diff -Nru cups-2.2.7/debian/changelog cups-2.2.7/debian/changelog
--- cups-2.2.7/debian/changelog 2018-11-16 19:05:42.000000000 +0000
+++ cups-2.2.7/debian/changelog 2019-08-16 07:12:45.000000000 +0000
@@ -1,3 +1,50 @@
+cups (2.2.7-1ubuntu2.7) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Stack buffer overflow in SNMP ASN.1 decoder
+ - debian/patches/CVE-2019-86xx.patch: update cups/snmp.c to check for
+ buffer overflow when decoding various ASN.1 elements.
+ - CVE-2019-8675
+ - CVE-2019-8696
+ * SECURITY UPDATE: Buffer overflow in IPP
+ - debian/patches/CVE-2019-86xx.patch: update cups/ipp.c to avoid
+ buffer overflow due to tag type confusion
+ * SECURITY UPDATE: Denial of service and memory disclosure in scheduler
+ - debian/patches/CVE-2019-86xx.patch: update scheduler/client.c to
+ avoid a denial of service and possible memory disclosure if the
+ client unexpectedly closes the connection
+
+ -- Alex Murray Fri, 16 Aug 2019 16:42:45 +0930
+
+cups (2.2.7-1ubuntu2.6) bionic; urgency=medium
+
+ * d/p/0045-Fix-an-issue-with-PreserveJobHistory-and-time-values.patch
+ Fix an issue with `PreserveJobHistory` and time values
+ (Issue #5538, Closes: #921741, LP: #1747765)
+
+ -- Dariusz Gadomski Thu, 30 May 2019 10:02:17 +0200
+
+cups (2.2.7-1ubuntu2.5) bionic; urgency=medium
+
+ * d/p/systemd-service-for-cupsd-after-sssd.patch: Start cupsd after sssd if
+ installed (LP: #1822062)
+
+ -- Victor Tapia Wed, 24 Apr 2019 16:58:30 +0200
+
+cups (2.2.7-1ubuntu2.4) bionic; urgency=medium
+
+ * fix-a-parsing-bug-in-the-new-authentication-code.patch,
+ fix-cups-auth-find-for-schemes-without-parameters.patch: Backported
+ authentication fixes from upstream (LP: #1783298).
+
+ -- Till Kamppeter Sun, 3 Mar 2019 12:28:01 +0100
+
+cups (2.2.7-1ubuntu2.3) bionic; urgency=medium
+
+ * fix-handling-of-MaxJobTime.patch: Fix handling of MaxJobTime 0
+ (LP: #1804576)
+
+ -- Dariusz Gadomski Wed, 12 Dec 2018 08:31:14 +0100
+
 cups (2.2.7-1ubuntu2.2) bionic-security; urgency=medium
 
 * SECURITY UPDATE: predictable session cookies
diff -Nru cups-2.2.7/debian/patches/0045-Fix-an-issue-with-PreserveJobHistory-and-time-values.patch cups-2.2.7/debian/patches/0045-Fix-an-issue-with-PreserveJobHistory-and-time-values.patch
--- cups-2.2.7/debian/patches/0045-Fix-an-issue-with-PreserveJobHistory-and-time-values.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-2.2.7/debian/patches/0045-Fix-an-issue-with-PreserveJobHistory-and-time-values.patch 2019-05-30 08:02:17.000000000 +0000
@@ -0,0 +1,114 @@ +From 917e6f4ff70eed933c80d21eed4c6bfeb2cb68b7 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Mon, 11 Mar 2019 13:54:46 -0400 +Subject: Fix an issue with `PreserveJobHistory` and time values (Issue #5538) + +Closes: #921741 +--- + scheduler/job.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/scheduler/job.c b/scheduler/job.c +index cc9283fb8..d4793cbb1 100644 +--- a/scheduler/job.c ++++ b/scheduler/job.c +@@ -437,10 +437,20 @@ cupsdCleanJobs(void) + curtime = time(NULL); + JobHistoryUpdate = 0; + ++ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCleanJobs: curtime=%d", (int)curtime); ++ + for (job = (cupsd_job_t *)cupsArrayFirst(Jobs); + job; + job = (cupsd_job_t *)cupsArrayNext(Jobs)) + { ++ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCleanJobs: Job %d, state=%d, printer=%p, history_time=%d, file_time=%d", job->id, (int)job->state_value, (void *)job->printer, (int)job->history_time, (int)job->file_time); ++ ++ if ((job->history_time && job->history_time) < JobHistoryUpdate || !JobHistoryUpdate) ++ JobHistoryUpdate = job->history_time; ++ ++ if ((job->file_time && job->file_time < JobHistoryUpdate) || !JobHistoryUpdate) ++ JobHistoryUpdate = job->file_time; ++ + if (job->state_value >= IPP_JOB_CANCELED && !job->printer) + { + /* +@@ -456,21 +466,9 @@ cupsdCleanJobs(void) + else if (job->file_time && job->file_time <= curtime) + { + cupsdLogJob(job, CUPSD_LOG_DEBUG, "Removing document files."); +- cupsdLogJob(job, CUPSD_LOG_DEBUG2, "curtime=%ld, job->file_time=%ld", (long)curtime, (long)job->file_time); + remove_job_files(job); + + cupsdMarkDirty(CUPSD_DIRTY_JOBS); +- +- if (job->history_time < JobHistoryUpdate || !JobHistoryUpdate) +- JobHistoryUpdate = job->history_time; +- } +- else +- { +- if (job->history_time < JobHistoryUpdate || !JobHistoryUpdate) +- JobHistoryUpdate = job->history_time; +- +- if (job->file_time < JobHistoryUpdate || !JobHistoryUpdate) +- JobHistoryUpdate = 
job->file_time; + } + } + } +@@ -1729,7 +1727,7 @@ cupsdLoadJob(cupsd_job_t *job) /* I - Job */ + job->completed_time = attr->values[0].integer; + + if (JobHistory < INT_MAX) +- job->history_time = attr->values[0].integer + JobHistory; ++ job->history_time = job->completed_time + JobHistory; + else + job->history_time = INT_MAX; + +@@ -1740,7 +1738,7 @@ cupsdLoadJob(cupsd_job_t *job) /* I - Job */ + JobHistoryUpdate = job->history_time; + + if (JobFiles < INT_MAX) +- job->file_time = attr->values[0].integer + JobFiles; ++ job->file_time = job->completed_time + JobFiles; + else + job->file_time = INT_MAX; + +@@ -2862,8 +2860,10 @@ cupsdUpdateJobs(void) + * Update history/file expiration times... + */ + ++ job->completed_time = attr->values[0].integer; ++ + if (JobHistory < INT_MAX) +- job->history_time = attr->values[0].integer + JobHistory; ++ job->history_time = job->completed_time + JobHistory; + else + job->history_time = INT_MAX; + +@@ -2877,7 +2877,7 @@ cupsdUpdateJobs(void) + JobHistoryUpdate = job->history_time; + + if (JobFiles < INT_MAX) +- job->file_time = attr->values[0].integer + JobFiles; ++ job->file_time = job->completed_time + JobFiles; + else + job->file_time = INT_MAX; + +@@ -4693,7 +4693,7 @@ set_time(cupsd_job_t *job, /* I - Job to update */ + job->completed_time = curtime; + + if (JobHistory < INT_MAX && attr) +- job->history_time = attr->values[0].integer + JobHistory; ++ job->history_time = job->completed_time + JobHistory; + else + job->history_time = INT_MAX; + +@@ -4701,7 +4701,7 @@ set_time(cupsd_job_t *job, /* I - Job to update */ + JobHistoryUpdate = job->history_time; + + if (JobFiles < INT_MAX && attr) +- job->file_time = curtime + JobFiles; ++ job->file_time = job->completed_time + JobFiles; + else + job->file_time = INT_MAX; + diff -Nru cups-2.2.7/debian/patches/CVE-2019-86xx.patch cups-2.2.7/debian/patches/CVE-2019-86xx.patch --- cups-2.2.7/debian/patches/CVE-2019-86xx.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
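Review bot: The condition `if ((job->history_time && job->history_time) < JobHistoryUpdate || !JobHistoryUpdate)` added to cupsdCleanJobs in the embedded job.c hunk compares the boolean result of `history_time && history_time` (0 or 1) against JobHistoryUpdate, so the assignment fires for nearly every job instead of tracking the earliest expiry; the file_time test two lines below shows the intended shape. It should read `if ((job->history_time && job->history_time < JobHistoryUpdate) || !JobHistoryUpdate)`. The effect appears to be a wrong next-cleanup time rather than a memory-safety problem, but the code that consumes JobHistoryUpdate is outside the hunk so that cannot be confirmed here. cupsdCleanJobs starts before and continues past the hunk.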
cups-2.2.7/debian/patches/CVE-2019-86xx.patch 2019-08-16 07:12:32.000000000 +0000 
@@ -0,0 +1,208 @@ +Backported from the following upstream commit +From f24e6cf6a39300ad0c3726a41a4aab51ad54c109 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Thu, 15 Aug 2019 14:08:31 -0400 +Subject: [PATCH] Fix multiple security/disclosure issues: + +- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251) +- Fixed IPP buffer overflow (rdar://50035411) +- Fixed memory disclosure issue in the scheduler (rdar://51373853) +- Fixed DoS issues in the scheduler (rdar://51373929) +--- + CHANGES.md | 6 +++++- + cups/http.c | 9 +++++++-- + cups/ipp.c | 9 ++------- + cups/snmp.c | 20 +++++++++++++++++++- + scheduler/client.c | 23 ++++++++++++----------- + 5 files changed, 45 insertions(+), 22 deletions(-) + +Index: cups-2.2.7/CHANGES.md +=================================================================== +--- cups-2.2.7.orig/CHANGES.md ++++ cups-2.2.7/CHANGES.md +@@ -1,10 +1,14 @@ +-CHANGES - 2.2.7 - 2018-03-22 ++CHANGES - 2.2.7 - 2019-08-16 + ============================ + + + Changes in CUPS v2.2.7 + ---------------------- + ++- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251) ++- Fixed IPP buffer overflow (rdar://50035411) ++- Fixed memory disclosure issue in the scheduler (rdar://51373853) ++- Fixed DoS issues in the scheduler (rdar://51373929) + - NOTICE: Raw print queues are now deprecated (Issue #5269) + - Fixed an Avahi crash bug in the scheduler (Issue #5268) + - The IPP Everywhere PPD generator did not include the `cupsJobPassword` +Index: cups-2.2.7/cups/http.c +=================================================================== +--- cups-2.2.7.orig/cups/http.c ++++ cups-2.2.7/cups/http.c +@@ -1892,7 +1892,7 @@ httpPrintf(http_t *http, /* I - HTT + ...) 
/* I - Additional args as needed */ + { + ssize_t bytes; /* Number of bytes to write */ +- char buf[16384]; /* Buffer for formatted string */ ++ char buf[65536]; /* Buffer for formatted string */ + va_list ap; /* Variable argument pointer */ + + +@@ -1904,7 +1904,12 @@ httpPrintf(http_t *http, /* I - HTT + + DEBUG_printf(("3httpPrintf: (" CUPS_LLFMT " bytes) %s", CUPS_LLCAST bytes, buf)); + +- if (http->data_encoding == HTTP_ENCODING_FIELDS) ++ if (bytes > (ssize_t)(sizeof(buf) - 1)) ++ { ++ http->error = ENOMEM; ++ return (-1); ++ } ++ else if (http->data_encoding == HTTP_ENCODING_FIELDS) + return ((int)httpWrite2(http, buf, (size_t)bytes)); + else + { +Index: cups-2.2.7/cups/ipp.c +=================================================================== +--- cups-2.2.7.orig/cups/ipp.c ++++ cups-2.2.7/cups/ipp.c +@@ -4748,9 +4748,7 @@ ippSetValueTag( + break; + + case IPP_TAG_NAME : +- if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI && +- temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE && +- temp_tag != IPP_TAG_MIMETYPE) ++ if (temp_tag != IPP_TAG_KEYWORD) + return (0); + + (*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST)); +@@ -4758,10 +4756,7 @@ ippSetValueTag( + + case IPP_TAG_NAMELANG : + case IPP_TAG_TEXTLANG : +- if (value_tag == IPP_TAG_NAMELANG && +- (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD && +- temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME && +- temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE)) ++ if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD)) + return (0); + + if (value_tag == IPP_TAG_TEXTLANG && temp_tag != IPP_TAG_TEXT) +Index: cups-2.2.7/cups/snmp.c +=================================================================== +--- cups-2.2.7.orig/cups/snmp.c ++++ cups-2.2.7/cups/snmp.c +@@ -1233,6 +1233,9 @@ asn1_get_integer( + int value; /* Integer value */ + + ++ if (*buffer >= bufend) ++ return (0); ++ + if 
(length > sizeof(int)) + { + (*buffer) += length; +@@ -1259,6 +1262,9 @@ asn1_get_length(unsigned char **buffer, + unsigned length; /* Length */ + + ++ if (*buffer >= bufend) ++ return (0); ++ + length = **buffer; + (*buffer) ++; + +@@ -1301,6 +1307,9 @@ asn1_get_oid( + int number; /* OID number */ + + ++ if (*buffer >= bufend) ++ return (0); ++ + valend = *buffer + length; + oidptr = oid; + oidend = oid + oidsize - 1; +@@ -1349,9 +1358,12 @@ asn1_get_packed( + int value; /* Value */ + + ++ if (*buffer >= bufend) ++ return (0); ++ + value = 0; + +- while ((**buffer & 128) && *buffer < bufend) ++ while (*buffer < bufend && (**buffer & 128)) + { + value = (value << 7) | (**buffer & 127); + (*buffer) ++; +@@ -1379,6 +1391,9 @@ asn1_get_string( + char *string, /* I - String buffer */ + size_t strsize) /* I - String buffer size */ + { ++ if (*buffer >= bufend) ++ return (NULL); ++ + if (length > (unsigned)(bufend - *buffer)) + length = (unsigned)(bufend - *buffer); + +@@ -1421,6 +1436,9 @@ asn1_get_type(unsigned char **buffer, /* + int type; /* Type */ + + ++ if (*buffer >= bufend) ++ return (0); ++ + type = **buffer; + (*buffer) ++; + +Index: cups-2.2.7/scheduler/client.c +=================================================================== +--- cups-2.2.7.orig/scheduler/client.c ++++ cups-2.2.7/scheduler/client.c +@@ -568,6 +568,17 @@ cupsdReadClient(cupsd_client_t *con) /* + + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cupsdReadClient: error=%d, used=%d, state=%s, data_encoding=HTTP_ENCODING_%s, data_remaining=" CUPS_LLFMT ", request=%p(%s), file=%d", httpError(con->http), (int)httpGetReady(con->http), httpStateString(httpGetState(con->http)), httpIsChunked(con->http) ? "CHUNKED" : "LENGTH", CUPS_LLCAST httpGetRemaining(con->http), con->request, con->request ? 
ippStateString(ippGetState(con->request)) : "", con->file); + ++ if (httpError(con->http) == EPIPE && !httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1) ++ { ++ /* ++ * Connection closed... ++ */ ++ ++ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF."); ++ cupsdCloseClient(con); ++ return; ++ } ++ + if (httpGetState(con->http) == HTTP_STATE_GET_SEND || + httpGetState(con->http) == HTTP_STATE_POST_SEND || + httpGetState(con->http) == HTTP_STATE_STATUS) +@@ -577,17 +588,6 @@ cupsdReadClient(cupsd_client_t *con) /* + * connection and we need to shut it down... + */ + +- if (!httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1) +- { +- /* +- * Connection closed... +- */ +- +- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF."); +- cupsdCloseClient(con); +- return; +- } +- + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on unexpected HTTP read state %s.", httpStateString(httpGetState(con->http))); + cupsdCloseClient(con); + return; +@@ -2197,6 +2197,7 @@ cupsdSendError(cupsd_client_t *con, /* I + strlcpy(location, httpGetField(con->http, HTTP_FIELD_LOCATION), sizeof(location)); + + httpClearFields(con->http); ++ httpClearCookie(con->http); + + httpSetField(con->http, HTTP_FIELD_LOCATION, location); + diff -Nru cups-2.2.7/debian/patches/fix-a-parsing-bug-in-the-new-authentication-code.patch cups-2.2.7/debian/patches/fix-a-parsing-bug-in-the-new-authentication-code.patch --- cups-2.2.7/debian/patches/fix-a-parsing-bug-in-the-new-authentication-code.patch 1970-01-01 00:00:00.000000000 +0000 +++ cups-2.2.7/debian/patches/fix-a-parsing-bug-in-the-new-authentication-code.patch 2019-03-03 11:24:31.000000000 +0000 
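Review bot: In the asn1_get_integer hunk of the embedded snmp.c diff, the new `if (*buffer >= bufend) return (0);` guard is followed by the pre-existing `(*buffer) += length;` skip, which still moves the cursor by a packet-supplied length with no relation to bufend, so every later `*buffer >= bufend` test in the other ASN.1 helpers relies on comparing a pointer that may already lie past the end of the receive buffer (undefined in C, even where it happens to work). Clamping before the `sizeof(int)` test with `if (length > (unsigned)(bufend - *buffer)) { *buffer = bufend; return (0); }` keeps the cursor inside the buffer and also bounds the byte loop that follows, which is outside the hunk so its own end check cannot be confirmed here. Separately, in the http.c hunk `if (bytes > (ssize_t)(sizeof(buf) - 1))` does not cover a negative return from the formatting call (not visible in the hunk), which the next branch would pass on as `(size_t)bytes`; `if (bytes < 0 || bytes > (ssize_t)(sizeof(buf) - 1))` closes that. The enclosing functions in both files start and end outside the hunk.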
@@ -0,0 +1,24 @@ +From: Michael R Sweet +Date: Wed, 11 Apr 2018 13:10:51 -0400 +Subject: [PATCH] Fix a parsing bug in the new authentication code. +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1783298 +--- a/cups/auth.c ++++ b/cups/auth.c +@@ -218,7 +218,7 @@ + if (!cg->lang_default) + cg->lang_default = cupsLangDefault(); + +- if (cups_auth_param(scheme, "username", default_username, sizeof(default_username))) ++ if (cups_auth_param(schemedata, "username", default_username, sizeof(default_username))) + cupsSetUser(default_username); + + snprintf(prompt, sizeof(prompt), _cupsLangString(cg->lang_default, _("Password for %s on %s? ")), cupsUser(), http->hostname[0] == '/' ? "localhost" : http->hostname); +@@ -801,7 +801,7 @@ + * Parse the scheme name or param="value" string... + */ + +- for (sptr = scheme, start = www_authenticate, param = 0; *www_authenticate && !isspace(*www_authenticate & 255); www_authenticate ++) ++ for (sptr = scheme, start = www_authenticate, param = 0; *www_authenticate && *www_authenticate != ',' && !isspace(*www_authenticate & 255); www_authenticate ++) + { + if (*www_authenticate == '=') + param = 1; diff -Nru cups-2.2.7/debian/patches/fix-cups-auth-find-for-schemes-without-parameters.patch cups-2.2.7/debian/patches/fix-cups-auth-find-for-schemes-without-parameters.patch --- cups-2.2.7/debian/patches/fix-cups-auth-find-for-schemes-without-parameters.patch 1970-01-01 00:00:00.000000000 +0000 +++ cups-2.2.7/debian/patches/fix-cups-auth-find-for-schemes-without-parameters.patch 2019-03-03 11:26:01.000000000 +0000 
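Review bot: The new patch header carries From, Date, Subject and a Bug-Ubuntu link but no `Origin:` field, so the upstream commit it was backported from cannot be traced from the file itself; the fix-handling-of-MaxJobTime.patch added in the same upload shows the fuller DEP-3 form with Origin, Bug, Bug-Ubuntu and Last-Update. Add `Origin: upstream, <upstream commit URL>` with the value taken from the upstream repository. The same gap applies to fix-cups-auth-find-for-schemes-without-parameters.patch, where the Launchpad URL is also given bare instead of as a `Bug-Ubuntu:` field.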
@@ -0,0 +1,15 @@ +From: Michael R Sweet +Date: Wed, 11 Apr 2018 22:03:57 -0400 +Subject: [PATCH] Fix cups_auth_find for schemes without parameters. +https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1783298 +--- a/cups/auth.c ++++ b/cups/auth.c +@@ -620,7 +620,7 @@ + * See if this is "Scheme" followed by whitespace or the end of the string. + */ + +- if (!strncmp(www_authenticate, scheme, schemelen) && (isspace(www_authenticate[schemelen] & 255) || !www_authenticate[schemelen])) ++ if (!strncmp(www_authenticate, scheme, schemelen) && (isspace(www_authenticate[schemelen] & 255) || www_authenticate[schemelen] == ',' || !www_authenticate[schemelen])) + { + /* + * Yes, this is the start of the scheme-specific information... diff -Nru cups-2.2.7/debian/patches/fix-handling-of-MaxJobTime.patch cups-2.2.7/debian/patches/fix-handling-of-MaxJobTime.patch --- cups-2.2.7/debian/patches/fix-handling-of-MaxJobTime.patch 1970-01-01 00:00:00.000000000 +0000 +++ cups-2.2.7/debian/patches/fix-handling-of-MaxJobTime.patch 2018-12-12 07:31:14.000000000 +0000 
@@ -0,0 +1,38 @@ +Description: Fix handling of MaxJobTime 0 + Setting MaxJobTime to 0 resulted in immediate job cancellation + instead of disabling timeout-based cancelation (as per documentation). + . + cups (2.2.7-1ubuntu2.3) bionic; urgency=medium + . + * fix-handling-of-MaxJobTime.patch: Fix handling of MaxJobTime 0 + (LP: #1804576) +Origin: upstream, https://github.com/apple/cups/commit/8c7143551ab03423990c62923209363d760f925f +Bug: https://github.com/apple/cups/issues/5438 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1804576 +Last-Update: 2018-12-12 + +--- cups-2.2.7.orig/scheduler/job.c ++++ cups-2.2.7/scheduler/job.c +@@ -5102,8 +5102,10 @@ update_job(cupsd_job_t *job) /* I - Job + + if (cancel_after) + job->cancel_time = time(NULL) + ippGetInteger(cancel_after, 0); +- else ++ else if (MaxJobTime > 0) + job->cancel_time = time(NULL) + MaxJobTime; ++ else ++ job->cancel_time = 0; + } + } + } +--- cups-2.2.7.orig/scheduler/printers.c ++++ cups-2.2.7/scheduler/printers.c +@@ -3445,7 +3445,7 @@ add_printer_defaults(cupsd_printer_t *p) + "document-format-default", NULL, "application/octet-stream"); + + if (!cupsGetOption("job-cancel-after", p->num_options, p->options)) +- ippAddInteger(p->attrs, IPP_TAG_PRINTER, IPP_TAG_INTEGER, ++ ippAddInteger(p->attrs, IPP_TAG_PRINTER, MaxJobTime > 0 ? IPP_TAG_INTEGER : IPP_TAG_NOVALUE, + "job-cancel-after-default", MaxJobTime); + + if (!cupsGetOption("job-hold-until", p->num_options, p->options)) diff -Nru cups-2.2.7/debian/patches/series cups-2.2.7/debian/patches/series --- cups-2.2.7/debian/patches/series 2018-11-16 19:05:38.000000000 +0000 +++ cups-2.2.7/debian/patches/series 2019-08-16 07:11:37.000000000 +0000 
@@ -41,3 +41,9 @@
 fix-another-crash-when-creating-temporary-queue.patch
 CVE-2018-418x.patch
 CVE-2018-4700.patch
+fix-handling-of-MaxJobTime.patch
+fix-a-parsing-bug-in-the-new-authentication-code.patch
+fix-cups-auth-find-for-schemes-without-parameters.patch
+systemd-service-for-cupsd-after-sssd.patch
+0045-Fix-an-issue-with-PreserveJobHistory-and-time-values.patch
+CVE-2019-86xx.patch
diff -Nru cups-2.2.7/debian/patches/systemd-service-for-cupsd-after-sssd.patch cups-2.2.7/debian/patches/systemd-service-for-cupsd-after-sssd.patch
--- cups-2.2.7/debian/patches/systemd-service-for-cupsd-after-sssd.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-2.2.7/debian/patches/systemd-service-for-cupsd-after-sssd.patch 2019-04-24 14:58:30.000000000 +0000
@@ -0,0 +1,16 @@
+Description: Make cupsd.service start after sssd.service to avoid a race
+ condition when SystemGroup is set to a remote group. LP: #1822062
+Author: Victor Tapia
+Origin: https://github.com/apple/cups/commit/4d0f1959a3f46973caec2cd41828c59674fe195d
+Bug: https://github.com/apple/cups/pull/5551
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822062
+--- a/scheduler/org.cups.cupsd.service.in
++++ b/scheduler/org.cups.cupsd.service.in
+@@ -1,6 +1,7 @@
+ [Unit]
+ Description=CUPS Scheduler
+ Documentation=man:cupsd(8)
++After=sssd.service
+ 
+ [Service]
+ ExecStart=@sbindir@/cupsd -l