1742934, 1742935 - SNMP backend CVEs

0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch

@@ -0,0 +1,22 @@
+diff --git a/cgi-bin/var.c b/cgi-bin/var.c
+index 316b67f05..12f3c8344 100644
+--- a/cgi-bin/var.c
++++ b/cgi-bin/var.c
+@@ -1186,6 +1186,7 @@ cgi_set_sid(void)
+   const char		*remote_addr,	/* REMOTE_ADDR */
+ 			*server_name,	/* SERVER_NAME */
+ 			*server_port;	/* SERVER_PORT */
++  struct timeval	curtime;	/* Current time */
+ 
+ 
+   if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
+@@ -1195,7 +1196,8 @@ cgi_set_sid(void)
+   if ((server_port = getenv("SERVER_PORT")) == NULL)
+     server_port = "SERVER_PORT";
+ 
+-  CUPS_SRAND(time(NULL));
++  gettimeofday(&curtime, NULL);
++  CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
+   snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
+            remote_addr, server_name, server_port,
+ 	   (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,

0001-Multiple-security-disclosure-issues.patch

@@ -0,0 +1,182 @@
+From 2c030c7a06e0c2b8227c7e85f5c58dfb339731d0 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 15 Aug 2019 14:06:47 -0400
+Subject: [PATCH] Multiple security/disclosure issues:
+
+- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251)
+- Fixed IPP buffer overflow (rdar://50035411)
+- Fixed memory disclosure issue in the scheduler (rdar://51373853)
+- Fixed DoS issues in the scheduler (rdar://51373929)
+diff --git a/cups/http.c b/cups/http.c
+index 266a15791..fbb1bf13c 100644
+--- a/cups/http.c
++++ b/cups/http.c
+@@ -1860,7 +1860,7 @@ httpPrintf(http_t     *http,		/* I - HTTP connection */
+ 	   ...)				/* I - Additional args as needed */
+ {
+   ssize_t	bytes;			/* Number of bytes to write */
+-  char		buf[16384];		/* Buffer for formatted string */
++  char		buf[65536];		/* Buffer for formatted string */
+   va_list	ap;			/* Variable argument pointer */
+ 
+ 
+@@ -1872,7 +1872,12 @@ httpPrintf(http_t     *http,		/* I - HTTP connection */
+ 
+   DEBUG_printf(("3httpPrintf: (" CUPS_LLFMT " bytes) %s", CUPS_LLCAST bytes, buf));
+ 
+-  if (http->data_encoding == HTTP_ENCODING_FIELDS)
++  if (bytes > (ssize_t)(sizeof(buf) - 1))
++  {
++    http->error = ENOMEM;
++    return (-1);
++  }
++  else if (http->data_encoding == HTTP_ENCODING_FIELDS)
+     return ((int)httpWrite2(http, buf, (size_t)bytes));
+   else
+   {
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 6fae52a00..1bd59cef1 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -4550,9 +4550,7 @@ ippSetValueTag(
+         break;
+ 
+     case IPP_TAG_NAME :
+-        if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI &&
+-            temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE &&
+-            temp_tag != IPP_TAG_MIMETYPE)
++        if (temp_tag != IPP_TAG_KEYWORD)
+           return (0);
+ 
+         (*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST));
+@@ -4560,10 +4558,7 @@ ippSetValueTag(
+ 
+     case IPP_TAG_NAMELANG :
+     case IPP_TAG_TEXTLANG :
+-        if (value_tag == IPP_TAG_NAMELANG &&
+-            (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD &&
+-             temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME &&
+-             temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE))
++        if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD))
+           return (0);
+ 
+         if (value_tag == IPP_TAG_TEXTLANG && temp_tag != IPP_TAG_TEXT)
+diff --git a/cups/snmp.c b/cups/snmp.c
+index 5cefee454..1d9da01f2 100644
+--- a/cups/snmp.c
++++ b/cups/snmp.c
+@@ -1233,6 +1233,9 @@ asn1_get_integer(
+   int	value;				/* Integer value */
+ 
+ 
++  if (*buffer >= bufend)
++    return (0);
++
+   if (length > sizeof(int))
+   {
+     (*buffer) += length;
+@@ -1259,6 +1262,9 @@ asn1_get_length(unsigned char **buffer,	/* IO - Pointer in buffer */
+   unsigned	length;			/* Length */
+ 
+ 
++  if (*buffer >= bufend)
++    return (0);
++
+   length = **buffer;
+   (*buffer) ++;
+ 
+@@ -1301,6 +1307,9 @@ asn1_get_oid(
+   int		number;			/* OID number */
+ 
+ 
++  if (*buffer >= bufend)
++    return (0);
++
+   valend = *buffer + length;
+   oidptr = oid;
+   oidend = oid + oidsize - 1;
+@@ -1349,9 +1358,12 @@ asn1_get_packed(
+   int	value;				/* Value */
+ 
+ 
++  if (*buffer >= bufend)
++    return (0);
++
+   value = 0;
+ 
+-  while ((**buffer & 128) && *buffer < bufend)
++  while (*buffer < bufend && (**buffer & 128))
+   {
+     value = (value << 7) | (**buffer & 127);
+     (*buffer) ++;
+@@ -1379,6 +1391,9 @@ asn1_get_string(
+     char          *string,		/* I  - String buffer */
+     size_t        strsize)		/* I  - String buffer size */
+ {
++  if (*buffer >= bufend)
++    return (NULL);
++
+   if (length > (unsigned)(bufend - *buffer))
+     length = (unsigned)(bufend - *buffer);
+ 
+@@ -1421,6 +1436,9 @@ asn1_get_type(unsigned char **buffer,	/* IO - Pointer in buffer */
+   int	type;				/* Type */
+ 
+ 
++  if (*buffer >= bufend)
++    return (0);
++
+   type = **buffer;
+   (*buffer) ++;
+ 
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 923a6e67a..f693e7c49 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -564,6 +564,17 @@ cupsdReadClient(cupsd_client_t *con)	/* I - Client to read from */
+ 
+   cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cupsdReadClient: error=%d, used=%d, state=%s, data_encoding=HTTP_ENCODING_%s, data_remaining=" CUPS_LLFMT ", request=%p(%s), file=%d", httpError(con->http), (int)httpGetReady(con->http), httpStateString(httpGetState(con->http)), httpIsChunked(con->http) ? "CHUNKED" : "LENGTH", CUPS_LLCAST httpGetRemaining(con->http), con->request, con->request ? ippStateString(ippGetState(con->request)) : "", con->file);
+ 
++  if (httpError(con->http) == EPIPE && !httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
++  {
++   /*
++    * Connection closed...
++    */
++
++    cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
++    cupsdCloseClient(con);
++    return;
++  }
++
+   if (httpGetState(con->http) == HTTP_STATE_GET_SEND ||
+       httpGetState(con->http) == HTTP_STATE_POST_SEND ||
+       httpGetState(con->http) == HTTP_STATE_STATUS)
+@@ -573,17 +584,6 @@ cupsdReadClient(cupsd_client_t *con)	/* I - Client to read from */
+     * connection and we need to shut it down...
+     */
+ 
+-    if (!httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
+-    {
+-     /*
+-      * Connection closed...
+-      */
+-
+-      cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
+-      cupsdCloseClient(con);
+-      return;
+-    }
+-
+     cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on unexpected HTTP read state %s.", httpStateString(httpGetState(con->http)));
+     cupsdCloseClient(con);
+     return;
+@@ -1950,6 +1950,7 @@ cupsdSendError(cupsd_client_t *con,	/* I - Connection */
+   strlcpy(location, httpGetField(con->http, HTTP_FIELD_LOCATION), sizeof(location));
+ 
+   httpClearFields(con->http);
++  httpClearCookie(con->http);
+ 
+   httpSetField(con->http, HTTP_FIELD_LOCATION, location);
+ 
+-- 
+2.20.1
+

cups.spec

@@ -15,7 +15,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.2.8
-Release: 6%{?dist}
+Release: 12%{?dist}
 License: GPLv2+ and LGPLv2+ with exceptions and AML
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@@ -91,6 +91,9 @@ Patch9: cups-lpr-help.patch
 Patch18: cups-filter-debug.patch
 # add device id for dymo printer
 Patch29: cups-dymo-deviceid.patch
+
+#### UPSTREAM PATCHES ####
+
 # cupsd LogLevel ignored when logging to journald (syslog) (#1589593) - 
 # cups logging ignored log level when logging was set to syslog and
 # it did not support job logging history (upstream https://github.com/apple/cups/pull/5337)
@@ -107,6 +110,10 @@ Patch44: cups-ippeve-webui.patch
 Patch45: 0001-Fix-memory-leaks-found-by-Coverity-Issue-5375.patch
 # 1622432 - multiple file job can stuck when data transfer is interrupted, so now it is aborted (https://github.com/apple/cups/pull/5413)
 Patch46: 0001-Fix-stuck-multi-file-jobs-Issue-5359-Issue-5413.patch
+# 1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all]
+Patch47: 0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
+# 1742934, 1742935 - CVEs in SNMP backend
+Patch48: 0001-Multiple-security-disclosure-issues.patch
 
 ##### Patches removed because IMHO they aren't no longer needed
 ##### but still I'll leave them in git in case their removal
@@ -356,6 +363,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 # fixed covscan issues from upstream
 %patch45 -p1 -b .covscan
 %patch46 -p1 -b .multifile-stuck
+%patch47 -p1 -b .predictable-cookie
+%patch48 -p1 -b .snmp-cves
 
 # if cupsd is set to log into /var/log/cups, then 'MaxLogSize 0' needs to be
 # in cupsd.conf to disable cupsd logrotate functionality and use logrotated
@@ -381,7 +390,7 @@ iconv -f MACINTOSH -t UTF-8 "$f"~ > "$f"
 rm -f "$f"~
 
 aclocal -I config-scripts
-autoconf -I config-scripts
+autoconf -f -I config-scripts
 
 %build
 # add Fedora specific flags to DSOFLAGS
@@ -526,13 +535,24 @@ message="This CUPS log has been moved into journal by default unless changes hav
 for ((i=0;i<${#confignames[@]};i++));
 do
   found=`grep -i "${confignames[i]} syslog" /etc/cups/cups-files.conf`
+  found=`%{_bindir}/grep -i "${confignames[i]} syslog" /etc/cups/cups-files.conf`
   if [ ! -z "$found" ]
   then
     if [ ! -f %{_localstatedir}/log/cups/${lognames[i]} ]
     then
       %{_bindir}/touch %{_localstatedir}/log/cups/${lognames[i]} || :
     fi
-    lastmessage=`%{_bindir}/tail -n 1 %{_localstatedir}/log/cups/${lognames[i]} | grep "$message"`
+    perms=`%{_bindir}/ls -lah %{_localstatedir}/log/cups/${lognames[i]} | %{_bindir}/grep -v -e "\-rw-------" -e "root lp"`
+    if [ ! -z "$perms" ]
+    then
+      # we need to set correct permissions and ownership because of possible
+      # security issues
+      # we need to have it here, because previous CUPS releases had the bug.
+      # Checking permissions and ownership here fixes it.
+      %{_bindir}/chown root:lp %{_localstatedir}/log/cups/${lognames[i]} || :
+      %{_bindir}/chmod 600 %{_localstatedir}/log/cups/${lognames[i]} || :
+    fi
+    lastmessage=`%{_bindir}/tail -n 1 %{_localstatedir}/log/cups/${lognames[i]} | %{_bindir}/grep "$message"`
     if [ -z "$lastmessage" ]
     then
       %{_bindir}/echo $message >> %{_localstatedir}/log/cups/${lognames[i]} || :
@@ -630,15 +650,18 @@ rm -f %{cups_serverbin}/backend/smb
 %dir %{_datadir}/%{name}/www/ru
 %{_datadir}/%{name}/www/images
 %{_datadir}/%{name}/www/*.css
-%doc %{_datadir}/%{name}/www/index.html
-%doc %{_datadir}/%{name}/www/help
-%doc %{_datadir}/%{name}/www/robots.txt
-%doc %{_datadir}/%{name}/www/de/index.html
-%doc %{_datadir}/%{name}/www/es/index.html
-%doc %{_datadir}/%{name}/www/ja/index.html
-%doc %{_datadir}/%{name}/www/ru/index.html
-%doc %{_datadir}/%{name}/www/pt_BR/index.html
-%doc %{_datadir}/%{name}/www/apple-touch-icon.png
+# 1658673 - html files cannot be docs, because CUPS web ui will not have
+# introduction page on Fedora Docker image (because rpms are installed
+# without docs there because of space reasons)
+%{_datadir}/%{name}/www/index.html
+%{_datadir}/%{name}/www/help
+%{_datadir}/%{name}/www/robots.txt
+%{_datadir}/%{name}/www/de/index.html
+%{_datadir}/%{name}/www/es/index.html
+%{_datadir}/%{name}/www/ja/index.html
+%{_datadir}/%{name}/www/ru/index.html
+%{_datadir}/%{name}/www/pt_BR/index.html
+%{_datadir}/%{name}/www/apple-touch-icon.png
 %dir %{_datadir}/%{name}/usb
 %{_datadir}/%{name}/usb/org.cups.usb-quirks
 %{_unitdir}/%{name}.service
@@ -749,6 +772,24 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz
 
 %changelog
+* Mon Aug 19 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-12
+- 1742934, 1742935 - SNMP backend CVEs
+
+* Tue Feb 19 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-11
+- automake sometimes does not generate macros correctly - force it
+
+* Fri Dec 14 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-10
+- previous commit - fix for previous releases
+
+* Thu Dec 13 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-9
+- logs need to have correct permissions
+
+* Thu Dec 13 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-8
+- 1658673 - Main index.html of web interface doesn't get installed when not installing documentation
+
+* Mon Dec 10 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-7
+- 1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all]
+
 * Fri Nov 09 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-6
 - 1622432 - Jobs with multiple files don't complete when backend fails
 - 1648396 - 'cupsd[998]: [CGI] Unable to execute ippfind utility: No such file or directory' in journal