diff -Nru cups-2.2.4/debian/changelog cups-2.2.4/debian/changelog --- cups-2.2.4/debian/changelog 2017-11-08 13:17:38.000000000 +0000 +++ cups-2.2.4/debian/changelog 2018-06-22 17:41:03.000000000 +0000 @@ -1,3 +1,25 @@ +cups (2.2.4-7ubuntu3.1) artful-security; urgency=medium + + * SECURITY UPDATE: scheduler crash via DBUS notifications + - debian/patches/CVE-2017-18248.patch: validate requesting-user-name in + scheduler/ipp.c. + - CVE-2017-18248 + * SECURITY UPDATE: privilege escalation in dnssd backend + - debian/patches/CVE-2018-418x.patch: don't allow PassEnv and SetEnv to + override standard variables in man/cups-files.conf.man.in, + man/cupsd.conf.man.in, scheduler/conf.c, test/run-stp-tests.sh. + - CVE-2018-4180 + * SECURITY UPDATE: local file read via Include directive + - debian/patches/CVE-2018-418x.patch: remove Include directive handling + in scheduler/conf.c. + - CVE-2018-4181 + * SECURITY UPDATE: AppArmor sandbox bypass + - debian/local/apparmor-profile: also confine + /usr/lib/cups/backend/mdns. + - CVE-2018-6553 + + -- Marc Deslauriers Fri, 22 Jun 2018 13:41:03 -0400 + cups (2.2.4-7ubuntu3) artful; urgency=medium * Fixes cupsGetNamedDest not using local default printer diff -Nru cups-2.2.4/debian/control cups-2.2.4/debian/control --- cups-2.2.4/debian/control 2017-09-13 16:53:20.000000000 +0000 +++ cups-2.2.4/debian/control 2018-06-22 17:41:03.000000000 +0000 @@ -2,7 +2,8 @@ Standards-Version: 4.0.0 Priority: optional Section: net -Maintainer: Debian Printing Team +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Printing Team Uploaders: Didier Raboud , Till Kamppeter , diff -Nru cups-2.2.4/debian/local/apparmor-profile cups-2.2.4/debian/local/apparmor-profile --- cups-2.2.4/debian/local/apparmor-profile 2017-09-13 16:53:20.000000000 +0000 +++ cups-2.2.4/debian/local/apparmor-profile 2018-06-22 17:40:40.000000000 +0000 @@ -87,6 +87,7 @@ /usr/lib/cups/backend/http ixr, /usr/lib/cups/backend/ipp ixr, /usr/lib/cups/backend/lpd ixr, + /usr/lib/cups/backend/mdns ixr, /usr/lib/cups/backend/parallel ixr, /usr/lib/cups/backend/serial ixr, /usr/lib/cups/backend/snmp ixr, diff -Nru cups-2.2.4/debian/patches/CVE-2017-18248.patch cups-2.2.4/debian/patches/CVE-2017-18248.patch --- cups-2.2.4/debian/patches/CVE-2017-18248.patch 1970-01-01 00:00:00.000000000 +0000 +++ cups-2.2.4/debian/patches/CVE-2017-18248.patch 2018-06-22 17:38:18.000000000 +0000 @@ -0,0 +1,61 @@ +From 49fa4983f25b64ec29d548ffa3b9782426007df3 Mon Sep 17 00:00:00 2001 +From: Michael Sweet +Date: Mon, 23 Oct 2017 16:23:43 -0400 +Subject: [PATCH] DBUS notifications could crash the scheduler (Issue #5143) + +- scheduler/ipp.c: Make sure requesting-user-name string is valid UTF-8. +--- + CHANGES.md | 5 +++-- + scheduler/ipp.c | 12 ++++++++++-- + 2 files changed, 13 insertions(+), 4 deletions(-) + +#diff --git a/CHANGES.md b/CHANGES.md +#index 2fdf93e32..86eb1dbdc 100644 +#--- a/CHANGES.md +#+++ b/CHANGES.md +#@@ -1,12 +1,13 @@ +#-CHANGES - 2.2.6 - 2017-10-19 +#+CHANGES - 2.2.6 - 2017-10-23 +# ============================ +# +# +# Changes in CUPS v2.2.6 +# ---------------------- +# +#+- DBUS notifications could crash the scheduler (Issue #5143) +# - Added USB quirks rules for Canon MP540 and Samsung ML-2160 (Issue #5148) +#-- Fixed TLS cipher suite selection with GNU TLS (Issue #5145) +#+- Fixed TLS cipher suite selection with GNU TLS (Issue #5145, Issue #5150) +# +# +# Changes in CUPS v2.2.5 +diff --git a/scheduler/ipp.c b/scheduler/ipp.c +index e6743cdcb..5cf980ab3 100644 +--- a/scheduler/ipp.c ++++ b/scheduler/ipp.c +@@ -1597,6 +1597,16 @@ add_job(cupsd_client_t *con, /* I - Client connection */ + return (NULL); + } + ++ attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME); ++ ++ if (attr && !ippValidateAttribute(attr)) ++ { ++ send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString()); ++ if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL) ++ attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP; ++ return (NULL); ++ } ++ + if ((job = cupsdAddJob(priority, printer->name)) == NULL) + { + send_ipp_status(con, IPP_INTERNAL_ERROR, +@@ -1615,8 +1625,6 @@ add_job(cupsd_client_t *con, /* I - Client connection */ + add_job_uuid(job); + apply_printer_defaults(printer, job); + +- attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME); +- + if (con->username[0]) + { + cupsdSetString(&job->username, con->username); diff -Nru cups-2.2.4/debian/patches/CVE-2018-418x.patch cups-2.2.4/debian/patches/CVE-2018-418x.patch --- cups-2.2.4/debian/patches/CVE-2018-418x.patch 1970-01-01 00:00:00.000000000 +0000 +++ cups-2.2.4/debian/patches/CVE-2018-418x.patch 2018-06-22 17:40:03.000000000 +0000 @@ -0,0 +1,480 @@ +Backport of: + +From d47f6aec436e0e9df6554436e391471097686ecc Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 8 May 2018 15:24:21 -0700 +Subject: [PATCH] Fix local privilege escalation to root and sandbox bypasses + in scheduler (rdar://37836779, rdar://37836995, rdar://37837252, + rdar://37837581) + +--- + man/cups-files.conf.man.in | 10 +++ + man/cupsd.conf.man.in | 8 -- + scheduler/conf.c | 201 ++++++++++++++++++++++++++++----------------- + scheduler/job.c | 12 +++ + scheduler/process.c | 16 ++-- + scheduler/server.c | 20 ++++- + test/run-stp-tests.sh | 11 +-- + 7 files changed, 179 insertions(+), 99 deletions(-) + +Index: cups-2.2.4/man/cups-files.conf.man.in +=================================================================== +--- cups-2.2.4.orig/man/cups-files.conf.man.in 2018-06-22 13:38:34.686569960 -0400 ++++ cups-2.2.4/man/cups-files.conf.man.in 2018-06-22 13:39:16.522660674 -0400 +@@ -159,6 +159,11 @@ The server name may be included in filen + + .fi + The default is "/var/log/cups/page_log". ++.\"#PassEnv ++.TP 5 ++\fBPassEnv \fIvariable \fR[ ... \fIvariable \fR] ++Passes the specified environment variable(s) to child processes. ++Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive. + .\"#RemoteRoot + .TP 5 + \fBRemoteRoot \fIusername\fR +@@ -193,6 +198,11 @@ macOS uses its keychain database to stor + \fBServerRoot \fIdirectory\fR + Specifies the directory containing the server configuration files. + The default is "/etc/cups". ++.\"#SetEnv ++.TP 5 ++\fBSetEnv \fIvariable value\fR ++Set the specified environment variable to be passed to child processes. ++Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive. + .\"#SyncOnClose + .TP 5 + \fBSyncOnClose Yes\fR +Index: cups-2.2.4/man/cupsd.conf.man.in +=================================================================== +--- cups-2.2.4.orig/man/cupsd.conf.man.in 2018-06-22 13:38:34.686569960 -0400 ++++ cups-2.2.4/man/cupsd.conf.man.in 2018-06-22 13:39:40.710712810 -0400 +@@ -377,10 +377,6 @@ The following percent sequences are reco + .fi + The default is the empty string, which disables page logging. + The string "%p %u %j %T %P %C %{job-billing} %{job-originating-host-name} %{job-name} %{media} %{sides}" creates a page log with the standard items. +-.\"#PassEnv +-.TP 5 +-\fBPassEnv \fIvariable \fR[ ... \fIvariable \fR] +-Passes the specified environment variable(s) to child processes. + .\"#Policy + .TP 5 + \fB \fR... \fB\fR +@@ -466,10 +462,6 @@ Specifies what information is included i + command. + "Full" reports "CUPS 2.0.0 (UNAME) IPP/2.0". + The default is "Minimal". +-.\"#SetEnv +-.TP 5 +-\fBSetEnv \fIvariable value\fR +-Set the specified environment variable to be passed to child processes. + .\"#SSLListen + .TP 5 + \fBSSLListen \fIipv4-address\fB:\fIport\fR +Index: cups-2.2.4/scheduler/conf.c +=================================================================== +--- cups-2.2.4.orig/scheduler/conf.c 2018-06-22 13:38:34.686569960 -0400 ++++ cups-2.2.4/scheduler/conf.c 2018-06-22 13:38:34.686569960 -0400 +@@ -2911,13 +2911,10 @@ read_cupsd_conf(cups_file_t *fp) /* I - + /* Line from file */ + temp[HTTP_MAX_BUFFER], + /* Temporary buffer for value */ +- *value, /* Pointer to value */ +- *valueptr; /* Pointer into value */ ++ *value; /* Pointer to value */ + int valuelen; /* Length of value */ + http_addrlist_t *addrlist, /* Address list */ + *addr; /* Current address */ +- cups_file_t *incfile; /* Include file */ +- char incname[1024]; /* Include filename */ + + + /* +@@ -2932,28 +2929,7 @@ read_cupsd_conf(cups_file_t *fp) /* I - + * Decode the directive... + */ + +- if (!_cups_strcasecmp(line, "Include") && value) +- { +- /* +- * Include filename +- */ +- +- if (value[0] == '/') +- strlcpy(incname, value, sizeof(incname)); +- else +- snprintf(incname, sizeof(incname), "%s/%s", ServerRoot, value); +- +- if ((incfile = cupsFileOpen(incname, "rb")) == NULL) +- cupsdLogMessage(CUPSD_LOG_ERROR, +- "Unable to include config file \"%s\" - %s", +- incname, strerror(errno)); +- else +- { +- read_cupsd_conf(incfile); +- cupsFileClose(incfile); +- } +- } +- else if (!_cups_strcasecmp(line, " +@@ -3331,31 +3307,6 @@ read_cupsd_conf(cups_file_t *fp) /* I - + cupsdLogMessage(CUPSD_LOG_WARN, "Unknown ServerTokens %s on line %d of %s.", + value, linenum, ConfigurationFile); + } +- else if (!_cups_strcasecmp(line, "PassEnv") && value) +- { +- /* +- * PassEnv variable [... variable] +- */ +- +- for (; *value;) +- { +- for (valuelen = 0; value[valuelen]; valuelen ++) +- if (_cups_isspace(value[valuelen]) || value[valuelen] == ',') +- break; +- +- if (value[valuelen]) +- { +- value[valuelen] = '\0'; +- valuelen ++; +- } +- +- cupsdSetEnv(value, NULL); +- +- for (value += valuelen; *value; value ++) +- if (!_cups_isspace(*value) || *value != ',') +- break; +- } +- } + else if (!_cups_strcasecmp(line, "ServerAlias") && value) + { + /* +@@ -3384,30 +3335,6 @@ read_cupsd_conf(cups_file_t *fp) /* I - + break; + } + } +- else if (!_cups_strcasecmp(line, "SetEnv") && value) +- { +- /* +- * SetEnv variable value +- */ +- +- for (valueptr = value; *valueptr && !isspace(*valueptr & 255); valueptr ++); +- +- if (*valueptr) +- { +- /* +- * Found a value... +- */ +- +- while (isspace(*valueptr & 255)) +- *valueptr++ = '\0'; +- +- cupsdSetEnv(value, valueptr); +- } +- else +- cupsdLogMessage(CUPSD_LOG_ERROR, +- "Missing value for SetEnv directive on line %d of %s.", +- linenum, ConfigurationFile); +- } + else if (!_cups_strcasecmp(line, "AccessLog") || + !_cups_strcasecmp(line, "CacheDir") || + !_cups_strcasecmp(line, "ConfigFilePerm") || +@@ -3421,6 +3348,7 @@ read_cupsd_conf(cups_file_t *fp) /* I - + !_cups_strcasecmp(line, "LogFilePerm") || + !_cups_strcasecmp(line, "LPDConfigFile") || + !_cups_strcasecmp(line, "PageLog") || ++ !_cups_strcasecmp(line, "PassEnv") || + !_cups_strcasecmp(line, "Printcap") || + !_cups_strcasecmp(line, "PrintcapFormat") || + !_cups_strcasecmp(line, "RemoteRoot") || +@@ -3430,6 +3358,7 @@ read_cupsd_conf(cups_file_t *fp) /* I - + !_cups_strcasecmp(line, "ServerKey") || + !_cups_strcasecmp(line, "ServerKeychain") || + !_cups_strcasecmp(line, "ServerRoot") || ++ !_cups_strcasecmp(line, "SetEnv") || + !_cups_strcasecmp(line, "SMBConfigFile") || + !_cups_strcasecmp(line, "StateDir") || + !_cups_strcasecmp(line, "SystemGroup") || +@@ -3460,10 +3389,49 @@ read_cupsd_conf(cups_file_t *fp) /* I - + static int /* O - 1 on success, 0 on failure */ + read_cups_files_conf(cups_file_t *fp) /* I - File to read from */ + { +- int linenum; /* Current line number */ ++ int i, /* Looping var */ ++ linenum; /* Current line number */ + char line[HTTP_MAX_BUFFER], /* Line from file */ + *value; /* Value from line */ + struct group *group; /* Group */ ++ static const char * const prohibited_env[] = ++ { /* Prohibited environment variables */ ++ "APPLE_LANGUAGE", ++ "AUTH_DOMAIN", ++ "AUTH_INFO_REQUIRED", ++ "AUTH_NEGOTIATE", ++ "AUTH_PASSWORD", ++ "AUTH_UID", ++ "AUTH_USERNAME", ++ "CHARSET", ++ "CLASS", ++ "CLASSIFICATION", ++ "CONTENT_TYPE", ++ "CUPS_CACHEDIR", ++ "CUPS_DATADIR", ++ "CUPS_DOCROOT", ++ "CUPS_FILETYPE", ++ "CUPS_FONTPATH", ++ "CUPS_MAX_MESSAGE", ++ "CUPS_REQUESTROOT", ++ "CUPS_SERVERBIN", ++ "CUPS_SERVERROOT", ++ "CUPS_STATEDIR", ++ "DEVICE_URI", ++ "FINAL_CONTENT_TYPE", ++ "HOME", ++ "LANG", ++ "PPD", ++ "PRINTER", ++ "PRINTER_INFO", ++ "PRINTER_LOCATION", ++ "PRINTER_STATE_REASONS", ++ "RIP_CACHE", ++ "SERVER_ADMIN", ++ "SOFTWARE", ++ "TMPDIR", ++ "USER" ++ }; + + + /* +@@ -3501,6 +3469,47 @@ read_cups_files_conf(cups_file_t *fp) /* + } + } + } ++ else if (!_cups_strcasecmp(line, "PassEnv") && value) ++ { ++ /* ++ * PassEnv variable [... variable] ++ */ ++ ++ int valuelen; /* Length of variable name */ ++ ++ for (; *value;) ++ { ++ for (valuelen = 0; value[valuelen]; valuelen ++) ++ if (_cups_isspace(value[valuelen]) || value[valuelen] == ',') ++ break; ++ ++ if (value[valuelen]) ++ { ++ value[valuelen] = '\0'; ++ valuelen ++; ++ } ++ ++ for (i = 0; i < (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0])); i ++) ++ { ++ if (!strcmp(value, prohibited_env[i])) ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, "Environment variable \"%s\" cannot be passed through on line %d of %s.", value, linenum, CupsFilesFile); ++ ++ if (FatalErrors & CUPSD_FATAL_CONFIG) ++ return (0); ++ else ++ break; ++ } ++ } ++ ++ if (i >= (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0]))) ++ cupsdSetEnv(value, NULL); ++ ++ for (value += valuelen; *value; value ++) ++ if (!_cups_isspace(*value) || *value != ',') ++ break; ++ } ++ } + else if (!_cups_strcasecmp(line, "PrintcapFormat") && value) + { + /* +@@ -3546,6 +3555,46 @@ read_cups_files_conf(cups_file_t *fp) /* + return (0); + } + } ++ else if (!_cups_strcasecmp(line, "SetEnv") && value) ++ { ++ /* ++ * SetEnv variable value ++ */ ++ ++ char *valueptr; /* Pointer to environment variable value */ ++ ++ for (valueptr = value; *valueptr && !isspace(*valueptr & 255); valueptr ++); ++ ++ if (*valueptr) ++ { ++ /* ++ * Found a value... ++ */ ++ ++ while (isspace(*valueptr & 255)) ++ *valueptr++ = '\0'; ++ ++ for (i = 0; i < (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0])); i ++) ++ { ++ if (!strcmp(value, prohibited_env[i])) ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, "Environment variable \"%s\" cannot be set on line %d of %s.", value, linenum, CupsFilesFile); ++ ++ if (FatalErrors & CUPSD_FATAL_CONFIG) ++ return (0); ++ else ++ break; ++ } ++ } ++ ++ if (i >= (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0]))) ++ cupsdSetEnv(value, valueptr); ++ } ++ else ++ cupsdLogMessage(CUPSD_LOG_ERROR, ++ "Missing value for SetEnv directive on line %d of %s.", ++ linenum, ConfigurationFile); ++ } + else if (!_cups_strcasecmp(line, "SystemGroup") && value) + { + /* +Index: cups-2.2.4/scheduler/job.c +=================================================================== +--- cups-2.2.4.orig/scheduler/job.c 2018-06-22 13:38:34.686569960 -0400 ++++ cups-2.2.4/scheduler/job.c 2018-06-22 13:38:34.686569960 -0400 +@@ -4774,6 +4774,18 @@ start_job(cupsd_job_t *job, /* I - + job->profile = cupsdCreateProfile(job->id, 0); + job->bprofile = cupsdCreateProfile(job->id, 1); + ++#ifdef HAVE_SANDBOX_H ++ if ((!job->profile || !job->bprofile) && UseSandboxing && Sandboxing != CUPSD_SANDBOXING_OFF) ++ { ++ /* ++ * Failure to create the sandbox profile means something really bad has ++ * happened and we need to shutdown immediately. ++ */ ++ ++ return; ++ } ++#endif /* HAVE_SANDBOX_H */ ++ + /* + * Create the status pipes and buffer... + */ +Index: cups-2.2.4/scheduler/process.c +=================================================================== +--- cups-2.2.4.orig/scheduler/process.c 2018-06-22 13:38:34.686569960 -0400 ++++ cups-2.2.4/scheduler/process.c 2018-06-22 13:38:34.686569960 -0400 +@@ -99,9 +99,13 @@ cupsdCreateProfile(int job_id, /* I - J + + if ((fp = cupsTempFile2(profile, sizeof(profile))) == NULL) + { ++ /* ++ * This should never happen, and is fatal when sandboxing is enabled. ++ */ ++ + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d, allow_networking=%d) = NULL", job_id, allow_networking); +- cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to create security profile: %s", +- strerror(errno)); ++ cupsdLogMessage(CUPSD_LOG_EMERG, "Unable to create security profile: %s", strerror(errno)); ++ kill(getpid(), SIGTERM); + return (NULL); + } + +@@ -198,10 +202,8 @@ cupsdCreateProfile(int job_id, /* I - J + " #\"^%s/\"" /* TempDir/... */ + " #\"^%s$\"" /* CacheDir */ + " #\"^%s/\"" /* CacheDir/... */ +- " #\"^%s$\"" /* StateDir */ +- " #\"^%s/\"" /* StateDir/... */ + "))\n", +- temp, temp, cache, cache, state, state); ++ temp, temp, cache, cache); + /* Read common folders */ + cupsFilePrintf(fp, + "(allow file-read-data file-read-metadata\n" +@@ -243,8 +245,10 @@ cupsdCreateProfile(int job_id, /* I - J + " #\"^%s/\"" /* ServerBin/... */ + " #\"^%s$\"" /* ServerRoot */ + " #\"^%s/\"" /* ServerRoot/... */ ++ " #\"^%s$\"" /* StateDir */ ++ " #\"^%s/\"" /* StateDir/... */ + "))\n", +- request, request, bin, bin, root, root); ++ request, request, bin, bin, root, root, state, state); + if (Sandboxing == CUPSD_SANDBOXING_RELAXED) + { + /* Limited write access to /Library/Printers/... */ +Index: cups-2.2.4/scheduler/server.c +=================================================================== +--- cups-2.2.4.orig/scheduler/server.c 2018-06-22 13:38:34.686569960 -0400 ++++ cups-2.2.4/scheduler/server.c 2018-06-22 13:38:34.686569960 -0400 +@@ -38,16 +38,28 @@ void + cupsdStartServer(void) + { + /* +- * Start color management (as needed)... ++ * Create the default security profile... + */ + +- cupsdStartColor(); ++ DefaultProfile = cupsdCreateProfile(0, 1); ++ ++#ifdef HAVE_SANDBOX_H ++ if (!DefaultProfile && UseSandboxing && Sandboxing != CUPSD_SANDBOXING_OFF) ++ { ++ /* ++ * Failure to create the sandbox profile means something really bad has ++ * happened and we need to shutdown immediately. ++ */ ++ ++ return; ++ } ++#endif /* HAVE_SANDBOX_H */ + + /* +- * Create the default security profile... ++ * Start color management (as needed)... + */ + +- DefaultProfile = cupsdCreateProfile(0, 1); ++ cupsdStartColor(); + + /* + * Startup all the networking stuff... +Index: cups-2.2.4/test/run-stp-tests.sh +=================================================================== +--- cups-2.2.4.orig/test/run-stp-tests.sh 2018-06-22 13:38:34.686569960 -0400 ++++ cups-2.2.4/test/run-stp-tests.sh 2018-06-22 13:38:34.686569960 -0400 +@@ -488,11 +488,6 @@ StrictConformance Yes + Browsing Off + Listen 127.0.0.1:$port + Listen $BASE/sock +-PassEnv DYLD_LIBRARY_PATH +-PassEnv LD_LIBRARY_PATH +-PassEnv LD_PRELOAD +-PassEnv LOCALEDIR +-PassEnv SHLIB_PATH + MaxSubscriptions 3 + MaxLogSize 0 + AccessLogLevel actions +@@ -529,6 +524,12 @@ PidFile $BASE/cupsd.pid + AccessLog $BASE/log/access_log + ErrorLog $BASE/log/error_log + PageLog $BASE/log/page_log ++ ++PassEnv DYLD_LIBRARY_PATH ++PassEnv LD_LIBRARY_PATH ++PassEnv LD_PRELOAD ++PassEnv LOCALEDIR ++PassEnv SHLIB_PATH + EOF + + if test $ssltype != 0 -a `uname` = Darwin; then diff -Nru cups-2.2.4/debian/patches/series cups-2.2.4/debian/patches/series --- cups-2.2.4/debian/patches/series 2017-11-08 12:56:09.000000000 +0000 +++ cups-2.2.4/debian/patches/series 2018-06-22 17:38:29.000000000 +0000 @@ -46,3 +46,5 @@ 0046-Fix-sorting-bug.patch 0047-The-scheduler-incorrectly-woke-up-once-per-second-to.patch cupsGetNamedDest-use-local-default.patch +CVE-2017-18248.patch +CVE-2018-418x.patch