From 13d9a7ab2bc2a5a17e30b78cbcc6a48649d5f42d Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Mon, 10 Dec 2018 15:29:24 +0100 Subject: [PATCH] 1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all] --- ...nux-session-cookies-used-a-predictab.patch | 22 +++++++++++++++++++ cups.spec | 8 ++++++- 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch diff --git a/0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch b/0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch new file mode 100644 index 0000000..2745b5d --- /dev/null +++ b/0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch @@ -0,0 +1,22 @@ +diff --git a/cgi-bin/var.c b/cgi-bin/var.c +index 316b67f05..12f3c8344 100644 +--- a/cgi-bin/var.c ++++ b/cgi-bin/var.c +@@ -1186,6 +1186,7 @@ cgi_set_sid(void) + const char *remote_addr, /* REMOTE_ADDR */ + *server_name, /* SERVER_NAME */ + *server_port; /* SERVER_PORT */ ++ struct timeval curtime; /* Current time */ + + + if ((remote_addr = getenv("REMOTE_ADDR")) == NULL) +@@ -1195,7 +1196,8 @@ cgi_set_sid(void) + if ((server_port = getenv("SERVER_PORT")) == NULL) + server_port = "SERVER_PORT"; + +- CUPS_SRAND(time(NULL)); ++ gettimeofday(&curtime, NULL); ++ CUPS_SRAND(curtime.tv_sec + curtime.tv_usec); + snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X", + remote_addr, server_name, server_port, + (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255, diff --git a/cups.spec b/cups.spec index ac35df6..7c6ca95 100644 --- a/cups.spec +++ b/cups.spec @@ -15,7 +15,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.2.8 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ and LGPLv2+ with exceptions and AML Url: http://www.cups.org/ Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz @@ -107,6 +107,8 @@ Patch44: cups-ippeve-webui.patch Patch45: 0001-Fix-memory-leaks-found-by-Coverity-Issue-5375.patch # 1622432 - multiple file job can stuck when data transfer is interrupted, so now it is aborted (https://github.com/apple/cups/pull/5413) Patch46: 0001-Fix-stuck-multi-file-jobs-Issue-5359-Issue-5413.patch +# 1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all] +Patch47: 0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch ##### Patches removed because IMHO they aren't no longer needed ##### but still I'll leave them in git in case their removal @@ -356,6 +358,7 @@ Sends IPP requests to the specified URI and tests and/or displays the results. # fixed covscan issues from upstream %patch45 -p1 -b .covscan %patch46 -p1 -b .multifile-stuck +%patch47 -p1 -b .predictable-cookie # if cupsd is set to log into /var/log/cups, then 'MaxLogSize 0' needs to be # in cupsd.conf to disable cupsd logrotate functionality and use logrotated @@ -749,6 +752,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog +* Mon Dec 10 2018 Zdenek Dohnal - 1:2.2.8-7 +- 1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all] + * Fri Nov 09 2018 Zdenek Dohnal - 1:2.2.8-6 - 1622432 - Jobs with multiple files don't complete when backend fails - 1648396 - 'cupsd[998]: [CGI] Unable to execute ippfind utility: No such file or directory' in journal