Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

CVE-2020-3898 and CVE-2019-8842 got fixed in unstable and pending for stable (#958814), after coordinated disclosure. I'd like to fix these in an oldstable upload too:

cups (2.2.1-8+deb9u6) stretch; urgency=medium

  * Backport upstream security fixes:
    - CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption()
      function in ppd-mark.c
    - CVE-2019-8842: The `ippReadIO` function may under-read an extension
      field

 -- Didier Raboud <o...@debian.org>  Mon, 27 Apr 2020 08:50:13 +0200

Debdiff and direct patches attached.

Regards,
OdyX

-- System Information:
Debian Release: bullseye/sid
  APT prefers buildd-unstable
  APT policy: (990, 'buildd-unstable'), (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog --- cups-2.2.1/debian/changelog 2020-01-19 09:53:03.000000000 +0100 +++ cups-2.2.1/debian/changelog 2020-04-27 08:50:13.000000000 +0200 @@ -1,3 +1,13 @@ +cups (2.2.1-8+deb9u6) stretch; urgency=medium + + * Backport upstream security fixes: + - CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption() + function in ppd-mark.c + - CVE-2019-8842: The `ippReadIO` function may under-read an extension + field + + -- Didier Raboud <o...@debian.org> Mon, 27 Apr 2020 08:50:13 +0200 + cups (2.2.1-8+deb9u5) stretch; urgency=medium * Backport upstream security fix: diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm --- cups-2.2.1/debian/.git-dpm 2020-01-19 09:53:03.000000000 +0100 +++ cups-2.2.1/debian/.git-dpm 2020-04-27 08:49:57.000000000 +0200 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -44f7d84856de97443c6785cd9ab9c6915224b7a2 -44f7d84856de97443c6785cd9ab9c6915224b7a2 +70cf04f3bfe8b7387f3c45c27cf7b48fb7959614 +70cf04f3bfe8b7387f3c45c27cf7b48fb7959614 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e a3ed22ee480a278acc27433ecbc16eaa63cf2b2e cups_2.2.1.orig.tar.gz diff -Nru cups-2.2.1/debian/patches/0056-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch cups-2.2.1/debian/patches/0056-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch --- cups-2.2.1/debian/patches/0056-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch 1970-01-01 01:00:00.000000000 +0100 +++ cups-2.2.1/debian/patches/0056-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch 2020-04-27 08:49:57.000000000 +0200 
@@ -0,0 +1,56 @@ +From 8d851ace388e2f272770ec4dec361b2ae7007ea4 Mon Sep 17 00:00:00 2001 +From: Stephan Zeisberg <stephan.zeisb...@splone.com> +Date: Fri, 10 Apr 2020 17:14:34 +0200 +Subject: =?UTF-8?q?CVE-2020-3898=20-=20heap-buffer-overflow=20in=20libcups?= + =?UTF-8?q?=E2=80=99s=20ppdFindOption()=20function=20in=20ppd-mark.c?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--- + cups/ppd.c | 3 +-- + ppdc/ppdc-source.cxx | 14 ++++++++------ + 2 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/cups/ppd.c b/cups/ppd.c +index 44a22c5cb..b806b22a5 100644 +--- a/cups/ppd.c ++++ b/cups/ppd.c +@@ -1737,8 +1737,7 @@ _ppdOpen( + constraint->choice1, constraint->option2, + constraint->choice2)) + { +- case 0 : /* Error */ +- case 1 : /* Error */ ++ default : /* Error */ + pg->ppd_status = PPD_BAD_UI_CONSTRAINTS; + goto error; + +diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx +index 27f5c342d..47bce26c3 100644 +--- a/ppdc/ppdc-source.cxx ++++ b/ppdc/ppdc-source.cxx +@@ -1746,15 +1746,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to read + + switch (sscanf(name, "%dx%d", &xdpi, &ydpi)) + { +- case 0 : +- _cupsLangPrintf(stderr, +- _("ppdc: Bad resolution name \"%s\" on line %d of " +- "%s."), name, fp->line, fp->filename); +- break; + case 1 : + ydpi = xdpi; + break; +- } ++ case 2 : ++ break; ++ default : ++ _cupsLangPrintf(stderr, ++ _("ppdc: Bad resolution name \"%s\" on line %d of " ++ "%s."), name, fp->line, fp->filename); ++ break; ++} + + // Create the necessary PS commands... 
+ snprintf(command, sizeof(command), diff -Nru cups-2.2.1/debian/patches/0057-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch cups-2.2.1/debian/patches/0057-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch --- cups-2.2.1/debian/patches/0057-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch 1970-01-01 01:00:00.000000000 +0100 +++ cups-2.2.1/debian/patches/0057-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch 2020-04-27 08:49:57.000000000 +0200 @@ -0,0 +1,23 @@ +From 70cf04f3bfe8b7387f3c45c27cf7b48fb7959614 Mon Sep 17 00:00:00 2001 +From: Didier Raboud <o...@debian.org> +Date: Sat, 25 Apr 2020 16:02:12 +0200 +Subject: CVE-2019-8842: The `ippReadIO` function may under-read an extension + field + +--- + cups/ipp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cups/ipp.c b/cups/ipp.c +index 8840a1d09..f2d27f78a 100644 +--- a/cups/ipp.c ++++ b/cups/ipp.c +@@ -3131,7 +3131,7 @@ ippReadIO(void *src, /* I - Data source */ + * Read 32-bit "extension" tag... + */ + +- if ((*cb)(src, buffer, 4) < 1) ++ if ((*cb)(src, buffer, 4) < 4) + { + DEBUG_puts("1ippReadIO: Callback returned EOF/error"); + _cupsBufferRelease((char *)buffer); diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series --- cups-2.2.1/debian/patches/series 2020-01-19 09:53:03.000000000 +0100 +++ cups-2.2.1/debian/patches/series 2020-04-27 08:49:57.000000000 +0200 @@ -53,3 +53,5 @@ 0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch 0054-Fix-multiple-security-disclosure-issues.patch 0055-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch +0056-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch +0057-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
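Review bot: The changelog entry and the 0056 patch subject both describe CVE-2020-3898 as an overflow in ppdFindOption() in ppd-mark.c, but the diffstat shows the backport touching only cups/ppd.c and ppdc/ppdc-source.cxx, and the patch header goes straight from Subject to the diffstat with no description. A short description paragraph in the 0056 header explaining why the fix lands in _ppdOpen() and ppdcSource::get_resolution() rather than in ppd-mark.c would make the oldstable upload easier to audit against the CVE text.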
>From 8d851ace388e2f272770ec4dec361b2ae7007ea4 Mon Sep 17 00:00:00 2001 From: Stephan Zeisberg <stephan.zeisb...@splone.com> Date: Fri, 10 Apr 2020 17:14:34 +0200 Subject: =?UTF-8?q?CVE-2020-3898=20-=20heap-buffer-overflow=20in=20libcups?= =?UTF-8?q?=E2=80=99s=20ppdFindOption()=20function=20in=20ppd-mark.c?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cups/ppd.c | 3 +-- ppdc/ppdc-source.cxx | 14 ++++++++------ 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/cups/ppd.c b/cups/ppd.c index 44a22c5cb..b806b22a5 100644 --- a/cups/ppd.c +++ b/cups/ppd.c @@ -1737,8 +1737,7 @@ _ppdOpen( constraint->choice1, constraint->option2, constraint->choice2)) { - case 0 : /* Error */ - case 1 : /* Error */ + default : /* Error */ pg->ppd_status = PPD_BAD_UI_CONSTRAINTS; goto error; diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx index 27f5c342d..47bce26c3 100644 --- a/ppdc/ppdc-source.cxx +++ b/ppdc/ppdc-source.cxx @@ -1746,15 +1746,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to read switch (sscanf(name, "%dx%d", &xdpi, &ydpi)) { - case 0 : - _cupsLangPrintf(stderr, - _("ppdc: Bad resolution name \"%s\" on line %d of " - "%s."), name, fp->line, fp->filename); - break; case 1 : ydpi = xdpi; break; - } + case 2 : + break; + default : + _cupsLangPrintf(stderr, + _("ppdc: Bad resolution name \"%s\" on line %d of " + "%s."), name, fp->line, fp->filename); + break; +} // Create the necessary PS commands... snprintf(command, sizeof(command),
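Review bot: In the ppdc/ppdc-source.cxx hunk, the new `default :` branch only prints "Bad resolution name" and then hits `break;`, so execution still reaches the `snprintf(command, sizeof(command),` that follows the switch. sscanf() returns EOF on empty input as well as 0 on a mismatch, and both now land in this branch with xdpi and ydpi never assigned by the parse; unless they are initialised above the visible context, the default branch should set safe values or return before the PS command is built. The closing `- }` / `+}` pair also looks like a whitespace-only change to the brace, which could be left out to keep the backport minimal.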
>From 70cf04f3bfe8b7387f3c45c27cf7b48fb7959614 Mon Sep 17 00:00:00 2001 From: Didier Raboud <o...@debian.org> Date: Sat, 25 Apr 2020 16:02:12 +0200 Subject: CVE-2019-8842: The `ippReadIO` function may under-read an extension field --- cups/ipp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cups/ipp.c b/cups/ipp.c index 8840a1d09..f2d27f78a 100644 --- a/cups/ipp.c +++ b/cups/ipp.c @@ -3131,7 +3131,7 @@ ippReadIO(void *src, /* I - Data source */ * Read 32-bit "extension" tag... */ - if ((*cb)(src, buffer, 4) < 1) + if ((*cb)(src, buffer, 4) < 4) { DEBUG_puts("1ippReadIO: Callback returned EOF/error"); _cupsBufferRelease((char *)buffer);
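Review bot: In the cups/ipp.c hunk, the check `(*cb)(src, buffer, 4) < 4` now also rejects a callback that returns 1 to 3 bytes, but the DEBUG_puts text on that path still reads "Callback returned EOF/error". A short read is neither of those, so the debug message should name it (for example "short read of extension tag"), and a comment above the comparison stating that the callback is expected to deliver all 4 bytes in a single call would document the assumption the new test relies on.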