Bug 46625 - cups: Multiple issues (4.3)
cups: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
: P3 normal (vote)
: UCS 4.3-0-errata
Assigned To: Philipp Hahn
Arvid Requate
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-03-13 16:50 CET by Philipp Hahn
Modified: 2018-05-16 17:04 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) NVD


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2018-03-13 16:50:36 CET
New Debian cups 2.2.1-8+deb9u1A~4.3.0.201803130703 fixes:
This update addresses the following issue:
* CVE-2017-18190: Prevent an issue where remote attackers could execute
  arbitrary IPP commands by sending POST requests to the CUPS daemon in
  conjunction with DNS rebinding. This was caused by a whitelisted
  "localhost.localdomain" entry.

A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
Comment 1 Philipp Hahn univentionstaff 2018-03-13 17:38:39 CET
[4.3-0] bdc053edc4 Bug #46625: cups_2.2.1-8+deb9u1A~4.3.0.201803130703
Comment 2 Quality Assurance univentionstaff 2018-05-04 16:43:13 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/cups_2.2.1-8A~4.3.0.201803121724.dsc
+++ apt/ucs_4.3-0-errata4.3-0/source/cups_2.2.1-8+deb9u1A~4.3.0.201803131634.dsc
@@ -1,4 +1,4 @@
-2.2.1-8A~4.3.0.201803121724 [Mon, 12 Mar 2018 17:24:41 +0100] Univention builddaemon <buildd@univention.de>:
+2.2.1-8+deb9u1A~4.3.0.201803131634 [Tue, 13 Mar 2018 16:34:20 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     00-autostart-setting
@@ -9,6 +9,13 @@
     15_postponed-univention-lpadmin-systemd
     20_no-on-demand-systemd-service
 
+2.2.1-8+deb9u1 [Thu, 22 Feb 2018 17:51:44 +0100] Didier Raboud <odyx@debian.org>:
+
+  * CVE-2017-18190: Prevent an issue where remote attackers could execute
+    arbitrary IPP commands by sending POST requests to the CUPS daemon in
+    conjunction with DNS rebinding. This was caused by a whitelisted
+    "localhost.localdomain" entry.
+
 2.2.1-8 [Tue, 31 Jan 2017 08:00:49 +0100] Didier Raboud <odyx@debian.org>:
 
   [ JP Guillonneau ]
Comment 3 Arvid Requate univentionstaff 2018-05-14 19:00:51 CEST
* All UCS specific patches merged and applied during rebuilt
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok
Comment 4 Arvid Requate univentionstaff 2018-05-16 17:04:04 CEST
<http://errata.software-univention.de/ucs/4.3/46.html>