From 798d194948287da5b36ba6505ca08511b8dd7ed1 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Wed, 17 Apr 2019 14:43:21 +0200
Subject: [PATCH] 1700664 - Stop advertising the HTTP methods that are supported
---
 cups-dont-send-http-options-field.patch | 13 +++++++++++++
 cups.spec | 15 ++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 cups-dont-send-http-options-field.patch
diff --git a/cups-dont-send-http-options-field.patch b/cups-dont-send-http-options-field.patch
new file mode 100644
index 0000000..79af685
--- /dev/null
+++ b/cups-dont-send-http-options-field.patch
@@ -0,0 +1,13 @@
+diff --git a/scheduler/client.c b/scheduler/client.c
+index d057602..8960516 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -1023,8 +1023,6 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
+ }
+
+ httpClearFields(con->http);
+- httpSetField(con->http, HTTP_FIELD_ALLOW,
+- "GET, HEAD, OPTIONS, POST, PUT");
+ httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");
+
+ if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE))
diff --git a/cups.spec b/cups.spec
index e95dfcf..8ebf645 100644
--- a/cups.spec
+++ b/cups.spec
@@ -15,7 +15,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.2.11
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+ and LGPLv2+ with exceptions and AML
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
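Review bot: The OPTIONS reply built in scheduler/client.c now carries no `Allow` header at all, and the new cups-dont-send-http-options-field.patch has no description header saying why; RFC 7231 recommends `Allow` on a successful OPTIONS response, so a conformant client that uses it for method discovery will now receive only `Content-Length: 0`. The protective value of the removal is limited, since the same method list can be learned by simply issuing each method, so this is hardening by reducing disclosure rather than a fix for a specific flaw, and the patch should say so. I would add a description block above the nested `diff --git` line naming bug 1700664, stating that the `Allow` header is intentionally omitted from the OPTIONS reply, and recording whether the change was accepted upstream so the patch can be retired at the next rebase. The enclosing cupsdReadClient() body starts and ends outside the nested hunk, so any other callers of this `httpClearFields`/`httpSetField` sequence are not visible here.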
@@ -95,6 +95,13 @@ Patch18: cups-filter-debug.patch # add device id for dymo printer Patch29: cups-dymo-deviceid.patch +#### UPSTREAM PATCHES #### +# possible security issue - all answers tell to +# possible attacker supported options, which +# can narrow the attack vector - do not send it +# in regular message +Patch40: cups-dont-send-http-options-field.patch + ##### Patches removed because IMHO they aren't no longer needed ##### but still I'll leave them in git in case their removal ##### breaks something. @@ -336,6 +343,9 @@ Sends IPP requests to the specified URI and tests and/or displays the results. %patch100 -p1 -b .lspp %endif +#### UPSTREAMED PATCHES #### +%patch40 -p1 -b .dont-send-http-options-field + # if cupsd is set to log into /var/log/cups, then 'MaxLogSize 0' needs to be # in cupsd.conf to disable cupsd logrotate functionality and use logrotated sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in @@ -741,6 +751,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog +* Wed Apr 17 2019 Zdenek Dohnal - 1:2.2.11-2 +- 1700664 - Stop advertising the HTTP methods that are supported + * Tue Mar 26 2019 Zdenek Dohnal - 1:2.2.11-1 - 2.2.11
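Review bot: The two new section headers disagree on the patch's status: the `Patch40:` declaration sits under `#### UPSTREAM PATCHES ####` while the `%prep` apply site says `#### UPSTREAMED PATCHES ####`, and the four-line rationale above `Patch40:` ("all answers tell to possible attacker supported options") is hard to parse. I would use one wording in both places and replace the rationale with `# 1700664 - do not advertise the supported HTTP methods (Allow header) in the OPTIONS reply`. If the change has in fact been accepted upstream, the comment should also carry the upstream reference so the patch can be dropped on the next rebase; if it has not, `UPSTREAMED` overstates it and should be `UPSTREAM` or a plain `#### DOWNSTREAM PATCHES ####` header.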