Bug 23306

Summary: cups new security issues CVE-2018-418[0-3] and CVE-2018-4700
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Thierry Vignaud <thierry.vignaud>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: doktor5000, mageia, mageia, marja11, mhrambo3501, pterjan
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: cups-2.2.6-1.mga6.src.rpm CVE:
Status comment:
Bug Depends on: 25317    
Bug Blocks:    

Description David Walser 2018-07-16 19:50:56 CEST 
Debian has issued an advisory on July 11:
https://www.debian.org/security/2018/dsa-4243

The issues were fixed upstream in the following commit:
https://github.com/apple/cups/commit/d47f6aec436e0e9df6554436e391471097686ecc

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-07-16 19:51:05 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-07-16 19:59:09 CEST 
Ubuntu has issued an advisory for this on July 11:
https://usn.ubuntu.com/3713-1/
Comment 2 Marja Van Waes 2018-07-17 15:24:11 CEST 
Assigning to the registered maintainer, CC'ing some committers.

Assignee: bugsquad => thierry.vignaud
CC: (none) => doktor5000, mageia, mageia, marja11, pterjan

Comment 3 David Walser 2018-08-02 17:29:43 CEST 
SUSE has issued an advisory on August 1:
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004364.html

It fixes these and two new issues, which were all disclosed here:
https://blog.gdssecurity.com/labs/2018/7/11/cups-local-privilege-escalation-and-sandbox-escapes.html

Summary: cups new security issues CVE-2018-418[01] => cups new security issues CVE-2018-418[0-3]

Comment 4 David Walser 2018-08-02 18:14:28 CEST 
Fedora has issued an advisory for this on July 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5CDW7PAQIBDYEQC5M3UYPLJOXOGFJ7BY/
Comment 5 David Walser 2018-12-25 21:20:25 CET 
Fedora has issued an advisory on December 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MTPCMCONP5W3GMWEUKVATP2VDVGZEQDY/

This fixes a new issue, with the fix linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1649347

Severity: normal => major
Summary: cups new security issues CVE-2018-418[0-3] => cups new security issues CVE-2018-418[0-3] and CVE-2018-4700

Comment 6 David Walser 2018-12-25 21:37:51 CET 
Fedora advisory for the new issue from December 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GA2OBRREMQ4AO3ZZCYI7D3CCG3FSMLW6/

They patched 2.2.6 there (same version we have in Mageia 6).
Comment 7 David Walser 2018-12-29 02:18:55 CET 
CVE-2018-4700 is fixed upstream in 2.2.10.
Comment 8 David Walser 2018-12-29 06:02:41 CET 
Older issues appear to have been fixed upstream in 2.2.8 (which is in Cauldron).  tv included a patch from Fedora for CVE-2018-4700 in Cauldron.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

David Walser 2019-08-16 14:55:20 CEST

Depends on: (none) => 25317

Comment 9 Mike Rambo 2019-11-06 13:32:52 CET 
Mageia 6 is EOL.

Status: NEW => RESOLVED
CC: (none) => mrambo
Resolution: (none) => OLD