Version in base suite: 2.2.10-6+deb10u2 Base version: cups_2.2.10-6+deb10u2 Target version: cups_2.2.10-6+deb10u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cups/cups_2.2.10-6+deb10u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cups/cups_2.2.10-6+deb10u3.dsc .git-dpm | 4 changelog | 10 + patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch | 56 ++++++++++ patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch | 23 ++++ patches/series | 2 5 files changed, 93 insertions(+), 2 deletions(-) diff -Nru cups-2.2.10/debian/.git-dpm cups-2.2.10/debian/.git-dpm --- cups-2.2.10/debian/.git-dpm 2020-01-19 08:36:31.000000000 +0000 +++ cups-2.2.10/debian/.git-dpm 2020-04-25 14:27:21.000000000 +0000 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -1b21a83376cee1f213faf7f4b4d89dd766c28975 -1b21a83376cee1f213faf7f4b4d89dd766c28975 +f1b7b7e074291c85366a60f7a197dea19e62c9cf +f1b7b7e074291c85366a60f7a197dea19e62c9cf 25b2338346ef3abbb93ea88476887cba7b2b86f8 25b2338346ef3abbb93ea88476887cba7b2b86f8 cups_2.2.10.orig.tar.gz diff -Nru cups-2.2.10/debian/changelog cups-2.2.10/debian/changelog --- cups-2.2.10/debian/changelog 2020-01-19 08:36:31.000000000 +0000 +++ cups-2.2.10/debian/changelog 2020-04-25 14:27:21.000000000 +0000 @@ -1,3 +1,13 @@ +cups (2.2.10-6+deb10u3) buster; urgency=medium + + * Backport upstream security fixes: + - CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption() + function in ppd-mark.c + - CVE-2019-8842: The `ippReadIO` function may under-read an extension + field + + -- Didier Raboud Sat, 25 Apr 2020 16:27:21 +0200 + cups (2.2.10-6+deb10u2) buster; urgency=medium * Backport upstream security fixes: diff -Nru cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch --- cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch 1970-01-01 00:00:00.000000000 +0000 +++ cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch 2020-04-25 14:27:21.000000000 +0000 @@ -0,0 +1,56 @@ +From 1668f3bdc68101d44d0d18c85ba3e6572b517ff4 Mon Sep 17 00:00:00 2001 +From: Stephan Zeisberg +Date: Fri, 10 Apr 2020 17:14:34 +0200 +Subject: =?UTF-8?q?CVE-2020-3898=20-=20heap-buffer-overflow=20in=20libcups?= + =?UTF-8?q?=E2=80=99s=20ppdFindOption()=20function=20in=20ppd-mark.c?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--- + cups/ppd.c | 3 +-- + ppdc/ppdc-source.cxx | 14 ++++++++------ + 2 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/cups/ppd.c b/cups/ppd.c +index b823d17b4..8d3eb8a3b 100644 +--- a/cups/ppd.c ++++ b/cups/ppd.c +@@ -1705,8 +1705,7 @@ _ppdOpen( + constraint->choice1, constraint->option2, + constraint->choice2)) + { +- case 0 : /* Error */ +- case 1 : /* Error */ ++ default : /* Error */ + pg->ppd_status = PPD_BAD_UI_CONSTRAINTS; + goto error; + +diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx +index 5add81002..383f0183d 100644 +--- a/ppdc/ppdc-source.cxx ++++ b/ppdc/ppdc-source.cxx +@@ -1746,15 +1746,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to read + + switch (sscanf(name, "%dx%d", &xdpi, &ydpi)) + { +- case 0 : +- _cupsLangPrintf(stderr, +- _("ppdc: Bad resolution name \"%s\" on line %d of " +- "%s."), name, fp->line, fp->filename); +- break; + case 1 : + ydpi = xdpi; + break; +- } ++ case 2 : ++ break; ++ default : ++ _cupsLangPrintf(stderr, ++ _("ppdc: Bad resolution name \"%s\" on line %d of " ++ "%s."), name, fp->line, fp->filename); ++ break; ++} + + // Create the necessary PS commands... + snprintf(command, sizeof(command), diff -Nru cups-2.2.10/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch cups-2.2.10/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch --- cups-2.2.10/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch 1970-01-01 00:00:00.000000000 +0000 +++ cups-2.2.10/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch 2020-04-25 14:27:21.000000000 +0000 @@ -0,0 +1,23 @@ +From f1b7b7e074291c85366a60f7a197dea19e62c9cf Mon Sep 17 00:00:00 2001 +From: Didier Raboud +Date: Sat, 25 Apr 2020 16:02:12 +0200 +Subject: CVE-2019-8842: The `ippReadIO` function may under-read an extension + field + +--- + cups/ipp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cups/ipp.c b/cups/ipp.c +index 98b499716..4ebb1da9c 100644 +--- a/cups/ipp.c ++++ b/cups/ipp.c +@@ -2960,7 +2960,7 @@ ippReadIO(void *src, /* I - Data source */ + * Read 32-bit "extension" tag... + */ + +- if ((*cb)(src, buffer, 4) < 1) ++ if ((*cb)(src, buffer, 4) < 4) + { + DEBUG_puts("1ippReadIO: Callback returned EOF/error"); + _cupsBufferRelease((char *)buffer); diff -Nru cups-2.2.10/debian/patches/series cups-2.2.10/debian/patches/series --- cups-2.2.10/debian/patches/series 2020-01-19 08:36:31.000000000 +0000 +++ cups-2.2.10/debian/patches/series 2020-04-25 14:27:21.000000000 +0000 @@ -47,3 +47,5 @@ 0047-Fix-multiple-security-disclosure-issues.patch 0048-Fix-memory-leak-in-ppdOpen.patch 0049-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch +0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch +0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch