Version in base suite: 2.2.10-6+deb10u5
Base version: cups_2.2.10-6+deb10u5
Target version: cups_2.2.10-6+deb10u6
Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cups/cups_2.2.10-6+deb10u5.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cups/cups_2.2.10-6+deb10u6.dsc
 .git-dpm | 4 -
 changelog | 8 +++
 patches/0054-Fix-certificate-comparison-CVE-2022-26691.patch | 27 +++++++++++
 patches/series | 1
 4 files changed, 38 insertions(+), 2 deletions(-)
diff -Nru cups-2.2.10/debian/.git-dpm cups-2.2.10/debian/.git-dpm
--- cups-2.2.10/debian/.git-dpm 2022-02-23 21:03:02.000000000 +0000
+++ cups-2.2.10/debian/.git-dpm 2022-05-23 20:03:02.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-cd650ee595b7905afba01cfe9c4479823f22704d
-cd650ee595b7905afba01cfe9c4479823f22704d
+445a7a17ca0738d4578e3c402913bae958d2a5d2
+445a7a17ca0738d4578e3c402913bae958d2a5d2
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 cups_2.2.10.orig.tar.gz
diff -Nru cups-2.2.10/debian/changelog cups-2.2.10/debian/changelog
--- cups-2.2.10/debian/changelog 2022-02-23 21:03:02.000000000 +0000
+++ cups-2.2.10/debian/changelog 2022-05-23 20:03:02.000000000 +0000
@@ -1,3 +1,11 @@
+cups (2.2.10-6+deb10u6) buster-security; urgency=high
+
+ * CVE-2022-26691
+ Fix certificate comparison.
+ (Thanks to Zdenek Dohnal for the patch)
+
+ -- Thorsten Alteholz Mon, 23 May 2022 22:03:02 +0200
+
 cups (2.2.10-6+deb10u5) buster; urgency=medium
 
 * Non-maintainer upload by the LTS Team.
diff -Nru cups-2.2.10/debian/patches/0054-Fix-certificate-comparison-CVE-2022-26691.patch cups-2.2.10/debian/patches/0054-Fix-certificate-comparison-CVE-2022-26691.patch
--- cups-2.2.10/debian/patches/0054-Fix-certificate-comparison-CVE-2022-26691.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-2.2.10/debian/patches/0054-Fix-certificate-comparison-CVE-2022-26691.patch 2022-05-23 20:03:02.000000000 +0000
@@ -0,0 +1,27 @@
+From 445a7a17ca0738d4578e3c402913bae958d2a5d2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal
+Date: Wed, 25 May 2022 15:36:31 +0200
+Subject: Fix certificate comparison (CVE-2022-26691)
+
+---
+ scheduler/cert.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/scheduler/cert.c b/scheduler/cert.c
+index 0ebd54947..cc2107b8b 100644
+--- a/scheduler/cert.c
++++ b/scheduler/cert.c
+@@ -444,5 +444,12 @@ ctcompare(const char *a, /* I - First string */
+ b ++;
+ }
+
+- return (result);
++ /*
++ * The while loop finishes when *a == '\0' or *b == '\0'
++ * so after the while loop either both *a and *b == '\0',
++ * or one points inside a string, so when we apply logical OR on *a,
++ * *b and result, we get a non-zero return value if the compared strings don't match.
++ */
++
++ return (result | *a | *b);
+ }
diff -Nru cups-2.2.10/debian/patches/series cups-2.2.10/debian/patches/series
--- cups-2.2.10/debian/patches/series 2022-02-23 21:03:02.000000000 +0000
+++ cups-2.2.10/debian/patches/series 2022-05-23 20:03:02.000000000 +0000
@@ -51,3 +51,4 @@
 0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
 0052-backend-scheduler-ipp.c-Fix-printer-alert-invalid-fr.patch
 0053-CVE-2020-10001.patch
+0054-Fix-certificate-comparison-CVE-2022-26691.patch
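Review bot: The new comment above `return (result | *a | *b);` calls the operation a "logical OR", but `|` is a bitwise OR, and the distinction is the whole point here: a logical `||` would short-circuit and bring back the data-dependent evaluation that the accumulate-into-`result` loop is written to avoid. I would change the fourth comment line to `* or one points inside a string, so when we apply bitwise OR on *a,` and add one sentence stating that only the zero/non-zero distinction of the return value is meaningful. That sentence matters because `*a` and `*b` are `char`: on platforms where `char` is signed a byte with the high bit set yields a negative return value, which is still non-zero and therefore fine as long as every caller tests `!ctcompare(...)` rather than comparing the result to a specific value — the callers are outside this hunk, so confirm. The loop still stops at the first terminator, so the time taken reveals the length of the shorter operand; presumably the certificate strings are fixed-length, which would make this harmless, but the comment could say so. The start of `ctcompare`, including the initialisation of `result` and the `while` condition, lies outside the hunk.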