Upstream has announced a security issue in CUPS: https://www.openwall.com/lists/oss-security/2023/06/01/1 The commit that fixed the issue is linked from the message above. Mageia 8 may also be affected.
Status comment: (none) => Patch available from upstream
Assigning to Thierry, who nurses CUPS.
Assignee: bugsquad => thierry.vignaud
Hi, cups-2.4.2-4.mga9 fixes that CVE. Best regards, Nico.
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel` to `DEBUG`. (CVE-2023-32324)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32324
https://www.openwall.com/lists/oss-security/2023/06/01/1
========================

Updated packages in core/updates_testing:
========================
cups-2.3.3op2-1.2.mga8
cups-common-2.3.3op2-1.2.mga8
ups-filesystem-2.3.3op2-1.2.mga8
cups-printerapp-2.3.3op2-1.2.mga8
lib(64)cups2-2.3.3op2-1.2.mga8
lib(64)cups2-devel-2.3.3op2-1.2.mga8

from SRPM:
cups-2.3.3op2-1.2.mga8.src.rpm
Assignee: thierry.vignaud => qa-bugs
Status: NEW => ASSIGNED
Status comment: Patch available from upstream => (none)
Source RPM: cups-2.4.2-3.mga9.src.rpm => cups-2.3.3op2-1.1.mga8.src.rpm
ups-filesystem-2.3.3op2-1.2.mga8
Is that a test to check we're awake when testing?? -;
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #4)
> ups-filesystem-2.3.3op2-1.2.mga8
> Is that a test to check we're awake when testing?? -;

Oops, sorry!

Updated packages in core/updates_testing:
========================
cups-2.3.3op2-1.2.mga8
cups-common-2.3.3op2-1.2.mga8
cups-filesystem-2.3.3op2-1.2.mga8
cups-printerapp-2.3.3op2-1.2.mga8
lib(64)cups2-2.3.3op2-1.2.mga8
lib(64)cups2-devel-2.3.3op2-1.2.mga8

from SRPM:
cups-2.3.3op2-1.2.mga8.src.rpm
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 30480 for testing.
After installation:

# systemctl restart cups
# systemctl -l status cups
● cups.service - CUPS Scheduler
     Loaded: loaded (/usr/lib/systemd/system/cups.service; enabled; vendor pres>
    Drop-In: /usr/lib/systemd/system/cups.service.d
             └─server.conf
     Active: active (running) since Wed 2023-06-07 10:50:27 CEST; 2s ago
TriggeredBy: ● cups.socket
             ● cups.path
       Docs: man:cupsd(8)
   Main PID: 5603 (cupsd)
     Status: "Scheduler is running..."
      Tasks: 2 (limit: 4364)
     Memory: 2.3M
        CPU: 92ms
     CGroup: /system.slice/cups.service
             └─5603 /usr/sbin/cupsd -l

Jun 07 10:50:27 mach7.hviaene.thuis systemd[1]: Starting CUPS Scheduler...
Jun 07 10:50:27 mach7.hviaene.thuis systemd[1]: Started CUPS Scheduler.

I have an HP Envy 6022 all-in-one as a network device. Removed the device in cups (localhost:631). Reverted to MCC-Hardware, and there could add the device OK. Checked also the scanner function and that works well with simple-scan. I can't test a local connection.
Could not get a handle on the PoC for this one (CVE-2023-32324). It might involve recompiling cups with asan. Not our field.
CC: (none) => tarazed25
MGA8-64 Xfce system. No installation issues. I installed cups-pdf and set up the virtual printer after getting the updates. Loaded an image into Gimp and printed it using the cups-pdf printer. Loaded that pdf into Atril, and printed it on my HP Color Laserjet CP1215 (which uses the foo2hp driver rather than hplip). I then printed the pdf to the Boomaga virtual printer, which then also printed to the Laserjet. No issues noted. Giving this an OK, and validating. Advisory in comment 3.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0198.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED