
Bug#946782: marked as done (cups: CVE-2019-2228)



Your message dated Mon, 20 Jan 2020 23:18:08 +0000
with message-id <E1itgJ6-000EIu-Pj@fasolo.debian.org>
and subject line Bug#946782: fixed in cups 2.2.1-8+deb9u5
has caused the Debian Bug report #946782,
regarding cups: CVE-2019-2228
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
946782: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946782
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: cups
Version: 2.3.0-7
Severity: important
Tags: security upstream
Control: found -1 2.2.10-6+deb10u1
Control: found -1 2.2.1-8+deb9u2
Control: found -1 2.2.1-8+deb9u4
Control: found -1 2.2.1-8

Hi,

The following vulnerability was published for cups.

CVE-2019-2228[0]:
| In array_find of array.c, there is a possible out-of-bounds read due
| to an incorrect bounds check. This could lead to local information
| disclosure in the printer spooler with no additional execution
| privileges needed. User interaction is not needed for
| exploitation. Product: Android. Versions: Android-8.0 Android-8.1
| Android-9 Android-10. Android ID: A-111210196


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-2228
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2228

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.3.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: cups
Source-Version: 2.2.1-8+deb9u5

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 946782@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 19 Jan 2020 09:53:03 +0100
Source: cups
Architecture: source
Version: 2.2.1-8+deb9u5
Distribution: stretch
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Closes: 946782
Changes:
 cups (2.2.1-8+deb9u5) stretch; urgency=medium
 .
   * Backport upstream security fix:
     - CVE-2019-2228: The `ippSetValuetag` function did not validate the
       default language value (Closes: #946782)
Checksums-Sha1:
 8e07a9d90eeeb71aa38dcf1325a9ba5b955dd2cd 3598 cups_2.2.1-8+deb9u5.dsc
 7ba9070d7da0123ae04f0acbce8816c308268ca4 367464 cups_2.2.1-8+deb9u5.debian.tar.xz
 5e8156e68cfae6ffd69f7ab2957de87fba39ac8b 9821 cups_2.2.1-8+deb9u5_source.buildinfo
Checksums-Sha256:
 7a471a36532fd5483c580e81cef94ff7a84835a1875dc27ac3a976e15221fe8b 3598 cups_2.2.1-8+deb9u5.dsc
 85c28a1c9b85d067d3df40563159a078810eea9dfc6b096eaa15e8dae7c600cb 367464 cups_2.2.1-8+deb9u5.debian.tar.xz
 56983d01cb9e03eeb2b4c99639d620c5136103a594d593d42b35e6622996b0c7 9821 cups_2.2.1-8+deb9u5_source.buildinfo
Files:
 cedc24512cf57559c22f7c0c234bd9aa 3598 net optional cups_2.2.1-8+deb9u5.dsc
 69f11792be18ca87411a3e5e7ebef22c 367464 net optional cups_2.2.1-8+deb9u5.debian.tar.xz
 5e232e302a44ba4f8c39b9c494b7a60d 9821 net optional cups_2.2.1-8+deb9u5_source.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
