Debian Bug report logs -
#946782
cups: CVE-2019-2228
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 15 Dec 2019 20:09:02 UTC
Severity: important
Tags: security, upstream
Found in versions cups/2.2.1-8+deb9u4, cups/2.2.1-8+deb9u2, cups/2.2.10-6+deb10u1, cups/2.2.1-8, cups/2.3.0-7
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>
:
Bug#946782
; Package src:cups
.
(Sun, 15 Dec 2019 20:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>
.
(Sun, 15 Dec 2019 20:09:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: cups
Version: 2.3.0-7
Severity: important
Tags: security upstream
Control: found -1 2.2.10-6+deb10u1
Control: found -1 2.2.1-8+deb9u2
Control: found -1 2.2.1-8+deb9u4
Control: found -1 2.2.1-8
Hi,
The following vulnerability was published for cups.
CVE-2019-2228[0]:
| In array_find of array.c, there is a possible out-of-bounds read due
| to an incorrect bounds check. This could lead to local information
| disclosure in the printer spooler with no additional execution
| privileges needed. User interaction is not needed for
| exploitation.Product: AndroidVersions: Android-8.0 Android-8.1
| Android-9 Android-10Android ID: A-111210196
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-2228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2228
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.3.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Marked as found in versions cups/2.2.10-6+deb10u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Sun, 15 Dec 2019 20:09:04 GMT) (full text, mbox, link).
Marked as found in versions cups/2.2.1-8+deb9u2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Sun, 15 Dec 2019 20:09:05 GMT) (full text, mbox, link).
Marked as found in versions cups/2.2.1-8+deb9u4.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Sun, 15 Dec 2019 20:09:06 GMT) (full text, mbox, link).
Marked as found in versions cups/2.2.1-8.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Sun, 15 Dec 2019 20:09:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>
:
Bug#946782
; Package src:cups
.
(Mon, 16 Dec 2019 07:00:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Didier 'OdyX' Raboud <odyx@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>
.
(Mon, 16 Dec 2019 07:00:04 GMT) (full text, mbox, link).
Message #18 received at 946782@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hello Salvatore, and thanks for your bugreport,
Le dimanche, 15 décembre 2019, 21.06:42 h CET Salvatore Bonaccorso a écrit :
> The following vulnerability was published for cups.
>
> CVE-2019-2228[0] (…)
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For the record, due to subkey expiration and rotation, I won't be able to
upload before the next keyring-maint sync (around Dec 24). Feel free (you or
anybody) to NMU as needed!
Cheers,
OdyX
[signature.asc (application/pgp-signature, inline)]
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon Dec 16 09:09:00 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.