Version in base suite: 1.28.17-3 Base version: cups-filters_1.28.17-3 Target version: cups-filters_1.28.17-3+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cups-filters/cups-filters_1.28.17-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cups-filters/cups-filters_1.28.17-3+deb12u1.dsc changelog | 11 ++++++++++- patches/0004-CVE-2024-47076.patch | 30 ++++++++++++++++++++++++++++++ patches/0005-CVE-2024-47176.patch | 22 ++++++++++++++++++++++ patches/series | 2 ++ 4 files changed, 64 insertions(+), 1 deletion(-) diff -Nru cups-filters-1.28.17/debian/changelog cups-filters-1.28.17/debian/changelog --- cups-filters-1.28.17/debian/changelog 2023-05-19 16:25:20.000000000 +0000 +++ cups-filters-1.28.17/debian/changelog 2024-09-26 21:45:05.000000000 +0000 @@ -1,6 +1,15 @@ +cups-filters (1.28.17-3+deb12u1) bookworm-security; urgency=high + + * CVE-2024-47076 (Closes: #1082827) + cfGetPrinterAttributes5(): Validate response attributes before return + * CVE-2024-47176 (Closes: #1082820) + Default BrowseRemoteProtocols should not include "cups" protocol + + -- Thorsten Alteholz Thu, 26 Sep 2024 23:45:05 +0200 + cups-filters (1.28.17-3) unstable; urgency=medium - * CVE-2023-24805 + * CVE-2023-24805 prevent arbitrary command execution by escaping the quoting of the arguments in a job with a forged job title more information are available in the commit message at: diff -Nru cups-filters-1.28.17/debian/patches/0004-CVE-2024-47076.patch cups-filters-1.28.17/debian/patches/0004-CVE-2024-47076.patch --- cups-filters-1.28.17/debian/patches/0004-CVE-2024-47076.patch 1970-01-01 00:00:00.000000000 +0000 +++ cups-filters-1.28.17/debian/patches/0004-CVE-2024-47076.patch 2024-09-26 21:45:05.000000000 +0000 @@ -0,0 +1,30 @@ +commit 95576ec3d20c109332d14672a807353cdc551018 +Author: Zdenek Dohnal +Date: Thu Sep 26 23:09:29 2024 +0200 + + cfGetPrinterAttributes5(): Validate response attributes before return + + The destination can be corrupted or forged, so validate the response + to strenghten security measures. + + Fixes CVE-2024-47076 + +Index: cups-filters-1.28.17/cupsfilters/ipp.c +=================================================================== +--- cups-filters-1.28.17.orig/cupsfilters/ipp.c 2024-09-27 15:56:02.498019369 +0200 ++++ cups-filters-1.28.17/cupsfilters/ipp.c 2024-09-27 15:56:02.494019366 +0200 +@@ -435,6 +435,14 @@ + ippDelete(response2); + } + } ++ ++ // Check if the response is valid ++ if (!ippValidateAttributes(response)) ++ { ++ ippDelete(response); ++ response = NULL; ++ } ++ + if (have_http == 0) httpClose(http_printer); + if (uri) free(uri); + return response; diff -Nru cups-filters-1.28.17/debian/patches/0005-CVE-2024-47176.patch cups-filters-1.28.17/debian/patches/0005-CVE-2024-47176.patch --- cups-filters-1.28.17/debian/patches/0005-CVE-2024-47176.patch 1970-01-01 00:00:00.000000000 +0000 +++ cups-filters-1.28.17/debian/patches/0005-CVE-2024-47176.patch 2024-09-26 21:45:05.000000000 +0000 @@ -0,0 +1,22 @@ +DEscription: Default BrowseRemoteProtocols should not include "cups" protocol. + + + configure.ac | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: cups-filters-1.28.17/configure.ac +=================================================================== +--- cups-filters-1.28.17.orig/configure.ac 2024-09-27 15:38:49.000000000 +0200 ++++ cups-filters-1.28.17/configure.ac 2024-09-27 16:31:37.079375228 +0200 +@@ -428,9 +428,9 @@ + AC_SUBST(GIO_UNIX_LIBS) + + AC_ARG_WITH([browseremoteprotocols], +- [AS_HELP_STRING([--with-browseremoteprotocols=value], [Set which protocols to listen for in cups-browsed (default: dnssd cups)])], ++ [AS_HELP_STRING([--with-browseremoteprotocols=value], [Set which protocols to listen for in cups-browsed (default: dnssd)])], + [with_browseremoteprotocols="$withval"], +- [with_browseremoteprotocols="dnssd cups"] ++ [with_browseremoteprotocols="dnssd"] + ) + BROWSEREMOTEPROTOCOLS="$with_browseremoteprotocols" + AC_SUBST(BROWSEREMOTEPROTOCOLS) diff -Nru cups-filters-1.28.17/debian/patches/series cups-filters-1.28.17/debian/patches/series --- cups-filters-1.28.17/debian/patches/series 2023-05-19 08:50:03.000000000 +0000 +++ cups-filters-1.28.17/debian/patches/series 2024-09-26 21:45:05.000000000 +0000 @@ -1,3 +1,5 @@ 0001-Force-set-INITDIR-in-configure.ac-instead-of-relying.patch 0002-qpdf-needs-at-least-c-17.patch 0003-fix-CVE-2023-24805.patch +0004-CVE-2024-47076.patch +0005-CVE-2024-47176.patch