CUPS 2.2.12 is now available and includes security, compatibility, and general bug fixes. Changes include:

- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251)
- The cupsctl command now prevents setting "cups-files.conf" directives (Issue #5530)
- Updated the systemd service file for cupsd (Issue #5551)
- The cupsCheckDestSupported function did not check octetString values correctly (Issue #5557)
- The scheduler did not encode octetString values like "job-password" correctly for the print filters (Issue #5558)
- Restored minimal support for the Emulators keyword in PPD files to allow old Samsung printer drivers to continue to work (Issue #5562)
- Timed out job submission now yields an error (Issue #5570)
- The footer in the web interface covered some content on small displays (Issue #5574)
- The libusb-based USB backend now enforces read limits, improving print speed in many cases (Issue #5583)
- Fixed some compatibility issues with old releases of CUPS (Issue #5587)
- Fixed a bug in the scheduler job cleanup code (Issue #5588)
- "make" failed with GZIP options (Issue #5595)
- Added FIPS-140 workarounds for GNU TLS (Issue #5601, Issue #5622)
- The scheduler no longer provides a default value for the description (Issue #5603)
- The lpadmin command did not always update the PPD file for changes to the cupsIPPSupplies and cupsSNMPSupplies keywords (Issue #5610)
- The scheduler now uses both the group's membership list as well as the various OS-specific membership functions to determine whether a user belongs to a named group (Issue #5613)
- Added USB quirks rule for HP LaserJet 1015 (Issue #5617)
- Fixed some PPD parser issues (Issue #5623, Issue #5624)
- The IPP parser no longer allows invalid member attributes in collections (Issue #5630)
- Fixed IPP buffer overflow (rdar://50035411)
- Fixed memory disclosure issue in the scheduler (rdar://51373853)
- Fixed DoS issues in the scheduler (rdar://51373929)
- The scheduler would restart continuously when idle and printers were not shared (rdar://52561199)
- Fixed a command ordering issue in the Zebra ZPL driver.
- Fixed a memory leak in ppdOpen.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=676d2274d0ae6e4cddd4597c553db76f5184b08e

commit 676d2274d0ae6e4cddd4597c553db76f5184b08e
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-08-16 18:06:30 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-08-16 18:06:52 +0000

net-print/cups: Security bump to version 2.2.12

Bug: https://bugs.gentoo.org/692300
Package-Manager: Portage-2.3.71, Repoman-2.3.17
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

net-print/cups/Manifest | 1 +
net-print/cups/cups-2.2.12.ebuild | 339 ++++++++++++++++++++++++++++++++++++++
2 files changed, 340 insertions(+)
arm64 stable
sparc stable
amd64 stable
ppc stable
ppc64 stable
x86 stable
hppa stable
ia64 stable
alpha stable
arm stable
s390 stable
@maintainer, please drop vulnerable.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5983cc09eade48687c10dd3241c946d899369a43

commit 5983cc09eade48687c10dd3241c946d899369a43
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-09-03 07:51:15 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-09-03 07:51:15 +0000

net-print/cups: Security cleanup

Bug: https://bugs.gentoo.org/692300
Package-Manager: Portage-2.3.75, Repoman-2.3.17
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

net-print/cups/Manifest | 1 -
net-print/cups/cups-2.2.11.ebuild | 336 -------------------------
net-print/cups/files/cups-2.3_rc1-no_pam.patch | 164 ------------
3 files changed, 501 deletions(-)
(In reply to Larry the Git Cow from comment #14)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5983cc09eade48687c10dd3241c946d899369a43
>
> commit 5983cc09eade48687c10dd3241c946d899369a43
> Author: Lars Wendler <polynomial-c@gentoo.org>
> AuthorDate: 2019-09-03 07:51:15 +0000
> Commit: Lars Wendler <polynomial-c@gentoo.org>
> CommitDate: 2019-09-03 07:51:15 +0000
>
> net-print/cups: Security cleanup
>
> Bug: https://bugs.gentoo.org/692300
> Package-Manager: Portage-2.3.75, Repoman-2.3.17
> Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
>
> net-print/cups/Manifest | 1 -
> net-print/cups/cups-2.2.11.ebuild | 336 -------------------------
> net-print/cups/files/cups-2.3_rc1-no_pam.patch | 164 ------------
> 3 files changed, 501 deletions(-)

Thanks, Lars!