| Summary: | cups new security issues CVE-2019-8842 and CVE-2020-3898 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, fri, herman.viaene, lists.jjorge, mageia, mageia, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | cups-2.2.11-2.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 25874 | ||
|
Description
David Walser
2020-04-23 21:06:58 CEST
David Walser
2020-04-23 21:07:37 CEST
Whiteboard:
(none) =>
MGA7TOO Fixed in Cauldron in cups-2.3.1-10.mga8 by Thierry. Version:
Cauldron =>
7 Ubuntu has issued an advisory for this today (April 27): https://usn.ubuntu.com/4340-1/ CUPS 2.3.3 has been released on April 27, fixing this issue and one other: https://github.com/apple/cups/releases/tag/v2.3.3 Whiteboard:
(none) =>
MGA7TOO Fedora has issued an advisory for CVE-2020-3898 today (April 28): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HLYM2YY4QOS5AOVWUDGQ3PLMK5TFMIXN/
Morgan Leijström
2020-04-30 11:31:38 CEST
CC:
(none) =>
fri cups-2.3.3-1.mga8 uploaded for Cauldron. Version:
Cauldron =>
7 i see no reference for CVE-2019-8842 in cups changelog. CC:
(none) =>
mageia Fix for CVE-2020-3898 added ( Patch 500 ) Added fix for CVE-2019-2228 too ( Patch501 ) https://github.com/apple/cups/commit/b018978c278d42c7abf78941251b887c95dfdb07.patch Fix for CVE-2019-8842 added too ( Patch502 ) Summary:
cups new security issues CVE-2019-8842 and CVE-2020-3898 =>
cups new security issues CVE-2019-8842 and CVE-2020-3898 and CVE-2019-2228 (In reply to Nicolas Lécureuil from comment #6) > i see no reference for CVE-2019-8842 in cups changelog. See Comment 3. CVE-2019-2228 is Bug 25874 (we'll fix it in this bug, of course). Summary:
cups new security issues CVE-2019-8842 and CVE-2020-3898 and CVE-2019-2228 =>
cups new security issues CVE-2019-8842 and CVE-2020-3898 Of course you have to check the whole chain of dependencies when there's multiple bugs. We still have to address CVE-2019-8675 and CVE-2019-8696 (Bug 25317) too. Assignee:
qa-bugs =>
mageia
David Walser
2020-05-22 19:51:50 CEST
Source RPM:
cups-2.3.1-10.mga8.src.rpm =>
cups-2.2.11-2.mga7.src.rpm CVE-2019-8675 and CVE-2019-8696 are now fixed on the next rpms ( Patch 503 ) Assignee:
mageia =>
qa-bugs Advisory: ======================== Updated cups packages fix security vulnerabilities: It was discovered that CUPS incorrectly handled certain language values. A local attacker could possibly use this issue to cause CUPS to crash, leading to a denial of service, or possibly obtain sensitive information (CVE-2019-2228). Stephan Zeisberg discovered that the CUPS SNMP backend incorrectly handled encoded ASN.1 inputs. A remote attacker could possibly use this issue to cause CUPS to crash by providing specially crafted network traffic (CVE-2019-8675, CVE-2019-8696). The ippReadIO function may under-read an extension (CVE-2019-8842). Stephan Zeisberg discovered that CUPS incorrectly handled certain malformed ppd files. A local attacker could possibly use this issue to execute arbitrary code (CVE-2020-3898). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2228 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8675 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8696 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8842 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3898 https://usn.ubuntu.com/4105-1/ https://usn.ubuntu.com/4340-1/ https://security-tracker.debian.org/tracker/CVE-2019-8842 ======================== Updated packages in core/updates_testing: ======================== cups-2.2.11-2.3.mga7 cups-common-2.2.11-2.3.mga7 libcups2-devel-2.2.11-2.3.mga7 libcups2-2.2.11-2.3.mga7 cups-filesystem-2.2.11-2.3.mga7 from cups-2.2.11-2.3.mga7.src.rpm CC:
qa-bugs =>
(none) as talked with you i updated cups to version 2.2.13 Advisory: ======================== Updated cups packages fix security vulnerabilities: It was discovered that CUPS incorrectly handled certain language values. A local attacker could possibly use this issue to cause CUPS to crash, leading to a denial of service, or possibly obtain sensitive information (CVE-2019-2228). Stephan Zeisberg discovered that the CUPS SNMP backend incorrectly handled encoded ASN.1 inputs. A remote attacker could possibly use this issue to cause CUPS to crash by providing specially crafted network traffic (CVE-2019-8675, CVE-2019-8696). The ippReadIO function may under-read an extension (CVE-2019-8842). Stephan Zeisberg discovered that CUPS incorrectly handled certain malformed ppd files. A local attacker could possibly use this issue to execute arbitrary code (CVE-2020-3898). The cups package has been updated to version 2.2.13 and patched to fix these issues and other bugs. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2228 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8675 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8696 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8842 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3898 https://usn.ubuntu.com/4105-1/ https://usn.ubuntu.com/4340-1/ https://security-tracker.debian.org/tracker/CVE-2019-8842 https://github.com/apple/cups/releases/tag/v2.2.12 https://github.com/apple/cups/releases/tag/v2.2.13 ======================== Updated packages in core/updates_testing: ======================== cups-2.2.13-1.1.mga7 cups-common-2.2.13-1.1.mga7 libcups2-devel-2.2.13-1.1.mga7 libcups2-2.2.13-1.1.mga7 cups-filesystem-2.2.13-1.1.mga7 from cups-2.2.13-1.1.mga7.src.rpm 64 bit updated on two machines, rebooted, printing works as normal. MGA7-64 Plasma on Lenovo B50 No installation issues. Ref bug 22877 for testing. Removed HP Officejet Pro 8100 (wifi connection) from MCC before update. Installed update. Added printer in MCC. The first time it detected the printer with access via dns:sd something. That went wrong as it did not detect or report the duplex facility. Removed the printer again, and added again. The detection now reports the printer twice: as HP Officejet Pro 8100 plain and as HP Officejet Pro 8100 (<itsIP address>). Choosing the latter, let me connect thru HPlip and that gives the duplex configuration. Checked by opening the print dialog in firefox and checking the options: duplex is there. Not OK'ing, waiting for others' experiences. This is something I never have seen before. CC:
(none) =>
herman.viaene MGA7-64 Plasma on home-built desktop with i5-2500. No installation issues here, either. I don't have any wifi-connected printers, so I can't replicate your test, Herman. However, before updating I did remove my Deskjet 5650 USB printer with the duplexing attachment. I left my Laserjet CP1215 and the Boomaga virtual printer still installed. Re-installing the Deskjet from MCC worked as expected, and the cups test page was printed correctly. The cups test page for the Laserjet also printed correctly (and much faster). HP usb printers work OK here, at least. CC:
(none) =>
andrewsfarm MGA7-64 Plasma on A6 laptop installed - cups-2.2.13-1.1.mga7.x86_64 - cups-common-2.2.13-1.1.mga7.x86_64 - cups-filesystem-2.2.13-1.1.mga7.noarch - lib64cups2-2.2.13-1.1.mga7.x86_64 THen set up a brother printer using cups All worked. CC:
(none) =>
brtians1 (In reply to Brian Rockwell from comment #18) > MGA7-64 Plasma on A6 laptop > > installed > > - cups-2.2.13-1.1.mga7.x86_64 > - cups-common-2.2.13-1.1.mga7.x86_64 > - cups-filesystem-2.2.13-1.1.mga7.noarch > - lib64cups2-2.2.13-1.1.mga7.x86_64 > > > THen set up a brother printer using cups > > All worked. fyi - this was wifi attached Just a note : I have 2 friend's computers that stopped starting cups 3 days ago. It fails at boot, but starting it manually after boot succeeds. Always the same for more than 3 successive reboots. I have no access to the systems to do a good bug report, let's see if this update helps fixing this error. CC:
(none) =>
lists.jjorge It is starting properly on this machine after the upgrade. However, this is only a dual core, I suspect it could be related to parallel threads causing an issue in your case. Yeah, that one has been around for a while. Bug 24189, filed in January 2019. It seems to affect only some hardware, and nobody seems to be able to do anything about it. Some sort of race condition, difficult to track down, I guess. It affected me for a while on a dual-core Core2Duo machine with a rust boot drive, but when I upgraded to a quad-core i5 and an SSD boot drive it went away and didn't come back. A very annoying bug if you are affected. So we have three good tests and one that started off shaky, but was ultimately successful. I'm going to let this one go with that. Validating. Advisory in Comment 14. Keywords:
(none) =>
validated_update (In reply to Thomas Andrews from comment #22) > Yeah, that one has been around for a while. Bug 24189, filed in January > 2019. It seems to affect only some hardware, and nobody seems to be able to > do anything about it. Some sort of race condition, difficult to track down, > I guess. Thanks, so I continue discussion in this other bug. José, you should have waited for this to be pushed before rebuilding. Advisory: ======================== Updated cups packages fix security vulnerabilities: It was discovered that CUPS incorrectly handled certain language values. A local attacker could possibly use this issue to cause CUPS to crash, leading to a denial of service, or possibly obtain sensitive information (CVE-2019-2228). Stephan Zeisberg discovered that the CUPS SNMP backend incorrectly handled encoded ASN.1 inputs. A remote attacker could possibly use this issue to cause CUPS to crash by providing specially crafted network traffic (CVE-2019-8675, CVE-2019-8696). The ippReadIO function may under-read an extension (CVE-2019-8842). Stephan Zeisberg discovered that CUPS incorrectly handled certain malformed ppd files. A local attacker could possibly use this issue to execute arbitrary code (CVE-2020-3898). The cups package has been updated to version 2.2.13 and patched to fix these issues and other bugs. Also, this update will hopefully fix the cups service failing to start at boot on some systems. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2228 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8675 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8696 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8842 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3898 https://usn.ubuntu.com/4105-1/ https://usn.ubuntu.com/4340-1/ https://security-tracker.debian.org/tracker/CVE-2019-8842 https://github.com/apple/cups/releases/tag/v2.2.12 https://github.com/apple/cups/releases/tag/v2.2.13 https://bugs.mageia.org/show_bug.cgi?id=24189 https://bugs.mageia.org/show_bug.cgi?id=25317 https://bugs.mageia.org/show_bug.cgi?id=25874 https://bugs.mageia.org/show_bug.cgi?id=26531 ======================== Updated packages in core/updates_testing: ======================== cups-2.2.13-1.2.mga7 cups-common-2.2.13-1.2.mga7 libcups2-devel-2.2.13-1.2.mga7 libcups2-2.2.13-1.2.mga7 cups-filesystem-2.2.13-1.2.mga7 from cups-2.2.13-1.2.mga7.src.rpm Whiteboard:
MGA7-64-OK =>
(none) installed - cups-2.2.13-1.2.mga7.x86_64 - cups-common-2.2.13-1.2.mga7.x86_64 - cups-filesystem-2.2.13-1.2.mga7.noarch - lib64cups2-2.2.13-1.2.mga7.x86_64 -- rebooted --- printed Seems to be working. Same tests as Comment 25. Working here, too. Installed and tested without issues.
WARNING: The 32bit package (libcups2-2.2.11-2.mga7) was NOT updated. Is this as intended or an omission?
Printer: HP OfficeJet 4658 (USB connected)
System: Mageia 7, x86_64, HPLIP, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.
$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$
$
$ rpm -qa | grep cups | sort
cups-2.2.13-1.2.mga7
cups-common-2.2.13-1.2.mga7
cups-drivers-foo2zjs-0.0-1.20121012.11.mga7
cups-filesystem-2.2.13-1.2.mga7
cups-filters-1.22.5-1.mga7
cups-pk-helper-0.2.6-3.mga7
gutenprint-cups-5.2.14-2.mga7
lib64cups2-2.2.13-1.2.mga7
lib64cups-filters1-1.22.5-1.mga7
libcups2-2.2.11-2.mga7
python3-cups-1.9.74-2.mga7
$
$
$ rpm -qa | grep hplip
hplip-model-data-3.19.5-1.mga7
hplip-hpijs-ppds-3.19.5-1.mga7
hplip-hpijs-3.19.5-1.mga7
hplip-gui-3.19.5-1.mga7
hplip-3.19.5-1.mga7
$
$
$ systemctl status cups
● cups.service - CUPS Scheduler
Loaded: loaded (/usr/lib/systemd/system/cups.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2020-05-30 08:53:50 WEST; 13min ago
Docs: man:cupsd(8)
Main PID: 3791 (cupsd)
Status: "Scheduler is running..."
Tasks: 2 (limit: 4697)
Memory: 23.9M
CGroup: /system.slice/cups.service
└─3791 /usr/sbin/cupsd -l
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 535: claimed 7/1/2 interface
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 780: read actual device_id successfully fd=1 len=300
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 561: released 7/1/2 interface
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 960: new PRINT channel=2 clientCnt=1 channelCnt=1
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 427: Found interface conf=0, iface=1, altset=0, index=1
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 389: Active kernel driver on interface=1 ret=0
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 535: claimed 7/1/2 interface
mai 30 09:04:15 marte hp[5193]: io/hpmud/musb.c 561: released 7/1/2 interface
mai 30 09:04:15 marte hp[5193]: io/hpmud/musb.c 975: removed PRINT channel=2 clientCnt=0 channelCnt=0
mai 30 09:04:15 marte cupsd[3791]: HP-OfficeJet-4650-series pclx 15 [30/May/2020:09:04:15 +0100] total 1 - localhost PCLX - -CC:
(none) =>
mageia I think you can re-validate this one. (In reply to David Walser from comment #28) > I think you can re-validate this one. Done. Latest advisory in Comment 24. Keywords:
(none) =>
validated_update
Nicolas Lécureuil
2020-06-10 23:43:09 CEST
Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0248.html Status:
NEW =>
RESOLVED |