--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: bullseye-pu: cups/2.3.3op2-3+deb11u3
- From: Thorsten Alteholz <debian@alteholz.de>
- Date: Sat, 24 Jun 2023 21:40:34 +0000 (UTC)
- Message-id: <alpine.DEB.2.21.2306242139270.30171@postfach.intern.alteholz.me>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
The attached debdiff for cups fixes CVE-2023-32324 and CVE-2023-34241 in
Bullseye. Both CVE have been marked as no-dsa by the security team.
The same fixes have been already uploaded to Unstable and nobody
complained yet.
Thorsten
diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog 2022-05-23 22:03:02.000000000 +0200
+++ cups-2.3.3op2/debian/changelog 2023-06-24 10:54:05.000000000 +0200
@@ -1,3 +1,14 @@
+cups (2.3.3op2-3+deb11u3) bullseye; urgency=medium
+
+ * CVE-2023-34241 (Closes: #1038885)
+ use-after-free in cupsdAcceptClient()
+
+ * CVE-2023-32324
+ A heap buffer overflow vulnerability would allow a remote attacker to
+ lauch a dos attack.
+
+ -- Thorsten Alteholz <debian@alteholz.de> Sat, 24 Jun 2023 10:54:05 +0200
+
cups (2.3.3op2-3+deb11u2) bullseye-security; urgency=high
* CVE-2022-26691
diff -Nru cups-2.3.3op2/debian/patches/0017-CVE-2023-32324.patch cups-2.3.3op2/debian/patches/0017-CVE-2023-32324.patch
--- cups-2.3.3op2/debian/patches/0017-CVE-2023-32324.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-2.3.3op2/debian/patches/0017-CVE-2023-32324.patch 2023-06-24 10:54:05.000000000 +0200
@@ -0,0 +1,29 @@
+From: Thorsten Alteholz <debian@alteholz.de>
+Date: Wed, 31 May 2023 23:20:58 +0200
+Subject: CVE-2023-32324
+
+---
+ cups/string.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/cups/string.c b/cups/string.c
+index 93cdad1..1f81d60 100644
+--- a/cups/string.c
++++ b/cups/string.c
+@@ -1,6 +1,7 @@
+ /*
+ * String functions for CUPS.
+ *
++ * Copyright © 2023 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products.
+ *
+@@ -729,6 +730,8 @@ _cups_strlcpy(char *dst, /* O - Destination string */
+ {
+ size_t srclen; /* Length of source string */
+
++ if (size == 0)
++ return (0);
+
+ /*
+ * Figure out how much room is needed...
diff -Nru cups-2.3.3op2/debian/patches/0018-CVE-2023-34241.patch cups-2.3.3op2/debian/patches/0018-CVE-2023-34241.patch
--- cups-2.3.3op2/debian/patches/0018-CVE-2023-34241.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-2.3.3op2/debian/patches/0018-CVE-2023-34241.patch 2023-06-24 10:54:05.000000000 +0200
@@ -0,0 +1,57 @@
+From: Thorsten Alteholz <debian@alteholz.de>
+Date: Sat, 24 Jun 2023 19:51:21 +0200
+Subject: CVE-2023-34241
+
+---
+ scheduler/client.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 9730eea..48e19b9 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -192,13 +192,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ /*
+ * Can't have an unresolved IP address with double-lookups enabled...
+ */
+-
+- httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+- "Name lookup failed - connection from %s closed!",
++ "Name lookup failed - closing connection from %s!",
+ httpGetHostname(con->http, NULL, 0));
+
++ httpClose(con->http);
+ free(con);
+ return;
+ }
+@@ -234,11 +232,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ * with double-lookups enabled...
+ */
+
+- httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+- "IP lookup failed - connection from %s closed!",
++ "IP lookup failed - closing connection from %s!",
+ httpGetHostname(con->http, NULL, 0));
++
++ httpClose(con->http);
+ free(con);
+ return;
+ }
+@@ -255,11 +253,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+
+ if (!hosts_access(&wrap_req))
+ {
+- httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+ "Connection from %s refused by /etc/hosts.allow and "
+ "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
++
++ httpClose(con->http);
+ free(con);
+ return;
+ }
diff -Nru cups-2.3.3op2/debian/patches/series cups-2.3.3op2/debian/patches/series
--- cups-2.3.3op2/debian/patches/series 2022-05-23 22:03:02.000000000 +0200
+++ cups-2.3.3op2/debian/patches/series 2023-06-24 10:54:05.000000000 +0200
@@ -14,3 +14,5 @@
0014-Debian-Reproducibility-Run-testlang-for-each-provide.patch
0015-Debian-po4a-infrastructure-and-translations-for-manp.patch
0016-Fix-certificate-comparison-CVE-2022-26691.patch
+0017-CVE-2023-32324.patch
+0018-CVE-2023-34241.patch
--- End Message ---