Bug 23306 - cups new security issues CVE-2018-418[0-3] and CVE-2018-4700
Summary: cups new security issues CVE-2018-418[0-3] and CVE-2018-4700
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Thierry Vignaud
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on: 25317
Blocks:
Reported: 2018-07-16 19:50 CEST by David Walser
Modified: 2019-11-06 13:32 CET

See Also:
Source RPM: cups-2.2.6-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2018-07-16 19:50:56 CEST
Debian has issued an advisory on July 11:
https://www.debian.org/security/2018/dsa-4243

The issues were fixed upstream in the following commit:
https://github.com/apple/cups/commit/d47f6aec436e0e9df6554436e391471097686ecc

Mageia 5 and Mageia 6 are also affected.

David Walser 2018-07-16 19:51:05 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-07-16 19:59:09 CEST
Ubuntu has issued an advisory for this on July 11:
https://usn.ubuntu.com/3713-1/

Comment 2 Marja Van Waes 2018-07-17 15:24:11 CEST
Assigning to the registered maintainer, CC'ing some committers.

Assignee: bugsquad => thierry.vignaud
CC: (none) => doktor5000, mageia, mageia, marja11, pterjan

Comment 3 David Walser 2018-08-02 17:29:43 CEST
SUSE has issued an advisory on August 1:
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004364.html

It fixes these and two new issues, which were all disclosed here:
https://blog.gdssecurity.com/labs/2018/7/11/cups-local-privilege-escalation-and-sandbox-escapes.html

Summary: cups new security issues CVE-2018-418[01] => cups new security issues CVE-2018-418[0-3]

Comment 4 David Walser 2018-08-02 18:14:28 CEST
Fedora has issued an advisory for this on July 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5CDW7PAQIBDYEQC5M3UYPLJOXOGFJ7BY/

Comment 5 David Walser 2018-12-25 21:20:25 CET
Fedora has issued an advisory on December 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MTPCMCONP5W3GMWEUKVATP2VDVGZEQDY/

This fixes a new issue, with the fix linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1649347

Severity: normal => major
Summary: cups new security issues CVE-2018-418[0-3] => cups new security issues CVE-2018-418[0-3] and CVE-2018-4700

Comment 6 David Walser 2018-12-25 21:37:51 CET
Fedora advisory for the new issue from December 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GA2OBRREMQ4AO3ZZCYI7D3CCG3FSMLW6/

They patched 2.2.6 there (same version we have in Mageia 6).

Comment 7 David Walser 2018-12-29 02:18:55 CET
CVE-2018-4700 is fixed upstream in 2.2.10.

Comment 8 David Walser 2018-12-29 06:02:41 CET
Older issues appear to have been fixed upstream in 2.2.8 (which is in Cauldron).  tv included a patch from Fedora for CVE-2018-4700 in Cauldron.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

David Walser 2019-08-16 14:55:20 CEST

Depends on: (none) => 25317

Comment 9 Mike Rambo 2019-11-06 13:32:52 CET
Mageia 6 is EOL.

Status: NEW => RESOLVED
CC: (none) => mrambo
Resolution: (none) => OLD
