Bug 672742 (CVE-2018-4700)

Summary:	<net-print/cups-2.2.10: Linux session cookies use a predictable random number seed (CVE-2018-4700)
Product:	Gentoo Security	Reporter:	Lars Wendler (Polynomial-C) (RETIRED) <polynomial-c>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	pacho, printing
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/apple/cups/releases/tag/v2.2.10
Whiteboard:	B3 [noglsa cve]
Package list:	net-print/cups-2.2.11	Runtime testing required:	---

Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2018-12-08 12:30:16 UTC

Dunno how big the impact is on this one but nevertheless, a CVE was filed so here goes the bug.

Comment 1 Hanno Böck gentoo-dev

2018-12-11 23:21:11 UTC

Not really fixed:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1706#c3

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2018-12-12 22:34:05 UTC

(In reply to Hanno Boeck from comment #1)
> Not really fixed:
> https://bugs.chromium.org/p/project-zero/issues/detail?id=1706#c3

Thanks, Hanno.

Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2019-04-01 21:39:39 UTC

Well, meanwhile cups-2.2.11 was released but I have no idea if this bug is finally fully fixed...

Comment 4 Pacho Ramos gentoo-dev

2019-04-13 22:12:28 UTC

The tag says it was fixed in 2.2.10
https://github.com/apple/cups/releases/tag/v2.2.10

Comment 5 Pacho Ramos gentoo-dev

2019-04-27 18:04:45 UTC

any issues stabilizing 2.2.11?

Comment 6 Rolf Eike Beer archtester

2019-06-02 20:23:48 UTC

sparc stable

Comment 7 Larry the Git Cow gentoo-dev

2019-06-04 07:53:15 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ac59b92148da35b9d7d6066f0e03ee2953375a7

commit 8ac59b92148da35b9d7d6066f0e03ee2953375a7
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-06-04 07:52:16 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-06-04 07:52:35 +0000

    net-print/cups-2.2.11-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/672742
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 net-print/cups/cups-2.2.11.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 8 Agostino Sarubbo gentoo-dev

2019-06-04 10:59:24 UTC

ppc64 stable

Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev

2019-06-04 15:15:48 UTC

x86 stable

Comment 10 Agostino Sarubbo gentoo-dev

2019-06-04 20:55:12 UTC

amd64 stable

Comment 11 Agostino Sarubbo gentoo-dev

2019-06-04 20:57:42 UTC

ppc stable

Comment 12 Agostino Sarubbo gentoo-dev

2019-06-05 07:30:36 UTC

ia64 stable

Comment 13 Aaron Bauman (RETIRED) gentoo-dev

2019-06-09 11:33:15 UTC

arm64 stable

Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev

2019-06-09 19:28:25 UTC

hppa stable

Comment 15 Markus Meier gentoo-dev

2019-06-13 04:26:51 UTC

arm stable

Comment 16 Mikle Kolyada (RETIRED) archtester

2019-06-17 09:51:04 UTC

s390 stable

Comment 17 Larry the Git Cow gentoo-dev

2019-07-31 11:54:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d061b6cf8a79d5dc2501f4a1d0c61835369a7a4

commit 5d061b6cf8a79d5dc2501f4a1d0c61835369a7a4
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-07-31 11:53:46 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-07-31 11:54:08 +0000

    net-print/cups: Security cleanup
    
    Bug: https://bugs.gentoo.org/672742
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-print/cups/Manifest           |   2 -
 net-print/cups/cups-2.2.10.ebuild | 337 -------------------------------------
 net-print/cups/cups-2.2.7.ebuild  | 343 --------------------------------------
 3 files changed, 682 deletions(-)