CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601)

2014-07-23 17:18:39 +02:00 · 2014-07-23 17:18:39 +02:00 · feafaa334e
commit feafaa334e
parent 3c29b9339f
2 changed files with 106 additions and 1 deletions
--- a/cups-CVE-2014-5029-5030-5031.patch
+++ b/cups-CVE-2014-5029-5030-5031.patch
@ -0,0 +1,99 @@
+From d40220801eec992804cb728d51228d19496fffd9 Mon Sep 17 00:00:00 2001
+From: msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
+Date: Tue, 22 Jul 2014 14:03:19 +0000
+Subject: [PATCH] Mirror changes from trunk.
+
+git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/branches/branch-1.7@12057 a1ca3aef-8c08-0410-bb20-df032aa958be
+---
+diff --git a/scheduler/client.c b/scheduler/client.c
+index e5959fa..366b351 100644
+--- a/scheduler/client.c
+++ b/scheduler/client.c
+@@ -3310,7 +3310,7 @@ get_file(cupsd_client_t *con,		/* I  - Client connection */
+   * then fallback to the default one...
+   */
+ 
+-  if ((status = stat(filename, filestats)) != 0 && language[0] &&
+  if ((status = lstat(filename, filestats)) != 0 && language[0] &&
+       strncmp(con->uri, "/icons/", 7) &&
+       strncmp(con->uri, "/ppd/", 5) &&
+       strncmp(con->uri, "/rss/", 5) &&
+@@ -3408,13 +3408,13 @@ get_file(cupsd_client_t *con,		/* I  - Client connection */
+       plen = len - (ptr - filename);
+ 
+       strlcpy(ptr, "index.html", plen);
+-      status = stat(filename, filestats);
+      status = lstat(filename, filestats);
+ 
+ #ifdef HAVE_JAVA
+       if (status)
+       {
+ 	strlcpy(ptr, "index.class", plen);
+-	status = stat(filename, filestats);
+	status = lstat(filename, filestats);
+       }
+ #endif /* HAVE_JAVA */
+ 
+@@ -3422,7 +3422,7 @@ get_file(cupsd_client_t *con,		/* I  - Client connection */
+       if (status)
+       {
+ 	strlcpy(ptr, "index.pl", plen);
+-	status = stat(filename, filestats);
+	status = lstat(filename, filestats);
+       }
+ #endif /* HAVE_PERL */
+ 
+@@ -3430,7 +3430,7 @@ get_file(cupsd_client_t *con,		/* I  - Client connection */
+       if (status)
+       {
+ 	strlcpy(ptr, "index.php", plen);
+-	status = stat(filename, filestats);
+	status = lstat(filename, filestats);
+       }
+ #endif /* HAVE_PHP */
+ 
+@@ -3438,18 +3438,39 @@ get_file(cupsd_client_t *con,		/* I  - Client connection */
+       if (status)
+       {
+ 	strlcpy(ptr, "index.pyc", plen);
+-	status = stat(filename, filestats);
+	status = lstat(filename, filestats);
+       }
+ 
+       if (status)
+       {
+ 	strlcpy(ptr, "index.py", plen);
+-	status = stat(filename, filestats);
+	status = lstat(filename, filestats);
+       }
+ #endif /* HAVE_PYTHON */
+ 
+     }
+     while (status && language[0]);
+
+   /*
+    * If we've found a symlink, 404 the sucker to avoid disclosing information.
+    */
+
+    if (!status && S_ISLNK(filestats->st_mode))
+    {
+      cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
+      return (NULL);
+    }
+
+   /*
+    * Similarly, if the file/directory does not have world read permissions, do
+    * not allow access...
+    */
+
+    if (!status && !(filestats->st_mode & S_IROTH))
+    {
+      cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
+      return (NULL);
+    }
+   }
+ 
+   cupsdLogMessage(CUPSD_LOG_DEBUG2,
+-- 
+1.9.3
+
--- a/cups.spec
+++ b/cups.spec
@ -11,7 +11,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 1.7.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Url: http://www.cups.org/
 Source: http://www.cups.org/software/%{version}/cups-%{version}-source.tar.bz2
@ -66,6 +66,7 @@ Patch37: cups-final-content-type.patch
 Patch38: cups-journal.patch
 Patch39: cups-synconclose.patch
 Patch40: cups-cgi.patch
+Patch41: cups-CVE-2014-5029-5030-5031.patch

 Patch100: cups-lspp.patch

@ -255,6 +256,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 %patch39 -p1 -b .synconclose
 # Fix CGI handling (STR #4454).
 %patch40 -p1 -b .cgi
+# CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601)
+%patch41 -p1 -b .CVE-2014-5029-5030-5031

 %if %lspp
 # LSPP support.
@ -643,6 +646,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz

 %changelog
+* Wed Jul 23 2014 Jiri Popelka <jpopelka@redhat.com> - 1:1.7.4-3
+- CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601)
+
 * Wed Jul 23 2014 Tim Waugh <twaugh@redhat.com> - 1:1.7.4-2
 - Fix CGI handling (STR #4454).