Version in base suite: 2.4.2-3+deb12u8 Base version: cups_2.4.2-3+deb12u8 Target version: cups_2.4.2-3+deb12u9 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cups/cups_2.4.2-3+deb12u8.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cups/cups_2.4.2-3+deb12u9.dsc changelog | 9 + patches/0025-CVE-2025-58060-fix-authentication-bypass-with-AuthType-negotiate.patch | 66 ++++++++++ patches/0026-CVE-2025-58364-fix-remote-DoS-via-null-dereference.patch | 53 ++++++++ patches/series | 2 4 files changed, 130 insertions(+)
diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2024-09-26 21:45:05.000000000 +0000
+++ cups-2.4.2/debian/changelog 2025-09-07 17:45:05.000000000 +0000
@@ -1,3 +1,12 @@
+cups (2.4.2-3+deb12u9) bookworm-security; urgency=high
+
+ * CVE-2025-58060
+ fix authentication bypass with AuthType Negotiate
+ * CVE-2025-58364
+ fix remote DoS via null dereference
+
+ -- Thorsten Alteholz Sun, 07 Sep 2025 19:45:05 +0200
+
 cups (2.4.2-3+deb12u8) bookworm-security; urgency=high
 
 * CVE-2024-47175
diff -Nru cups-2.4.2/debian/patches/0025-CVE-2025-58060-fix-authentication-bypass-with-AuthType-negotiate.patch cups-2.4.2/debian/patches/0025-CVE-2025-58060-fix-authentication-bypass-with-AuthType-negotiate.patch
--- cups-2.4.2/debian/patches/0025-CVE-2025-58060-fix-authentication-bypass-with-AuthType-negotiate.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-2.4.2/debian/patches/0025-CVE-2025-58060-fix-authentication-bypass-with-AuthType-negotiate.patch 2025-09-07 17:45:05.000000000 +0000
@@ -0,0 +1,66 @@
+From: Thorsten Alteholz
+Date: Wed, 10 Sep 2025 10:46:21 +0200
+Subject: fix authentication bypass with AuthType negotiate
+
+---
+ scheduler/auth.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+Index: cups-2.4.2/scheduler/auth.c
+===================================================================
+--- cups-2.4.2.orig/scheduler/auth.c 2025-09-10 11:43:40.020228384 +0200
++++ cups-2.4.2/scheduler/auth.c 2025-09-10 11:45:27.288263312 +0200
+@@ -513,6 +513,16 @@
+ int userlen; /* Username:password length */
+
+
++ /*
++ * Only allow Basic if enabled...
++ */
++
++ if (type != CUPSD_AUTH_BASIC)
++ {
++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled.");
++ return;
++ }
++
+ authorization += 5;
+ while (isspace(*authorization & 255))
+ authorization ++;
+@@ -558,10 +568,6 @@
+ * Validate the username and password...
+ */
+
+- switch (type)
+- {
+- default :
+- case CUPSD_AUTH_BASIC :
+ {
+ #if HAVE_LIBPAM
+ /*
+@@ -715,8 +721,6 @@
+ }
+
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username);
+- break;
+- }
+
+ con->type = type;
+ }
+@@ -733,6 +737,16 @@
+ /* Output token for username */
+ gss_name_t client_name; /* Client name */
+
++ /*
++ * Only allow Kerberos if enabled...
++ */
++
++ if (type != CUPSD_AUTH_NEGOTIATE)
++ {
++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled.");
++ return;
++ }
++
+ # ifdef __APPLE__
+ /*
+ * If the weak-linked GSSAPI/Kerberos library is not present, don't try
diff -Nru cups-2.4.2/debian/patches/0026-CVE-2025-58364-fix-remote-DoS-via-null-dereference.patch cups-2.4.2/debian/patches/0026-CVE-2025-58364-fix-remote-DoS-via-null-dereference.patch
--- cups-2.4.2/debian/patches/0026-CVE-2025-58364-fix-remote-DoS-via-null-dereference.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-2.4.2/debian/patches/0026-CVE-2025-58364-fix-remote-DoS-via-null-dereference.patch 2025-09-07 17:45:05.000000000 +0000
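Review bot: The two added guards (`if (type != CUPSD_AUTH_BASIC)` in the hunk at -513 and `if (type != CUPSD_AUTH_NEGOTIATE)` in the hunk at -733 of scheduler/auth.c) leave the function with a bare `return;`, and the enclosing function starts and ends outside these hunks, so it is not visible whether `con->username` and `con->type` are already cleared on that path; that should be confirmed so a scheme mismatch fails closed. The removed `default :` label shows the Basic branch used to run for every `type`, so a regression test is also worth adding for clients that send Basic credentials to a location whose resolved type is something else, and for `type` still being an unresolved default if that can reach this point. I would extend the comment above each guard to record the intent, e.g. `Only allow Basic if enabled: a scheme that does not match the configured AuthType must leave the request unauthenticated (CVE-2025-58060).` The patch header would also benefit from an `Origin: upstream, <upstream commit URL>` line, since its embedded diffstat (20 insertions, 1 deletion) does not match the hunks, which remove six lines; the same holds for patch 0026 (25 deletions stated, 26 in its first hunk).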
@@ -0,0 +1,53 @@
+From: Thorsten Alteholz
+Date: Wed, 10 Sep 2025 11:05:30 +0200
+Subject: fix remote DoS via null dereference
+
+---
+ cups/ipp.c | 26 +-------------------------
+ 1 file changed, 1 insertion(+), 25 deletions(-)
+
+Index: cups-2.4.2/cups/ipp.c
+===================================================================
+--- cups-2.4.2.orig/cups/ipp.c 2025-09-10 14:22:19.506950359 +0200
++++ cups-2.4.2/cups/ipp.c 2025-09-10 14:22:19.502950359 +0200
+@@ -2949,32 +2949,6 @@
+ */
+
+ tag = (ipp_tag_t)buffer[0];
+- if (tag == IPP_TAG_EXTENSION)
+- {
+- /*
+- * Read 32-bit "extension" tag...
+- */
+-
+- if ((*cb)(src, buffer, 4) < 4)
+- {
+- DEBUG_puts("1ippReadIO: Callback returned EOF/error");
+- goto rollback;
+- }
+-
+- tag = (ipp_tag_t)((((((buffer[0] << 8) | buffer[1]) << 8) |
+- buffer[2]) << 8) | buffer[3]);
+-
+- if (tag & IPP_TAG_CUPS_CONST)
+- {
+- /*
+- * Fail if the high bit is set in the tag...
+- */
+-
+- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
+- DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag));
+- goto rollback;
+- }
+- }
+
+ if (tag == IPP_TAG_END)
+ {
+@@ -3196,6 +3170,7 @@
+
+ if ((*cb)(src, buffer, (size_t)n) < n)
+ {
++ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
+ DEBUG_puts("1ippReadIO: unable to read name.");
+ goto rollback;
+ }
diff -Nru cups-2.4.2/debian/patches/series cups-2.4.2/debian/patches/series
--- cups-2.4.2/debian/patches/series 2024-09-26 21:45:05.000000000 +0000
+++ cups-2.4.2/debian/patches/series 2025-09-07 17:45:05.000000000 +0000
@@ -22,3 +22,5 @@
 0022-CVE-2024-35235-regression3.patch
 0023-CVE-2024-35235-regression4.patch
 0024-CVE-2024-47175-and-further-hardening.patch
+0025-CVE-2025-58060-fix-authentication-bypass-with-AuthType-negotiate.patch
+0026-CVE-2025-58364-fix-remote-DoS-via-null-dereference.patch
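Review bot: With the `IPP_TAG_EXTENSION` branch removed in the hunk at -2949 of cups/ipp.c, a tag byte with that value is no longer expanded and falls through to the `if (tag == IPP_TAG_END)` checks as an ordinary one-byte tag; ippReadIO continues outside the hunk, so it should be confirmed that the later code rejects or safely skips it. The subject says null dereference, yet neither hunk touches a pointer check, so the patch description should state how dropping the extension-tag path closes CVE-2025-58364. A comment at the removal site would keep the branch from being reintroduced, e.g. `/* 32-bit extension tags are deliberately not read here; the tag is the single byte in buffer[0]. */`. A regression test that feeds the reader a message carrying that tag and a short read on the attribute name, and asserts a clean error return with the new `Unable to read IPP attribute name.` message, would pin both hunks.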