
Debian Bug report logs - #1052419
cups-daemon: NEWS.Debian is only tech-gibberish


Package: cups-daemon; Maintainer for cups-daemon is Debian Printing Team <debian-printing@lists.debian.org>; Source for cups-daemon is src:cups (PTS, buildd, popcon).

Reported by: IOhannes m zmoelnig <umlaeute@debian.org>

Date: Thu, 21 Sep 2023 17:30:02 UTC

Severity: normal

Found in version cups/2.4.2-6

Fixed in version cups/2.4.7-1

Done: Thorsten Alteholz <debian@alteholz.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#1052419; Package cups-daemon. (Thu, 21 Sep 2023 17:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to IOhannes m zmoelnig <umlaeute@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Thu, 21 Sep 2023 17:30:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: IOhannes m zmoelnig <umlaeute@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cups-daemon: NEWS.Debian is only tech-gibberish
Date: Thu, 21 Sep 2023 19:27:26 +0200
Package: cups-daemon
Version: 2.4.2-6
Severity: normal

Dear Maintainer,

While doing a routine update on my Debian/sid laptop today, I was greeted with
the following:

> cups (2.4.2-6) unstable; urgency=low
> 
>   In case this is not a fresh installation of cups, please double check
>   whether your cupsd.conf really does contain the limitiation for
>   "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch)
> 
>  -- Thorsten Alteholz <debian@alteholz.de>  Tue, 19 Sep 2023 21:20:27 +0200

wth?

NEWS.Debian is a user-facing interface for telling them important news.
(That's why they are shown in the first place).
As such, I think that the users ought to understand what this means.
I'm fine with the first two lines, but then it goes downhill.
Which "limitation of CUPS-Get-Document"? Which patch?

I think we cannot expect our users to do an 'apt-get source cupsd' to hunt down a
patch file and then understand the implications of what it does.
Even if they are smart enough to just head over to
<https://salsa.debian.org/printing-team/cups/-/blob/605d5df62adecb8941b9b3b25d5b0e92c0df752e/debian/patches/0015-CVE-2023-32360.patch>
to inspect the patch.
And then infer from the subject of the patch, that they might also hunt down
CVE-2023-32360 to see what this is all about.

*maybe* (but hey, I know that this is hard to write) something like this is better:
> This release addresses a security issue (CVE-2023-32360) which allows
> unauthorized users to fetch documents over local or remote networks.
> Since this is a configuration fix, it might be that it does not reach you if you
> are updating 'cups-daemon' (rather than doing a fresh installation).
> Please double check your /etc/cups/cupsd.conf file, whether it limits the access
> to CUPS-Get-Document with something like the following
> >  <Limit CUPS-Get-Document>
> >    AuthType Default
> >    Require user @OWNER @SYSTEM
> >    Order deny,allow
> >   </Limit>
> (The important line is the 'AuthType Default' in this section)


(Sidenote: since the NEWS.Debian file is shown only on upgrade, I think it is
safe to assume that "this is not a fresh installation of cups".)

Thanks for maintaining cups, probably one of the most installed packages
(outside of essential) in Debian (that's why I think it is even more important
to get the NEWS right).

cheers


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups-daemon depends on:
ii  adduser                    3.137
ii  bc                         1.07.1-3+b1
ii  init-system-helpers        1.65.2
ii  libavahi-client3           0.8-11
ii  libavahi-common3           0.8-11
ii  libc6                      2.37-10
ii  libcups2                   2.4.2-6
ii  libdbus-1-3                1.14.10-1
ii  libgssapi-krb5-2           1.20.1-4
ii  libpam0g                   1.5.2-7
ii  libpaper1                  1.1.29
ii  libsystemd0                254.4-1
ii  procps                     2:4.0.3-1
ii  ssl-cert                   1.1.2
ii  sysvinit-utils [lsb-base]  3.08-1

Versions of packages cups-daemon recommends:
ii  avahi-daemon  0.8-11
ii  colord        1.4.6-3
ii  cups-browsed  1.28.17-3
ii  ipp-usb       0.9.23-1+b6

Versions of packages cups-daemon suggests:
ii  cups                                       2.4.2-6
ii  cups-bsd                                   2.4.2-6
ii  cups-client                                2.4.2-6
ii  cups-common                                2.4.2-6
ii  cups-filters                               1.28.17-3
pn  cups-pdf                                   <none>
ii  cups-ppdc                                  2.4.2-6
ii  cups-server-common                         2.4.2-6
ii  foomatic-db-compressed-ppds [foomatic-db]  20230202-1
ii  ghostscript                                10.02.0~dfsg-2
ii  poppler-utils                              22.12.0-2+b1
pn  smbclient                                  <none>
ii  udev                                       254.4-1

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#1052419; Package cups-daemon. (Thu, 21 Sep 2023 17:39:09 GMT) (full text, mbox, link).


Acknowledgement sent to IOhannes m zmoelnig <umlaeute@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Thu, 21 Sep 2023 17:39:09 GMT) (full text, mbox, link).


Message #10 received at 1052419@bugs.debian.org (full text, mbox, reply):

From: IOhannes m zmoelnig <umlaeute@debian.org>
To: Debian Bug Tracking System <1052419@bugs.debian.org>
Subject: Re: cups-daemon: NEWS.Debian is only tech-gibberish
Date: Thu, 21 Sep 2023 19:38:44 +0200
Package: cups-daemon
Version: 2.4.2-6
Followup-For: Bug #1052419

Just as a follow-up: after double-checking my cupsd.conf file, I see that
the <Limit CUPS-Get-Document/> section is present multiple times in the
document, once each in the "default", "authenticated" and "kerberos" Policy
section.
I assume that the patch needs to be applied to the "default" policy, as for the
other policies there is already an AuthType defined.

Is this correct?
(The nature of a patch file does not make this obvious.)
This ought to be documented as well.

And since I'm pretty sure that I've never touched this file myself (at least
etckeeper shows that it was only ever changed while I installed cups-daemon 1½
years ago), I wonder why there was no dialog showing me the differences between
the files.


cheers

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#1052419; Package cups-daemon. (Mon, 02 Oct 2023 04:27:02 GMT) (full text, mbox, link).


Acknowledgement sent to Andres Salomon <dilinger@queued.net>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Mon, 02 Oct 2023 04:27:02 GMT) (full text, mbox, link).


Message #15 received at 1052419@bugs.debian.org (full text, mbox, reply):

From: Andres Salomon <dilinger@queued.net>
To: 1052419@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: cups-daemon: NEWS.Debian is only tech-gibberish
Date: Mon, 02 Oct 2023 00:22:28 -0400
On Thu, 21 Sep 2023 19:38:44 +0200 IOhannes m zmoelnig 
<umlaeute@debian.org> wrote:
> Package: cups-daemon
> Version: 2.4.2-6
> Followup-For: Bug #1052419
>
> Just as a follow-up: after double-checking my cupsd.conf file, I see that
> the <Limit CUPS-Get-Document/> section is present multiple times in the
> document, once each in the "default", "authenticated" and "kerberos" Policy
> section.
> I assume that the patch needs to be applied to the "default" policy, as for the
> other policies there is already an AuthType defined.
>
> Is this correct?
> (The nature of a patch file does not make this obvious.)
> This ought to be documented as well.
>
> And since I'm pretty sure that I've never touched this file myself (at least
> etckeeper shows that it was only ever changed while I installed cups-daemon 1½
> years ago), I wonder why there was no dialog showing me the differences between
> the files.
>
>
> cheers


It is confusing. Given that the vast majority of people don't touch 
cupsd.conf, maybe the NEWS entry should say something like the 
following?

"If you've never touched cupsd.conf and are unsure what to do, it's 
probably safest to simply run the following commands:
sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf-bak; sudo cp /usr/share/cups/cupsd.conf.default /etc/cups/cupsd.conf

In case printing stops working after making that change, you can 
restore the old configuration file. However, note that restoring the 
old config will reintroduce the security hole. Do the configuration 
file restoration by running:
sudo mv /etc/cups/cupsd.conf-bak /etc/cups/cupsd.conf
"


Or even better, have a cups.postinst that checks /etc/cups/cupsd.conf's 
md5sum == 758e3a2fb820f5cfb8aed788f2c8f353, and if so automatically 
copy over that cupsd.conf.default config and restart cupsd. I just 
checked two machines (sid and bookworm) and my untouched cupsd.conf 
matches that checksum on both.
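The two checks the thread keeps coming back to, in Message #5 and #10 (does the Limit covering CUPS-Get-Document inside the "default" policy actually carry an AuthType) and in Message #15 (is this cupsd.conf still an untouched default, so that cupsd.conf.default can replace it without losing local edits), as an added shell example. This is not code from the bug thread or from the cups package. It assumes the directive spelling of the stock file (matching is case-sensitive), coreutils md5sum, and a checksum list whose only entry is the value quoted in Message #15; the sample configurations it tests itself against are constructed fragments, not copies of the shipped file.

```shell
#!/bin/sh
# Added example, not part of the cups package or of any message in this bug.
# For a cupsd.conf it checks (1) whether the Limit covering CUPS-Get-Document
# inside <Policy default> carries an AuthType, the line the CVE-2023-32360 fix
# adds, and (2) whether the file is byte-identical to a known pristine default,
# so that copying cupsd.conf.default over it loses no local changes.
# Assumes stock directive spelling (case-sensitive) and coreutils md5sum.

# Checksums of untouched cupsd.conf files: only the value quoted in the thread;
# add others you have verified for your releases.
KNOWN_DEFAULT_MD5S="758e3a2fb820f5cfb8aed788f2c8f353"

# Exit status: 0 = AuthType present, 1 = Limit found but no AuthType (or
# AuthType None), 2 = no Limit naming CUPS-Get-Document in <Policy default>.
check_get_document_auth() {
    awk '
        /^[[:space:]]*<Policy[[:space:]]+default>/ { in_default = 1; next }
        /^[[:space:]]*<\/Policy>/ { in_default = 0; in_limit = 0; next }
        # a Limit line may name one operation or a whole list; either counts
        in_default && /^[[:space:]]*<Limit[[:space:]]/ && index($0, "CUPS-Get-Document") > 0 {
            in_limit = 1; found = 1; next
        }
        in_limit && /^[[:space:]]*<\/Limit>/ { in_limit = 0; next }
        in_limit && /^[[:space:]]*AuthType[[:space:]]+/ && !/AuthType[[:space:]]+None/ { auth = 1 }
        END { if (!found) exit 2; if (!auth) exit 1; exit 0 }
    ' "$1"
}

# 0 when the file matches a known checksum; the optional second argument
# overrides the built-in list (used by the self-test).
is_untouched_default() {
    sum=$(md5sum "$1" | cut -d' ' -f1)
    for known in ${2:-$KNOWN_DEFAULT_MD5S}; do
        [ "$sum" = "$known" ] && return 0
    done
    return 1
}

# Constructed policy fragments in the shape of cupsd.conf, not copies of the
# shipped file: "fixed" has the separate authenticated Limit, "unpatched" still
# lists CUPS-Get-Document in the shared job-operations Limit without an
# AuthType, "missing" names the operation nowhere.
write_sample_configs() {
    cat > "$1/fixed.conf" <<'EOF'
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
<Policy authenticated>
  <Limit CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
EOF
    cat > "$1/unpatched.conf" <<'EOF'
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
<Policy authenticated>
  <Limit CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
EOF
    cat > "$1/missing.conf" <<'EOF'
<Policy default>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
EOF
}

# Stand-alone use: sh check-get-document.sh /etc/cups/cupsd.conf
if [ "$#" -ge 1 ]; then
    conf=$1
    check_get_document_auth "$conf"; rc=$?
    case $rc in
        0) echo "$conf: CUPS-Get-Document in <Policy default> requires authentication" ;;
        1) echo "$conf: CUPS-Get-Document in <Policy default> has no AuthType (CVE-2023-32360 fix missing)" ;;
        2) echo "$conf: no Limit names CUPS-Get-Document in <Policy default>" ;;
    esac
    is_untouched_default "$conf" && echo "$conf: unmodified default; cupsd.conf.default can replace it safely"
    exit "$rc"
fi
```

The awk pass only looks inside the "default" policy, which is the one the follow-up identifies as lacking an AuthType; the "authenticated" and "kerberos" policies carry their own. A Limit line that lists many operations is recognised as well as the single-operation block, so an unpatched file reports status 1 rather than "missing". The checksum test mirrors the postinst idea in Message #15: a match means the file is pristine and replacing it is safe, a mismatch means somebody edited it and the Limit check, not a blind copy, should decide what to do.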



Reply sent to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility. (Sat, 07 Oct 2023 22:39:23 GMT) (full text, mbox, link).


Notification sent to IOhannes m zmoelnig <umlaeute@debian.org>:
Bug acknowledged by developer. (Sat, 07 Oct 2023 22:39:23 GMT) (full text, mbox, link).


Message #20 received at 1052419-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1052419-close@bugs.debian.org
Subject: Bug#1052419: fixed in cups 2.4.7-1
Date: Sat, 07 Oct 2023 22:34:43 +0000
Source: cups
Source-Version: 2.4.7-1
Done: Thorsten Alteholz <debian@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1052419@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 06 Oct 2023 20:16:49 +0200
Source: cups
Architecture: source
Version: 2.4.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Closes: 954974 971625 998004 1008053 1009146 1009147 1039983 1041466 1043331 1043470 1052419
Changes:
 cups (2.4.7-1) unstable; urgency=medium
 .
   * Update to new upstream version 2.4.7.
     (Closes: #1039983   this should have been fixed in 2.4.3)
     (Closes: #1041466   this should have been fixed in 2.4.3)
     (Closes: #1043331   this should have been fixed in 2.4.3)
     (Closes: #998004    this should have been fixed in 2.4.3)
     (Closes: #1008053   this should have been fixed in 2.4.3)
     (Closes: #1009146   this should have been fixed in 2.4.3)
     (Closes: #1009147   this should have been fixed in 2.4.3)
   * debian/watch: update watch file (Closes: #1043470)
                   (thanks a lot to t3b4in+2gxh764v647us@cs.email)
   * debian/rules: switch on testing again
   * debian/control: bump standard to 4.6.2 (no changes)
   * debian/cups-daemon.NEWS: reword last entry (Closes: #1052419)
                              (thanks to IOhannes m zmoelnig)
   * debian/local/apparmor-profile: add drop-in for cups-pdf as well
                                    (Closes: #954974)
   * Provide a cups.pc file. (Closes: #971625)
     (thanks a lot to Helmut Grohne for the patch)
   * update debian/*.lintian-overrides and use new syntax
Checksums-Sha1:
 cbc8bfafbffcdf91c3485d969c8d09bb95bf3c2f 3357 cups_2.4.7-1.dsc
 9c6155dfa367eee9a88ad08cf83b1dc6c446309f 8134809 cups_2.4.7.orig.tar.gz
 a2b411cdcf336ac0ba9b3f6d17377cc963bf7d26 228 cups_2.4.7.orig.tar.gz.asc
 925bced67d126a6dc1ce3586de2b58327c417240 383284 cups_2.4.7-1.debian.tar.xz
 01d9093d9e634e5bf609546ada19e8a41b4625b7 13522 cups_2.4.7-1_amd64.buildinfo
Checksums-Sha256:
 28a4e4dcbecb7ee3ddb8ba6883e09add5556f73e45bd6536e04b552bbffad8ef 3357 cups_2.4.7-1.dsc
 dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c 8134809 cups_2.4.7.orig.tar.gz
 4a5f7d06dd1255248c0718111b86c8c40e56990c9c7ec497f4190d933e0691a4 228 cups_2.4.7.orig.tar.gz.asc
 8609ef2edd3f5142fb1dd3f6ae7a323b1a952a4a49cb3ae04aa7f31ef4f1bc75 383284 cups_2.4.7-1.debian.tar.xz
 75374e7a994ed757e71eeafba5daed63bd4966122c0ace02bfa7b025a85736b6 13522 cups_2.4.7-1_amd64.buildinfo
Files:
 d127d7414d397282312dabf9ea7b3c69 3357 net optional cups_2.4.7-1.dsc
 e0a5ddbf53dfad41da26fc1ef60b2256 8134809 net optional cups_2.4.7.orig.tar.gz
 aa1ef89b6837bf5742d0517c61dbe8d7 228 net optional cups_2.4.7.orig.tar.gz.asc
 176916b932730693d819bc6d68995d4f 383284 net optional cups_2.4.7-1.debian.tar.xz
 a151a50a14e07b7ec61bc6a7ec6bc882 13522 net optional cups_2.4.7-1_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Nov 2023 07:26:09 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Nov 17 22:02:18 2025; Machine Name: bembo
