Bug#1073518: marked as done (bookworm-pu: cups/2.4.2-3+deb12u6)

Sat, 31 Aug 2024 04:41:06 -0700 

Your message dated Sat, 31 Aug 2024 12:34:14 +0100
with message-id 
<9e3e8b8cd0db3b52d4adb2cfad04baa007c8e3e8.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 12.7
has caused the Debian Bug report #1073518,
regarding bookworm-pu: cups/2.4.2-3+deb12u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1073518: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073518
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
The attached debdiff for cups fixes CVE-2024-35235 in Bookworm. The CVE has been marked as no-dsa by the security team. The same patch has been already uploaded to unstable. 

  Thorsten
diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-12-01 20:35:27.000000000 +0100
+++ cups-2.4.2/debian/changelog 2024-06-11 19:32:57.000000000 +0200
@@ -1,3 +1,10 @@
+cups (2.4.2-3+deb12u6) bookworm; urgency=medium
+
+  * CVE-2024-35235 (Closes: #1073002)
+    fix domain socket handling
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Tue, 11 Jun 2024 22:16:49 +0200
+
 cups (2.4.2-3+deb12u5) bookworm; urgency=medium
 
   * 0017-check-colormodel-also-for-CMYK.patch
diff -Nru cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch 
cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch
--- cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch 1970-01-01 
01:00:00.000000000 +0100
+++ cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch 2024-06-11 
13:11:25.000000000 +0200
@@ -0,0 +1,108 @@
+commit 2f87c46b719e6edf0b6900e5eb307b7154e183e8
+Author: Zdenek Dohnal <zdoh...@redhat.com>
+Date:   Mon Jun 3 18:53:58 2024 +0200
+
+    Fix domain socket handling
+    
+    - Check status of unlink and bind system calls.
+    - Don't allow extra domain sockets when running from launchd/systemd.
+    - Validate length of domain socket path (< sizeof(sun_path))
+    
+    Fixes CVE-2024-35235, written by Mike Sweet
+
+Index: cups-2.4.2/cups/http-addr.c
+===================================================================
+--- cups-2.4.2.orig/cups/http-addr.c   2024-06-11 13:11:20.465733904 +0200
++++ cups-2.4.2/cups/http-addr.c        2024-06-11 13:11:20.465733904 +0200
+@@ -1,6 +1,7 @@
+ /*
+  * HTTP address routines for CUPS.
+  *
++ * Copyright © 2023-2024 by OpenPrinting
+  * Copyright © 2007-2021 by Apple Inc.
+  * Copyright © 1997-2006 by Easy Software Products, all rights reserved.
+  *
+@@ -206,27 +207,31 @@
+     * Remove any existing domain socket file...
+     */
+ 
+-    unlink(addr->un.sun_path);
+-
+-   /*
+-    * Save the current umask and set it to 0 so that all users can access
+-    * the domain socket...
+-    */
+-
+-    mask = umask(0);
+-
+-   /*
+-    * Bind the domain socket...
+-    */
+-
+-    status = bind(fd, (struct sockaddr *)addr, 
(socklen_t)httpAddrLength(addr));
+-
+-   /*
+-    * Restore the umask and fix permissions...
+-    */
+-
+-    umask(mask);
+-    chmod(addr->un.sun_path, 0140777);
++    if ((status = unlink(addr->un.sun_path)) < 0)
++    {
++      DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", 
addr->un.sun_path, strerror(errno)));
++
++      if (errno == ENOENT)
++       status = 0;
++    }
++
++
++    if (!status)
++    {
++      // Save the current umask and set it to 0 so that all users can access
++      // the domain socket...
++      mask = umask(0);
++
++
++      // Bind the domain socket...
++      if ((status = bind(fd, (struct sockaddr *)addr, 
(socklen_t)httpAddrLength(addr))) < 0)
++      {
++       DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": 
%s", addr->un.sun_path, strerror(errno)));
++      }
++
++      // Restore the umask...
++      umask(mask);
++    }
+   }
+   else
+ #endif /* AF_LOCAL */
+Index: cups-2.4.2/scheduler/conf.c
+===================================================================
+--- cups-2.4.2.orig/scheduler/conf.c   2024-06-11 13:11:20.465733904 +0200
++++ cups-2.4.2/scheduler/conf.c        2024-06-11 13:11:20.465733904 +0200
+@@ -3077,6 +3077,26 @@
+ 
+ 
+      /*
++      * If we are launched on-demand, do not use domain sockets from the 
config
++      * file.  Also check that the domain socket path is not too long...
++      */
++
++#ifdef HAVE_ONDEMAND
++      if (*value == '/' && OnDemand)
++      {
++        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d 
- only using domain socket from launchd/systemd.", line, value, linenum);
++        continue;
++      }
++#endif // HAVE_ONDEMAND
++
++      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 
1))
++      {
++        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - 
too long.", line, value, linenum);
++        continue;
++      }
++
++     /*
+       * Get the address list...
+       */
+ 
diff -Nru cups-2.4.2/debian/patches/series cups-2.4.2/debian/patches/series
--- cups-2.4.2/debian/patches/series    2023-12-01 20:35:27.000000000 +0100
+++ cups-2.4.2/debian/patches/series    2024-06-11 13:11:18.000000000 +0200
@@ -16,3 +16,4 @@
 0016-CVE-2023-32360.patch
 0017-check-colormodel-also-for-CMYK.patch
 0018-dont-override-color-settings-from-print-dialoag.patch
+0019-CVE-2024-35235.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 12.7

Hi,

Each of these bugs relates to an update including in today's bookworm
12.7 point release.

Regards,

Adam

--- End Message ---

Reply via email to