SUSE has issued an advisory today (April 23):
http://lists.suse.com/pipermail/sle-security-updates/2020-April/006728.html

Ubuntu and Debian have more info:
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-3898.html
https://security-tracker.debian.org/tracker/CVE-2020-3898

Fedora has added a patch for it here:
https://src.fedoraproject.org/rpms/cups/c/c1920d09b842bd2d0611559d00d595abd8aa2424?branch=c1920d09b842bd2d0611559d00d595abd8aa2424

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Blocks: (none) => 25874
Assignee: bugsquad => thierry.vignaud
Status comment: (none) => Patch available from Fedora
Fixed in Cauldron in cups-2.3.1-10.mga8 by Thierry.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Ubuntu has issued an advisory for this today (April 27): https://usn.ubuntu.com/4340-1/
CUPS 2.3.3 has been released on April 27, fixing this issue and one other: https://github.com/apple/cups/releases/tag/v2.3.3
Whiteboard: (none) => MGA7TOO
Summary: cups new security issue CVE-2020-3898 => cups new security issues CVE-2019-8842 and CVE-2020-3898
Version: 7 => Cauldron
Fedora has issued an advisory for CVE-2020-3898 today (April 28): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HLYM2YY4QOS5AOVWUDGQ3PLMK5TFMIXN/
CC: (none) => fri
cups-2.3.3-1.mga8 uploaded for Cauldron.
Version: Cauldron => 7
Status comment: Patch available from Fedora => Patch available from Fedora for CVE-2020-3898, not sure for CVE-2019-8842
Whiteboard: MGA7TOO => (none)
I see no reference for CVE-2019-8842 in cups changelog.
CC: (none) => mageia
Fix for CVE-2020-3898 added (Patch500).
Added fix for CVE-2019-2228 too (Patch501): https://github.com/apple/cups/commit/b018978c278d42c7abf78941251b887c95dfdb07.patch
Fix for CVE-2019-8842 added too (Patch502).
Summary: cups new security issues CVE-2019-8842 and CVE-2020-3898 => cups new security issues CVE-2019-8842 and CVE-2020-3898 and CVE-2019-2228
Assignee: thierry.vignaud => qa-bugs
Status comment: Patch available from Fedora for CVE-2020-3898, not sure for CVE-2019-8842 => (none)
(In reply to Nicolas Lécureuil from comment #6)
> I see no reference for CVE-2019-8842 in cups changelog.

See Comment 3.
CVE-2019-2228 is Bug 25874 (we'll fix it in this bug, of course).
Summary: cups new security issues CVE-2019-8842 and CVE-2020-3898 and CVE-2019-2228 => cups new security issues CVE-2019-8842 and CVE-2020-3898
Of course you have to check the whole chain of dependencies when there are multiple bugs. We still have to address CVE-2019-8675 and CVE-2019-8696 (Bug 25317) too.
Assignee: qa-bugs => mageia
CC: (none) => qa-bugs
Source RPM: cups-2.3.1-10.mga8.src.rpm => cups-2.2.11-2.mga7.src.rpm
CVE-2019-8675 and CVE-2019-8696 are now fixed in the next rpms (Patch503).
Assignee: mageia => qa-bugs
Advisory:
========================

Updated cups packages fix security vulnerabilities:

It was discovered that CUPS incorrectly handled certain language values. A local attacker could possibly use this issue to cause CUPS to crash, leading to a denial of service, or possibly obtain sensitive information (CVE-2019-2228).

Stephan Zeisberg discovered that the CUPS SNMP backend incorrectly handled encoded ASN.1 inputs. A remote attacker could possibly use this issue to cause CUPS to crash by providing specially crafted network traffic (CVE-2019-8675, CVE-2019-8696).

The ippReadIO function may under-read an extension (CVE-2019-8842).

Stephan Zeisberg discovered that CUPS incorrectly handled certain malformed ppd files. A local attacker could possibly use this issue to execute arbitrary code (CVE-2020-3898).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3898
https://usn.ubuntu.com/4105-1/
https://usn.ubuntu.com/4340-1/
https://security-tracker.debian.org/tracker/CVE-2019-8842
========================

Updated packages in core/updates_testing:
========================
cups-2.2.11-2.3.mga7
cups-common-2.2.11-2.3.mga7
libcups2-devel-2.2.11-2.3.mga7
libcups2-2.2.11-2.3.mga7
cups-filesystem-2.2.11-2.3.mga7

from cups-2.2.11-2.3.mga7.src.rpm
CC: qa-bugs => (none)
As discussed with you, I updated cups to version 2.2.13.
Advisory:
========================

Updated cups packages fix security vulnerabilities:

It was discovered that CUPS incorrectly handled certain language values. A local attacker could possibly use this issue to cause CUPS to crash, leading to a denial of service, or possibly obtain sensitive information (CVE-2019-2228).

Stephan Zeisberg discovered that the CUPS SNMP backend incorrectly handled encoded ASN.1 inputs. A remote attacker could possibly use this issue to cause CUPS to crash by providing specially crafted network traffic (CVE-2019-8675, CVE-2019-8696).

The ippReadIO function may under-read an extension (CVE-2019-8842).

Stephan Zeisberg discovered that CUPS incorrectly handled certain malformed ppd files. A local attacker could possibly use this issue to execute arbitrary code (CVE-2020-3898).

The cups package has been updated to version 2.2.13 and patched to fix these issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3898
https://usn.ubuntu.com/4105-1/
https://usn.ubuntu.com/4340-1/
https://security-tracker.debian.org/tracker/CVE-2019-8842
https://github.com/apple/cups/releases/tag/v2.2.12
https://github.com/apple/cups/releases/tag/v2.2.13
========================

Updated packages in core/updates_testing:
========================
cups-2.2.13-1.1.mga7
cups-common-2.2.13-1.1.mga7
libcups2-devel-2.2.13-1.1.mga7
libcups2-2.2.13-1.1.mga7
cups-filesystem-2.2.13-1.1.mga7

from cups-2.2.13-1.1.mga7.src.rpm
64 bit updated on two machines, rebooted, printing works as normal.
MGA7-64 Plasma on Lenovo B50
No installation issues. Ref bug 22877 for testing.
Removed HP Officejet Pro 8100 (wifi connection) from MCC before update. Installed update. Added printer in MCC. The first time it detected the printer with access via dns:sd something. That went wrong as it did not detect or report the duplex facility. Removed the printer again, and added again. The detection now reports the printer twice: as HP Officejet Pro 8100 plain and as HP Officejet Pro 8100 (<its IP address>). Choosing the latter let me connect thru HPlip and that gives the duplex configuration. Checked by opening the print dialog in firefox and checking the options: duplex is there.
Not OK'ing, waiting for others' experiences. This is something I never have seen before.
CC: (none) => herman.viaene
MGA7-64 Plasma on home-built desktop with i5-2500. No installation issues here, either. I don't have any wifi-connected printers, so I can't replicate your test, Herman. However, before updating I did remove my Deskjet 5650 USB printer with the duplexing attachment. I left my Laserjet CP1215 and the Boomaga virtual printer still installed. Re-installing the Deskjet from MCC worked as expected, and the cups test page was printed correctly. The cups test page for the Laserjet also printed correctly (and much faster). HP usb printers work OK here, at least.
CC: (none) => andrewsfarm
MGA7-64 Plasma on A6 laptop

installed

- cups-2.2.13-1.1.mga7.x86_64
- cups-common-2.2.13-1.1.mga7.x86_64
- cups-filesystem-2.2.13-1.1.mga7.noarch
- lib64cups2-2.2.13-1.1.mga7.x86_64

Then set up a Brother printer using cups.

All worked.
CC: (none) => brtians1
(In reply to Brian Rockwell from comment #18)
> MGA7-64 Plasma on A6 laptop
>
> installed
>
> - cups-2.2.13-1.1.mga7.x86_64
> - cups-common-2.2.13-1.1.mga7.x86_64
> - cups-filesystem-2.2.13-1.1.mga7.noarch
> - lib64cups2-2.2.13-1.1.mga7.x86_64
>
> Then set up a Brother printer using cups.
>
> All worked.

fyi - this was wifi attached
Just a note: I have 2 friends' computers that stopped starting cups 3 days ago. It fails at boot, but starting it manually after boot succeeds. Always the same for more than 3 successive reboots. I have no access to the systems to do a good bug report, let's see if this update helps fix this error.
CC: (none) => lists.jjorge
It is starting properly on this machine after the upgrade. However, this is only a dual core, I suspect it could be related to parallel threads causing an issue in your case.
Yeah, that one has been around for a while. Bug 24189, filed in January 2019. It seems to affect only some hardware, and nobody seems to be able to do anything about it. Some sort of race condition, difficult to track down, I guess. It affected me for a while on a dual-core Core2Duo machine with a rust boot drive, but when I upgraded to a quad-core i5 and an SSD boot drive it went away and didn't come back. A very annoying bug if you are affected. So we have three good tests and one that started off shaky, but was ultimately successful. I'm going to let this one go with that. Validating. Advisory in Comment 14.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs
(In reply to Thomas Andrews from comment #22)
> Yeah, that one has been around for a while. Bug 24189, filed in January
> 2019. It seems to affect only some hardware, and nobody seems to be able to
> do anything about it. Some sort of race condition, difficult to track down,
> I guess.

Thanks, so I continue discussion in this other bug.
José, you should have waited for this to be pushed before rebuilding.

Advisory:
========================

Updated cups packages fix security vulnerabilities:

It was discovered that CUPS incorrectly handled certain language values. A local attacker could possibly use this issue to cause CUPS to crash, leading to a denial of service, or possibly obtain sensitive information (CVE-2019-2228).

Stephan Zeisberg discovered that the CUPS SNMP backend incorrectly handled encoded ASN.1 inputs. A remote attacker could possibly use this issue to cause CUPS to crash by providing specially crafted network traffic (CVE-2019-8675, CVE-2019-8696).

The ippReadIO function may under-read an extension (CVE-2019-8842).

Stephan Zeisberg discovered that CUPS incorrectly handled certain malformed ppd files. A local attacker could possibly use this issue to execute arbitrary code (CVE-2020-3898).

The cups package has been updated to version 2.2.13 and patched to fix these issues and other bugs.

Also, this update will hopefully fix the cups service failing to start at boot on some systems.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3898
https://usn.ubuntu.com/4105-1/
https://usn.ubuntu.com/4340-1/
https://security-tracker.debian.org/tracker/CVE-2019-8842
https://github.com/apple/cups/releases/tag/v2.2.12
https://github.com/apple/cups/releases/tag/v2.2.13
https://bugs.mageia.org/show_bug.cgi?id=24189
https://bugs.mageia.org/show_bug.cgi?id=25317
https://bugs.mageia.org/show_bug.cgi?id=25874
https://bugs.mageia.org/show_bug.cgi?id=26531
========================

Updated packages in core/updates_testing:
========================
cups-2.2.13-1.2.mga7
cups-common-2.2.13-1.2.mga7
libcups2-devel-2.2.13-1.2.mga7
libcups2-2.2.13-1.2.mga7
cups-filesystem-2.2.13-1.2.mga7

from cups-2.2.13-1.2.mga7.src.rpm
Whiteboard: MGA7-64-OK => (none)
Keywords: validated_update => (none)
installed

- cups-2.2.13-1.2.mga7.x86_64
- cups-common-2.2.13-1.2.mga7.x86_64
- cups-filesystem-2.2.13-1.2.mga7.noarch
- lib64cups2-2.2.13-1.2.mga7.x86_64

-- rebooted
--- printed

Seems to be working.
Same tests as Comment 25. Working here, too.
Installed and tested without issues.

WARNING: The 32bit package (libcups2-2.2.11-2.mga7) was NOT updated. Is this as intended or an omission?

Printer: HP OfficeJet 4658 (USB connected)
System: Mageia 7, x86_64, HPLIP, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$
$
$ rpm -qa | grep cups | sort
cups-2.2.13-1.2.mga7
cups-common-2.2.13-1.2.mga7
cups-drivers-foo2zjs-0.0-1.20121012.11.mga7
cups-filesystem-2.2.13-1.2.mga7
cups-filters-1.22.5-1.mga7
cups-pk-helper-0.2.6-3.mga7
gutenprint-cups-5.2.14-2.mga7
lib64cups2-2.2.13-1.2.mga7
lib64cups-filters1-1.22.5-1.mga7
libcups2-2.2.11-2.mga7
python3-cups-1.9.74-2.mga7
$
$
$ rpm -qa | grep hplip
hplip-model-data-3.19.5-1.mga7
hplip-hpijs-ppds-3.19.5-1.mga7
hplip-hpijs-3.19.5-1.mga7
hplip-gui-3.19.5-1.mga7
hplip-3.19.5-1.mga7
$
$
$ systemctl status cups
● cups.service - CUPS Scheduler
   Loaded: loaded (/usr/lib/systemd/system/cups.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-05-30 08:53:50 WEST; 13min ago
     Docs: man:cupsd(8)
 Main PID: 3791 (cupsd)
   Status: "Scheduler is running..."
    Tasks: 2 (limit: 4697)
   Memory: 23.9M
   CGroup: /system.slice/cups.service
           └─3791 /usr/sbin/cupsd -l

mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 535: claimed 7/1/2 interface
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 780: read actual device_id successfully fd=1 len=300
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 561: released 7/1/2 interface
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 960: new PRINT channel=2 clientCnt=1 channelCnt=1
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 427: Found interface conf=0, iface=1, altset=0, index=1
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 389: Active kernel driver on interface=1 ret=0
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 535: claimed 7/1/2 interface
mai 30 09:04:15 marte hp[5193]: io/hpmud/musb.c 561: released 7/1/2 interface
mai 30 09:04:15 marte hp[5193]: io/hpmud/musb.c 975: removed PRINT channel=2 clientCnt=0 channelCnt=0
mai 30 09:04:15 marte cupsd[3791]: HP-OfficeJet-4650-series pclx 15 [30/May/2020:09:04:15 +0100] total 1 - localhost PCLX - -
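
The leftover libcups2-2.2.11-2.mga7 noted in the comment above can be found mechanically. The following is an added example, not part of the original thread or of any Mageia tool: it flags installed packages named in the advisory whose version-release is older than the fixed build. The function names are hypothetical, and the comparison is a simplified stand-in for rpm's own algorithm (no epoch, tilde or caret handling; input lines carry no architecture suffix).

```python
import re

# Fixed build and package names from this thread (lib64cups2 is the x86_64 library name).
FIXED_EVR = "2.2.13-1.2.mga7"
ADVISORY_PKGS = set("cups cups-common cups-filesystem libcups2 lib64cups2 libcups2-devel".split())

# Copied from the `rpm -qa | grep cups | sort` listing in the comment above.
SAMPLE_RPM_QA = """\
cups-2.2.13-1.2.mga7
cups-common-2.2.13-1.2.mga7
cups-drivers-foo2zjs-0.0-1.20121012.11.mga7
cups-filesystem-2.2.13-1.2.mga7
cups-filters-1.22.5-1.mga7
cups-pk-helper-0.2.6-3.mga7
gutenprint-cups-5.2.14-2.mga7
lib64cups2-2.2.13-1.2.mga7
lib64cups-filters1-1.22.5-1.mga7
libcups2-2.2.11-2.mga7
python3-cups-1.9.74-2.mga7
"""

def vercmp(a, b):
    """Simplified rpm-style compare of one version or release string."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments mean newer

def evr_cmp(a, b):
    """Compare two 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = a.split("-", 1), b.split("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def stale_packages(listing, fixed=FIXED_EVR):
    """Return advisory packages in an `rpm -qa` listing that predate the fixed build."""
    stale = []
    for line in listing.split():
        parts = line.rsplit("-", 2)          # name, version, release
        if (len(parts) == 3 and parts[0] in ADVISORY_PKGS
                and evr_cmp("-".join(parts[1:]), fixed) < 0):
            stale.append(line)
    return stale

if __name__ == "__main__":
    print(stale_packages(SAMPLE_RPM_QA))
```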
I think you can re-validate this one.
(In reply to David Walser from comment #28)
> I think you can re-validate this one.

Done. Latest advisory in Comment 24.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0248.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED