Version in base suite: 2.4.10-3 Base version: cups_2.4.10-3 Target version: cups_2.4.10-3+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cups/cups_2.4.10-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cups/cups_2.4.10-3+deb13u1.dsc changelog | 9 + patches/0016-CVE-2025-58060-fix-authentication-bypass-with-AuthType-negotiate.patch | 54 ++++++++++ patches/0017-CVE-2025-58364-fix-remote-DoS-via-null-dereference.patch | 52 +++++++++ patches/series | 2 4 files changed, 117 insertions(+)
diff -Nru cups-2.4.10/debian/changelog cups-2.4.10/debian/changelog
--- cups-2.4.10/debian/changelog 2025-06-01 11:45:05.000000000 +0000
+++ cups-2.4.10/debian/changelog 2025-09-07 17:45:05.000000000 +0000
@@ -1,3 +1,12 @@
+cups (2.4.10-3+deb13u1) trixie-security; urgency=high
+
+ * CVE-2025-58060
+ fix authentication bypass with AuthType Negotiate
+ * CVE-2025-58364
+ fix remote DoS via null dereference
+
+ -- Thorsten Alteholz Sun, 07 Sep 2025 19:45:05 +0200
+
 cups (2.4.10-3) unstable; urgency=medium
 
 * Fix FTBFS with huge file limit due to testsuite timeouts after
diff -Nru cups-2.4.10/debian/patches/0016-CVE-2025-58060-fix-authentication-bypass-with-AuthType-negotiate.patch cups-2.4.10/debian/patches/0016-CVE-2025-58060-fix-authentication-bypass-with-AuthType-negotiate.patch
--- cups-2.4.10/debian/patches/0016-CVE-2025-58060-fix-authentication-bypass-with-AuthType-negotiate.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-2.4.10/debian/patches/0016-CVE-2025-58060-fix-authentication-bypass-with-AuthType-negotiate.patch 2025-09-07 17:45:05.000000000 +0000
@@ -0,0 +1,54 @@
+From: Thorsten Alteholz
+Date: Wed, 10 Sep 2025 10:46:21 +0200
+Subject: fix authentication bypass with AuthType negotiate
+
+---
+ scheduler/auth.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index d0430b4..0499718 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -513,6 +513,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+ int userlen; /* Username:password length */
+
+
++ /*
++ * Only allow Basic if enabled...
++ */
++
++ if (type != CUPSD_AUTH_BASIC)
++ {
++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled.");
++ return;
++ }
++
+ authorization += 5;
+ while (isspace(*authorization & 255))
+ authorization ++;
+@@ -558,7 +568,6 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+ * Validate the username and password...
+ */
+
+- if (type == CUPSD_AUTH_BASIC)
+ {
+ #if HAVE_LIBPAM
+ /*
+@@ -727,6 +736,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+ /* Output token for username */
+ gss_name_t client_name; /* Client name */
+
++ /*
++ * Only allow Kerberos if enabled...
++ */
++
++ if (type != CUPSD_AUTH_NEGOTIATE)
++ {
++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled.");
++ return;
++ }
++
+ # ifdef __APPLE__
+ /*
+ * If the weak-linked GSSAPI/Kerberos library is not present, don't try
diff -Nru cups-2.4.10/debian/patches/0017-CVE-2025-58364-fix-remote-DoS-via-null-dereference.patch cups-2.4.10/debian/patches/0017-CVE-2025-58364-fix-remote-DoS-via-null-dereference.patch
--- cups-2.4.10/debian/patches/0017-CVE-2025-58364-fix-remote-DoS-via-null-dereference.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-2.4.10/debian/patches/0017-CVE-2025-58364-fix-remote-DoS-via-null-dereference.patch 2025-09-07 17:45:05.000000000 +0000
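Review bot: In patch 0016, the second scheduler/auth.c hunk (`@@ -558,7 +568,6 @@`) removes `if (type == CUPSD_AUTH_BASIC)` but keeps its braces, so the credential-validation code now sits in a bare `{ ... }` block whose only protection is the early return added in the first hunk, well above it. A comment on that brace would keep a later refactor from separating the two, for example `/* type == CUPSD_AUTH_BASIC here: enforced by the early return above */`. Both new guards also rely on `type` already holding the effective authentication type for this request; that assignment is outside the hunks, as are the start and end of cupsdAuthorize, so it is worth confirming that a default or unset value is resolved before these checks run. The patch header has no `Origin:` or `Bug:` field naming the upstream change, which makes the backport hard to compare against its source; the same applies to patch 0017.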
@@ -0,0 +1,52 @@
+From: Thorsten Alteholz
+Date: Wed, 10 Sep 2025 11:05:30 +0200
+Subject: fix remote DoS via null dereference
+
+---
+ cups/ipp.c | 26 +-------------------------
+ 1 file changed, 1 insertion(+), 25 deletions(-)
+
+Index: cups-2.4.10/cups/ipp.c
+===================================================================
+--- cups-2.4.10.orig/cups/ipp.c 2025-09-10 11:25:47.275881427 +0200
++++ cups-2.4.10/cups/ipp.c 2025-09-10 12:33:15.653213317 +0200
+@@ -2949,31 +2949,6 @@
+ */
+
+ tag = (ipp_tag_t)buffer[0];
+- if (tag == IPP_TAG_EXTENSION)
+- {
+- /*
+- * Read 32-bit "extension" tag...
+- */
+-
+- if ((*cb)(src, buffer, 4) < 4)
+- {
+- DEBUG_puts("1ippReadIO: Callback returned EOF/error");
+- goto rollback;
+- }
+-
+- tag = (ipp_tag_t)((buffer[0] << 24) | (buffer[1] << 16) | (buffer[2] << 8) | buffer[3]);
+-
+- if (tag & IPP_TAG_CUPS_CONST)
+- {
+- /*
+- * Fail if the high bit is set in the tag...
+- */
+-
+- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
+- DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag));
+- goto rollback;
+- }
+- }
+
+ if (tag == IPP_TAG_END)
+ {
+@@ -3196,6 +3171,7 @@
+
+ if ((*cb)(src, buffer, (size_t)n) < n)
+ {
++ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
+ DEBUG_puts("1ippReadIO: unable to read name.");
+ goto rollback;
+ }
diff -Nru cups-2.4.10/debian/patches/series cups-2.4.10/debian/patches/series
--- cups-2.4.10/debian/patches/series 2025-06-01 11:43:04.000000000 +0000
+++ cups-2.4.10/debian/patches/series 2025-09-07 17:45:05.000000000 +0000
@@ -13,3 +13,5 @@
 0013-CVE-2023-32324.patch
 0014-CVE-2024-47175-and-further-hardening.patch
 0015-Limit-the-maximum-number-of-file-descriptors-to-64k-.patch
+0016-CVE-2025-58060-fix-authentication-bypass-with-AuthType-negotiate.patch
+0017-CVE-2025-58364-fix-remote-DoS-via-null-dereference.patch
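Review bot: In patch 0017, the first cups/ipp.c hunk removes the 32-bit extension-tag read, so a tag byte equal to `IPP_TAG_EXTENSION` now continues into the ordinary parsing below `tag = (ipp_tag_t)buffer[0];`, and the hunk does not show how that value is handled there. The new behaviour deserves a comment at the removal site, e.g. `/* Extension tags are not expanded; the tag byte is used as-is. */`, plus a regression test that parses a message carrying that tag byte and checks for a clean rollback with an error set. The second hunk adds `_cupsSetError` for the failed name read only; if neighbouring short-read paths still just call `DEBUG_puts` and `goto rollback`, callers would get a failure without an error status there too. The hunks carry no function context, and the enclosing function (apparently ippReadIO, going by the debug strings) extends beyond both.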