Bug 30480

Summary: cups new security issue CVE-2022-26691
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: cups-2.3.3op2-1.mga8.src.rpm CVE: CVE-2022-26691
Status comment:

Description David Walser 2022-05-26 17:43:39 CEST 
CUPS 2.4.2 has been released today (May 26), fixing a security issue:
https://openprinting.github.io/cups-2.4.2/

Mageia 8 is also affected.
David Walser 2022-05-26 17:43:51 CEST

Status comment: (none) => Fixed upstream in 2.4.2
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-05-26 18:02:11 CEST 
openSUSE has issued an advisory for this today (May 26):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7NQSHXNFEE2OGIYVYN23S2BDDQTAGLSJ/
Comment 2 Lewis Smith 2022-05-26 20:11:59 CEST 
Another one for you, Thierry.

Assignee: bugsquad => thierry.vignaud

Comment 3 David Walser 2022-05-31 22:27:34 CEST 
Debian has issued an advisory for this on May 26:
https://www.debian.org/security/2022/dsa-5149
Comment 4 David Walser 2022-05-31 22:43:44 CEST 
Ubuntu has issued an advisory for this on May 31:
https://ubuntu.com/security/notices/USN-5454-1
Comment 5 David Walser 2022-06-06 18:45:19 CEST 
Fedora has issued an advisory for this on June 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KQ6TD7F3VRITPEHFDHZHK7MU6FEBMZ5U/

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 6 David Walser 2022-06-13 17:03:59 CEST 
RedHat has issued an advisory for this today (June 13):
https://access.redhat.com/errata/RHSA-2022:4990
Comment 7 David Walser 2022-06-16 23:26:38 CEST 
Fedora has issued an advisory for this today (June 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YQRIT4H75XV6M42K7ZTARWZ7YLLYQHPO/

They patched the same version we have in Mageia 8.
Comment 8 Nicolas Salguero 2022-10-19 14:48:11 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Authentication bypass and code execution vulnerability. (CVE-2022-26691)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26691
https://openprinting.github.io/cups-2.4.2/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7NQSHXNFEE2OGIYVYN23S2BDDQTAGLSJ/
https://www.debian.org/security/2022/dsa-5149
https://ubuntu.com/security/notices/USN-5454-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KQ6TD7F3VRITPEHFDHZHK7MU6FEBMZ5U/
https://access.redhat.com/errata/RHSA-2022:4990
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YQRIT4H75XV6M42K7ZTARWZ7YLLYQHPO/
========================

Updated packages in core/updates_testing:
========================
cups-2.3.3op2-1.1.mga8
cups-common-2.3.3op2-1.1.mga8
cups-filesystem-2.3.3op2-1.1.mga8
cups-printerapp-2.3.3op2-1.1.mga8
lib(64)cups2-2.3.3op2-1.1.mga8
lib(64)cups2-devel-2.3.3op2-1.1.mga8

from SRPM:
cups-2.3.3op2-1.1.mga8.src.rpm

Status comment: Fixed upstream in 2.4.2 => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-26691
Assignee: thierry.vignaud => qa-bugs
Source RPM: cups-2.4.1-5.mga9.src.rpm => cups-2.3.3op2-1.mga8.src.rpm
Status: NEW => ASSIGNED

Comment 9 Herman Viaene 2022-10-20 14:16:40 CEST 
MGA8-64 MATE on Acer Aspire 5253
No instaallation issues.
I have an HP Envy 6022 allinone as network device.
Removed the device in cups (localhost:631), buy I'm not familiar enough with this (do not understand all the options) to add the device again, so reverted to MCC-Hardware, and there could add the device OK. Checked also the scanner function and that works well with simple-scan.
I cann't test locally connection.

CC: (none) => herman.viaene

Comment 10 Thomas Andrews 2022-10-27 19:31:49 CEST 
MGA8-64 Plasma. No installation issues. 

I tested using an HP Color Laserjet CP1215, connected locally via usb. I printed two test pages from the HP Device Manager, one in color, the other in monochrome. Loaded a color photo into Gwenview, and printed it. Used system-config-printer from MCC to print yet another test page, and then printed a test page using the generic Boomaga printer.

No issues noted. Giving this an OK, based on my test and Herman's, and validating. Advisory in Comment 8.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-10-28 03:52:34 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 11 Mageia Robot 2022-10-28 08:55:35 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0392.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED