Substitute default values for invalid job attributes (upstream #5186 and #5229)

2018-04-12 09:30:13 +02:00 · 2018-04-12 09:30:13 +02:00 · 28c8ddb831
parent b7d926d961
commit 28c8ddb831
2 changed files with 149 additions and 2 deletions
--- a/cups-substitute-bad-attrs.patch
+++ b/cups-substitute-bad-attrs.patch
@ -0,0 +1,141 @@
+diff -up cups-2.2.2/scheduler/ipp.c.substitute-bad-attrs cups-2.2.2/scheduler/ipp.c
+--- cups-2.2.2/scheduler/ipp.c.substitute-bad-attrs	2018-04-12 09:08:48.142363431 +0200
+++ cups-2.2.2/scheduler/ipp.c	2018-04-12 09:09:54.442790576 +0200
+@@ -164,6 +164,7 @@ cupsdProcessIPPRequest(
+   ipp_attribute_t	*uri = NULL;	/* Printer or job URI attribute */
+   ipp_attribute_t	*username;	/* requesting-user-name attr */
+   int			sub_id;		/* Subscription ID */
+  int			valid = 1;	/* Valid request? */
+ 
+ 
+   cupsdLogMessage(CUPSD_LOG_DEBUG2,
+@@ -402,20 +403,55 @@ cupsdProcessIPPRequest(
+       else
+       {
+        /*
+-	* OK, all the checks pass so far; make sure requesting-user-name is
+-	* not "root" from a remote host...
+	* OK, all the checks pass so far; validate "requesting-user-name"
+	* attribute value...
+ 	*/
+ 
+-        if ((username = ippFindAttribute(con->request, "requesting-user-name",
+-	                                 IPP_TAG_NAME)) != NULL)
+-	{
+-	 /*
+-	  * Check for root user...
+-	  */
+-
+-	  if (!strcmp(username->values[0].string.text, "root") &&
+-	      _cups_strcasecmp(con->http->hostname, "localhost") &&
+-	      strcmp(con->username, "root"))
+        if ((username = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_ZERO)) != NULL)
+        {
+         /*
+          * Validate "requesting-user-name"...
+          */
+
+          if (username->group_tag != IPP_TAG_OPERATION && StrictConformance)
+          {
+	    cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute in wrong group.", IPP_STATUS_ERROR_BAD_REQUEST, con->http->hostname);
+	    send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("\"requesting-user-name\" attribute in wrong group."));
+	    valid = 0;
+          }
+          else if (username->value_tag != IPP_TAG_NAME && username->value_tag != IPP_TAG_NAMELANG)
+          {
+	    cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute with wrong syntax.", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, con->http->hostname);
+	    send_ipp_status(con, IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, _("\"requesting-user-name\" attribute with wrong syntax."));
+	    if ((attr = ippCopyAttribute(con->response, username, 0)) != NULL)
+	      attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+	    valid = 0;
+          }
+          else if (!ippValidateAttribute(username))
+          {
+	    cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute with bad value.", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, con->http->hostname);
+
+            if (StrictConformance)
+            {
+             /*
+              * Throw an error...
+              */
+
+	      send_ipp_status(con, IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, _("\"requesting-user-name\" attribute with wrong syntax."));
+              if ((attr = ippCopyAttribute(con->response, username, 0)) != NULL)
+                attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+	      valid = 0;
+	    }
+	    else
+	    {
+	     /*
+	      * Map bad "requesting-user-name" to 'anonymous'...
+	      */
+
+              ippSetString(con->request, &username, 0, "anonymous");
+	    }
+          }
+          else if (!strcmp(username->values[0].string.text, "root") && _cups_strcasecmp(con->http->hostname, "localhost") && strcmp(con->username, "root"))
+ 	  {
+ 	   /*
+ 	    * Remote unauthenticated user masquerading as local root...
+@@ -431,6 +467,8 @@ cupsdProcessIPPRequest(
+ 	else
+ 	  sub_id = 0;
+ 
+        if (valid)
+        {
+        /*
+         * Then try processing the operation...
+ 	*/
+@@ -634,6 +672,7 @@ cupsdProcessIPPRequest(
+ 			      ippOpString(
+ 			          con->request->request.op.operation_id));
+ 	      break;
+        }
+ 	}
+       }
+     }
+@@ -1594,27 +1633,34 @@ add_job(cupsd_client_t  *con,		/* I - Cl
+                     _("Bad job-name value: Wrong type or count."));
+     if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
+       attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+-    return (NULL);
+
+    if (StrictConformance)
+      return (NULL);
+
+    /* Don't use invalid attribute */
+    ippDeleteAttribute(con->request, attr);
+
+    ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "job-name", NULL, "Untitled");
+   }
+   else if (!ippValidateAttribute(attr))
+   {
+     send_ipp_status(con, IPP_ATTRIBUTES, _("Bad job-name value: %s"),
+                     cupsLastErrorString());
+
+     if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
+       attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+-    return (NULL);
+-  }
+ 
+-  attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
+    if (StrictConformance)
+      return (NULL);
+ 
+-  if (attr && !ippValidateAttribute(attr))
+-  {
+-    send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString());
+-    if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
+-      attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+-    return (NULL);
+    /* Don't use invalid attribute */
+    ippDeleteAttribute(con->request, attr);
+
+    ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "job-name", NULL, "Untitled");
+   }
+ 
+  attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
+
+ #ifdef WITH_LSPP
+   if (is_lspp_config())
+   {
--- a/cups.spec
+++ b/cups.spec
@ -15,7 +15,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.2.2
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv2
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@ -64,6 +64,7 @@ Patch36: cups-web-devices-timeout.patch
 Patch37: cups-synconclose.patch
 Patch39: cups-ypbind.patch
 Patch40: cups-dbus_crash.patch
+Patch41: cups-substitute-bad-attrs.patch

 Patch100: cups-lspp.patch

@ -265,6 +266,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 # LSPP support.
 %patch100 -p1 -b .lspp
 %endif
+# Substitute default values for invalid job attributes (upstream #5186 and #5229) 
+%patch41 -p1 -b .substitute-bad-attrs


 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
@ -499,7 +502,7 @@ rm -f %{cups_serverbin}/backend/smb
 %verify(not md5 size mtime) %config(noreplace) %attr(0644,root,lp) %{_sysconfdir}/cups/snmp.conf
 %attr(0640,root,lp) %{_sysconfdir}/cups/snmp.conf.default
 %verify(not md5 size mtime) %config(noreplace) %attr(0640,root,lp) %{_sysconfdir}/cups/subscriptions.conf
-#%{_sysconfdir}/cups/interfaces
+#%%{_sysconfdir}/cups/interfaces
 %verify(not md5 size mtime) %config(noreplace) %attr(0644,root,lp) %{_sysconfdir}/cups/lpoptions
 %dir %attr(0755,root,lp) %{_sysconfdir}/cups/ppd
 %dir %attr(0700,root,lp) %{_sysconfdir}/cups/ssl
@ -626,6 +629,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz

 %changelog
+* Thu Apr 12 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.2-10
+- Substitute default values for invalid job attributes (upstream #5186 and #5229)
+
 * Wed Mar 28 2018 Pavel Zhukov <pzhukov@redhat.com> - 1:2.2.2-9
 - Fix for CVE-2017-18248