Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

CUPS in stable has two no-dsa security issues in stretch which I'd like to fix:

- CVE-2017-18248: DBUS notifications could crash the scheduler
- CVE-2018-4700: Linux session cookies used a predictable random number seed

My proposed changelog entry is the following:

cups (2.2.1-8+deb9u3) stretch; urgency=low

  * Backport upstream fixes for:
    - CVE-2017-18248: DBUS notifications could crash the scheduler
    - CVE-2018-4700: Linux session cookies used a predictable random
      number seed (Closes: #915909)

I'm attaching the two upstream patches (mere cherry-picks from the upstream-2.2 branch) and the proposed debdiff.

Thanks for your consideration,

cheers,
OdyX
diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog --- cups-2.2.1/debian/changelog 2018-07-03 07:45:20.000000000 +0200 +++ cups-2.2.1/debian/changelog 2018-12-14 13:58:47.000000000 +0100 @@ -1,7 +1,16 @@ +cups (2.2.1-8+deb9u3) stretch; urgency=low + + * Backport upstream fixes for: + - CVE-2017-18248: DBUS notifications could crash the scheduler + - CVE-2018-4700: Linux session cookies used a predictable random + number seed (Closes: #915909) + + -- Didier Raboud <o...@debian.org> Fri, 14 Dec 2018 13:58:47 +0100 + cups (2.2.1-8+deb9u2) stretch-security; urgency=low * CVE-2018-6553: Fix AppArmor cupsd sandbox bypass due to use of hard links - * Backport upstream fix for: + * Backport upstream fixes for: - CVE-2018-4180 Local Privilege Escalation to Root in dnssd Backend (CUPS_SERVERBIN) - CVE-2018-4181 Limited Local File Reads as Root via cupsd.conf Include Directive - CVE-2018-4182 cups-exec Sandbox Bypass Due to Insecure Error Handling @@ -9,7 +18,7 @@ - CVE-2017-15400: Restrict IPP Everywhere filters to only list supported PDLs to fix CRLF and Code Injection in Printer Zeroconfig - -- Didier Raboud <o...@debian.org> Tue, 03 Jul 2018 07:45:20 +0200 + -- Didier Raboud <o...@debian.org> Wed, 11 Jul 2018 11:29:27 +0200 cups (2.2.1-8+deb9u1) stretch; urgency=low diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm --- cups-2.2.1/debian/.git-dpm 2018-07-03 07:45:20.000000000 +0200 +++ cups-2.2.1/debian/.git-dpm 2018-12-14 13:57:48.000000000 +0100 
@@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -ed0d3345b936ea9d88356965770ddf5eecba46be -ed0d3345b936ea9d88356965770ddf5eecba46be +a40147f12081943df6c85b6b1f4d302633a6995c +a40147f12081943df6c85b6b1f4d302633a6995c a3ed22ee480a278acc27433ecbc16eaa63cf2b2e a3ed22ee480a278acc27433ecbc16eaa63cf2b2e cups_2.2.1.orig.tar.gz diff -Nru cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch --- cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch 1970-01-01 01:00:00.000000000 +0100 +++ cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch 2018-12-14 13:57:46.000000000 +0100 
@@ -0,0 +1,42 @@ +From f083e69ad83bd9445c1c3bfdf6878096ceb54113 Mon Sep 17 00:00:00 2001 +From: Michael Sweet <michael.r.sw...@gmail.com> +Date: Mon, 23 Oct 2017 16:23:43 -0400 +Subject: DBUS notifications could crash the scheduler (Issue #5143) + +- scheduler/ipp.c: Make sure requesting-user-name string is valid UTF-8. + +Fixes: CVE-2017-18248 +--- + scheduler/ipp.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/scheduler/ipp.c b/scheduler/ipp.c +index dde976c72..50f5004b7 100644 +--- a/scheduler/ipp.c ++++ b/scheduler/ipp.c +@@ -1576,6 +1576,16 @@ add_job(cupsd_client_t *con, /* I - Client connection */ + return (NULL); + } + ++ attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME); ++ ++ if (attr && !ippValidateAttribute(attr)) ++ { ++ send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString()); ++ if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL) ++ attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP; ++ return (NULL); ++ } ++ + if ((job = cupsdAddJob(priority, printer->name)) == NULL) + { + send_ipp_status(con, IPP_INTERNAL_ERROR, +@@ -1594,8 +1604,6 @@ add_job(cupsd_client_t *con, /* I - Client connection */ + add_job_uuid(job); + apply_printer_defaults(printer, job); + +- attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME); +- + if (con->username[0]) + { + cupsdSetString(&job->username, con->username); diff -Nru cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch --- cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch 1970-01-01 01:00:00.000000000 +0100 +++ cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch 2018-12-14 13:57:48.000000000 +0100 
@@ -0,0 +1,32 @@ +From a40147f12081943df6c85b6b1f4d302633a6995c Mon Sep 17 00:00:00 2001 +From: Michael R Sweet <michael.r.sw...@gmail.com> +Date: Fri, 7 Dec 2018 12:09:00 -0500 +Subject: CVE-2018-4700: Linux session cookies used a predictable random number + seed. + +--- + cgi-bin/var.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/cgi-bin/var.c b/cgi-bin/var.c +index 6d02e1079..fb879a783 100644 +--- a/cgi-bin/var.c ++++ b/cgi-bin/var.c +@@ -1209,6 +1209,7 @@ cgi_set_sid(void) + const char *remote_addr, /* REMOTE_ADDR */ + *server_name, /* SERVER_NAME */ + *server_port; /* SERVER_PORT */ ++ struct timeval curtime; /* Current time */ + + + if ((remote_addr = getenv("REMOTE_ADDR")) == NULL) +@@ -1218,7 +1219,8 @@ cgi_set_sid(void) + if ((server_port = getenv("SERVER_PORT")) == NULL) + server_port = "SERVER_PORT"; + +- CUPS_SRAND(time(NULL)); ++ gettimeofday(&curtime, NULL); ++ CUPS_SRAND(curtime.tv_sec + curtime.tv_usec); + snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X", + remote_addr, server_name, server_port, + (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255, diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series --- cups-2.2.1/debian/patches/series 2018-07-03 07:45:20.000000000 +0200 +++ cups-2.2.1/debian/patches/series 2018-12-14 13:57:48.000000000 +0100 @@ -49,3 +49,5 @@ 0049-Tweak-the-PDL-priority-Issue-4932.patch 0050-Only-list-supported-PDLs-Issue-4923.patch 0051-Fix-local-privilege-escalation-to-root-and-sandbox-b.patch +0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch +0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
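Review bot: In the debian/changelog hunk of the debdiff, the existing 2.2.1-8+deb9u2 entry is rewritten along with the new stanza: its trailer date changes from "Tue, 03 Jul 2018 07:45:20 +0200" to "Wed, 11 Jul 2018 11:29:27 +0200", and "Backport upstream fix for:" becomes "Backport upstream fixes for:". Please confirm which form of that entry matches the package that was actually uploaded to stretch-security and generate the debdiff against it, so that the stable update only adds the deb9u3 stanza and leaves the published history untouched.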
>From f083e69ad83bd9445c1c3bfdf6878096ceb54113 Mon Sep 17 00:00:00 2001 From: Michael Sweet <michael.r.sw...@gmail.com> Date: Mon, 23 Oct 2017 16:23:43 -0400 Subject: DBUS notifications could crash the scheduler (Issue #5143) - scheduler/ipp.c: Make sure requesting-user-name string is valid UTF-8. Fixes: CVE-2017-18248 --- scheduler/ipp.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/scheduler/ipp.c b/scheduler/ipp.c index dde976c72..50f5004b7 100644 --- a/scheduler/ipp.c +++ b/scheduler/ipp.c @@ -1576,6 +1576,16 @@ add_job(cupsd_client_t *con, /* I - Client connection */ return (NULL); } + attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME); + + if (attr && !ippValidateAttribute(attr)) + { + send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString()); + if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL) + attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP; + return (NULL); + } + if ((job = cupsdAddJob(priority, printer->name)) == NULL) { send_ipp_status(con, IPP_INTERNAL_ERROR, @@ -1594,8 +1604,6 @@ add_job(cupsd_client_t *con, /* I - Client connection */ add_job_uuid(job); apply_printer_defaults(printer, job); - attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME); - if (con->username[0]) { cupsdSetString(&job->username, con->username);
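Review bot: In the second scheduler/ipp.c hunk, the lookup of requesting-user-name on job->attrs is removed, so the code following apply_printer_defaults() now relies on the attr pointer that was obtained from con->request before cupsdAddJob() ran. Please confirm that this pointer still refers to the attribute owned by the job at that point, and consider a one-line comment at the new lookup stating that attr is reused further down. In the error path of the first hunk, attr is overwritten with the result of ippCopyAttribute(); this is harmless because the function returns right after, but a separate local variable would make the intent clearer.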
>From a40147f12081943df6c85b6b1f4d302633a6995c Mon Sep 17 00:00:00 2001 From: Michael R Sweet <michael.r.sw...@gmail.com> Date: Fri, 7 Dec 2018 12:09:00 -0500 Subject: CVE-2018-4700: Linux session cookies used a predictable random number seed. --- cgi-bin/var.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cgi-bin/var.c b/cgi-bin/var.c index 6d02e1079..fb879a783 100644 --- a/cgi-bin/var.c +++ b/cgi-bin/var.c @@ -1209,6 +1209,7 @@ cgi_set_sid(void) const char *remote_addr, /* REMOTE_ADDR */ *server_name, /* SERVER_NAME */ *server_port; /* SERVER_PORT */ + struct timeval curtime; /* Current time */ if ((remote_addr = getenv("REMOTE_ADDR")) == NULL) @@ -1218,7 +1219,8 @@ cgi_set_sid(void) if ((server_port = getenv("SERVER_PORT")) == NULL) server_port = "SERVER_PORT"; - CUPS_SRAND(time(NULL)); + gettimeofday(&curtime, NULL); + CUPS_SRAND(curtime.tv_sec + curtime.tv_usec); snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X", remote_addr, server_name, server_port, (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
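Review bot: In the cgi_set_sid() hunk, the value passed to CUPS_SRAND() is still derived only from the clock: curtime.tv_sec + curtime.tv_usec adds at most 1,000,000 candidate seeds per second, and different (tv_sec, tv_usec) pairs yield the same sum. For a session cookie, the seed, or better the cookie bytes themselves, should come from the kernel's random source (for example getrandom() or /dev/urandom) rather than from gettimeofday(). The hunk also shows no #include being added; please check that cgi-bin/var.c already pulls in <sys/time.h> for gettimeofday() and struct timeval.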