cups: CVE-2018-6553

Related Vulnerabilities: CVE-2018-6553   CVE-2018-4180   CVE-2018-4181   CVE-2018-4182   CVE-2018-4183  

Debian Bug report logs - #903605
cups: CVE-2018-6553

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 11 Jul 2018 19:15:02 UTC

Severity: serious

Tags: patch, security

Found in version cups/2.2.1-8

Fixed in versions cups/2.2.1-8+deb9u2, cups/2.2.8-5

Done: Didier Raboud <odyx@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#903605; Package src:cups. (Wed, 11 Jul 2018 19:15:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>. (Wed, 11 Jul 2018 19:15:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cups: CVE-2018-6553
Date: Wed, 11 Jul 2018 21:14:27 +0200
Source: cups
Version: 2.2.1-8
Severity: serious
Tags: patch security
Control: fixed -1 2.2.1-8+deb9u2

Hi,

I'm filing this with severity serious, as it indicates a regression
from stable, given the issue was fixed already via DSA-4243-1 in
2.2.1-8+deb9u2.

CVE-2018-6553[0]:
AppArmor profile issue in cups

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6553
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6553
[1] https://usn.ubuntu.com/usn/usn-3713-1
[2] https://lists.debian.org/debian-security-announce/2018/msg00172.html

Regards,
Salvatore



Marked as fixed in versions cups/2.2.1-8+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 11 Jul 2018 19:15:04 GMT).


Reply sent to Didier Raboud <odyx@debian.org>:
You have taken responsibility. (Fri, 13 Jul 2018 08:51:06 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 13 Jul 2018 08:51:06 GMT).


Message #12 received at 903605-close@bugs.debian.org:

From: Didier Raboud <odyx@debian.org>
To: 903605-close@bugs.debian.org
Subject: Bug#903605: fixed in cups 2.2.8-5
Date: Fri, 13 Jul 2018 08:50:23 +0000
Source: cups
Source-Version: 2.2.8-5

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903605@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 12 Jul 2018 18:48:48 +0200
Source: cups
Binary: libcups2 libcupsimage2 libcupscgi1 libcupsmime1 libcupsppdc1 cups cups-core-drivers cups-daemon cups-client cups-ipp-utils libcups2-dev libcupsimage2-dev cups-bsd cups-common cups-server-common cups-ppdc
Architecture: source
Version: 2.2.8-5
Distribution: unstable
Urgency: high
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description:
 cups       - Common UNIX Printing System(tm) - PPD/driver support, web interfa
 cups-bsd   - Common UNIX Printing System(tm) - BSD commands
 cups-client - Common UNIX Printing System(tm) - client programs (SysV)
 cups-common - Common UNIX Printing System(tm) - common files
 cups-core-drivers - Common UNIX Printing System(tm) - driverless printing
 cups-daemon - Common UNIX Printing System(tm) - daemon
 cups-ipp-utils - Common UNIX Printing System(tm) - IPP developer/admin utilities
 cups-ppdc  - Common UNIX Printing System(tm) - PPD manipulation utilities
 cups-server-common - Common UNIX Printing System(tm) - server common files
 libcups2   - Common UNIX Printing System(tm) - Core library
 libcups2-dev - Common UNIX Printing System(tm) - Development files CUPS library
 libcupscgi1 - Common UNIX Printing System(tm) - CGI library
 libcupsimage2 - Common UNIX Printing System(tm) - Raster image library
 libcupsimage2-dev - Common UNIX Printing System(tm) - Development files CUPS image li
 libcupsmime1 - Common UNIX Printing System(tm) - MIME library
 libcupsppdc1 - Common UNIX Printing System(tm) - PPD manipulation library
Closes: 903605
Changes:
 cups (2.2.8-5) unstable; urgency=high
 .
   * CVE-2018-6553: Fix AppArmor cupsd sandbox bypass due to use of hard links
     (Closes: #903605)
   * All these were fixed in 2.2.8:
     - CVE-2018-4180 Local Privilege Escalation to Root in dnssd Backend
       (CUPS_SERVERBIN)
     - CVE-2018-4181 Limited Local File Reads as Root via cupsd.conf Include
       Directive
     - CVE-2018-4182 cups-exec Sandbox Bypass Due to Insecure Error Handling
     - CVE-2018-4183 cups-exec Sandbox Bypass Due to Profile Misconfiguration
Checksums-Sha1:
 483f06886c5a7cb9cb478e7d052f3398c8bcd5a1 3467 cups_2.2.8-5.dsc
 ba22875e59a37ad516070520210efc1c89802498 351624 cups_2.2.8-5.debian.tar.xz
Checksums-Sha256:
 2f27b624cd965f100906ea5bba0abea9cc9daadbfef42bbeab021b8ffd184ce6 3467 cups_2.2.8-5.dsc
 4f1e27226659d44d6b3409d7509d53ebd64976b85a0bb7331efd50d4e362d547 351624 cups_2.2.8-5.debian.tar.xz
Files:
 ce46b9e693449e477fa5943bea687b72 3467 net optional cups_2.2.8-5.dsc
 80e19d7cf637f8523c0b2bc43ae83639 351624 net optional cups_2.2.8-5.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Nov 2018 07:25:55 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:13:19 2019; Machine Name: buxtehude
