[SECURITY] [DLA 3594-1] cups security update

2023-09-3016:54:52

lists.debian.org

buffer overflow

unauthorized access

cups

debian 10 buster

security update

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0.001

Percentile

43.1%

JSON

Debian LTS Advisory DLA-3594-1 [email protected]
https://www.debian.org/lts/security/ Thorsten Alteholz
September 30, 2023 https://wiki.debian.org/LTS

Package : cups
Version : 2.2.10-6+deb10u9
CVE ID : CVE-2023-4504 CVE-2023-32360
Debian Bug : #1051953

Two issues have been found in cups, the Common UNIX Printing System™.

CVE-2023-4504

Due to missing boundary checks a heap-based buffer overflow and code
execution might be possible by using crafted postscript documents.

CVE-2023-32360

Unauthorized users might be allowed to fetch recently printed documents.

Since this is a configuration fix, it might be that it does not reach
you if you are updating the package.
Please double check your /etc/cups/cupds.conf file, whether it limits
the access to CUPS-Get-Document with something like the following
> <Limit CUPS-Get-Document>
> AuthType Default
> Require user @OWNER @SYSTEM
> Order deny,allow
> </Limit>
(The important line is the 'AuthType Default' in this section)

For Debian 10 buster, these problems have been fixed in version
2.2.10-6+deb10u9.

We recommend that you upgrade your cups packages.

For the detailed security status of cups please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cups

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10amd64cups-client< 2.2.10-6+deb10u9cups-client_2.2.10-6+deb10u9_amd64.deb
Debian10i386cups-daemon< 2.2.10-6+deb10u9cups-daemon_2.2.10-6+deb10u9_i386.deb
Debian10arm64cups-client< 2.2.10-6+deb10u9cups-client_2.2.10-6+deb10u9_arm64.deb
Debian10armhfcups-ipp-utils-dbgsym< 2.2.10-6+deb10u9cups-ipp-utils-dbgsym_2.2.10-6+deb10u9_armhf.deb
Debian10arm64cups-dbgsym< 2.2.10-6+deb10u9cups-dbgsym_2.2.10-6+deb10u9_arm64.deb
Debian10allcups-server-common< 2.2.10-6+deb10u9cups-server-common_2.2.10-6+deb10u9_all.deb
Debian10i386cups-ppdc< 2.2.10-6+deb10u9cups-ppdc_2.2.10-6+deb10u9_i386.deb
Debian12allcups< 2.4.2-3+deb12u2cups_2.4.2-3+deb12u2_all.deb
Debian10armhfcups< 2.2.10-6+deb10u9cups_2.2.10-6+deb10u9_armhf.deb
Debian10i386cups-bsd-dbgsym< 2.2.10-6+deb10u9cups-bsd-dbgsym_2.2.10-6+deb10u9_i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	amd64	cups-client	< 2.2.10-6+deb10u9	cups-client_2.2.10-6+deb10u9_amd64.deb
Debian	10	i386	cups-daemon	< 2.2.10-6+deb10u9	cups-daemon_2.2.10-6+deb10u9_i386.deb
Debian	10	arm64	cups-client	< 2.2.10-6+deb10u9	cups-client_2.2.10-6+deb10u9_arm64.deb
Debian	10	armhf	cups-ipp-utils-dbgsym	< 2.2.10-6+deb10u9	cups-ipp-utils-dbgsym_2.2.10-6+deb10u9_armhf.deb
Debian	10	arm64	cups-dbgsym	< 2.2.10-6+deb10u9	cups-dbgsym_2.2.10-6+deb10u9_arm64.deb
Debian	10	all	cups-server-common	< 2.2.10-6+deb10u9	cups-server-common_2.2.10-6+deb10u9_all.deb
Debian	10	i386	cups-ppdc	< 2.2.10-6+deb10u9	cups-ppdc_2.2.10-6+deb10u9_i386.deb
Debian	12	all	cups	< 2.4.2-3+deb12u2	cups_2.4.2-3+deb12u2_all.deb
Debian	10	armhf	cups	< 2.2.10-6+deb10u9	cups_2.2.10-6+deb10u9_armhf.deb
Debian	10	i386	cups-bsd-dbgsym	< 2.2.10-6+deb10u9	cups-bsd-dbgsym_2.2.10-6+deb10u9_i386.deb