This whole thing has been a mess, so please bear with us as we figure out which issue is in which package.
Writeup is at https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7fa423265b666d24d4a9acf27030cf701fb4976

commit f7fa423265b666d24d4a9acf27030cf701fb4976
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 21:10:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 21:11:20 +0000

    net-print/cups: backport PPD validation fixes

    These fixes are in net-print/cups itself, which was not actually referenced
    in the 4 CVEs in the CUPS writeup mentioned in bug 940312. But they're also
    the only patches available right now, and they're clearly related, so let's
    pull them in as others are doing too.

    Specifically, it pulls in the following from the 2.4.x branch:
    * 313c388dbc023bbcb75d1efed800d0cfc992a6cc
    * 9939a70b750edd9d05270060cc5cf62ca98cfbe5
    * 04bb2af4521b56c1699a2c2431c56c05a7102e69
    * e0630cd18f76340d302000f2bf6516e99602b844
    * 1e6ca5913eceee906038bc04cc7ccfbe2923bdfd
    * 2abe1ba8a66864aa82cd9836b37e57103b8e1a3b

    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/cups/Manifest              |   1 +
 net-print/cups/cups-2.4.10-r1.ebuild | 322 +++++++++++++++++++++++++++++++++++
 2 files changed, 323 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=514b7f9c5f97a92ad3e9c4321db99e8fc4cd14a2

commit 514b7f9c5f97a92ad3e9c4321db99e8fc4cd14a2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 21:19:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 21:20:22 +0000

    net-print/cups-browsed: add 2.0.1

    Also, include a mitigation for CVE-2024-47176 (bug #940311) by copying
    the effects of upstream commit 1debe6b140c37e0aa928559add4abcc95ce54aa2,
    i.e. drop 'cups' from --with-browseremoteprotocols=...

    (Also, while here, change the casing to match the upstream configure script.)

    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/cups-browsed/Manifest                  |  1 +
 net-print/cups-browsed/cups-browsed-2.0.1.ebuild | 79 ++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
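
The commit above only changes the compiled-in default for the remote browse protocols; a local cups-browsed.conf can still list 'cups' explicitly. The following is an added example, not code from Gentoo or OpenPrinting, that reports the list in effect. It assumes the `BrowseRemoteProtocols` and `BrowseProtocols` directives of cups-browsed.conf, that a later directive overrides an earlier one, and that the build default is supplied by the caller; the function names and sample file are hypothetical.

```shell
#!/bin/sh
# Added example: does cups-browsed still accept legacy CUPS browsing ("cups")?

# effective_remote_protocols FILE BUILD_DEFAULT
# Prints the remote protocol list in effect (lower-cased).
# Assumptions: a later directive overrides an earlier one, BrowseProtocols
# also sets the remote list, and BUILD_DEFAULT is what the package was
# configured with (--with-browseremoteprotocols=...).
effective_remote_protocols() {
    conf=$1
    build_default=$2
    # No readable config: only the compiled-in default applies.
    [ -r "$conf" ] || { printf '%s\n' "$build_default" | tr 'A-Z' 'a-z'; return 0; }
    awk -v def="$build_default" '
        { sub(/#.*/, "") }            # strip comments, re-split fields
        NF == 0 { next }              # skip blank and comment-only lines
        {
            key = tolower($1)
            if (key == "browseremoteprotocols" || key == "browseprotocols") {
                $1 = ""; sub(/^[ \t]+/, "")
                val = tolower($0); seen = 1
            }
        }
        END { print (seen ? val : tolower(def)) }
    ' "$conf"
}

# legacy_cups_enabled FILE BUILD_DEFAULT
# Returns 0 when "cups" is in the effective list, 1 otherwise.
legacy_cups_enabled() {
    for proto in $(effective_remote_protocols "$1" "$2"); do
        [ "$proto" = "cups" ] && return 0
    done
    return 1
}

# Constructed sample config (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# cups-browsed.conf (constructed sample)
BrowseRemoteProtocols dnssd cups
EOF
if legacy_cups_enabled "$sample" "dnssd"; then
    echo "legacy CUPS browsing enabled: $(effective_remote_protocols "$sample" dnssd)"
fi
rm -f "$sample"
```

On a real system, pass the installed config path and the default the package was built with; a rebuilt package with 'cups' dropped from the default does not override an explicit directive in the file.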
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7eba3af91f1fd96ebb7491890479e7aef6c649ac

commit 7eba3af91f1fd96ebb7491890479e7aef6c649ac
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 21:32:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 21:34:07 +0000

    net-print/libppd: add 2.1_beta1

    Note that while this is technically a beta, it was a better option than
    backporting patches to 2.0.0 because the relevant upstream commit didn't
    apply cleanly (d681747ebf12602cb426725eb8ce2753211e2477) and there's various
    mostly bug fixes between 2.0.0 and 2.1_beta1. The only new feature is adding
    libcups-3 support which should be harmless.

    i.e. The delta between 2.0.0 and 2.1_beta1 is almost entirely, modulo libcups-3
    support, stuff we would want to backport anyway (obvious and trivial bug fixes).

    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/libppd/Manifest                |  1 +
 net-print/libppd/libppd-2.1_beta1.ebuild | 54 ++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec56d5dd8051dcfb81e1496248a78b260fe20f64

commit ec56d5dd8051dcfb81e1496248a78b260fe20f64
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 22:05:20 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 22:06:06 +0000

    net-print/libppd: add CVE-2024-47175 patch

    I left this out when rebasing on the beta.

    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Fixes: 7eba3af91f1fd96ebb7491890479e7aef6c649ac
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/libppd-2.1_beta1-CVE-2024-47175.patch    | 560 +++++++++++++++++++++
 net-print/libppd/libppd-2.1_beta1-r1.ebuild        |  58 +++
 2 files changed, 618 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=429f7f1f7ec1dd9e83c4b556e829f95f9e8c50f4

commit 429f7f1f7ec1dd9e83c4b556e829f95f9e8c50f4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 22:12:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 22:12:07 +0000

    net-print/libcupsfilters: add 2.1_beta1

    Similar rationale to 7eba3af91f1fd96ebb7491890479e7aef6c649ac in terms
    of why a beta.

    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/libcupsfilters/Manifest                  |  1 +
 .../libcupsfilters-2.1_beta1-CVE-2024-47076.patch  | 31 +++++++++
 .../libcupsfilters/libcupsfilters-2.1_beta1.ebuild | 75 ++++++++++++++++++++++
 3 files changed, 107 insertions(+)