE-2020-36646.patch   1970-01-01 
01:00:00.0 +0100
+++ libzen-0.4.38/debian/patches/CVE-2020-36646.patch   2023-01-28 
13:03:02.0 +0100
@@ -0,0 +1,27 @@
+commit 6475fcccd37c9cf17e0cfe263b5fe0e2e47a8408
+Author: Pave Pimenov 
+Date:   Sat Sep 12 07:46:47 2020 +0300
+
+fix V522 [CWE-690] There might be dereferencing of a potential null 
pointer 'Gmt'.
+
+diff --git a/Source/ZenLib/Ztring.cpp b/Source/ZenLib/Ztring.cpp
+index bc38fe4..21bbc58 100644
+--- a/Source/ZenLib/Ztring.cpp
 b/Source/ZenLib/Ztring.cpp
+@@ -1364,6 +1364,8 @@ Ztring& Ztring::Date_From_Seconds_1970_Local (const 
int32u Value)
+ #endif
+ Ztring DateT;
+ Ztring Date;
++if (Gmt)
++{
+ Date+=Ztring::ToZtring((Gmt->tm_year+1900));
+ Date+=__T("-");
+ DateT.From_Number(Gmt->tm_mon+1); if 
(DateT.size()<2){DateT=Ztring(__T("0"))+Ztring::ToZtring(Gmt->tm_mon+1);}
+@@ -1381,6 +1383,7 @@ Ztring& Ztring::Date_From_Seconds_1970_Local (const 
int32u Value)
+ DateT.From_Number(Gmt->tm_sec); if 
(DateT.size()<2){DateT=Ztring(__T("0"))+Ztring::ToZtring(Gmt->tm_sec);}
+ Date+=DateT;
+ assign (Date.c_str());
++}
+ return *this;
+ }
+ 
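Review bot: The new `if (Gmt)` guard returns `*this` unchanged when `Gmt` is null, so a caller receives whatever the string held before with no indication that the date conversion failed; a short comment on the guard, e.g. `// Gmt can be NULL when the time conversion fails; leave *this untouched`, would make that contract explicit, and upstream may prefer to clear the string on that path. Where `Gmt` is produced is outside the hunk, so which call can yield the null pointer is not visible here. The wrapped statements keep their old indentation, which hides the new scope; re-indenting the block, or at least the `assign (Date.c_str());` line, would make the guard's extent obvious.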
diff -Nru libzen-0.4.38/debian/patches/series 
libzen-0.4.38/debian/patches/series
--- libzen-0.4.38/debian/patches/series 1970-01-01 01:00:00.0 +0100
+++ libzen-0.4.38/debian/patches/series 2023-01-28 13:03:02.0 +0100
@@ -0,0 +1 @@
+CVE-2020-36646.patch


Bug#1020596: bullseye-pu: mod-wsgi/4.7.1-3+deb11u1

2022-10-22 Thread Thorsten Alteholz




On Fri, 14 Oct 2022, Adam D. Barratt wrote:

Please go ahead.


Great, thanks ... and uploaded.

  Thorsten



Bug#1020596: bullseye-pu: mod-wsgi/4.7.1-3+deb11u1

2022-09-23 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for mod-wsgi fixes CVE-2022-2255 in Bullseye. This 
CVE has been marked as no-dsa by the security team.


The same fix has already been uploaded to Unstable/Testing, Stretch, 
Jessie and Buster, and nobody has complained yet.


  Thorsten
diff -Nru mod-wsgi-4.7.1/debian/changelog mod-wsgi-4.7.1/debian/changelog
--- mod-wsgi-4.7.1/debian/changelog 2020-10-15 21:48:24.0 +0200
+++ mod-wsgi-4.7.1/debian/changelog 2022-09-12 23:03:02.0 +0200
@@ -1,3 +1,11 @@
+mod-wsgi (4.7.1-3+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2022-2255 (Closes: #1016476)
+drop X-Client-IP header when is not a trusted header
+
+ -- Thorsten Alteholz   Mon, 12 Sep 2022 23:03:02 +0200
+
 mod-wsgi (4.7.1-3) unstable; urgency=medium
 
   [ Stefano Rivera ]
diff -Nru mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch 
mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch
--- mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch   1970-01-01 
01:00:00.0 +0100
+++ mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch   2022-07-31 
02:01:02.0 +0200
@@ -0,0 +1,18 @@
+commit af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751
+Author: Graham Dumpleton 
+Date:   Mon Jul 18 12:29:38 2022 +1000
+
+Add fix to ensure that X-Client-IP header is dropped when is not a trusted 
header.
+
+Index: mod-wsgi-4.7.1/src/server/mod_wsgi.c
+===
+--- mod-wsgi-4.7.1.orig/src/server/mod_wsgi.c  2022-07-31 02:00:58.799486663 
+0200
 mod-wsgi-4.7.1/src/server/mod_wsgi.c   2022-07-31 02:00:58.795486661 
+0200
+@@ -13942,6 +13942,7 @@
+ name = ((const char**)trusted_proxy_headers->elts)[i];
+ 
+ if (!strcmp(name, "HTTP_X_FORWARDED_FOR") ||
++ !strcmp(name, "HTTP_X_CLIENT_IP") ||
+  !strcmp(name, "HTTP_X_REAL_IP")) {
+ 
+ match_client_header = 1;
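Review bot: The added `!strcmp(name, "HTTP_X_CLIENT_IP")` extends a hard-coded list of client-address header names, and nothing in the hunk records why these three names are treated specially; a comment above the condition such as `/* Headers that carry the client address: honoured only from a trusted proxy, dropped otherwise */` would make the invariant clear to the next person adding a name. Because the list is closed, any further header that a deployment uses to convey the client address has to be added here too before it is dropped when untrusted; the loop over `trusted_proxy_headers` starts outside the hunk. The changelog says the header is "dropped", but what `match_client_header = 1` triggers is not visible in these lines, so the comment should state that explicitly where it is set.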
diff -Nru mod-wsgi-4.7.1/debian/patches/series 
mod-wsgi-4.7.1/debian/patches/series
--- mod-wsgi-4.7.1/debian/patches/series1970-01-01 01:00:00.0 
+0100
+++ mod-wsgi-4.7.1/debian/patches/series2022-07-31 02:00:46.0 
+0200
@@ -0,0 +1 @@
+CVE-2022-2255.patch


Bug#1016391: bullseye-pu: libhttp-daemon-perl/6.12-1+deb11u1

2022-08-06 Thread Thorsten Alteholz




On Sat, 6 Aug 2022, Adam D. Barratt wrote:

Please go ahead.


... and uploaded.

Thanks!
 Thorsten



Bug#1008578: buster-pu: golang-github-russellhaering-goxmldsig/0.0~git20170911.b7efc62-1+deb10u1

2022-08-05 Thread Thorsten Alteholz




On Fri, 5 Aug 2022, Adam D. Barratt wrote:

Please go ahead.


... and uploaded.

Thanks!
 Thorsten



Bug#1010380: buster-pu: flac/1.3.2-3+deb10u2

2022-08-05 Thread Thorsten Alteholz




On Fri, 5 Aug 2022, Adam D. Barratt wrote:


Please go ahead; sorry for the delay.


... and uploaded.

Thanks!
 Thorsten



Bug#1009251: buster-pu: fribidi/1.0.5-3.1+deb10u2

2022-08-05 Thread Thorsten Alteholz




On Fri, 5 Aug 2022, Adam D. Barratt wrote:

Please go ahead; sorry for the delay.


... and uploaded.

Thanks!
 Thorsten



Bug#1009076: buster-pu: minidlna/1.2.1+dfsg-2+deb10u3

2022-08-05 Thread Thorsten Alteholz




On Fri, 5 Aug 2022, Adam D. Barratt wrote:

Please go ahead; sorry for the delay.


... and uploaded.

Thanks!
 Thorsten



Bug#1016391: bullseye-pu: libhttp-daemon-perl/6.12-1+deb11u1

2022-07-30 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bulleye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for libhttp-daemon-perl fixes CVE-2022-31081 in 
Bullseye. This CVE has been marked as no-dsa by the security team.


The patch is accompanied by a new test and should not create any issue.
It has been used to fix unstable and will be used for Buster and Jessie as well.


  Thorsten
diff -Nru libhttp-daemon-perl-6.12/debian/changelog 
libhttp-daemon-perl-6.12/debian/changelog
--- libhttp-daemon-perl-6.12/debian/changelog   2020-06-06 03:12:55.0 
+0200
+++ libhttp-daemon-perl-6.12/debian/changelog   2022-07-26 20:08:59.0 
+0200
@@ -1,3 +1,11 @@
+libhttp-daemon-perl (6.12-1+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload by the ELTS Team.
+  * CVE-2022-31081 (Closes: #1014808)
+improved Content-Length: handling in HTTP-header
+
+ -- Thorsten Alteholz   Tue, 26 Jul 2022 20:08:59 +0200
+
 libhttp-daemon-perl (6.12-1) unstable; urgency=medium
 
   * Import upstream version 6.12.
diff -Nru libhttp-daemon-perl-6.12/debian/patches/CVE-2022-31081-1.patch 
libhttp-daemon-perl-6.12/debian/patches/CVE-2022-31081-1.patch
--- libhttp-daemon-perl-6.12/debian/patches/CVE-2022-31081-1.patch  
1970-01-01 01:00:00.0 +0100
+++ libhttp-daemon-perl-6.12/debian/patches/CVE-2022-31081-1.patch  
2022-07-26 20:08:59.0 +0200
@@ -0,0 +1,48 @@
+commit e84475de51d6fd7b29354a997413472a99db70b2
+Author: Theo van Hoesel 
+Date:   Thu Jun 16 08:28:30 2022 +
+
+Fix Content-Length ', '-separated string issues
+
+After a security issue, we ensure we comply to
+RFC-7230 -- HTTP/1.1 Message Syntax and Routing
+- section 3.3.2 -- Content-Length
+- section 3.3.3 -- Message Body Length
+
+diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm
+index c0cdf76..a5112b3 100644
+--- a/lib/HTTP/Daemon.pm
 b/lib/HTTP/Daemon.pm
+@@ -288,6 +288,32 @@ READ_HEADER:
+ }
+ elsif ($ct_len) {
+ 
++# After a security issue, we ensure we comply to
++# RFC-7230 -- HTTP/1.1 Message Syntax and Routing
++# section 3.3.2 -- Content-Length
++# section 3.3.3 -- Message Body Length
++
++# split and clean up Content-Length ', ' separated string
++my @vals = map {my $str = $_; $str =~ s/^\s+//; $str =~ s/\s+$//; 
$str }
++split ',', $ct_len;
++# check that they are all numbers (RFC: Content-Length = 1*DIGIT)
++my @nums = grep { /^[0-9]+$/} @vals;
++unless (@vals == @nums) {
++$self->send_error(400);
++$self->reason("Content-Length value must be a unsigned integer");
++return;
++}
++# check they are all the same
++my $ct_len = shift @nums;
++foreach (@nums) {
++next if $_ == $ct_len;
++$self->send_error(400);
++$self->reason("Content-Length values are not the same");
++return;
++}
++# ensure we have now a fixed header, with only 1 value
++$r->header('Content-Length' => $ct_len);
++
+ # Plain body specified by "Content-Length"
+ my $missing = $ct_len - length($buf);
+ while ($missing > 0) {
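Review bot: The inner `my $ct_len = shift @nums;` declares a second `$ct_len` that shadows the one tested by `elsif ($ct_len)`, so the outer variable still holds the raw comma-separated string for the rest of the enclosing scope; anything after this block that reads `$ct_len` would see the unvalidated value. Renaming the inner one, e.g. `my $len = shift @nums;` and using `$len` in the equality loop, the `$r->header(...)` call and the `$missing` computation, removes the ambiguity (assigning back without `my` is the alternative). Note also that `split ',', $ct_len` drops trailing empty fields, so `5,` passes the digit check while `5,,5` is rejected; a short comment stating that this asymmetry is accepted would help. The READ_HEADER loop this sits in starts and ends outside the hunk.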
diff -Nru libhttp-daemon-perl-6.12/debian/patches/CVE-2022-31081-2.patch 
libhttp-daemon-perl-6.12/debian/patches/CVE-2022-31081-2.patch
--- libhttp-daemon-perl-6.12/debian/patches/CVE-2022-31081-2.patch  
1970-01-01 01:00:00.0 +0100
+++ libhttp-daemon-perl-6.12/debian/patches/CVE-2022-31081-2.patch  
2022-07-26 20:08:59.0 +0200
@@ -0,0 +1,33 @@
+commit 8dc5269d59e2d5d9eb1647d82c449ccd880f7fd0
+Author: Theo van Hoesel 
+Date:   Tue Jun 21 20:00:47 2022 +
+
+Include reason in response body content
+
+diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm
+index a5112b3..2d022ae 100644
+--- a/lib/HTTP/Daemon.pm
 b/lib/HTTP/Daemon.pm
+@@ -299,16 +299,18 @@ READ_HEADER:
+ # check that they are all numbers (RFC: Content-Length = 1*DIGIT)
+ my @nums = grep { /^[0-9]+$/} @vals;
+ unless (@vals == @nums) {
+-$self->send_error(400);
+-$self->reason("Content-Length value must be a unsigned integer");
++my $reason = "Content-Length value must be an unsigned integer";
++$self->send_error(400, $reason);
++$self->reason($reason);
+ return;
+ }
+ # check they are all the same
+ my $ct_len = shift @nums;
+ foreach (@nums) {
+ next if $_ == $ct_len;
+-$self->send_error(400);
+-$self->reason("Content-Length values are not the same");
++my $reason = "Content-Length values are not the same";
++$self->send_error(400, $reason);
++$self->reason($reason);
+ return;
+ }
+   

Bug#1009250: bullseye-pu: fribidi/1.0.8-2+deb11u1

2022-05-30 Thread Thorsten Alteholz




On Sat, 28 May 2022, Adam D. Barratt wrote:

This looks OK to me, thanks, but will need a KiBi-ack as fribidi
produces a udeb; CCing and tagging accordingly.


... and uploaded.

  Thorsten



Bug#1008577: bullseye-pu: golang-github-russellhaering-goxmldsig/1.1.0-1+deb11u1

2022-05-30 Thread Thorsten Alteholz




On Sat, 28 May 2022, Adam D. Barratt wrote:

Please go ahead.


Great, thanks ... and uploaded.

 Thorsten



Bug#1009077: bullseye-pu: minidlna/1.3.0+dfsg-2+deb11u1

2022-05-30 Thread Thorsten Alteholz




On Sat, 28 May 2022, Adam D. Barratt wrote:

Please go ahead, thanks.


Great, thanks, ... and uploaded.

  Thorsten



Bug#1010380: buster-pu: flac/1.3.2-3+deb10u2

2022-04-29 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for flac fixes CVE-2021-0561 in Buster. This CVE 
has been marked as no-dsa by the security team.


The same patch has been already uploaded to all other releases.

  Thorsten
diff -Nru flac-1.3.2/debian/changelog flac-1.3.2/debian/changelog
--- flac-1.3.2/debian/changelog 2022-01-16 19:54:01.0 +0100
+++ flac-1.3.2/debian/changelog 2022-04-27 22:03:02.0 +0200
@@ -1,3 +1,11 @@
+flac (1.3.2-3+deb10u2) buster; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2021-0561 (Closes: #1006339)
+Add patch to exit at EOS in verify mode.
+
+ -- Thorsten Alteholz   Wed, 27 Apr 2022 22:03:02 +0200
+
 flac (1.3.2-3+deb10u1) buster; urgency=medium
 
   * Non-maintainer upload.
diff -Nru flac-1.3.2/debian/patches/CVE-2021-0561.patch 
flac-1.3.2/debian/patches/CVE-2021-0561.patch
--- flac-1.3.2/debian/patches/CVE-2021-0561.patch   1970-01-01 
01:00:00.0 +0100
+++ flac-1.3.2/debian/patches/CVE-2021-0561.patch   2022-04-27 
22:03:02.0 +0200
@@ -0,0 +1,30 @@
+From e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be Mon Sep 17 00:00:00 2001
+From: Neelkamal Semwal 
+Date: Fri, 18 Dec 2020 22:28:36 +0530
+Subject: [PATCH] libFlac: Exit at EOS in verify mode
+
+When verify mode is enabled, once decoder flags end of stream,
+encode processing is considered complete.
+
+CVE-2021-0561
+
+Signed-off-by: Ralph Giles 
+---
+ src/libFLAC/stream_encoder.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+Index: flac-1.3.2/src/libFLAC/stream_encoder.c
+===
+--- flac-1.3.2.orig/src/libFLAC/stream_encoder.c   2022-04-27 
23:58:24.569563774 +0200
 flac-1.3.2/src/libFLAC/stream_encoder.c2022-04-27 23:58:24.569563774 
+0200
+@@ -2578,7 +2578,9 @@
+   encoder->private_->verify.needs_magic_hack = true;
+   }
+   else {
+-  
if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) {
++  
if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)
++  || (!is_last_block
++  && 
(FLAC__stream_encoder_get_verify_decoder_state(encoder) == 
FLAC__STREAM_DECODER_END_OF_STREAM))) {
+   
FLAC__bitwriter_release_buffer(encoder->private_->frame);
+   FLAC__bitwriter_clear(encoder->private_->frame);
+   if(encoder->protected_->state != 
FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA)
diff -Nru flac-1.3.2/debian/patches/series flac-1.3.2/debian/patches/series
--- flac-1.3.2/debian/patches/series2022-01-16 19:53:49.0 +0100
+++ flac-1.3.2/debian/patches/series2022-04-27 22:03:02.0 +0200
@@ -5,3 +5,5 @@
 0051-metaflac-Fix-a-memory-leak.patch
 0001-remove-build-path-from-generated-FLAC.tag-file.patch
 0001-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch
+
+CVE-2021-0561.patch


Re: security updates of Golang packages

2022-04-26 Thread Thorsten Alteholz

Hi Paul,

On Tue, 26 Apr 2022, Paul Gevers wrote:
But if you have the tooling to create such versioned dependencies (and you'd 
need those to get everything right), then we could use the same tools to add 
Depwait on the binNMUs and the build order would be correct again.


hmm, Depwaits are new to me. If I have package A with version 1-1 that 
gets a fix in version 1-2, then I can add:

 dw B . amd64 . bullseye . -m "A (>=1-2)"
But what do I need to write to let package C wait for the rebuild of B?

Sure tooling is a big problem, but on top of that a big problem with the 
security archive is that it doesn't have the sources for packages that have 
never seen a security upload. Which means we can't even binNMU there in those 
cases.


Until the space problem on seger is fixed, the tooling could also create a 
script that copies all packages. This would be a manual ftpmaster-step 
before the binNMU, but at least this is better than no fix at all.


  Thorsten



Re: security updates of Golang packages

2022-04-25 Thread Thorsten Alteholz

Hi Paul,

On Sun, 24 Apr 2022, Paul Gevers wrote:
If I understand correctly, if this is only about rebuilds, just request an 
binNMU with the usual process (reportbug recommended).


from my point of view binNMUs are not the right way here.
Due to possibly long dependency chains of golang packages, the order of 
uploads would be important. Trying to keep this order with binNMU bugs 
seems to be rather error-prone. Especially as the buildds on different 
architectures work at different rates.
What I had in mind was to change the dependencies of all affected 
packages to versioned dependencies with (>= the new version). So the 
uploads are not only rebuilds but really new versions of a package.


Your link [1] points 
at the issues we have with security support *via the security archive*.


Yes, but those updates would have the same problem, right? And both have 
in common that currently there is no tooling available ...


 Thorsten



security updates of Golang packages

2022-04-24 Thread Thorsten Alteholz

Hi everybody,

I would like to improve the situation of security support for Golang 
packages (as already criticised a long time ago [1]).


Uploads to Unstable should be no problem, but how would you like to handle 
stable/oldstable updates for CVEs that are marked as no-dsa from the 
security team?


For example the fix of CVE-2021-42836 in golang-github-tidwall-gjson for 
Bullseye requires eight uploads of reverse dependencies. Do you want to 
handle each of them with different PU-bugs?


  Thorsten

[1] https://lists.debian.org/debian-release/2018/06/msg00725.html




Bug#1009250: bullseye-pu: fribidi/1.0.8-2+deb11u1

2022-04-09 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for fribidi fixes CVE-2022-25308, CVE-2022-25309 and
CVE-2022-25310 in Bullseye. These CVEs have been marked as no-dsa by the
security team.

The same fixes have been already uploaded to Unstable.

  Thorsten
diff -Nru fribidi-1.0.8/debian/changelog fribidi-1.0.8/debian/changelog
--- fribidi-1.0.8/debian/changelog  2019-12-21 03:11:40.0 +0100
+++ fribidi-1.0.8/debian/changelog  2022-04-05 22:03:02.0 +0200
@@ -1,3 +1,16 @@
+fribidi (1.0.8-2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2022-25308
+stack-buffer-overflow issue in main()
+  * CVE-2022-25309
+heap-buffer-overflow issue in fribidi_cap_rtl_to_unicode()
+  * CVE-2022-25310
+SEGV issue in fribidi_remove_bidi_marks()
+(Closes: #1008793)
+
+ -- Thorsten Alteholz   Tue, 05 Apr 2022 22:03:02 +0200
+
 fribidi (1.0.8-2) unstable; urgency=medium
 
   * Add  revert_log2vis_get_embedding_levels.diff patch to revert back 
diff -Nru fribidi-1.0.8/debian/patches/CVE-2022-25308.patch 
fribidi-1.0.8/debian/patches/CVE-2022-25308.patch
--- fribidi-1.0.8/debian/patches/CVE-2022-25308.patch   1970-01-01 
01:00:00.0 +0100
+++ fribidi-1.0.8/debian/patches/CVE-2022-25308.patch   2022-03-31 
10:31:22.0 +0200
@@ -0,0 +1,43 @@
+commit ad3a19e6372b1e667128ed1ea2f49919884587e1
+Author: Akira TAGOH 
+Date:   Thu Feb 17 17:30:12 2022 +0900
+
+Fix the stack buffer overflow issue
+
+strlen() could returns 0. Without a conditional check for len,
+accessing S_ pointer with len - 1 may causes a stack buffer overflow.
+
+AddressSanitizer reports this like:
+==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffdce043c1f at pc 0x00403547 bp 0x7ffdce0
+43b30 sp 0x7ffdce043b28
+READ of size 1 at 0x7ffdce043c1f thread T0
+#0 0x403546 in main ../bin/fribidi-main.c:393
+#1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
+#2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
+#3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
+
+Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in 
frame
+#0 0x4022bf in main ../bin/fribidi-main.c:193
+
+  This frame has 5 object(s):
+[32, 36) 'option_index' (line 233)
+[48, 52) 'base' (line 386)
+[64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows 
this variable
+[65328, 130328) 'outstring' (line 385)
+[130592, 390592) 'logical' (line 384)
+
+This fixes https://github.com/fribidi/fribidi/issues/181
+
+diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
+index 3cf9fe1..3ae4fb6 100644
+--- a/bin/fribidi-main.c
 b/bin/fribidi-main.c
+@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
+   S_[sizeof (S_) - 1] = 0;
+   len = strlen (S_);
+   /* chop */
+-  if (S_[len - 1] == '\n')
++  if (len > 0 && S_[len - 1] == '\n')
+ {
+   len--;
+   S_[len] = '\0';
diff -Nru fribidi-1.0.8/debian/patches/CVE-2022-25309.patch 
fribidi-1.0.8/debian/patches/CVE-2022-25309.patch
--- fribidi-1.0.8/debian/patches/CVE-2022-25309.patch   1970-01-01 
01:00:00.0 +0100
+++ fribidi-1.0.8/debian/patches/CVE-2022-25309.patch   2022-03-31 
10:31:22.0 +0200
@@ -0,0 +1,24 @@
+commit f22593b82b5d1668d1997dbccd10a9c31ffea3b3
+Author: Dov Grobgeld 
+Date:   Fri Mar 25 09:09:49 2022 +0300
+
+Protected against garbage in the CapRTL encoder
+
+diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c
+index b0c0e4a..f74e010 100644
+--- a/lib/fribidi-char-sets-cap-rtl.c
 b/lib/fribidi-char-sets-cap-rtl.c
+@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode (
+   }
+   }
+   else
+-  us[j++] = caprtl_to_unicode[(int) s[i]];
++  {
++if ((int)s[i] < 0)
++  us[j++] = '?';
++else
++  us[j++] = caprtl_to_unicode[(int) s[i]];
++  }
+ }
+ 
+   return j;
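Review bot: The added `(int)s[i] < 0` guard only catches bytes >= 0x80 when `char` is signed; on targets where `char` is unsigned (Debian's arm64 and armhf among them) the cast never yields a negative value, so a byte such as 0xC3 still indexes `caprtl_to_unicode[195]`, which presumably reads past the table if it is sized for 7-bit input (its definition is outside the hunk). Testing the byte value explicitly is portable: `if ((unsigned char) s[i] >= 0x80) us[j++] = '?'; else us[j++] = caprtl_to_unicode[(unsigned char) s[i]];`. A one-line comment saying the `'?'` substitution is for non-ASCII input would also make the intent clear. fribidi_cap_rtl_to_unicode() starts outside the hunk.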
diff -Nru fribidi-1.0.8/debian/patches/CVE-2022-25310.patch 
fribidi-1.0.8/debian/patches/CVE-2022-25310.patch
--- fribidi-1.0.8/debian/patches/CVE-2022-25310.patch   1970-01-01 
01:00:00.0 +0100
+++ fribidi-1.0.8/debian/patches/CVE-2022-25310.patch   2022-03-31 
10:31:22.0 +0200
@@ -0,0 +1,23 @@
+commit 175850b03e1af251d705c1d04b2b9b3c1c06e48f
+Author: Akira TAGOH 
+Date:   Thu Feb 17 19:06:10 2022 +0900
+
+Fix SEGV issue in fribidi_remove_bidi_marks
+
+Escape from fribidi_remove_bidi_marks() immediately if str is null.
+
+This fixes https://github.com/fribidi/fribidi/issues/183
+
+diff --git a/lib/fribidi.c b/lib/fribidi.c
+index f5da0da..70bdab2 100644
+--- a/lib/fribidi.c
 b/lib/fribidi.c
+@@ -74,7 +74,7 @@ fribidi_

Bug#1009251: buster-pu: fribidi/1.0.5-3.1+deb10u2

2022-04-09 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for fribidi fixes CVE-2022-25308, CVE-2022-25309 and
CVE-2022-25310 in Buster. These CVEs have been marked as no-dsa by the
security team.

The same fixes have been already uploaded to Unstable.

  Thorsten
diff -Nru fribidi-1.0.5/debian/changelog fribidi-1.0.5/debian/changelog
--- fribidi-1.0.5/debian/changelog  2019-11-06 07:48:41.0 +0100
+++ fribidi-1.0.5/debian/changelog  2022-04-05 22:03:02.0 +0200
@@ -1,3 +1,16 @@
+fribidi (1.0.5-3.1+deb10u2) buster; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2022-25308
+stack-buffer-overflow issue in main()
+  * CVE-2022-25309
+heap-buffer-overflow issue in fribidi_cap_rtl_to_unicode()
+  * CVE-2022-25310
+SEGV issue in fribidi_remove_bidi_marks()
+(Closes: #1008793)
+
+ -- Thorsten Alteholz   Tue, 05 Apr 2022 22:03:02 +0200
+
 fribidi (1.0.5-3.1+deb10u1) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru fribidi-1.0.5/debian/patches/CVE-2022-25308.patch 
fribidi-1.0.5/debian/patches/CVE-2022-25308.patch
--- fribidi-1.0.5/debian/patches/CVE-2022-25308.patch   1970-01-01 
01:00:00.0 +0100
+++ fribidi-1.0.5/debian/patches/CVE-2022-25308.patch   2022-03-31 
10:33:34.0 +0200
@@ -0,0 +1,43 @@
+commit ad3a19e6372b1e667128ed1ea2f49919884587e1
+Author: Akira TAGOH 
+Date:   Thu Feb 17 17:30:12 2022 +0900
+
+Fix the stack buffer overflow issue
+
+strlen() could returns 0. Without a conditional check for len,
+accessing S_ pointer with len - 1 may causes a stack buffer overflow.
+
+AddressSanitizer reports this like:
+==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffdce043c1f at pc 0x00403547 bp 0x7ffdce0
+43b30 sp 0x7ffdce043b28
+READ of size 1 at 0x7ffdce043c1f thread T0
+#0 0x403546 in main ../bin/fribidi-main.c:393
+#1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
+#2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
+#3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
+
+Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in 
frame
+#0 0x4022bf in main ../bin/fribidi-main.c:193
+
+  This frame has 5 object(s):
+[32, 36) 'option_index' (line 233)
+[48, 52) 'base' (line 386)
+[64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows 
this variable
+[65328, 130328) 'outstring' (line 385)
+[130592, 390592) 'logical' (line 384)
+
+This fixes https://github.com/fribidi/fribidi/issues/181
+
+diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
+index 3cf9fe1..3ae4fb6 100644
+--- a/bin/fribidi-main.c
 b/bin/fribidi-main.c
+@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
+   S_[sizeof (S_) - 1] = 0;
+   len = strlen (S_);
+   /* chop */
+-  if (S_[len - 1] == '\n')
++  if (len > 0 && S_[len - 1] == '\n')
+ {
+   len--;
+   S_[len] = '\0';
diff -Nru fribidi-1.0.5/debian/patches/CVE-2022-25309.patch 
fribidi-1.0.5/debian/patches/CVE-2022-25309.patch
--- fribidi-1.0.5/debian/patches/CVE-2022-25309.patch   1970-01-01 
01:00:00.0 +0100
+++ fribidi-1.0.5/debian/patches/CVE-2022-25309.patch   2022-03-31 
10:33:34.0 +0200
@@ -0,0 +1,24 @@
+commit f22593b82b5d1668d1997dbccd10a9c31ffea3b3
+Author: Dov Grobgeld 
+Date:   Fri Mar 25 09:09:49 2022 +0300
+
+Protected against garbage in the CapRTL encoder
+
+diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c
+index b0c0e4a..f74e010 100644
+--- a/lib/fribidi-char-sets-cap-rtl.c
 b/lib/fribidi-char-sets-cap-rtl.c
+@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode (
+   }
+   }
+   else
+-  us[j++] = caprtl_to_unicode[(int) s[i]];
++  {
++if ((int)s[i] < 0)
++  us[j++] = '?';
++else
++  us[j++] = caprtl_to_unicode[(int) s[i]];
++  }
+ }
+ 
+   return j;
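Review bot: The `(int)s[i] < 0` test in the new else-branch depends on `char` being signed; where it is unsigned (Debian arm64/armhf) no byte is ever negative, so high bytes still reach `caprtl_to_unicode[(int) s[i]]` with an index of 128 or more, which presumably exceeds the table if it covers only 7-bit CapRTL input (definition not in the hunk). Use the byte value instead of relying on sign: `if ((unsigned char) s[i] >= 0x80) us[j++] = '?'; else us[j++] = caprtl_to_unicode[(unsigned char) s[i]];`. The enclosing fribidi_cap_rtl_to_unicode() starts outside the hunk.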
diff -Nru fribidi-1.0.5/debian/patches/CVE-2022-25310.patch 
fribidi-1.0.5/debian/patches/CVE-2022-25310.patch
--- fribidi-1.0.5/debian/patches/CVE-2022-25310.patch   1970-01-01 
01:00:00.0 +0100
+++ fribidi-1.0.5/debian/patches/CVE-2022-25310.patch   2022-03-31 
10:54:43.0 +0200
@@ -0,0 +1,23 @@
+commit 175850b03e1af251d705c1d04b2b9b3c1c06e48f
+Author: Akira TAGOH 
+Date:   Thu Feb 17 19:06:10 2022 +0900
+
+Fix SEGV issue in fribidi_remove_bidi_marks
+
+Escape from fribidi_remove_bidi_marks() immediately if str is null.
+
+This fixes https://github.com/fribidi/fribidi/issues/183
+
+Index: fribidi-1.0.5/lib/fribidi-deprecated.c
+===
+--- fribidi-1.0.5.orig/lib/fribidi-deprecated.c 

Bug#1009077: bullseye-pu: minidlna/1.3.0+dfsg-2+deb11u1

2022-04-06 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for minidlna fixes CVE-2022-26505 in Bullseye. This 
CVE has been marked as no-dsa by the security team.


The same fix has been already uploaded to Unstable.

  Thorsten
diff -Nru minidlna-1.3.0+dfsg/debian/changelog 
minidlna-1.3.0+dfsg/debian/changelog
--- minidlna-1.3.0+dfsg/debian/changelog2021-01-31 16:56:14.0 
+0100
+++ minidlna-1.3.0+dfsg/debian/changelog2022-03-24 22:03:02.0 
+0100
@@ -1,3 +1,13 @@
+minidlna (1.3.0+dfsg-2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2022-26505
+Validate HTTP requests to protect against DNS rebinding, thus forbid
+a remote web server to exfiltrate media files.
+(Closes: #1006798)
+
+ -- Thorsten Alteholz   Thu, 24 Mar 2022 22:03:02 +0100
+
 minidlna (1.3.0+dfsg-2) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru minidlna-1.3.0+dfsg/debian/patches/CVE-2022-26505.patch 
minidlna-1.3.0+dfsg/debian/patches/CVE-2022-26505.patch
--- minidlna-1.3.0+dfsg/debian/patches/CVE-2022-26505.patch 1970-01-01 
01:00:00.0 +0100
+++ minidlna-1.3.0+dfsg/debian/patches/CVE-2022-26505.patch 2022-03-24 
22:03:02.0 +0100
@@ -0,0 +1,56 @@
+commit c21208508dbc131712281ec5340687e5ae89e940
+Author: Justin Maggard 
+Date:   Wed Feb 9 18:32:50 2022 -0800
+
+upnphttp: Protect against DNS rebinding attacks
+
+Validate HTTP requests to protect against DNS rebinding.
+
+diff --git a/upnphttp.c b/upnphttp.c
+index c8b5e99..62db89a 100644
+--- a/upnphttp.c
 b/upnphttp.c
+@@ -273,6 +273,11 @@ ParseHttpHeaders(struct upnphttp * h)
+   p = colon + 1;
+   while(isspace(*p))
+   p++;
++  n = 0;
++  while(p[n] >= ' ')
++  n++;
++  h->req_Host = p;
++  h->req_HostLen = n;
+   for(n = 0; n < n_lan_addr; n++)
+   {
+   for(i = 0; lan_addr[n].str[i]; i++)
+@@ -909,6 +914,18 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h)
+   }
+ 
+   DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, 
h->req_buf);
++  if(h->req_Host && h->req_HostLen > 0) {
++  const char *ptr = h->req_Host;
++  DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, 
h->req_Host);
++  for(i = 0; i < h->req_HostLen; i++) {
++  if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < 
'0')) {
++  DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack 
suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
++  Send404(h);/* 403 */
++  return;
++  }
++  ptr++;
++  }
++  }
+   if(strcmp("POST", HttpCommand) == 0)
+   {
+   h->req_command = EPost;
+diff --git a/upnphttp.h b/upnphttp.h
+index e28a943..57eb2bb 100644
+--- a/upnphttp.h
 b/upnphttp.h
+@@ -89,6 +89,8 @@ struct upnphttp {
+   struct client_cache_s * req_client;
+   const char * req_soapAction;
+   int req_soapActionLen;
++  const char * req_Host;/* Host: header */
++  int req_HostLen;
+   const char * req_Callback;  /* For SUBSCRIBE */
+   int req_CallbackLen;
+   const char * req_NT;
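Review bot: The Host check in ProcessHttpQuery_upnphttp accepts only digits, `.` and `:`, so any IPv6 literal containing hex letters or brackets, e.g. `Host: [fe80::1]:8200`, is rejected with a 404 even though it is an address rather than a name; if the daemon is reachable over IPv6 (not visible here) those clients lose access, and a comment above the loop should state that only dotted-quad or all-numeric Host values are accepted by design. The check is also skipped entirely when no Host header was parsed (`if(h->req_Host && h->req_HostLen > 0)`), which is acceptable for the browser-originated rebinding this targets but deserves a comment so it is not later read as an oversight. A short comment on `Send404(h); /* 403 */` explaining why 404 is returned instead of 403 would help as well. ParseHttpHeaders and ProcessHttpQuery_upnphttp both start outside the hunk.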
diff -Nru minidlna-1.3.0+dfsg/debian/patches/series 
minidlna-1.3.0+dfsg/debian/patches/series
--- minidlna-1.3.0+dfsg/debian/patches/series   2021-01-31 16:53:51.0 
+0100
+++ minidlna-1.3.0+dfsg/debian/patches/series   2022-03-24 22:03:02.0 
+0100
@@ -5,3 +5,5 @@
 08-Fix-testupnpdescgen-build.patch
 09-do-not-disable-logs-with-systemd.patch
 10-do-not-close-socket-on-sighup.patch
+
+CVE-2022-26505.patch


Bug#1009076: buster-pu: minidlna/1.2.1+dfsg-2+deb10u3

2022-04-06 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for minidlna fixes CVE-2022-26505 in Buster. This
CVE has been marked as no-dsa by the security team.

The same fix has been already uploaded to Unstable.

  Thorsten

diff -Nru minidlna-1.2.1+dfsg/debian/changelog 
minidlna-1.2.1+dfsg/debian/changelog
--- minidlna-1.2.1+dfsg/debian/changelog2021-01-03 17:16:43.0 
+0100
+++ minidlna-1.2.1+dfsg/debian/changelog2022-03-24 22:03:02.0 
+0100
@@ -1,3 +1,13 @@
+minidlna (1.2.1+dfsg-2+deb10u3) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2022-26505
+Validate HTTP requests to protect against DNS rebinding, thus forbid
+a remote web server to exfiltrate media files.
+(Closes: #1006798)
+
+ -- Thorsten Alteholz   Thu, 24 Mar 2022 22:03:02 +0100
+
 minidlna (1.2.1+dfsg-2+deb10u2) buster-security; urgency=medium
 
   * d/minidlna.postrm: Do not fail on purge (Closes: #975372). This fixes the
diff -Nru minidlna-1.2.1+dfsg/debian/patches/CVE-2022-26505.patch 
minidlna-1.2.1+dfsg/debian/patches/CVE-2022-26505.patch
--- minidlna-1.2.1+dfsg/debian/patches/CVE-2022-26505.patch 1970-01-01 
01:00:00.0 +0100
+++ minidlna-1.2.1+dfsg/debian/patches/CVE-2022-26505.patch 2022-03-24 
22:03:02.0 +0100
@@ -0,0 +1,56 @@
+commit c21208508dbc131712281ec5340687e5ae89e940
+Author: Justin Maggard 
+Date:   Wed Feb 9 18:32:50 2022 -0800
+
+upnphttp: Protect against DNS rebinding attacks
+
+Validate HTTP requests to protect against DNS rebinding.
+
+Index: minidlna-1.2.1+dfsg/upnphttp.c
+===
+--- minidlna-1.2.1+dfsg.orig/upnphttp.c2022-03-25 00:26:07.789929728 
+0100
 minidlna-1.2.1+dfsg/upnphttp.c 2022-03-25 00:28:13.477909761 +0100
+@@ -268,6 +268,11 @@
+   p = colon + 1;
+   while(isspace(*p))
+   p++;
++n = 0;
++while(p[n] >= ' ')
++n++;
++h->req_Host = p;
++h->req_HostLen = n;
+   for(n = 0; nreq_buflen, 
h->req_buf);
++  if(h->req_Host && h->req_HostLen > 0) {
++  const char *ptr = h->req_Host;
++  DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, 
h->req_Host);
++  for(i = 0; i < h->req_HostLen; i++) {
++  if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < 
'0')) {
++  DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack 
suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
++  Send404(h);/* 403 */
++  return;
++  }
++  ptr++;
++  }
++  }
+   if(strcmp("POST", HttpCommand) == 0)
+   {
+   h->req_command = EPost;
+Index: minidlna-1.2.1+dfsg/upnphttp.h
+===
+--- minidlna-1.2.1+dfsg.orig/upnphttp.h2022-03-25 00:26:07.789929728 
+0100
 minidlna-1.2.1+dfsg/upnphttp.h 2022-03-25 00:26:07.789929728 +0100
+@@ -89,6 +89,8 @@
+   struct client_cache_s * req_client;
+   const char * req_soapAction;
+   int req_soapActionLen;
++  const char * req_Host;/* Host: header */
++  int req_HostLen;
+   const char * req_Callback;  /* For SUBSCRIBE */
+   int req_CallbackLen;
+   const char * req_NT;
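Review bot: The Host validation loop accepts only `0`-`9`, `.` and `:`, so an IPv6 literal with hex letters or brackets (`Host: [fe80::1]:8200`) is answered with a 404 although it names an address, not a host; a comment above the loop should say that only numeric Host values are accepted on purpose, and if IPv6 listeners are configured (not visible here) this needs to be revisited. Requests without a Host header skip the check altogether via `if(h->req_Host && h->req_HostLen > 0)`, which is fine for browser-driven rebinding but worth a comment. Note that the ParseHttpHeaders part of this hunk appears mangled in the mail (`for(n = 0; nreq_buflen,`), so the applied patch should be compared against the bullseye copy before upload. Both functions start outside the hunk.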
diff -Nru minidlna-1.2.1+dfsg/debian/patches/series 
minidlna-1.2.1+dfsg/debian/patches/series
--- minidlna-1.2.1+dfsg/debian/patches/series   2020-12-22 08:53:42.0 
+0100
+++ minidlna-1.2.1+dfsg/debian/patches/series   2022-03-24 22:03:02.0 
+0100
@@ -10,3 +10,5 @@
 15-use-newer-ip_multicast_if-api.patch
 0011-upnphttp-Disallow-negative-HTTP-chunk-lengths.patch
 0012-upnphttp-Validate-SUBSCRIBE-callback-URL.patch
+
+CVE-2022-26505.patch


Bug#1008578: buster-pu: golang-github-russellhaering-goxmldsig/0.0~git20170911.b7efc62-1+deb10u1

2022-03-28 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for golang-github-russellhaering-goxmldsig fixes 
CVE-2020-7711 in Buster. This CVE has been marked as no-dsa by the 
security team.


  Thorsten


golang-github-russellhaering-goxmldsig_0.0~git20170911.b7efc62-1+deb10u1.debdiff
Description: Binary data


Bug#1008577: bullseye-pu: golang-github-russellhaering-goxmldsig/1.1.0-1+deb11u1

2022-03-28 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for golang-github-russellhaering-goxmldsig fixes
CVE-2020-7711 in Bullseye. This CVE has been marked as no-dsa by the
security team.

  Thorsten
diff -Nru golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog 
golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog
--- golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog   
2021-01-08 00:13:56.0 +0100
+++ golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog   
2022-03-28 22:32:49.0 +0200
@@ -1,3 +1,12 @@
+golang-github-russellhaering-goxmldsig (1.1.0-1+deb11u1) bullseye; 
urgency=medium
+
+  * CVE-2020-7711
+null pointer dereference caused by crafted XML signatures
+(Closes: #968928)
+  * according to ratt, nothing else has to be built
+
+ -- Thorsten Alteholz   Mon, 28 Mar 2022 22:32:49 +0200
+
 golang-github-russellhaering-goxmldsig (1.1.0-1) unstable; urgency=medium
 
   * New upstream release (Closes: #971615)
diff -Nru 
golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch 
golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch
--- 
golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch 
1970-01-01 01:00:00.0 +0100
+++ 
golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch 
2022-03-24 02:38:42.0 +0100
@@ -0,0 +1,23 @@
+commit fb23e0af61c023e3a6dae8ad30dbd0f04d8a4d8f
+Merge: 3541f5e ca2b448
+Author: Russell Haering 
+Date:   Fri Aug 27 20:19:01 2021 -0700
+
+Merge pull request #71 from aporcupine/patch-1
+
+Explicitly check for case where SignatureValue is nil
+
+Index: golang-github-russellhaering-goxmldsig-1.1.0/validate.go
+===
+--- golang-github-russellhaering-goxmldsig-1.1.0.orig/validate.go  
2022-03-24 02:38:38.797524728 +0100
 golang-github-russellhaering-goxmldsig-1.1.0/validate.go   2022-03-24 
02:38:38.797524728 +0100
+@@ -271,6 +271,9 @@
+   if !bytes.Equal(digest, decodedDigestValue) {
+   return nil, errors.New("Signature could not be verified")
+   }
++  if sig.SignatureValue == nil {
++  return nil, errors.New("Signature could not be verified")
++  }
+ 
+   // Decode the 'SignatureValue' so we can compare against it
+   decodedSignature, err := 
base64.StdEncoding.DecodeString(sig.SignatureValue.Data)
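Review bot: The new nil check reuses the exact message of the digest-mismatch branch, so a document that omits `<SignatureValue>` is reported the same way as one with a bad digest; that is the right choice for not handing an attacker a distinguishing oracle, and a comment such as `// same error text as the digest check on purpose: do not leak which part failed` would stop a later maintainer from turning it into a distinct message. Because the check does not depend on the digest, it could also be hoisted above the digest comparison so the cheap structural check fails first, `if sig.SignatureValue == nil { return nil, errors.New("Signature could not be verified") }`. The enclosing function starts and ends outside the hunk.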
diff -Nru golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series 
golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series
--- golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series  
1970-01-01 01:00:00.0 +0100
+++ golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series  
2022-03-24 02:39:15.0 +0100
@@ -0,0 +1 @@
+CVE-2020-7711.patch


Bug#1007938: buster-pu: package cups/2.2.10-6+deb10u5

2022-03-19 Thread Thorsten Alteholz




On Sat, 19 Mar 2022, Adam D. Barratt wrote:

Please go ahead.


Great, thanks, ... and uploaded.

  Thorsten



Bug#1007262: bullseye-pu: package cups-filters/1.28.7-1+deb11u1

2022-03-19 Thread Thorsten Alteholz




On Sat, 19 Mar 2022, Adam D. Barratt wrote:

Please go ahead.


Great, thanks, ... and uploaded.

  Thorsten



Bug#1006494: buster-pu: htmldoc/1.9.3-1+deb10u3

2022-03-18 Thread Thorsten Alteholz




On Fri, 18 Mar 2022, Adam D. Barratt wrote:

Please go ahead.


Great, thanks, ... and uploaded.

  Thorsten



Bug#1006493: bullseye-pu: htmldoc/1.9.11-4+deb11u2

2022-03-18 Thread Thorsten Alteholz




On Tue, 15 Mar 2022, Adam D. Barratt wrote:


Control: tags -1 + confirmed

On Sat, 2022-02-26 at 10:55 +, Thorsten Alteholz wrote:

The attached debdiff for htmldoc fixes CVE-2022-0534 in Bullseye.



Please go ahead.


Great, thanks, ... and uploaded.

  Thorsten



Bug#1007938: buster-pu: package cups/2.2.10-6+deb10u5

2022-03-18 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for cups fixes CVE-2020-10001 in Buster. This CVE has 
been marked as no-dsa by the security team.


The same patch has been uploaded to Stretch already and nobody complained 
yet.


  Thorsten

diff -Nru cups-2.2.10/debian/changelog cups-2.2.10/debian/changelog
--- cups-2.2.10/debian/changelog2020-11-28 12:09:48.0 +0100
+++ cups-2.2.10/debian/changelog2022-02-23 22:03:02.0 +0100
@@ -1,3 +1,12 @@
+cups (2.2.10-6+deb10u5) buster; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2020-10001.patch
+An input validation issue might allow a malicious application
+to read restricted memory.
+
+ -- Thorsten Alteholz   Wed, 23 Feb 2022 22:03:02 +0100
+
 cups (2.2.10-6+deb10u4) buster; urgency=medium
 
   * Backport upstream fix:
diff -Nru cups-2.2.10/debian/.git-dpm cups-2.2.10/debian/.git-dpm
--- cups-2.2.10/debian/.git-dpm 2020-11-28 12:09:48.0 +0100
+++ cups-2.2.10/debian/.git-dpm 2022-02-23 22:03:02.0 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e512765460ec633ad43872436b243021f252a69a
-e512765460ec633ad43872436b243021f252a69a
+cd650ee595b7905afba01cfe9c4479823f22704d
+cd650ee595b7905afba01cfe9c4479823f22704d
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 cups_2.2.10.orig.tar.gz
diff -Nru cups-2.2.10/debian/patches/0053-CVE-2020-10001.patch 
cups-2.2.10/debian/patches/0053-CVE-2020-10001.patch
--- cups-2.2.10/debian/patches/0053-CVE-2020-10001.patch1970-01-01 
01:00:00.0 +0100
+++ cups-2.2.10/debian/patches/0053-CVE-2020-10001.patch2022-02-23 
22:03:02.0 +0100
@@ -0,0 +1,49 @@
+From cd650ee595b7905afba01cfe9c4479823f22704d Mon Sep 17 00:00:00 2001
+From: Thorsten Alteholz 
+Date: Sat, 26 Feb 2022 02:20:21 +0100
+Subject: CVE-2020-10001
+
+---
+ cups/ipp.c | 8 +---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 4ebb1da9c..ead8856c5 100644
+--- a/cups/ipp.c
 b/cups/ipp.c
+@@ -2870,7 +2870,8 @@ ippReadIO(void   *src,   /* I - Data 
source */
+   unsigned char   *buffer,/* Data buffer */
+   string[IPP_MAX_TEXT],
+   /* Small string buffer */
+-  *bufptr;/* Pointer into buffer */
++  *bufptr,/* Pointer into buffer */
++  *bufend;/* End of buffer */
+   ipp_attribute_t *attr;  /* Current attribute */
+   ipp_tag_t   tag;/* Current tag */
+   ipp_tag_t   value_tag;  /* Current value tag */
+@@ -3440,6 +3441,7 @@ ippReadIO(void   *src,   /* I - Data 
source */
+   }
+ 
+ bufptr = buffer;
++bufend = buffer + n;
+ 
+  /*
+   * text-with-language and name-with-language are composite
+@@ -3453,7 +3455,7 @@ ippReadIO(void   *src,   /* I - Data 
source */
+ 
+   n = (bufptr[0] << 8) | bufptr[1];
+ 
+-  if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= 
(int)sizeof(string))
++  if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+   {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+   _("IPP language length overflows value."), 1);
+@@ -3480,7 +3482,7 @@ ippReadIO(void   *src,   /* I - Data 
source */
+ bufptr += 2 + n;
+   n = (bufptr[0] << 8) | bufptr[1];
+ 
+-  if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
++  if ((bufptr + 2 + n) > bufend)
+   {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+   _("IPP string length overflows value."), 1);
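Review bot: The patch header carries only the git-dpm author line and the subject `CVE-2020-10001`; there is no `Origin:` or `Bug:` field naming the upstream CUPS commit this backport was taken from, which is what a stable-update reviewer needs in order to compare the two bounds checks with upstream. Adding DEP-3 fields such as `Origin: backport, <upstream commit URL>` and `Bug-Debian: https://bugs.debian.org/1007938` at the top of the patch would close that gap. The bounds logic itself reads consistently: `bufend = buffer + n` is taken from the value length already read into `buffer`, both checks now fail when the language or the string would run past it rather than past `IPP_BUF_SIZE`, and the `n >= (int)sizeof(string)` test on the language length is kept. The ippReadIO body extends well beyond the three visible fragments.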
diff -Nru cups-2.2.10/debian/patches/series cups-2.2.10/debian/patches/series
--- cups-2.2.10/debian/patches/series   2020-11-28 12:09:48.0 +0100
+++ cups-2.2.10/debian/patches/series   2022-02-23 22:03:02.0 +0100
@@ -50,3 +50,4 @@
 0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
 0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
 0052-backend-scheduler-ipp.c-Fix-printer-alert-invalid-fr.patch
+0053-CVE-2020-10001.patch


Bug#1007262: bullseye-pu: package cups-filters/1.28.7-1+deb11u1

2022-03-14 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


As written in #1006183 [1] and #1005813 [2], the Debian Edu team has a 
somewhat strange handling of config files. In order to make their life a 
bit easier, they asked to add another file entry to the apparmor 
configuration of  cups-filters.

Do you mind allowing this change for Bullseye as well?

The same patch was already uploaded to Testing/Unstable and nobody 
complained yet.


  Thorsten


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006183
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005813
diff -Nru cups-filters-1.28.7/debian/apparmor/usr.sbin.cups-browsed 
cups-filters-1.28.7/debian/apparmor/usr.sbin.cups-browsed
--- cups-filters-1.28.7/debian/apparmor/usr.sbin.cups-browsed   2021-01-08 
10:40:57.0 +0100
+++ cups-filters-1.28.7/debian/apparmor/usr.sbin.cups-browsed   2022-03-14 
22:03:02.0 +0100
@@ -15,6 +15,9 @@
   /var/log/cups/* rw,
   /tmp/** rw,
 
+  # Courtesy to the Debian Edu team...
+  /etc/cups/cups-browsed-debian-edu.conf r,
+
   # Site-specific additions and overrides. See local/README for details.
   #include 
 }
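Review bot: The new `r` rule hard-codes a Debian Edu file into the profile shipped by cups-filters, while the `#include` of the local override directory two lines below is the documented hook for exactly this kind of site-specific addition. If the Debian Edu team shipped its own snippet under `/etc/apparmor.d/local/`, this profile would not need a new line for every downstream config file. If the decision in #1006183 was deliberately to carry it here, a comment saying so, e.g. `# Debian Edu ships its own cups-browsed config (read-only); see #1006183`, would stop the next reviewer from reopening the question. This is a maintenance preference rather than a security regression, since the rule grants read access only.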
diff -Nru cups-filters-1.28.7/debian/changelog 
cups-filters-1.28.7/debian/changelog
--- cups-filters-1.28.7/debian/changelog2021-01-08 10:40:57.0 
+0100
+++ cups-filters-1.28.7/debian/changelog2022-03-14 22:03:02.0 
+0100
@@ -1,3 +1,12 @@
+cups-filters (1.28.7-1+deb11u1) bullseye; urgency=medium
+
+  * debian/apparmor/usr.sbin.cups-browsed: Allow reading from Debian Edu's
+cups-browsed config file (/etc/cups/cups-browsed-debian-edu.conf).
+(Closes: #1006183). (patch provided by Mike Gabriel)
+  * debian/control: add myself to Uploaders:
+
+ -- Thorsten Alteholz   Mon, 14 Mar 2022 22:03:02 +0100
+
 cups-filters (1.28.7-1) unstable; urgency=medium
 
   * 1.28.7 upstream release
diff -Nru cups-filters-1.28.7/debian/control cups-filters-1.28.7/debian/control
--- cups-filters-1.28.7/debian/control  2021-01-08 10:40:57.0 +0100
+++ cups-filters-1.28.7/debian/control  2022-03-14 22:03:02.0 +0100
@@ -1,7 +1,8 @@
 Source: cups-filters
 Maintainer: Debian Printing Team 
 Uploaders: Till Kamppeter ,
-   Didier Raboud 
+   Didier Raboud ,
+   Thorsten Alteholz 
 Section: net
 Priority: optional
 Build-Depends: autoconf,


Bug#1006494: buster-pu: htmldoc/1.9.3-1+deb10u3

2022-02-26 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for htmldoc fixes CVE-2022-0534, CVE-2021-43579 and 
CVE-2021-40985 in Buster. These CVEs are marked as unimportant by the 
security team, yet they are bugs. CVE-2021-43579 even has the possibility 
of remote code execution.


  Thorsten

diff -Nru htmldoc-1.9.3/debian/changelog htmldoc-1.9.3/debian/changelog
--- htmldoc-1.9.3/debian/changelog  2021-06-07 16:25:54.0 +0200
+++ htmldoc-1.9.3/debian/changelog  2022-02-25 22:03:02.0 +0100
@@ -1,3 +1,19 @@
+htmldoc (1.9.3-1+deb10u3) buster; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2022-0534
+A crafted GIF file could lead to a stack out-of-bounds read,
+which could result in a crash (segmentation fault).
+  * CVE-2021-43579
+Converting an HTML document, which links to a crafted BMP file,
+could lead to a stack-based buffer overflow, which could result
+in remote code execution.
+  * CVE-2021-40985
+A crafted BMP image could lead to a buffer overflow, which could
+cause a denial of service.
+
+ -- Thorsten Alteholz   Fri, 25 Feb 2022 22:03:02 +0100
+
 htmldoc (1.9.3-1+deb10u2) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch 
htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch
--- htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch   1970-01-01 
01:00:00.0 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch   2022-02-25 
22:03:02.0 +0100
@@ -0,0 +1,38 @@
+commit f12b9666e582a8e7b70f11b28e5ffc49ad625d43
+Author: Michael R Sweet 
+Date:   Sat Sep 11 18:12:33 2021 -0400
+
+Fix BMP crash bug (Issue #444)
+
+Index: htmldoc-1.9.3/htmldoc/image.cxx
+===
+--- htmldoc-1.9.3.orig/htmldoc/image.cxx   2022-02-26 01:01:53.117543638 
+0100
 htmldoc-1.9.3/htmldoc/image.cxx2022-02-26 01:01:53.117543638 +0100
+@@ -900,6 +900,9 @@
+   colors_used  = (int)read_dword(fp);
+   read_dword(fp);
+ 
++  if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height 
> 8192)
++return (-1);
++
+   if (info_size > 40)
+ for (info_size -= 40; info_size > 0; info_size --)
+   getc(fp);
+@@ -911,7 +914,7 @@
+   fread(colormap, (size_t)colors_used, 4, fp);
+ 
+   // Setup image and buffers...
+-  img->depth  = gray ? 1 : 3;
++  img->depth = gray ? 1 : 3;
+ 
+   // If this image is indexed and we are writing an encrypted PDF file, bump 
the use count so
+   // we create an image object (Acrobat 6 bug workaround)
+@@ -1061,7 +1064,7 @@
+ if (bit == 0xf0)
+   {
+   if (color < 0)
+-  temp = getc(fp);
++  temp = getc(fp) & 255;
+ else
+   temp = color;
+ 
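Review bot: `temp = getc(fp) & 255;` in the RLE branch turns an EOF return (-1) into 0xff instead of reporting the truncated file, so the mask removes the negative index but silently decodes a short BMP as 0xff pixels; if `temp` is an int, `if ((temp = getc(fp)) == EOF) return (-1);` keeps the bounds safety and surfaces the error. The dimension guard rejects anything above 8192 with a bare literal and a silent -1; a named constant and a `progress_error()` message, as the GIF patch later in this same debdiff does, would tell the user why the image was dropped. The `fread(colormap, ...)` a few lines below is also still unchecked, so a short colormap presumably leaves entries uninitialized. The enclosing BMP loader continues outside this hunk.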
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2021-43579.patch 
htmldoc-1.9.3/debian/patches/CVE-2021-43579.patch
--- htmldoc-1.9.3/debian/patches/CVE-2021-43579.patch   1970-01-01 
01:00:00.0 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2021-43579.patch   2022-02-25 
22:03:02.0 +0100
@@ -0,0 +1,27 @@
+commit 27d08989a5a567155d506ac870ae7d8cc88fa58b
+Author: Michael R Sweet 
+Date:   Fri Nov 5 09:35:10 2021 -0400
+
+Fix potential BMP stack overflow (Issue #453)
+
+Index: htmldoc-1.9.3/htmldoc/image.cxx
+===
+--- htmldoc-1.9.3.orig/htmldoc/image.cxx   2022-02-26 01:02:38.045520508 
+0100
 htmldoc-1.9.3/htmldoc/image.cxx2022-02-26 01:02:38.045520508 +0100
+@@ -904,12 +904,16 @@
+ return (-1);
+ 
+   if (info_size > 40)
++  {
+ for (info_size -= 40; info_size > 0; info_size --)
+   getc(fp);
++  }
+ 
+   // Get colormap...
+   if (colors_used == 0 && depth <= 8)
+ colors_used = 1 << depth;
++  else if (colors_used > 256)
++return (-1);
+ 
+   fread(colormap, (size_t)colors_used, 4, fp);
+ 
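Review bot: `else if (colors_used > 256) return (-1);` does not reject a negative `colors_used`: it is assigned from `(int)read_dword(fp)` (visible in the companion CVE-2021-40985 patch), so a dword of 0x80000000 or above becomes negative, passes this test, and is then cast to `size_t` in `fread(colormap, (size_t)colors_used, 4, fp)` as an enormous item count, which is the same stack overwrite this patch is meant to stop if colormap is the 256-entry array the limit implies. Changing the test to `else if (colors_used < 0 || colors_used > 256) return (-1);` closes that path. The `fread` return value also remains unchecked, so a short colormap is used partly uninitialized; the enclosing function continues outside the hunk.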
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2022-0534-1.patch 
htmldoc-1.9.3/debian/patches/CVE-2022-0534-1.patch
--- htmldoc-1.9.3/debian/patches/CVE-2022-0534-1.patch  1970-01-01 
01:00:00.0 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2022-0534-1.patch  2022-02-25 
22:03:02.0 +0100
@@ -0,0 +1,38 @@
+commit 776cf0fc4c760f1fb7b966ce28dc92dd7d44ed50
+Author: Michael R Sweet 
+Date:   Fri Jan 7 10:21:58 2022 -0500
+
+Fix potential stack overflow with GIF images (Issue #463)
+
+Index: htmldoc-1.9.3/htmldoc/image.cxx
+===
+--- htmldoc-1.9.3.orig/htmldoc/image.cxx   2022-02-26 01:03:05.161506575 
+0100
 htmldoc-1.9.3/htmldoc/image.cxx2022-02-26 01:03:05.161506575 +0100
+@@ -213,8 +213,7 @@
+ 
+ if (done)
+ {
+-  progress_error(HD_ERROR_READ_ERROR,
+- "No

Bug#1006493: bullseye-pu: htmldoc/1.9.11-4+deb11u2

2022-02-26 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for htmldoc fixes CVE-2022-0534 in Bullseye. This
CVE has been marked as unimportant by the security team, yet it is a bug.

  Thorsten
diff -Nru htmldoc-1.9.11/debian/changelog htmldoc-1.9.11/debian/changelog
--- htmldoc-1.9.11/debian/changelog 2021-11-15 17:13:36.0 +0100
+++ htmldoc-1.9.11/debian/changelog 2022-02-25 22:03:02.0 +0100
@@ -1,3 +1,12 @@
+htmldoc (1.9.11-4+deb11u2) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2022-0534
+A crafted GIF file could lead to a stack out-of-bounds read,
+which could result in a crash (segmentation fault).
+
+ -- Thorsten Alteholz   Fri, 25 Feb 2022 22:03:02 +0100
+
 htmldoc (1.9.11-4+deb11u1) bullseye; urgency=medium
 
   * Add patch from upstream to fix CVEs:
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2022-0534-1.patch 
htmldoc-1.9.11/debian/patches/CVE-2022-0534-1.patch
--- htmldoc-1.9.11/debian/patches/CVE-2022-0534-1.patch 1970-01-01 
01:00:00.0 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2022-0534-1.patch 2022-02-25 
22:03:02.0 +0100
@@ -0,0 +1,38 @@
+commit 776cf0fc4c760f1fb7b966ce28dc92dd7d44ed50
+Author: Michael R Sweet 
+Date:   Fri Jan 7 10:21:58 2022 -0500
+
+Fix potential stack overflow with GIF images (Issue #463)
+
+Index: htmldoc-1.9.11/htmldoc/image.cxx
+===
+--- htmldoc-1.9.11.orig/htmldoc/image.cxx  2022-02-26 01:11:08.773261658 
+0100
 htmldoc-1.9.11/htmldoc/image.cxx   2022-02-26 01:11:08.773261658 +0100
+@@ -213,8 +213,7 @@
+ 
+ if (done)
+ {
+-  progress_error(HD_ERROR_READ_ERROR,
+- "Not enough data left to read GIF compression code.");
++  progress_error(HD_ERROR_READ_ERROR, "Not enough data left to read GIF 
compression code.");
+   return (-1);/* Sorry, no more... */
+ }
+ 
+@@ -238,7 +237,7 @@
+ * Read in another buffer...
+ */
+ 
+-if ((count = gif_get_block (fp, buf + last_byte)) <= 0)
++if ((count = gif_get_block(fp, buf + last_byte)) <= 0)
+ {
+  /*
+   * Whoops, no more data!
+@@ -252,7 +251,7 @@
+ * Update buffer state...
+ */
+ 
+-curbit= (curbit - lastbit) + 8 * last_byte;
++curbit= curbit + 8 * last_byte - lastbit;
+ last_byte += (unsigned)count;
+ lastbit   = last_byte * 8;
+   }
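Review bot: None of the three changes in this patch alter behaviour: the message reflow and the `gif_get_block(` spacing are cosmetic, and `curbit = curbit + 8 * last_byte - lastbit;` yields the same value as `(curbit - lastbit) + 8 * last_byte` under unsigned wrap-around (the `(unsigned)count` cast on the next line suggests these are unsigned) and on two's-complement signed arithmetic alike, so the over-read in CVE-2022-0534 is actually closed by the `code_size > 12` rejection in CVE-2022-0534-2.patch. That is worth recording in this patch's header, e.g. a `Comment:` line stating it is carried only to keep image.cxx in sync with upstream 776cf0fc, or in the changelog, so a future backporter does not mistake it for the fix. The variable declarations and the rest of gif_get_code are outside the hunk.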
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2022-0534-2.patch 
htmldoc-1.9.11/debian/patches/CVE-2022-0534-2.patch
--- htmldoc-1.9.11/debian/patches/CVE-2022-0534-2.patch 1970-01-01 
01:00:00.0 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2022-0534-2.patch 2022-02-25 
22:03:02.0 +0100
@@ -0,0 +1,32 @@
+commit 312f0f9c12f26fbe015cd0e6cefa40e4b99017d9
+Author: Michael R Sweet 
+Date:   Fri Jan 7 18:21:53 2022 -0500
+
+Block GIF images with a code size > 12 (Issue #463)
+
+Index: htmldoc-1.9.11/htmldoc/image.cxx
+===
+--- htmldoc-1.9.11.orig/htmldoc/image.cxx  2022-02-26 01:11:13.177259451 
+0100
 htmldoc-1.9.11/htmldoc/image.cxx   2022-02-26 01:11:13.173259454 +0100
+@@ -293,6 +293,12 @@
+   pass  = 0;
+   code_size = (uchar)getc(fp);
+ 
++  if (code_size > 12)
++  {
++progress_error(HD_ERROR_READ_ERROR, "Bad GIF file \"%s\" - invalid code 
size %d.", img->filename, code_size);
++return (-1);
++  }
++
+   if (gif_read_lzw(fp, 1, code_size) < 0)
+ return (-1);
+ 
+@@ -420,7 +426,7 @@
+   if (sp > stack)
+ return (*--sp);
+ 
+-  while ((code = gif_get_code (fp, code_size, 0)) >= 0)
++  while ((code = gif_get_code(fp, code_size, 0)) >= 0)
+   {
+ if (code == clear_code)
+ {
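Review bot: The new guard rejects `code_size > 12`, but it accepts 0 and 1, which the GIF89a description of LZW image data does not allow (the minimum code size is at least 2, at most the colour depth of 8); whether `gif_read_lzw(fp, 1, code_size)` copes with a 0- or 1-bit initial code size is not visible in this hunk. If it does not, `if (code_size < 2 || code_size > 12)` reuses the same error path with no other change. Since `code_size` comes from `(uchar)getc(fp)`, an EOF becomes 255 and is already caught by the upper bound. The enclosing function starts and ends outside the hunk.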
diff -Nru htmldoc-1.9.11/debian/patches/series 
htmldoc-1.9.11/debian/patches/series
--- htmldoc-1.9.11/debian/patches/series2021-11-15 17:13:36.0 
+0100
+++ htmldoc-1.9.11/debian/patches/series2022-02-25 22:03:02.0 
+0100
@@ -14,3 +14,7 @@
 CVE-2021-26948.patch
 CVE-2021-40985.patch
 CVE-2021-43579.patch
+
+CVE-2022-0534-1.patch
+CVE-2022-0534-2.patch
+


Bug#1004049: Bug#1004050: bullseye-pu: package zziplib/0.13.62-3.3+deb11u1.debdiff

2022-02-20 Thread Thorsten Alteholz

Hi Adam,

On 19.02.22 20:11, Adam D. Barratt wrote:


Please go ahead.


ok, thanks, uploaded.
While being at it, I also uploaded zziplib/0.13.62-3.2+deb10u1 which is 
handled by #1004049.

I hope you don't mind.

  Thorsten



Bug#1004055: buster-pu: package raptor2/2.0.14-1.1~deb10u2

2022-02-20 Thread Thorsten Alteholz

ok, thanks, uploaded.

  Thorsten



Bug#1004056: buster-pu: package libsdl1.2/1.2.15+dfsg2-4+deb10u1

2022-01-19 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for libsdl1.2 fixes lots of CVEs in Buster. These 
CVEs are marked as no-dsa by the security team.


The same patches are uploaded to Stretch already and nobody complained 
yet.


  Thorsten
diff -Nru libsdl1.2-1.2.15+dfsg2/debian/changelog 
libsdl1.2-1.2.15+dfsg2/debian/changelog
--- libsdl1.2-1.2.15+dfsg2/debian/changelog 2018-10-25 01:47:02.0 
+0200
+++ libsdl1.2-1.2.15+dfsg2/debian/changelog 2022-01-19 23:03:02.0 
+0100
@@ -1,3 +1,34 @@
+libsdl1.2 (1.2.15+dfsg2-4+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2019-7572: Buffer over-read in IMA_ADPCM_nibble
+in audio/SDL_wave.c.
+  * CVE-2019-7573: Heap-based buffer over-read in InitMS_ADPCM
+in audio/SDL_wave.c.
+  * CVE-2019-7574: Heap-based buffer over-read in IMA_ADPCM_decode
+in audio/SDL_wave.c.
+  * CVE-2019-7575: Heap-based buffer overflow in MS_ADPCM_decode
+in audio/SDL_wave.c.
+  * CVE-2019-7576: Heap-based buffer over-read in InitMS_ADPCM
+in audio/SDL_wave.c.
+  * CVE-2019-7577: Buffer over-read in SDL_LoadWAV_RW
+in audio/SDL_wave.c.
+  * CVE-2019-7578: Heap-based buffer over-read in InitIMA_ADPCM
+in audio/SDL_wave.c.
+  * CVE-2019-7635: Heap-based buffer over-read in Blit1to4
+in video/SDL_blit_1.c.
+  * CVE-2019-7636: Heap-based buffer over-read in SDL_GetRGB
+in video/SDL_pixels.c.
+  * CVE-2019-7637: Heap-based buffer overflow in SDL_FillRect
+in video/SDL_surface.c.
+  * CVE-2019-7638: Heap-based buffer over-read in Map1toN
+in video/SDL_pixels.c.
+  * CVE-2019-13616: Heap-based buffer over-read in BlitNtoN
+in video/SDL_blit_N.c.
+(patches prepared for LTS by Adrian Bunk)
+
+ -- Thorsten Alteholz   Wed, 19 Jan 2022 23:03:02 +0100
+
 libsdl1.2 (1.2.15+dfsg2-4) unstable; urgency=medium
 
   * d/rules: Add @ in 'tar --mtime="@$(SOURCE_DATE_EPOCH)"', otherwise the
diff -Nru libsdl1.2-1.2.15+dfsg2/debian/patches/CVE-2019-13616.patch 
libsdl1.2-1.2.15+dfsg2/debian/patches/CVE-2019-13616.patch
--- libsdl1.2-1.2.15+dfsg2/debian/patches/CVE-2019-13616.patch  1970-01-01 
01:00:00.0 +0100
+++ libsdl1.2-1.2.15+dfsg2/debian/patches/CVE-2019-13616.patch  2021-11-21 
11:28:17.0 +0100
@@ -0,0 +1,22 @@
+# HG changeset patch
+# User Ozkan Sezer 
+# Date 1564511424 -10800
+# Node ID ad1bbfbca760cbf5bf8131580b24637e5e7d9411
+# Parent  87d60cae0273307b2721685daf3265de5dfda634
+Fixed bug 4538 - validate image size when loading BMP files
+
+diff -r 87d60cae0273 -r ad1bbfbca760 src/video/SDL_bmp.c
+--- a/src/video/SDL_bmp.c  Tue Jun 18 23:31:40 2019 +0100
 b/src/video/SDL_bmp.c  Tue Jul 30 21:30:24 2019 +0300
+@@ -143,6 +143,11 @@
+   (void) biYPelsPerMeter;
+   (void) biClrImportant;
+ 
++  if (biWidth <= 0 || biHeight == 0) {
++  SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, 
biHeight);
++  was_error = SDL_TRUE;
++  goto done;
++  }
+   if (biHeight < 0) {
+   topDown = SDL_TRUE;
+   biHeight = -biHeight;
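Review bot: The new check rejects `biWidth <= 0` and `biHeight == 0` but still admits `biHeight == INT_MIN`, and the `biHeight = -biHeight;` in the context lines that follow is signed overflow for that value (undefined behaviour, and in practice the height stays negative), assuming biHeight is the 32-bit signed quantity the `%d` format implies. Because the value comes straight from the file, a crafted `0x80000000` height reaches the rest of the loader with an unexpected sign; extending the guard to `if (biWidth <= 0 || biHeight == 0 || biHeight == INT_MIN) {` (with `<limits.h>` if SDL_stdinc.h does not already provide it) closes that case. Whether large positive dimensions are later bounded against the pitch computation or the stream length is not visible here; the enclosing loader function continues outside the hunk.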
diff -Nru 
libsdl1.2-1.2.15+dfsg2/debian/patches/CVE-2019-7572_CVE-2019-7574.patch 
libsdl1.2-1.2.15+dfsg2/debian/patches/CVE-2019-7572_CVE-2019-7574.patch
--- libsdl1.2-1.2.15+dfsg2/debian/patches/CVE-2019-7572_CVE-2019-7574.patch 
1970-01-01 01:00:00.0 +0100
+++ libsdl1.2-1.2.15+dfsg2/debian/patches/CVE-2019-7572_CVE-2019-7574.patch 
2021-11-21 11:28:17.0 +0100
@@ -0,0 +1,105 @@
+Description: CVE-2019-7572, CVE-2019-7574
+ CVE-2019-7572: a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.
+ CVE-2019-7574: a heap-based buffer over-read in IMA_ADPCM_decode in 
audio/SDL_wave.c.
+
+---
+Author: Abhijith PA 
+Origin: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3610
+https://bugzilla.libsdl.org/attachment.cgi?id=3612
+https://bugzilla.libsdl.org/attachment.cgi?id=3618
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4496
+ https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+Last-Update: <2018-03-05>
+
+Index: libsdl1.2-1.2.15/src/audio/SDL_wave.c
+===
+--- libsdl1.2-1.2.15.orig/src/audio/SDL_wave.c
 libsdl1.2-1.2.15/src/audio/SDL_wave.c
+@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IM
+   };
+   Sint32 delta, step;
+ 
++  /* Clamp index value. The inital value can be invalid. */
++  if ( state->index > 88 ) {
++  state->index = 88;
++  } else
++  if ( state->index < 0 ) {
++  state->index = 0;
++  }
++
+   /* Compute difference and new sample value */
+   step = step_table[state->index];
+   delta = step >> 3;
+@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IM
+ 
+   /* Update index value */
+   sta

Bug#1004055: buster-pu: package raptor2/2.0.14-1.1~deb10u2

2022-01-19 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for raptor2 fixes CVE-2020-25713 in Buster. This CVE 
is marked as no-dsa by the security team.


The same patch is uploaded to Stretch already and nobody complained yet.

  Thorsten
diff -Nru raptor2-2.0.14/debian/changelog raptor2-2.0.14/debian/changelog
--- raptor2-2.0.14/debian/changelog 2020-11-06 22:46:38.0 +0100
+++ raptor2-2.0.14/debian/changelog 2021-12-27 22:03:02.0 +0100
@@ -1,3 +1,11 @@
+raptor2 (2.0.14-1.1~deb10u2) buster; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2020-25713
+Malformed input file can lead to a segfault.
+
+ -- Thorsten Alteholz   Mon, 27 Dec 2021 22:03:02 +0100
+
 raptor2 (2.0.14-1.1~deb10u1) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru 
raptor2-2.0.14/debian/patches/CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch
 
raptor2-2.0.14/debian/patches/CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch
--- 
raptor2-2.0.14/debian/patches/CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch
1970-01-01 01:00:00.0 +0100
+++ 
raptor2-2.0.14/debian/patches/CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch
2021-12-27 22:03:02.0 +0100
@@ -0,0 +1,30 @@
+From a549457461874157c8c8e8e8a6e0eec06da4fbd0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= 
+Date: Tue, 24 Nov 2020 10:30:20 +
+Subject: [PATCH] CVE-2020-25713 raptor2: malformed input file can lead to a
+ segfault
+
+due to an out of bounds array access in
+raptor_xml_writer_start_element_common
+
+See:
+https://bugs.mageia.org/show_bug.cgi?id=27605
+https://www.openwall.com/lists/oss-security/2020/11/13/1
+https://gerrit.libreoffice.org/c/core/+/106249
+---
+ src/raptor_xml_writer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: raptor2-2.0.14/src/raptor_xml_writer.c
+===
+--- raptor2-2.0.14.orig/src/raptor_xml_writer.c2021-12-29 
23:35:29.272438731 +0100
 raptor2-2.0.14/src/raptor_xml_writer.c 2021-12-29 23:35:29.272438731 
+0100
+@@ -221,7 +221,7 @@
+   
+   /* check it wasn't an earlier declaration too */
+   for(j = 0; j < nspace_declarations_count; j++)
+-if(nspace_declarations[j].nspace == 
element->attributes[j]->nspace) {
++if(nspace_declarations[j].nspace == 
element->attributes[i]->nspace) {
+   declare_me = 0;
+   break;
+ }
diff -Nru raptor2-2.0.14/debian/patches/series 
raptor2-2.0.14/debian/patches/series
--- raptor2-2.0.14/debian/patches/series2020-11-06 22:46:38.0 
+0100
+++ raptor2-2.0.14/debian/patches/series2021-12-27 22:03:02.0 
+0100
@@ -1 +1,2 @@
 Calcualte-max-nspace-declarations-correctly-for-XML-.patch
+CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch


Bug#1004049: buster-pu: package zziplib/0.13.62-3.2+deb10u1

2022-01-19 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for zziplib fixes CVE-2020-18442 in Buster. This CVE 
is marked as no-dsa by the security team.


The same patch is uploaded to Stretch already and nobody complained yet.

  Thorsten
diff -Nru zziplib-0.13.62/debian/changelog zziplib-0.13.62/debian/changelog
--- zziplib-0.13.62/debian/changelog2019-03-04 22:43:14.0 +0100
+++ zziplib-0.13.62/debian/changelog2021-12-26 00:03:02.0 +0100
@@ -1,3 +1,12 @@
+zziplib (0.13.62-3.2+deb10u1) buster; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2020-18442
+Because of mishandling a return value, an attacker might cause a
+denial of service due to an infinite loop.
+
+ -- Thorsten Alteholz   Sun, 26 Dec 2021 00:03:02 +0100
+
 zziplib (0.13.62-3.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch 
zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch
--- zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch   1970-01-01 
01:00:00.0 +0100
+++ zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch   2021-12-26 
00:03:02.0 +0100
@@ -0,0 +1,28 @@
+commit 7e786544084548da7fcfcd9090d3c4e7f5777f7e
+Author: Guido Draheim 
+Date:   Mon Jan 4 21:50:26 2021 +0100
+
+#68 return value of zzip_mem_disk_fread is signed
+
+Index: zziplib-0.13.62/bins/unzip-mem.c
+===
+--- zziplib-0.13.62.orig/bins/unzip-mem.c  2021-12-26 00:59:28.017867652 
+0100
 zziplib-0.13.62/bins/unzip-mem.c   2021-12-26 00:59:28.013867656 +0100
+@@ -90,7 +90,7 @@
+ if (file) 
+ {
+   char buffer[1024]; int len;
+-  while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
++  while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
+   fwrite (buffer, len, 1, out);
+   
+   zzip_mem_disk_fclose (file);
+@@ -124,7 +124,7 @@
+ {
+   unsigned long crc = crc32 (0L, NULL, 0);
+   unsigned char buffer[1024]; int len; 
+-  while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file))) {
++  while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file))) {
+   crc = crc32 (crc, buffer, len);
+   }
+   
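Review bot: `while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file)))` stops the loop on a negative return, but the `1024, 1` argument order leaves the unit of `len` ambiguous: if zzip_mem_disk_fread follows stdio `fread` semantics and returns an item count, `len` is at most 1 and `fwrite (buffer, len, 1, out)` and `crc32 (crc, buffer, len)` then see one byte per 1024 read; if it returns bytes, the loops are right but the call reads as if it did not. CVE-2020-18442-4.patch in this same upload uses `zzip_mem_disk_fread (buffer, 1, 1024, file)` with `fwrite (buffer, 1, len, out)` at one site, which is correct under either reading, so matching that form here (`zzip_mem_disk_fread (buffer, 1, sizeof buffer, file)` and `fwrite (buffer, 1, len, out)`) removes the doubt. The callee's declared return type is not visible here; the commit message says it is signed, so `int len` is presumably adequate but worth checking against the header.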
diff -Nru zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch 
zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch
--- zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch   1970-01-01 
01:00:00.0 +0100
+++ zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch   2021-12-26 
00:03:02.0 +0100
@@ -0,0 +1,28 @@
+commit 0a9db9ded9d15fbdb63bf5cf451920d0a368c00e
+Author: Guido Draheim 
+Date:   Mon Jan 4 21:51:56 2021 +0100
+
+#68 return value of zzip_mem_disk_fread is signed
+
+Index: zziplib-0.13.62/bins/unzzipcat-mem.c
+===
+--- zziplib-0.13.62.orig/bins/unzzipcat-mem.c  2021-12-26 00:59:59.133843763 
+0100
 zziplib-0.13.62/bins/unzzipcat-mem.c   2021-12-26 00:59:59.129843767 
+0100
+@@ -40,7 +40,7 @@
+ if (file) 
+ {
+   char buffer[1024]; int len;
+-  while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
++  while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
+   fwrite (buffer, len, 1, out);
+   
+   zzip_mem_disk_fclose (file);
+@@ -53,7 +53,7 @@
+ if (file) 
+ {
+   char buffer[1024]; int len;
+-  while ((len = zzip_mem_disk_fread (buffer, 1, 1024, file))) 
++  while (0 < (len = zzip_mem_disk_fread (buffer, 1, 1024, file))) 
+   {
+   fwrite (buffer, 1, len, out);
+   }
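Review bot: The two loops in this hunk call the same function with opposite argument orders: `zzip_mem_disk_fread (buffer, 1024, 1, file)` paired with `fwrite (buffer, len, 1, out)` at the first site, and `zzip_mem_disk_fread (buffer, 1, 1024, file)` with `fwrite (buffer, 1, len, out)` at the second, so at most one of them interprets `len` correctly unless the callee ignores the size/nmemb split and always returns a byte count. The `0 <` guard is the right fix for the negative-return loop, but while touching these lines the first site should match the second (`zzip_mem_disk_fread (buffer, 1, 1024, file)` and `fwrite (buffer, 1, len, out)`), which is correct under either interpretation. The `fwrite` return values also go unchecked, so a short write to `out` is silent.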
diff -Nru zziplib-0.13.62/debian/patches/series 
zziplib-0.13.62/debian/patches/series
--- zziplib-0.13.62/debian/patches/series   2019-03-04 22:43:14.0 
+0100
+++ zziplib-0.13.62/debian/patches/series   2021-12-26 00:03:02.0 
+0100
@@ -17,3 +17,8 @@
 Avoid-memory-leak-from-__zzip_parse_root_directory-1.patch
 Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch
 One-more-free-to-avoid-memory-leak.patch
+
+# not all of the seven patches mentioned in the security tracker
+# for this CVE are needed in every release
+CVE-2020-18442-2.patch
+CVE-2020-18442-4.patch

