Bug 39401 - cups: Multiple issues (3.2)
cups: Multiple issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
: P2 normal (vote)
: UCS 3.2-7-errata
Assigned To: Janek Walkenhorst
Arvid Requate
:
: 35402 (view as bug list)
Depends on:
Blocks: 43591
  Show dependency treegraph
 
Reported: 2015-09-24 20:07 CEST by Arvid Requate
Modified: 2017-02-20 20:49 CET (History)
1 user (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
requate: Patch_Available+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2015-09-24 20:07:19 CEST
Two issues have been fixed in upstream Debian package version 1.4.4-7+squeeze10:

* cups-filters: texttopdf heap-based buffer overflow (CVE-2015-3258)
* integer overflow leading to a heap-based buffer overflow (CVE-2015-3279)
Comment 1 Janek Walkenhorst univentionstaff 2015-09-29 19:00:01 CEST
Patch from 1.4.4-7+squeeze9 to 1.4.4-7+squeeze10 extracted.
Advisory: cups.yaml
Comment 2 Arvid Requate univentionstaff 2015-11-18 12:33:14 CET
Verified:
* The patches have been extracted correctly
* They have been applied successfully while building 1.4.4-7.97.201509291754
* Package update works
* Functional test according to Wiki test set successful
* Advisory Ok, since 3.2-6 is out of maintenance I removed it from the list
Comment 3 Arvid Requate univentionstaff 2015-11-18 12:44:39 CET
I just re-checked and found that the 41_CVE-2015-3258-CVE-2015-3279.dpatch is not applied during the "dpatch apply-all", see

logs/ucs_3.2-0-0-errata3.2-7/cups_1.4.4-7.97.201509291754.log.bz2.

I think the patch still needs to be added to the debian/patches/00list !
Comment 4 Janek Walkenhorst univentionstaff 2015-11-18 16:10:08 CET
r65708 r15431
Comment 5 Arvid Requate univentionstaff 2015-11-18 16:39:49 CET
Ok, patch is applied now:

applying patch CVE-2015-3258-CVE-2015-3279 to ./ ... ok.

And the update & functional tests have still been successful.

Advisory is up to date too.
Comment 6 Janek Walkenhorst univentionstaff 2015-11-19 13:30:54 CET
<http://errata.software-univention.de/ucs/3.2/377.html>
Comment 7 Arvid Requate univentionstaff 2016-06-08 22:07:41 CEST
*** Bug 35402 has been marked as a duplicate of this bug. ***