1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all]

2018-12-10 15:29:24 +01:00 · 2018-12-10 15:29:24 +01:00 · 13d9a7ab2b
commit 13d9a7ab2b
parent f68ad8183f
2 changed files with 29 additions and 1 deletions
--- a/0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
+++ b/0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
@ -0,0 +1,22 @@
+diff --git a/cgi-bin/var.c b/cgi-bin/var.c
+index 316b67f05..12f3c8344 100644
+--- a/cgi-bin/var.c
+++ b/cgi-bin/var.c
+@@ -1186,6 +1186,7 @@ cgi_set_sid(void)
+   const char		*remote_addr,	/* REMOTE_ADDR */
+ 			*server_name,	/* SERVER_NAME */
+ 			*server_port;	/* SERVER_PORT */
+  struct timeval	curtime;	/* Current time */
+ 
+ 
+   if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
+@@ -1195,7 +1196,8 @@ cgi_set_sid(void)
+   if ((server_port = getenv("SERVER_PORT")) == NULL)
+     server_port = "SERVER_PORT";
+ 
+-  CUPS_SRAND(time(NULL));
+  gettimeofday(&curtime, NULL);
+  CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
+   snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
+            remote_addr, server_name, server_port,
+ 	   (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
--- a/cups.spec
+++ b/cups.spec
@ -15,7 +15,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.2.8
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+ and LGPLv2+ with exceptions and AML
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@ -107,6 +107,8 @@ Patch44: cups-ippeve-webui.patch
 Patch45: 0001-Fix-memory-leaks-found-by-Coverity-Issue-5375.patch
 # 1622432 - multiple file job can stuck when data transfer is interrupted, so now it is aborted (https://github.com/apple/cups/pull/5413)
 Patch46: 0001-Fix-stuck-multi-file-jobs-Issue-5359-Issue-5413.patch
+# 1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all]
+Patch47: 0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch

 ##### Patches removed because IMHO they aren't no longer needed
 ##### but still I'll leave them in git in case their removal
@ -356,6 +358,7 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 # fixed covscan issues from upstream
 %patch45 -p1 -b .covscan
 %patch46 -p1 -b .multifile-stuck
+%patch47 -p1 -b .predictable-cookie

 # if cupsd is set to log into /var/log/cups, then 'MaxLogSize 0' needs to be
 # in cupsd.conf to disable cupsd logrotate functionality and use logrotated
@ -749,6 +752,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz

 %changelog
+* Mon Dec 10 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-7
+- 1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all]
+
 * Fri Nov 09 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-6
 - 1622432 - Jobs with multiple files don't complete when backend fails
 - 1648396 - 'cupsd[998]: [CGI] Unable to execute ippfind utility: No such file or directory' in journal