parent
b7d926d961
commit
28c8ddb831
|
@ -0,0 +1,141 @@
|
|||
diff -up cups-2.2.2/scheduler/ipp.c.substitute-bad-attrs cups-2.2.2/scheduler/ipp.c
|
||||
--- cups-2.2.2/scheduler/ipp.c.substitute-bad-attrs 2018-04-12 09:08:48.142363431 +0200
|
||||
+++ cups-2.2.2/scheduler/ipp.c 2018-04-12 09:09:54.442790576 +0200
|
||||
@@ -164,6 +164,7 @@ cupsdProcessIPPRequest(
|
||||
ipp_attribute_t *uri = NULL; /* Printer or job URI attribute */
|
||||
ipp_attribute_t *username; /* requesting-user-name attr */
|
||||
int sub_id; /* Subscription ID */
|
||||
+ int valid = 1; /* Valid request? */
|
||||
|
||||
|
||||
cupsdLogMessage(CUPSD_LOG_DEBUG2,
|
||||
@@ -402,20 +403,55 @@ cupsdProcessIPPRequest(
|
||||
else
|
||||
{
|
||||
/*
|
||||
- * OK, all the checks pass so far; make sure requesting-user-name is
|
||||
- * not "root" from a remote host...
|
||||
+ * OK, all the checks pass so far; validate "requesting-user-name"
|
||||
+ * attribute value...
|
||||
*/
|
||||
|
||||
- if ((username = ippFindAttribute(con->request, "requesting-user-name",
|
||||
- IPP_TAG_NAME)) != NULL)
|
||||
- {
|
||||
- /*
|
||||
- * Check for root user...
|
||||
- */
|
||||
-
|
||||
- if (!strcmp(username->values[0].string.text, "root") &&
|
||||
- _cups_strcasecmp(con->http->hostname, "localhost") &&
|
||||
- strcmp(con->username, "root"))
|
||||
+ if ((username = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_ZERO)) != NULL)
|
||||
+ {
|
||||
+ /*
|
||||
+ * Validate "requesting-user-name"...
|
||||
+ */
|
||||
+
|
||||
+ if (username->group_tag != IPP_TAG_OPERATION && StrictConformance)
|
||||
+ {
|
||||
+ cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute in wrong group.", IPP_STATUS_ERROR_BAD_REQUEST, con->http->hostname);
|
||||
+ send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("\"requesting-user-name\" attribute in wrong group."));
|
||||
+ valid = 0;
|
||||
+ }
|
||||
+ else if (username->value_tag != IPP_TAG_NAME && username->value_tag != IPP_TAG_NAMELANG)
|
||||
+ {
|
||||
+ cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute with wrong syntax.", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, con->http->hostname);
|
||||
+ send_ipp_status(con, IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, _("\"requesting-user-name\" attribute with wrong syntax."));
|
||||
+ if ((attr = ippCopyAttribute(con->response, username, 0)) != NULL)
|
||||
+ attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
|
||||
+ valid = 0;
|
||||
+ }
|
||||
+ else if (!ippValidateAttribute(username))
|
||||
+ {
|
||||
+ cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute with bad value.", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, con->http->hostname);
|
||||
+
|
||||
+ if (StrictConformance)
|
||||
+ {
|
||||
+ /*
|
||||
+ * Throw an error...
|
||||
+ */
|
||||
+
|
||||
+ send_ipp_status(con, IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, _("\"requesting-user-name\" attribute with wrong syntax."));
|
||||
+ if ((attr = ippCopyAttribute(con->response, username, 0)) != NULL)
|
||||
+ attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
|
||||
+ valid = 0;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ /*
|
||||
+ * Map bad "requesting-user-name" to 'anonymous'...
|
||||
+ */
|
||||
+
|
||||
+ ippSetString(con->request, &username, 0, "anonymous");
|
||||
+ }
|
||||
+ }
|
||||
+ else if (!strcmp(username->values[0].string.text, "root") && _cups_strcasecmp(con->http->hostname, "localhost") && strcmp(con->username, "root"))
|
||||
{
|
||||
/*
|
||||
* Remote unauthenticated user masquerading as local root...
|
||||
@@ -431,6 +467,8 @@ cupsdProcessIPPRequest(
|
||||
else
|
||||
sub_id = 0;
|
||||
|
||||
+ if (valid)
|
||||
+ {
|
||||
/*
|
||||
* Then try processing the operation...
|
||||
*/
|
||||
@@ -634,6 +672,7 @@ cupsdProcessIPPRequest(
|
||||
ippOpString(
|
||||
con->request->request.op.operation_id));
|
||||
break;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1594,27 +1633,34 @@ add_job(cupsd_client_t *con, /* I - Cl
|
||||
_("Bad job-name value: Wrong type or count."));
|
||||
if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
|
||||
attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
|
||||
- return (NULL);
|
||||
+
|
||||
+ if (StrictConformance)
|
||||
+ return (NULL);
|
||||
+
|
||||
+ /* Don't use invalid attribute */
|
||||
+ ippDeleteAttribute(con->request, attr);
|
||||
+
|
||||
+ ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "job-name", NULL, "Untitled");
|
||||
}
|
||||
else if (!ippValidateAttribute(attr))
|
||||
{
|
||||
send_ipp_status(con, IPP_ATTRIBUTES, _("Bad job-name value: %s"),
|
||||
cupsLastErrorString());
|
||||
+
|
||||
if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
|
||||
attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
|
||||
- return (NULL);
|
||||
- }
|
||||
|
||||
- attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
|
||||
+ if (StrictConformance)
|
||||
+ return (NULL);
|
||||
|
||||
- if (attr && !ippValidateAttribute(attr))
|
||||
- {
|
||||
- send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString());
|
||||
- if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
|
||||
- attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
|
||||
- return (NULL);
|
||||
+ /* Don't use invalid attribute */
|
||||
+ ippDeleteAttribute(con->request, attr);
|
||||
+
|
||||
+ ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "job-name", NULL, "Untitled");
|
||||
}
|
||||
|
||||
+ attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
|
||||
+
|
||||
#ifdef WITH_LSPP
|
||||
if (is_lspp_config())
|
||||
{
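Review bot: In the add_job hunk, both new non-strict branches call `ippDeleteAttribute(con->request, attr);` after `attr` has already been overwritten by `attr = ippCopyAttribute(con->response, attr, 0)`, so the pointer passed is the copy in con->response (or NULL if the copy failed), not the invalid job-name in the request. The invalid attribute therefore probably stays in con->request beside the substituted "Untitled" value, and a later lookup by name may still return the bad one; how ippDeleteAttribute treats an attribute from another message is not visible here. Keep the request pointer separate, e.g. `ipp_attribute_t *unsup = ippCopyAttribute(con->response, attr, 0);` followed by `if (unsup) unsup->group_tag = IPP_TAG_UNSUPPORTED_GROUP;`, and only then delete `attr`. Non-strict mode also still calls send_ipp_status with an error before continuing, so the status returned for a job that is accepted anyway should be checked. add_job's body continues outside the hunk.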
|
10
cups.spec
|
@ -15,7 +15,7 @@ Summary: CUPS printing system
|
|||
Name: cups
|
||||
Epoch: 1
|
||||
Version: 2.2.2
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
License: GPLv2
|
||||
Url: http://www.cups.org/
|
||||
Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
|
||||
|
@ -64,6 +64,7 @@ Patch36: cups-web-devices-timeout.patch
|
|||
Patch37: cups-synconclose.patch
|
||||
Patch39: cups-ypbind.patch
|
||||
Patch40: cups-dbus_crash.patch
|
||||
Patch41: cups-substitute-bad-attrs.patch
|
||||
|
||||
Patch100: cups-lspp.patch
|
||||
|
||||
|
@ -265,6 +266,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
|
|||
# LSPP support.
|
||||
%patch100 -p1 -b .lspp
|
||||
%endif
|
||||
# Substitute default values for invalid job attributes (upstream #5186 and #5229)
|
||||
%patch41 -p1 -b .substitute-bad-attrs
|
||||
|
||||
|
||||
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
|
||||
|
@ -499,7 +502,7 @@ rm -f %{cups_serverbin}/backend/smb
|
|||
%verify(not md5 size mtime) %config(noreplace) %attr(0644,root,lp) %{_sysconfdir}/cups/snmp.conf
|
||||
%attr(0640,root,lp) %{_sysconfdir}/cups/snmp.conf.default
|
||||
%verify(not md5 size mtime) %config(noreplace) %attr(0640,root,lp) %{_sysconfdir}/cups/subscriptions.conf
|
||||
#%{_sysconfdir}/cups/interfaces
|
||||
#%%{_sysconfdir}/cups/interfaces
|
||||
%verify(not md5 size mtime) %config(noreplace) %attr(0644,root,lp) %{_sysconfdir}/cups/lpoptions
|
||||
%dir %attr(0755,root,lp) %{_sysconfdir}/cups/ppd
|
||||
%dir %attr(0700,root,lp) %{_sysconfdir}/cups/ssl
|
||||
|
@ -626,6 +629,9 @@ rm -f %{cups_serverbin}/backend/smb
|
|||
%{_mandir}/man5/ipptoolfile.5.gz
|
||||
|
||||
%changelog
|
||||
* Thu Apr 12 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.2-10
|
||||
- Substitute default values for invalid job attributes (upstream #5186 and #5229)
|
||||
|
||||
* Wed Mar 28 2018 Pavel Zhukov <pzhukov@redhat.com> - 1:2.2.2-9
|
||||
- Fix for CVE-2017-18248
|
||||
|
||||
|
|