CVE-2022-26691 cups: authorization bypass when using "local" authorization

2022-05-31 15:15:15 +02:00 · 2022-05-31 15:15:15 +02:00 · e8eef8ded5
parent 61a3d70231
commit e8eef8ded5
2 changed files with 43 additions and 1 deletions
--- a/0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
+++ b/0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
@ -0,0 +1,35 @@
+From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 May 2022 06:27:04 +0200
+Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
+ CVE-2022-26691)
+
+The previous algorithm didn't expect the strings can have a different
+length, so one string can be a substring of the other and such substring
+was reported as equal to the longer string.
+---
+ CHANGES.md       | 1 +
+ scheduler/cert.c | 9 ++++++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/scheduler/cert.c b/scheduler/cert.c
+index b268bf1b2..9b65b96c9 100644
+--- a/scheduler/cert.c
+++ b/scheduler/cert.c
+@@ -444,5 +444,12 @@ ctcompare(const char *a,		/* I - First string */
+     b ++;
+   }
+ 
+-  return (result);
+ /*
+  * The while loop finishes when *a == '\0' or *b == '\0'
+  * so after the while loop either both *a and *b == '\0',
+  * or one points inside a string, so when we apply bitwise OR on *a,
+  * *b and result, we get a non-zero return value if the compared strings don't match.
+  */
+
+  return (result | *a | *b);
+ }
+-- 
+2.36.1
+
--- a/cups.spec
+++ b/cups.spec
@ -17,7 +17,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: ASL 2.0
 Url: https://openprinting.github.io/cups/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
@ -111,6 +111,8 @@ Patch29: 0001-cups-http-encode-memleaks-fixes-issue-322.patch
 Patch30: 0001-cups-fix-uninit-value-jump.patch
 # 2073268 - 30-second delays printing to Windows 2016 server via HTTPS
 Patch31: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
+# CVE-2022-26691 cups: authorization bypass when using "local" authorization
+Patch32: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch

 ##### Patches removed because IMHO they aren't no longer needed
 ##### but still I'll leave them in git in case their removal
@ -348,6 +350,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch30 -p1 -b .ppd-memleak
 # 2073268 - 30-second delays printing to Windows 2016 server via HTTPS
 %patch31 -p1 -b .gnutlsbye
+# CVE-2022-26691 cups: authorization bypass when using "local" authorization
+%patch32 -p1 -b .cve26691


 %if %{lspp}
@ -724,6 +728,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz

 %changelog
+* Tue May 31 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-18
+- CVE-2022-26691 cups: authorization bypass when using "local" authorization
+
 * Fri Apr 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-17
 - 2073268 - 30-second delays printing to Windows 2016 server via HTTPS