Bug 940316

Summary: <net-print/cups-2.4.10-r1: Missing PPD attribute validation
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: normal
CC: bertrand, kripton, printing
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [cleanup glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 940015, 942429
Bug Blocks: 940312

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-09-26 20:23:55 UTC
None of the 4 CVEs in the writeup for bug 940312 (https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/) are for net-print/cups directly, but there is a patch which came up in the VINCE case which also looks relevant: https://github.com/OpenPrinting/cups/commit/96b3bdf010e78880f5764e5032720379aa1116df.
Comment 2 Larry the Git Cow gentoo-dev 2024-09-26 21:12:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7fa423265b666d24d4a9acf27030cf701fb4976

commit f7fa423265b666d24d4a9acf27030cf701fb4976
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 21:10:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 21:11:20 +0000

    net-print/cups: backport PPD validation fixes
    
    These fixes are in net-print/cups itself, which was not actually
    referenced in the 4 CVEs in the CUPS writeup mentioned in bug 940312.
    
    But they're also the only patches available right now, and they're clearly
    related, so let's pull them in as others are doing too.
    
    Specifically, it pulls in the following from the 2.4.x branch:
    * 313c388dbc023bbcb75d1efed800d0cfc992a6cc
    * 9939a70b750edd9d05270060cc5cf62ca98cfbe5
    * 04bb2af4521b56c1699a2c2431c56c05a7102e69
    * e0630cd18f76340d302000f2bf6516e99602b844
    * 1e6ca5913eceee906038bc04cc7ccfbe2923bdfd
    * 2abe1ba8a66864aa82cd9836b37e57103b8e1a3b
    
    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/cups/Manifest              |   1 +
 net-print/cups/cups-2.4.10-r1.ebuild | 322 +++++++++++++++++++++++++++++++++++
 2 files changed, 323 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2024-09-26 21:21:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=514b7f9c5f97a92ad3e9c4321db99e8fc4cd14a2

commit 514b7f9c5f97a92ad3e9c4321db99e8fc4cd14a2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 21:19:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 21:20:22 +0000

    net-print/cups-browsed: add 2.0.1
    
    Also, include a mitigation for CVE-2024-47176 (bug #940311) by
    copying the effects of upstream commit 1debe6b140c37e0aa928559add4abcc95ce54aa2,
    i.e. drop 'cups' from --with-browseremoteprotocols=...
    
    (Also, while here, change the casing to match the upstream configure script.)
    
    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/cups-browsed/Manifest                  |  1 +
 net-print/cups-browsed/cups-browsed-2.0.1.ebuild | 79 ++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2024-09-26 21:35:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7eba3af91f1fd96ebb7491890479e7aef6c649ac

commit 7eba3af91f1fd96ebb7491890479e7aef6c649ac
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 21:32:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 21:34:07 +0000

    net-print/libppd: add 2.1_beta1
    
    Note that while this is technically a beta, it was a better
    option than backporting patches to 2.0.0 because the relevant
    upstream commit didn't apply cleanly (d681747ebf12602cb426725eb8ce2753211e2477)
    and there's various mostly bug fixes between 2.0.0 and 2.1_beta1.
    
    The only new feature is adding libcups-3 support which should be harmless.
    
    i.e. The delta between 2.0.0 and 2.1_beta1 is almost entirely, modulo
    libcups-3 support, stuff we would want to backport anyway (obvious and
    trivial bug fixes).
    
    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/libppd/Manifest                |  1 +
 net-print/libppd/libppd-2.1_beta1.ebuild | 54 ++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2024-09-26 22:07:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec56d5dd8051dcfb81e1496248a78b260fe20f64

commit ec56d5dd8051dcfb81e1496248a78b260fe20f64
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 22:05:20 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 22:06:06 +0000

    net-print/libppd: add CVE-2024-47175 patch
    
    I left this out when rebasing on the beta.
    
    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Fixes: 7eba3af91f1fd96ebb7491890479e7aef6c649ac
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/libppd-2.1_beta1-CVE-2024-47175.patch    | 560 +++++++++++++++++++++
 net-print/libppd/libppd-2.1_beta1-r1.ebuild        |  58 +++
 2 files changed, 618 insertions(+)
Comment 6 Larry the Git Cow gentoo-dev 2024-09-26 22:13:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=429f7f1f7ec1dd9e83c4b556e829f95f9e8c50f4

commit 429f7f1f7ec1dd9e83c4b556e829f95f9e8c50f4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-26 22:12:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 22:12:07 +0000

    net-print/libcupsfilters: add 2.1_beta1
    
    Similar rationale to 7eba3af91f1fd96ebb7491890479e7aef6c649ac in terms
    of why a beta.
    
    Bug: https://bugs.gentoo.org/940312
    Bug: https://bugs.gentoo.org/940311
    Bug: https://bugs.gentoo.org/940313
    Bug: https://bugs.gentoo.org/940314
    Bug: https://bugs.gentoo.org/940315
    Bug: https://bugs.gentoo.org/940316
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/libcupsfilters/Manifest                  |  1 +
 .../libcupsfilters-2.1_beta1-CVE-2024-47076.patch  | 31 +++++++++
 .../libcupsfilters/libcupsfilters-2.1_beta1.ebuild | 75 ++++++++++++++++++++++
 3 files changed, 107 insertions(+)