Bug 26531 - cups new security issues CVE-2019-8842 and CVE-2020-3898
Summary: cups new security issues CVE-2019-8842 and CVE-2020-3898
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 25874
  Show dependency treegraph
 
Reported: 2020-04-23 21:06 CEST by David Walser
Modified: 2020-06-11 00:27 CEST (History)
8 users (show)

See Also:
Source RPM: cups-2.2.11-2.mga7.src.rpm
CVE:
Status comment:


Attachments

David Walser 2020-04-23 21:07:37 CEST

Whiteboard: (none) => MGA7TOO
Blocks: (none) => 25874
Assignee: bugsquad => thierry.vignaud
Status comment: (none) => Patch available from Fedora

Comment 1 David Walser 2020-04-27 22:43:43 CEST
Fixed in Cauldron in cups-2.3.1-10.mga8 by Thierry.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 2 David Walser 2020-04-28 02:56:43 CEST
Ubuntu has issued an advisory for this today (April 27):
https://usn.ubuntu.com/4340-1/
Comment 3 David Walser 2020-04-28 16:40:28 CEST
CUPS 2.3.3 has been released on April 27, fixing this issue and one other:
https://github.com/apple/cups/releases/tag/v2.3.3

Whiteboard: (none) => MGA7TOO
Summary: cups new security issue CVE-2020-3898 => cups new security issues CVE-2019-8842 and CVE-2020-3898
Version: 7 => Cauldron

Comment 4 David Walser 2020-04-28 19:47:50 CEST
Fedora has issued an advisory for CVE-2020-3898 today (April 28):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HLYM2YY4QOS5AOVWUDGQ3PLMK5TFMIXN/
Morgan Leijström 2020-04-30 11:31:38 CEST

CC: (none) => fri

Comment 5 David Walser 2020-05-06 21:10:45 CEST
cups-2.3.3-1.mga8 uploaded for Cauldron.

Version: Cauldron => 7
Status comment: Patch available from Fedora => Patch available from Fedora for CVE-2020-3898, not sure for CVE-2019-8842
Whiteboard: MGA7TOO => (none)

Comment 6 Nicolas Lécureuil 2020-05-22 15:46:08 CEST
i see no reference for CVE-2019-8842 in cups changelog.

CC: (none) => mageia

Comment 7 Nicolas Lécureuil 2020-05-22 16:06:32 CEST
Fix for CVE-2020-3898 added  ( Patch 500 )

Added fix for CVE-2019-2228 too ( Patch501 )
https://github.com/apple/cups/commit/b018978c278d42c7abf78941251b887c95dfdb07.patch

Fix for CVE-2019-8842 added too ( Patch502 )

Summary: cups new security issues CVE-2019-8842 and CVE-2020-3898 => cups new security issues CVE-2019-8842 and CVE-2020-3898 and CVE-2019-2228
Assignee: thierry.vignaud => qa-bugs
Status comment: Patch available from Fedora for CVE-2020-3898, not sure for CVE-2019-8842 => (none)

Comment 8 David Walser 2020-05-22 19:32:13 CEST
(In reply to Nicolas Lécureuil from comment #6)
> i see no reference for CVE-2019-8842 in cups changelog.

See Comment 3.
Comment 9 David Walser 2020-05-22 19:33:32 CEST
CVE-2019-2228 is Bug 25874 (we'll fix it in this bug, of course).

Summary: cups new security issues CVE-2019-8842 and CVE-2020-3898 and CVE-2019-2228 => cups new security issues CVE-2019-8842 and CVE-2020-3898

Comment 10 David Walser 2020-05-22 19:48:55 CEST
Of course you have to check the whole chain of dependencies when there's multiple bugs.  We still have to address CVE-2019-8675 and CVE-2019-8696 (Bug 25317) too.

Assignee: qa-bugs => mageia
CC: (none) => qa-bugs

David Walser 2020-05-22 19:51:50 CEST

Source RPM: cups-2.3.1-10.mga8.src.rpm => cups-2.2.11-2.mga7.src.rpm

Comment 11 Nicolas Lécureuil 2020-05-22 23:09:50 CEST
CVE-2019-8675 and CVE-2019-8696 are now fixed on the next rpms ( Patch 503 )

Assignee: mageia => qa-bugs

Comment 12 David Walser 2020-05-22 23:30:19 CEST
Advisory:
========================

Updated cups packages fix security vulnerabilities:

It was discovered that CUPS incorrectly handled certain language values. A
local attacker could possibly use this issue to cause CUPS to crash, leading
to a denial of service, or possibly obtain sensitive information
(CVE-2019-2228).

Stephan Zeisberg discovered that the CUPS SNMP backend incorrectly handled
encoded ASN.1 inputs. A remote attacker could possibly use this issue to cause
CUPS to crash by providing specially crafted network traffic (CVE-2019-8675,
CVE-2019-8696).

The ippReadIO function may under-read an extension (CVE-2019-8842).

Stephan Zeisberg discovered that CUPS incorrectly handled certain malformed
ppd files. A local attacker could possibly use this issue to execute arbitrary
code (CVE-2020-3898).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3898
https://usn.ubuntu.com/4105-1/
https://usn.ubuntu.com/4340-1/
https://security-tracker.debian.org/tracker/CVE-2019-8842
========================

Updated packages in core/updates_testing:
========================
cups-2.2.11-2.3.mga7
cups-common-2.2.11-2.3.mga7
libcups2-devel-2.2.11-2.3.mga7
libcups2-2.2.11-2.3.mga7
cups-filesystem-2.2.11-2.3.mga7

from cups-2.2.11-2.3.mga7.src.rpm

CC: qa-bugs => (none)

Comment 13 Nicolas Lécureuil 2020-05-22 23:39:19 CEST
as talked with you i updated cups to version 2.2.13
Comment 14 David Walser 2020-05-22 23:45:35 CEST
Advisory:
========================

Updated cups packages fix security vulnerabilities:

It was discovered that CUPS incorrectly handled certain language values. A
local attacker could possibly use this issue to cause CUPS to crash, leading
to a denial of service, or possibly obtain sensitive information
(CVE-2019-2228).

Stephan Zeisberg discovered that the CUPS SNMP backend incorrectly handled
encoded ASN.1 inputs. A remote attacker could possibly use this issue to cause
CUPS to crash by providing specially crafted network traffic (CVE-2019-8675,
CVE-2019-8696).

The ippReadIO function may under-read an extension (CVE-2019-8842).

Stephan Zeisberg discovered that CUPS incorrectly handled certain malformed
ppd files. A local attacker could possibly use this issue to execute arbitrary
code (CVE-2020-3898).

The cups package has been updated to version 2.2.13 and patched to fix these
issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3898
https://usn.ubuntu.com/4105-1/
https://usn.ubuntu.com/4340-1/
https://security-tracker.debian.org/tracker/CVE-2019-8842
https://github.com/apple/cups/releases/tag/v2.2.12
https://github.com/apple/cups/releases/tag/v2.2.13
========================

Updated packages in core/updates_testing:
========================
cups-2.2.13-1.1.mga7
cups-common-2.2.13-1.1.mga7
libcups2-devel-2.2.13-1.1.mga7
libcups2-2.2.13-1.1.mga7
cups-filesystem-2.2.13-1.1.mga7

from cups-2.2.13-1.1.mga7.src.rpm
Comment 15 Morgan Leijström 2020-05-24 02:16:26 CEST
64 bit updated on two machines, rebooted, printing works as normal.
Comment 16 Herman Viaene 2020-05-24 14:57:39 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 22877 for testing.
Removed HP Officejet Pro 8100 (wifi connection) from MCC before update.
Installed update.
Added printer in MCC.
The first time it detected the printer with access via dns:sd something. That went wrong as it did not detect or report the duplex facility.
Removed the printer again, and added again.
The detection now reports the printer twice:
as HP Officejet Pro 8100 plain
and as
HP Officejet Pro 8100 (<itsIP address>).
Choosing the latter, let me connect thru HPlip and that gives the duplex configuration.
Checked by opening the print dialog in firefox and checking the options: duplex is there.
Not OK'ing, waiting for others' experiences. This is something I never have seen before.

CC: (none) => herman.viaene

Comment 17 Thomas Andrews 2020-05-26 04:30:02 CEST
MGA7-64 Plasma on home-built desktop with i5-2500.

No installation issues here, either. I don't have any wifi-connected printers, so I can't replicate your test, Herman. 

However, before updating I did remove my Deskjet 5650 USB printer with the duplexing attachment. I left my Laserjet CP1215 and the Boomaga virtual printer still installed. Re-installing the Deskjet from MCC worked as expected, and the cups test page was printed correctly. The cups test page for the Laserjet also printed correctly (and much faster).

HP usb printers work OK here, at least.

CC: (none) => andrewsfarm

Comment 18 Brian Rockwell 2020-05-27 15:44:27 CEST
MGA7-64 Plasma on A6 laptop

installed

- cups-2.2.13-1.1.mga7.x86_64
- cups-common-2.2.13-1.1.mga7.x86_64
- cups-filesystem-2.2.13-1.1.mga7.noarch
- lib64cups2-2.2.13-1.1.mga7.x86_64


THen set up a brother printer using cups

All worked.

CC: (none) => brtians1

Comment 19 Brian Rockwell 2020-05-27 15:45:03 CEST
(In reply to Brian Rockwell from comment #18)
> MGA7-64 Plasma on A6 laptop
> 
> installed
> 
> - cups-2.2.13-1.1.mga7.x86_64
> - cups-common-2.2.13-1.1.mga7.x86_64
> - cups-filesystem-2.2.13-1.1.mga7.noarch
> - lib64cups2-2.2.13-1.1.mga7.x86_64
> 
> 
> THen set up a brother printer using cups
> 
> All worked.

fyi - this was wifi attached
Comment 20 José Jorge 2020-05-28 21:25:53 CEST
Just a note : I have 2 friend's computers that stopped starting cups 3 days ago.
It fails at boot, but starting it manually after boot succeeds. Always the same for more than 3 successive reboots.

I have no access to the systems to do a good bug report, let's see if this update helps fixing this error.

CC: (none) => lists.jjorge

Comment 21 Brian Rockwell 2020-05-29 00:26:05 CEST
It is starting properly on this machine after the upgrade.  However, this is only a dual core, I suspect it could be related to parallel threads causing an issue in your case.
Comment 22 Thomas Andrews 2020-05-29 02:35:26 CEST
Yeah, that one has been around for a while. Bug 24189, filed in January 2019. It seems to affect only some hardware, and nobody seems to be able to do anything about it. Some sort of race condition, difficult to track down, I guess.

It affected me for a while on a dual-core Core2Duo machine with a rust boot drive, but when I upgraded to a quad-core i5 and an SSD boot drive it went away and didn't come back. A very annoying bug if you are affected.

So we have three good tests and one that started off shaky, but was ultimately successful. I'm going to let this one go with that. Validating. Advisory in Comment 14.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs

Comment 23 José Jorge 2020-05-29 15:36:55 CEST
(In reply to Thomas Andrews from comment #22)
> Yeah, that one has been around for a while. Bug 24189, filed in January
> 2019. It seems to affect only some hardware, and nobody seems to be able to
> do anything about it. Some sort of race condition, difficult to track down,
> I guess.

Thanks, so I continue discussion in this other bug.
Comment 24 David Walser 2020-05-29 16:43:42 CEST
José, you should have waited for this to be pushed before rebuilding.

Advisory:
========================

Updated cups packages fix security vulnerabilities:

It was discovered that CUPS incorrectly handled certain language values. A
local attacker could possibly use this issue to cause CUPS to crash, leading
to a denial of service, or possibly obtain sensitive information
(CVE-2019-2228).

Stephan Zeisberg discovered that the CUPS SNMP backend incorrectly handled
encoded ASN.1 inputs. A remote attacker could possibly use this issue to cause
CUPS to crash by providing specially crafted network traffic (CVE-2019-8675,
CVE-2019-8696).

The ippReadIO function may under-read an extension (CVE-2019-8842).

Stephan Zeisberg discovered that CUPS incorrectly handled certain malformed
ppd files. A local attacker could possibly use this issue to execute arbitrary
code (CVE-2020-3898).

The cups package has been updated to version 2.2.13 and patched to fix these
issues and other bugs.

Also, this update will hopefully fix the cups service failing to start at boot
on some systems.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3898
https://usn.ubuntu.com/4105-1/
https://usn.ubuntu.com/4340-1/
https://security-tracker.debian.org/tracker/CVE-2019-8842
https://github.com/apple/cups/releases/tag/v2.2.12
https://github.com/apple/cups/releases/tag/v2.2.13
https://bugs.mageia.org/show_bug.cgi?id=24189
https://bugs.mageia.org/show_bug.cgi?id=25317
https://bugs.mageia.org/show_bug.cgi?id=25874
https://bugs.mageia.org/show_bug.cgi?id=26531
========================

Updated packages in core/updates_testing:
========================
cups-2.2.13-1.2.mga7
cups-common-2.2.13-1.2.mga7
libcups2-devel-2.2.13-1.2.mga7
libcups2-2.2.13-1.2.mga7
cups-filesystem-2.2.13-1.2.mga7

from cups-2.2.13-1.2.mga7.src.rpm

Whiteboard: MGA7-64-OK => (none)
Keywords: validated_update => (none)

Comment 25 Brian Rockwell 2020-05-29 17:54:56 CEST
installed

- cups-2.2.13-1.2.mga7.x86_64
- cups-common-2.2.13-1.2.mga7.x86_64
- cups-filesystem-2.2.13-1.2.mga7.noarch
- lib64cups2-2.2.13-1.2.mga7.x86_64


-- rebooted ---

printed


Seems to be working.
Comment 26 Thomas Andrews 2020-05-29 21:29:31 CEST
Same tests as Comment 25. Working here, too.
Comment 27 PC LX 2020-05-30 10:19:25 CEST
Installed and tested without issues.

WARNING: The 32bit package (libcups2-2.2.11-2.mga7) was NOT updated. Is this as intended or an omission?


Printer: HP OfficeJet 4658 (USB connected)
System: Mageia 7, x86_64, HPLIP, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.


$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$
$
$ rpm -qa | grep cups | sort
cups-2.2.13-1.2.mga7
cups-common-2.2.13-1.2.mga7
cups-drivers-foo2zjs-0.0-1.20121012.11.mga7
cups-filesystem-2.2.13-1.2.mga7
cups-filters-1.22.5-1.mga7
cups-pk-helper-0.2.6-3.mga7
gutenprint-cups-5.2.14-2.mga7
lib64cups2-2.2.13-1.2.mga7
lib64cups-filters1-1.22.5-1.mga7
libcups2-2.2.11-2.mga7
python3-cups-1.9.74-2.mga7
$
$
$ rpm -qa | grep hplip
hplip-model-data-3.19.5-1.mga7
hplip-hpijs-ppds-3.19.5-1.mga7
hplip-hpijs-3.19.5-1.mga7
hplip-gui-3.19.5-1.mga7
hplip-3.19.5-1.mga7
$
$
$ systemctl status cups
● cups.service - CUPS Scheduler
   Loaded: loaded (/usr/lib/systemd/system/cups.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-05-30 08:53:50 WEST; 13min ago
     Docs: man:cupsd(8)
 Main PID: 3791 (cupsd)
   Status: "Scheduler is running..."
    Tasks: 2 (limit: 4697)
   Memory: 23.9M
   CGroup: /system.slice/cups.service
           └─3791 /usr/sbin/cupsd -l

mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 535: claimed 7/1/2 interface
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 780: read actual device_id successfully fd=1 len=300
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 561: released 7/1/2 interface
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 960: new PRINT channel=2 clientCnt=1 channelCnt=1
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 427: Found interface conf=0, iface=1, altset=0, index=1
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 389: Active kernel driver on interface=1 ret=0
mai 30 09:04:01 marte hp[5193]: io/hpmud/musb.c 535: claimed 7/1/2 interface
mai 30 09:04:15 marte hp[5193]: io/hpmud/musb.c 561: released 7/1/2 interface
mai 30 09:04:15 marte hp[5193]: io/hpmud/musb.c 975: removed PRINT channel=2 clientCnt=0 channelCnt=0
mai 30 09:04:15 marte cupsd[3791]: HP-OfficeJet-4650-series pclx 15 [30/May/2020:09:04:15 +0100] total 1 - localhost PCLX - -

CC: (none) => mageia

Comment 28 David Walser 2020-05-30 22:16:46 CEST
I think you can re-validate this one.
Comment 29 Thomas Andrews 2020-05-30 22:40:55 CEST
(In reply to David Walser from comment #28)
> I think you can re-validate this one.

Done. Latest advisory in Comment 24.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK

Nicolas Lécureuil 2020-06-10 23:43:09 CEST

Keywords: (none) => advisory

Comment 30 Mageia Robot 2020-06-11 00:27:39 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0248.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.