Hi again,
Next in line: cups. Two fairly simple patches and this time the test
suite passes without a fuss, provided that the local hostname resolves
within the chroot. ;)
Packages, as usual, are available here, signed by me:
https://people.debian.org/~anarcat/debian/jessie-lts/
Debdiff also available above and attached.
A.
--
Arguing for surveillance because you have nothing to hide is no
different than making the claim, "I don't care about freedom of speech
because I have nothing to say."
- Edward Snowden
diff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog 2017-07-21 08:44:00.000000000 -0400
+++ cups-1.7.5/debian/changelog 2018-06-07 09:23:48.000000000 -0400
@@ -1,3 +1,11 @@
+cups (1.7.5-11+deb8u3) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2017-18190: fix remote code execution through DNS rebinding
+ * CVE-2017-18248: fix remote crash through invalid username
+
+ -- Antoine Beaupré <anar...@debian.org> Thu, 07 Jun 2018 09:23:48 -0400
+
cups (1.7.5-11+deb8u2) jessie; urgency=high
* Disable SSLv3 and RC4 by default to address POODLE vulnerability
diff -Nru cups-1.7.5/debian/patches/CVE-2017-18190-0476c41.patch cups-1.7.5/debian/patches/CVE-2017-18190-0476c41.patch
--- cups-1.7.5/debian/patches/CVE-2017-18190-0476c41.patch 1969-12-31 19:00:00.000000000 -0500
+++ cups-1.7.5/debian/patches/CVE-2017-18190-0476c41.patch 2018-06-07 09:21:42.000000000 -0400
@@ -0,0 +1,24 @@
+From afa80cb2b457bf8d64f775bed307588610476c41 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michaelrsw...@gmail.com>
+Date: Tue, 3 Jan 2017 13:52:47 -0500
+Subject: [PATCH] Don't treat "localhost.localdomain" as an allowed replacement
+ for localhost, since it isn't.
+
+---
+ scheduler/client.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+Index: b/scheduler/client.c
+===================================================================
+--- a/scheduler/client.c 2018-06-07 09:21:37.599660741 -0400
++++ b/scheduler/client.c 2018-06-07 09:21:37.599660741 -0400
+@@ -4220,9 +4220,6 @@ valid_host(cupsd_client_t *con) /* I -
+
+ return (!_cups_strcasecmp(con->clientname, "localhost") ||
+ !_cups_strcasecmp(con->clientname, "localhost.") ||
+-#ifdef __linux
+- !_cups_strcasecmp(con->clientname, "localhost.localdomain") ||
+-#endif /* __linux */
+ !strcmp(con->clientname, "127.0.0.1") ||
+ !strcmp(con->clientname, "[::1]"));
+ }
diff -Nru cups-1.7.5/debian/patches/CVE-2017-18248-6007df3.patch cups-1.7.5/debian/patches/CVE-2017-18248-6007df3.patch
--- cups-1.7.5/debian/patches/CVE-2017-18248-6007df3.patch 1969-12-31 19:00:00.000000000 -0500
+++ cups-1.7.5/debian/patches/CVE-2017-18248-6007df3.patch 2018-06-07 09:23:48.000000000 -0400
@@ -0,0 +1,41 @@
+From 49fa4983f25b64ec29d548ffa3b9782426007df3 Mon Sep 17 00:00:00 2001
+From: Michael Sweet <michael.r.sw...@gmail.com>
+Date: Mon, 23 Oct 2017 16:23:43 -0400
+Subject: [PATCH] DBUS notifications could crash the scheduler (Issue #5143)
+
+- scheduler/ipp.c: Make sure requesting-user-name string is valid UTF-8.
+---
+ CHANGES.md | 5 +++--
+ scheduler/ipp.c | 12 ++++++++++--
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+Index: b/scheduler/ipp.c
+===================================================================
+--- a/scheduler/ipp.c 2018-06-07 09:27:21.594226134 -0400
++++ b/scheduler/ipp.c 2018-06-07 09:27:21.590226104 -0400
+@@ -1551,6 +1551,16 @@ add_job(cupsd_client_t *con, /* I - Cl
+ return (NULL);
+ }
+
++ attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
++
++ if (attr && !ippValidateAttribute(attr))
++ {
++ send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString());
++ if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
++ attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
++ return (NULL);
++ }
++
+ if ((job = cupsdAddJob(priority, printer->name)) == NULL)
+ {
+ send_ipp_status(con, IPP_INTERNAL_ERROR,
+@@ -1569,8 +1579,6 @@ add_job(cupsd_client_t *con, /* I - Cl
+ add_job_uuid(job);
+ apply_printer_defaults(printer, job);
+
+- attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME);
+-
+ if (con->username[0])
+ {
+ cupsdSetString(&job->username, con->username);
diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series
--- cups-1.7.5/debian/patches/series 2017-07-21 07:32:05.000000000 -0400
+++ cups-1.7.5/debian/patches/series 2018-06-07 09:23:48.000000000 -0400
@@ -66,3 +66,5 @@
# po4a might not be appropriate. It also needs to be high on the patch
# queue to catch all Debian-specific changes
manpage-translations.patch
+CVE-2017-18248-6007df3.patch
+CVE-2017-18190-0476c41.patch
