Bug 22877

Summary: cups new security issue CVE-2017-18248
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, sysadmin-bugs
Version: 5Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK
Source RPM: cups-2.0.4-1.4.mga5.src.rpm CVE:
Status comment: Patch available from Fedora

Description David Walser 2018-04-07 18:40:43 CEST 
Fedora has issued an advisory on April 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IGQ3XXPAM2RKAOIEXMCKKNICIKDLKWE2/

The issue was fixed in 2.2.6, so Mageia 6 is not affected.
Comment 1 Marja Van Waes 2018-04-07 23:02:40 CEST 
Assigning to all packagers collectively, because afaik the registered maintainer (tv) considers Mga5 to be EOL

CC: (none) => marja11, thierry.vignaud
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2018-04-09 00:40:33 CEST 
Actually it looks like tv added a patch for this on top of 2.2.6.

Version: 5 => 6
Whiteboard: (none) => MGA5TOO
Status comment: (none) => Patch available from Fedora

Comment 3 Thierry Vignaud 2018-04-09 16:16:45 CEST 
(In reply to Marja van Waes from comment #1)
> Assigning to all packagers collectively, because afaik the registered
> maintainer (tv) considers Mga5 to be EOL

Err, that's not my feeling, this is our official policy!
See https://www.mageia.org/en/support/
"Mageia 5 was supported until December 31st, 2017".
Comment 4 David Walser 2018-04-09 16:30:28 CEST 
We're still sort of unofficially supporting core packages for 5, but I'll worry about that.  Mageia 6 needs the fixes you have in Cauldron.
Comment 5 David Walser 2018-05-04 06:06:04 CEST 
I'm not sure what tv was doing, because 2.2.6 does contain the upstream fix.

Version: 6 => 5
Whiteboard: MGA5TOO => (none)

Comment 6 David Walser 2018-05-04 06:23:18 CEST 
Advisory:
========================

Updated cups packages fix security vulnerability:

CUPS before version 2.2.6 has a vulnerability in the handling of usernames in
the scheduler/ipp.c:add_job() function. A remote attacker could exploit this by
submitting a print job with an invalid UTF-8 username to cause a crash and
subsequent denial of service (CVE-2017-18248).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18248
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IGQ3XXPAM2RKAOIEXMCKKNICIKDLKWE2/
========================

Updated packages in core/updates_testing:
========================
cups-2.0.4-1.5.mga5
cups-common-2.0.4-1.5.mga5
libcups2-devel-2.0.4-1.5.mga5
libcups2-2.0.4-1.5.mga5
cups-filesystem-2.0.4-1.5.mga5

from cups-2.0.4-1.5.mga5.src.rpm

CC: marja11, thierry.vignaud => (none)
Assignee: pkg-bugs => qa-bugs

Comment 7 Herman Viaene 2018-05-07 14:29:15 CEST 
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
After update existing printer was accessible, removed it in MCC - Hardware and installed it again.
All seems well on board.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Comment 8 Lewis Smith 2018-05-08 09:45:28 CEST 
Thanks you Herman for the test. Advisoried, validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2018-05-09 20:34:05 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0224.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED