Bug 46625 - cups: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.3
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.3-0-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
Reported: 2018-03-13 16:50 CET by Philipp Hahn
Modified: 2018-05-16 17:04 CEST
What kind of report is it?: Security Issue
Max CVSS v3 score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) NVD
Description Philipp Hahn univentionstaff 2018-03-13 16:50:36 CET
New Debian cups 2.2.1-8+deb9u1A~4.3.0.201803130703 fixes:
This update addresses the following issue:
* CVE-2017-18190: Prevent an issue where remote attackers could execute
  arbitrary IPP commands by sending POST requests to the CUPS daemon in
  conjunction with DNS rebinding. This was caused by a whitelisted
  "localhost.localdomain" entry.

A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
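
The allowlist weakness described above, as an added example in C that is not code from CUPS or from this bug report (the function names are hypothetical): a Host header check whose non-strict mode trusts "localhost.localdomain" as described, beside a strict mode that does not trust that name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Copy the host part of a Host header value into out, dropping ":port",
 * the brackets of an IPv6 literal and one trailing dot of a DNS name. */
static bool host_part(const char *value, char *out, size_t outlen)
{
    const char *start = value, *end;

    if (*value == '[') {                  /* e.g. "[::1]:631" */
        start = value + 1;
        end = strchr(start, ']');
        if (!end || (end[1] != '\0' && end[1] != ':'))
            return false;
    } else {
        end = strchr(value, ':');         /* e.g. "localhost:631" */
        if (!end)
            end = value + strlen(value);
        if (end > start && end[-1] == '.')
            end--;                        /* "localhost." is "localhost" */
    }
    if (end == start || (size_t)(end - start) >= outlen)
        return false;
    memcpy(out, start, (size_t)(end - start));
    out[end - start] = '\0';
    return true;
}

/* Hypothetical check for a loopback-only HTTP service.
 * strict == false models the allowlist described above, which also trusts
 * "localhost.localdomain", a name that may be resolved by a DNS server.
 * strict == true does not trust that name. */
bool loopback_host_ok(const char *value, bool strict)
{
    char host[256];

    if (!value || !host_part(value, host, sizeof(host)))
        return false;
    if (!strcasecmp(host, "localhost") || !strcmp(host, "127.0.0.1") ||
        !strcmp(host, "::1"))
        return true;
    return !strict && !strcasecmp(host, "localhost.localdomain");
}
```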
Comment 1 Philipp Hahn univentionstaff 2018-03-13 17:38:39 CET
[4.3-0] bdc053edc4 Bug #46625: cups_2.2.1-8+deb9u1A~4.3.0.201803130703
Comment 2 Quality Assurance univentionstaff 2018-05-04 16:43:13 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/cups_2.2.1-8A~4.3.0.201803121724.dsc
+++ apt/ucs_4.3-0-errata4.3-0/source/cups_2.2.1-8+deb9u1A~4.3.0.201803131634.dsc
@@ -1,4 +1,4 @@
-2.2.1-8A~4.3.0.201803121724 [Mon, 12 Mar 2018 17:24:41 +0100] Univention builddaemon <buildd@univention.de>:
+2.2.1-8+deb9u1A~4.3.0.201803131634 [Tue, 13 Mar 2018 16:34:20 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     00-autostart-setting
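Review bot: the `+` header line records build 2.2.1-8+deb9u1A~4.3.0.201803131634, but the description and comment 1 of this bug name 2.2.1-8+deb9u1A~4.3.0.201803130703. Record in the bug which build the erratum ships so the advisory and the installed package version can be matched.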
@@ -9,6 +9,13 @@
     15_postponed-univention-lpadmin-systemd
     20_no-on-demand-systemd-service
 
+2.2.1-8+deb9u1 [Thu, 22 Feb 2018 17:51:44 +0100] Didier Raboud <odyx@debian.org>:
+
+  * CVE-2017-18190: Prevent an issue where remote attackers could execute
+    arbitrary IPP commands by sending POST requests to the CUPS daemon in
+    conjunction with DNS rebinding. This was caused by a whitelisted
+    "localhost.localdomain" entry.
+
 2.2.1-8 [Tue, 31 Jan 2017 08:00:49 +0100] Didier Raboud <odyx@debian.org>:
 
   [ JP Guillonneau ]
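Review bot: the added 2.2.1-8+deb9u1 entry states the cause (the whitelisted "localhost.localdomain" entry) but not what was changed or which patch file carries the change, unlike the UCS entry above it, which lists its applied patches by name. Naming the patch in the entry would let a reviewer confirm from the changelog alone that the fix is in the rebuilt package.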
Comment 3 Arvid Requate univentionstaff 2018-05-14 19:00:51 CEST
* All UCS specific patches merged and applied during rebuild
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok
Comment 4 Arvid Requate univentionstaff 2018-05-16 17:04:04 CEST
<http://errata.software-univention.de/ucs/4.3/46.html>