909018 – (CVE-2023-34241) <net-print/cups-2.4.6: Use-after-free when logging warnings during cupsdAcceptClient failure

Bug 909018 (CVE-2023-34241) - <net-print/cups-2.4.6: Use-after-free when logging warnings during cupsdAcceptClient failure

Summary: <net-print/cups-2.4.6: Use-after-free when logging warnings during cupsdAccep...

Status:	RESOLVED FIXED

Alias:	CVE-2023-34241

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa+]
Keywords:

Depends on:	910084
Blocks:
	Show dependency tree

Reported:	2023-06-23 01:45 UTC by Sam James
Modified:	2024-02-18 08:58 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2023-06-23 01:45:27 UTC

+Changes in CUPS v2.4.6 - TBA
+----------------------------
+
+- Fix linking error on old MacOS (Issue #715)
+- Fix printing multiple files on specific printers (Issue #643)
+- Fix use-after-free when logging warnings in case of failures
+  in `cupsdAcceptClient()` (fixes CVE-2023-34241)
+

Comment 1 Larry the Git Cow gentoo-dev

2023-06-23 02:14:26 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7700a344daf14778c2375b4e8de9114ec3727171

commit 7700a344daf14778c2375b4e8de9114ec3727171
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-23 01:47:48 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-23 01:47:48 +0000

    net-print/cups: add 2.4.6
    
    Bug: https://bugs.gentoo.org/909018
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/cups/Manifest          |   1 +
 net-print/cups/cups-2.4.6.ebuild | 315 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 316 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2023-09-27 04:20:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eabfd29399b97d885388cea671349c85f19e5b35

commit eabfd29399b97d885388cea671349c85f19e5b35
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-09-27 04:19:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-27 04:19:23 +0000

    net-print/cups: drop 2.4.2-r7, 2.4.4, 2.4.5
    
    Bug: https://bugs.gentoo.org/907675
    Bug: https://bugs.gentoo.org/909018
    Signed-off-by: Sam James <sam@gentoo.org>

 net-print/cups/Manifest                            |   3 -
 net-print/cups/cups-2.4.2-r7.ebuild                | 325 ---------------------
 net-print/cups/cups-2.4.4.ebuild                   | 315 --------------------
 net-print/cups/cups-2.4.5.ebuild                   | 315 --------------------
 .../files/cups-2.4.2-no-fortify-override.patch     |  18 --
 .../cups-2.4.2-openssl-intermediate-certs.patch    |  20 --
 .../cups/files/cups-2.4.2-scheduler-ipp.patch      |  36 ---
 net-print/cups/files/cups-resolve-local.patch      |  97 ------
 8 files changed, 1129 deletions(-)

Comment 3 Larry the Git Cow gentoo-dev

2024-02-18 08:56:24 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e7fda950590c5976421bfc5b5694dcadd1281e90

commit e7fda950590c5976421bfc5b5694dcadd1281e90
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-18 08:55:48 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-18 08:56:12 +0000

    [ GLSA 202402-17 ] CUPS: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/847625
    Bug: https://bugs.gentoo.org/907675
    Bug: https://bugs.gentoo.org/909018
    Bug: https://bugs.gentoo.org/914781
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-17.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)