Compare commits
8 Commits
Author | SHA1 | Date |
---|---|---|
Zdenek Dohnal | 2b8241b590 | |
Zdenek Dohnal | 1ee12e24ca | |
Zdenek Dohnal | eda1c61294 | |
Zdenek Dohnal | a9d0aa70cd | |
Zdenek Dohnal | 59c0df3063 | |
Zdenek Dohnal | a0b8dc8ea4 | |
Zdenek Dohnal | 595f04610e | |
Zdenek Dohnal | cedbda0d39 |
|
@ -0,0 +1,22 @@
|
|||
diff --git a/cgi-bin/var.c b/cgi-bin/var.c
|
||||
index 316b67f05..12f3c8344 100644
|
||||
--- a/cgi-bin/var.c
|
||||
+++ b/cgi-bin/var.c
|
||||
@@ -1186,6 +1186,7 @@ cgi_set_sid(void)
|
||||
const char *remote_addr, /* REMOTE_ADDR */
|
||||
*server_name, /* SERVER_NAME */
|
||||
*server_port; /* SERVER_PORT */
|
||||
+ struct timeval curtime; /* Current time */
|
||||
|
||||
|
||||
if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
|
||||
@@ -1195,7 +1196,8 @@ cgi_set_sid(void)
|
||||
if ((server_port = getenv("SERVER_PORT")) == NULL)
|
||||
server_port = "SERVER_PORT";
|
||||
|
||||
- CUPS_SRAND(time(NULL));
|
||||
+ gettimeofday(&curtime, NULL);
|
||||
+ CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
|
||||
snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
|
||||
remote_addr, server_name, server_port,
|
||||
(unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
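Review bot: The new seed in `CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);` still comes only from the wall clock, so the session ID built by the following `snprintf` stays guessable to anyone who can estimate when the CGI ran. Adding `tv_usec` contributes at most about 20 bits, and different (tv_sec, tv_usec) pairs collapse to the same sum. Because this ID backs the CSRF protection, the eight random bytes should come from the kernel CSPRNG (for example `getrandom()` or a read from `/dev/urandom`) rather than from a time-seeded generator. The return value of `gettimeofday()` is also unchecked, and the hunks do not show whether var.c includes `<sys/time.h>`. The body of cgi_set_sid continues outside both hunks.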
|
|
@ -0,0 +1,182 @@
|
|||
From 2c030c7a06e0c2b8227c7e85f5c58dfb339731d0 Mon Sep 17 00:00:00 2001
|
||||
From: Michael R Sweet <michael.r.sweet@gmail.com>
|
||||
Date: Thu, 15 Aug 2019 14:06:47 -0400
|
||||
Subject: [PATCH] Multiple security/disclosure issues:
|
||||
|
||||
- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251)
|
||||
- Fixed IPP buffer overflow (rdar://50035411)
|
||||
- Fixed memory disclosure issue in the scheduler (rdar://51373853)
|
||||
- Fixed DoS issues in the scheduler (rdar://51373929)
|
||||
diff --git a/cups/http.c b/cups/http.c
|
||||
index 266a15791..fbb1bf13c 100644
|
||||
--- a/cups/http.c
|
||||
+++ b/cups/http.c
|
||||
@@ -1860,7 +1860,7 @@ httpPrintf(http_t *http, /* I - HTTP connection */
|
||||
...) /* I - Additional args as needed */
|
||||
{
|
||||
ssize_t bytes; /* Number of bytes to write */
|
||||
- char buf[16384]; /* Buffer for formatted string */
|
||||
+ char buf[65536]; /* Buffer for formatted string */
|
||||
va_list ap; /* Variable argument pointer */
|
||||
|
||||
|
||||
@@ -1872,7 +1872,12 @@ httpPrintf(http_t *http, /* I - HTTP connection */
|
||||
|
||||
DEBUG_printf(("3httpPrintf: (" CUPS_LLFMT " bytes) %s", CUPS_LLCAST bytes, buf));
|
||||
|
||||
- if (http->data_encoding == HTTP_ENCODING_FIELDS)
|
||||
+ if (bytes > (ssize_t)(sizeof(buf) - 1))
|
||||
+ {
|
||||
+ http->error = ENOMEM;
|
||||
+ return (-1);
|
||||
+ }
|
||||
+ else if (http->data_encoding == HTTP_ENCODING_FIELDS)
|
||||
return ((int)httpWrite2(http, buf, (size_t)bytes));
|
||||
else
|
||||
{
|
||||
diff --git a/cups/ipp.c b/cups/ipp.c
|
||||
index 6fae52a00..1bd59cef1 100644
|
||||
--- a/cups/ipp.c
|
||||
+++ b/cups/ipp.c
|
||||
@@ -4550,9 +4550,7 @@ ippSetValueTag(
|
||||
break;
|
||||
|
||||
case IPP_TAG_NAME :
|
||||
- if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI &&
|
||||
- temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE &&
|
||||
- temp_tag != IPP_TAG_MIMETYPE)
|
||||
+ if (temp_tag != IPP_TAG_KEYWORD)
|
||||
return (0);
|
||||
|
||||
(*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST));
|
||||
@@ -4560,10 +4558,7 @@ ippSetValueTag(
|
||||
|
||||
case IPP_TAG_NAMELANG :
|
||||
case IPP_TAG_TEXTLANG :
|
||||
- if (value_tag == IPP_TAG_NAMELANG &&
|
||||
- (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD &&
|
||||
- temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME &&
|
||||
- temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE))
|
||||
+ if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD))
|
||||
return (0);
|
||||
|
||||
if (value_tag == IPP_TAG_TEXTLANG && temp_tag != IPP_TAG_TEXT)
|
||||
diff --git a/cups/snmp.c b/cups/snmp.c
|
||||
index 5cefee454..1d9da01f2 100644
|
||||
--- a/cups/snmp.c
|
||||
+++ b/cups/snmp.c
|
||||
@@ -1233,6 +1233,9 @@ asn1_get_integer(
|
||||
int value; /* Integer value */
|
||||
|
||||
|
||||
+ if (*buffer >= bufend)
|
||||
+ return (0);
|
||||
+
|
||||
if (length > sizeof(int))
|
||||
{
|
||||
(*buffer) += length;
|
||||
@@ -1259,6 +1262,9 @@ asn1_get_length(unsigned char **buffer, /* IO - Pointer in buffer */
|
||||
unsigned length; /* Length */
|
||||
|
||||
|
||||
+ if (*buffer >= bufend)
|
||||
+ return (0);
|
||||
+
|
||||
length = **buffer;
|
||||
(*buffer) ++;
|
||||
|
||||
@@ -1301,6 +1307,9 @@ asn1_get_oid(
|
||||
int number; /* OID number */
|
||||
|
||||
|
||||
+ if (*buffer >= bufend)
|
||||
+ return (0);
|
||||
+
|
||||
valend = *buffer + length;
|
||||
oidptr = oid;
|
||||
oidend = oid + oidsize - 1;
|
||||
@@ -1349,9 +1358,12 @@ asn1_get_packed(
|
||||
int value; /* Value */
|
||||
|
||||
|
||||
+ if (*buffer >= bufend)
|
||||
+ return (0);
|
||||
+
|
||||
value = 0;
|
||||
|
||||
- while ((**buffer & 128) && *buffer < bufend)
|
||||
+ while (*buffer < bufend && (**buffer & 128))
|
||||
{
|
||||
value = (value << 7) | (**buffer & 127);
|
||||
(*buffer) ++;
|
||||
@@ -1379,6 +1391,9 @@ asn1_get_string(
|
||||
char *string, /* I - String buffer */
|
||||
size_t strsize) /* I - String buffer size */
|
||||
{
|
||||
+ if (*buffer >= bufend)
|
||||
+ return (NULL);
|
||||
+
|
||||
if (length > (unsigned)(bufend - *buffer))
|
||||
length = (unsigned)(bufend - *buffer);
|
||||
|
||||
@@ -1421,6 +1436,9 @@ asn1_get_type(unsigned char **buffer, /* IO - Pointer in buffer */
|
||||
int type; /* Type */
|
||||
|
||||
|
||||
+ if (*buffer >= bufend)
|
||||
+ return (0);
|
||||
+
|
||||
type = **buffer;
|
||||
(*buffer) ++;
|
||||
|
||||
diff --git a/scheduler/client.c b/scheduler/client.c
|
||||
index 923a6e67a..f693e7c49 100644
|
||||
--- a/scheduler/client.c
|
||||
+++ b/scheduler/client.c
|
||||
@@ -564,6 +564,17 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
|
||||
|
||||
cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cupsdReadClient: error=%d, used=%d, state=%s, data_encoding=HTTP_ENCODING_%s, data_remaining=" CUPS_LLFMT ", request=%p(%s), file=%d", httpError(con->http), (int)httpGetReady(con->http), httpStateString(httpGetState(con->http)), httpIsChunked(con->http) ? "CHUNKED" : "LENGTH", CUPS_LLCAST httpGetRemaining(con->http), con->request, con->request ? ippStateString(ippGetState(con->request)) : "", con->file);
|
||||
|
||||
+ if (httpError(con->http) == EPIPE && !httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
|
||||
+ {
|
||||
+ /*
|
||||
+ * Connection closed...
|
||||
+ */
|
||||
+
|
||||
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
|
||||
+ cupsdCloseClient(con);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (httpGetState(con->http) == HTTP_STATE_GET_SEND ||
|
||||
httpGetState(con->http) == HTTP_STATE_POST_SEND ||
|
||||
httpGetState(con->http) == HTTP_STATE_STATUS)
|
||||
@@ -573,17 +584,6 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
|
||||
* connection and we need to shut it down...
|
||||
*/
|
||||
|
||||
- if (!httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
|
||||
- {
|
||||
- /*
|
||||
- * Connection closed...
|
||||
- */
|
||||
-
|
||||
- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
|
||||
- cupsdCloseClient(con);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on unexpected HTTP read state %s.", httpStateString(httpGetState(con->http)));
|
||||
cupsdCloseClient(con);
|
||||
return;
|
||||
@@ -1950,6 +1950,7 @@ cupsdSendError(cupsd_client_t *con, /* I - Connection */
|
||||
strlcpy(location, httpGetField(con->http, HTTP_FIELD_LOCATION), sizeof(location));
|
||||
|
||||
httpClearFields(con->http);
|
||||
+ httpClearCookie(con->http);
|
||||
|
||||
httpSetField(con->http, HTTP_FIELD_LOCATION, location);
|
||||
|
||||
--
|
||||
2.20.1
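Review bot: The added `if (*buffer >= bufend)` guards in cups/snmp.c reject only a buffer that is already exhausted, so a `length` larger than the remaining bytes still gets through. In asn1_get_integer the visible `(*buffer) += length;` can then move the pointer past `bufend`, and in asn1_get_oid `valend = *buffer + length;` is computed unclamped. asn1_get_string already has the pattern to reuse, `if (length > (unsigned)(bufend - *buffer)) length = (unsigned)(bufend - *buffer);`, and the same clamp (or an early return) should precede those two statements. The rest of each function lies outside the hunks, so a later bound on `valend` may exist and should be confirmed. Separately, in cups/http.c the new `bytes > (ssize_t)(sizeof(buf) - 1)` test does not cover a negative `bytes`, which `(size_t)bytes` would turn into a very large write length if the formatting call (not shown) can fail; `if (bytes < 0 || bytes > (ssize_t)(sizeof(buf) - 1))` would close that.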
|
||||
|
65
cups.spec
65
cups.spec
|
@ -15,7 +15,7 @@ Summary: CUPS printing system
|
|||
Name: cups
|
||||
Epoch: 1
|
||||
Version: 2.2.8
|
||||
Release: 6%{?dist}
|
||||
Release: 12%{?dist}
|
||||
License: GPLv2+ and LGPLv2+ with exceptions and AML
|
||||
Url: http://www.cups.org/
|
||||
Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
|
||||
|
@ -91,6 +91,9 @@ Patch9: cups-lpr-help.patch
|
|||
Patch18: cups-filter-debug.patch
|
||||
# add device id for dymo printer
|
||||
Patch29: cups-dymo-deviceid.patch
|
||||
|
||||
#### UPSTREAM PATCHES ####
|
||||
|
||||
# cupsd LogLevel ignored when logging to journald (syslog) (#1589593) -
|
||||
# cups logging ignored log level when logging was set to syslog and
|
||||
# it did not support job logging history (upstream https://github.com/apple/cups/pull/5337)
|
||||
|
@ -107,6 +110,10 @@ Patch44: cups-ippeve-webui.patch
|
|||
Patch45: 0001-Fix-memory-leaks-found-by-Coverity-Issue-5375.patch
|
||||
# 1622432 - multiple file job can stuck when data transfer is interrupted, so now it is aborted (https://github.com/apple/cups/pull/5413)
|
||||
Patch46: 0001-Fix-stuck-multi-file-jobs-Issue-5359-Issue-5413.patch
|
||||
# 1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all]
|
||||
Patch47: 0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
|
||||
# 1742934, 1742935 - CVEs in SNMP backend
|
||||
Patch48: 0001-Multiple-security-disclosure-issues.patch
|
||||
|
||||
##### Patches removed because IMHO they aren't no longer needed
|
||||
##### but still I'll leave them in git in case their removal
|
||||
|
@ -356,6 +363,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
|
|||
# fixed covscan issues from upstream
|
||||
%patch45 -p1 -b .covscan
|
||||
%patch46 -p1 -b .multifile-stuck
|
||||
%patch47 -p1 -b .predictable-cookie
|
||||
%patch48 -p1 -b .snmp-cves
|
||||
|
||||
# if cupsd is set to log into /var/log/cups, then 'MaxLogSize 0' needs to be
|
||||
# in cupsd.conf to disable cupsd logrotate functionality and use logrotated
|
||||
|
@ -381,7 +390,7 @@ iconv -f MACINTOSH -t UTF-8 "$f"~ > "$f"
|
|||
rm -f "$f"~
|
||||
|
||||
aclocal -I config-scripts
|
||||
autoconf -I config-scripts
|
||||
autoconf -f -I config-scripts
|
||||
|
||||
%build
|
||||
# add Fedora specific flags to DSOFLAGS
|
||||
|
@ -526,13 +535,24 @@ message="This CUPS log has been moved into journal by default unless changes hav
|
|||
for ((i=0;i<${#confignames[@]};i++));
|
||||
do
|
||||
found=`grep -i "${confignames[i]} syslog" /etc/cups/cups-files.conf`
|
||||
found=`%{_bindir}/grep -i "${confignames[i]} syslog" /etc/cups/cups-files.conf`
|
||||
if [ ! -z "$found" ]
|
||||
then
|
||||
if [ ! -f %{_localstatedir}/log/cups/${lognames[i]} ]
|
||||
then
|
||||
%{_bindir}/touch %{_localstatedir}/log/cups/${lognames[i]} || :
|
||||
fi
|
||||
lastmessage=`%{_bindir}/tail -n 1 %{_localstatedir}/log/cups/${lognames[i]} | grep "$message"`
|
||||
perms=`%{_bindir}/ls -lah %{_localstatedir}/log/cups/${lognames[i]} | %{_bindir}/grep -v -e "\-rw-------" -e "root lp"`
|
||||
if [ ! -z "$perms" ]
|
||||
then
|
||||
# we need to set correct permissions and ownership because of possible
|
||||
# security issues
|
||||
# we need to have it here, because previous CUPS releases had the bug.
|
||||
# Checking permissions and ownership here fixes it.
|
||||
%{_bindir}/chown root:lp %{_localstatedir}/log/cups/${lognames[i]} || :
|
||||
%{_bindir}/chmod 600 %{_localstatedir}/log/cups/${lognames[i]} || :
|
||||
fi
|
||||
lastmessage=`%{_bindir}/tail -n 1 %{_localstatedir}/log/cups/${lognames[i]} | %{_bindir}/grep "$message"`
|
||||
if [ -z "$lastmessage" ]
|
||||
then
|
||||
%{_bindir}/echo $message >> %{_localstatedir}/log/cups/${lognames[i]} || :
|
||||
|
@ -630,15 +650,18 @@ rm -f %{cups_serverbin}/backend/smb
|
|||
%dir %{_datadir}/%{name}/www/ru
|
||||
%{_datadir}/%{name}/www/images
|
||||
%{_datadir}/%{name}/www/*.css
|
||||
%doc %{_datadir}/%{name}/www/index.html
|
||||
%doc %{_datadir}/%{name}/www/help
|
||||
%doc %{_datadir}/%{name}/www/robots.txt
|
||||
%doc %{_datadir}/%{name}/www/de/index.html
|
||||
%doc %{_datadir}/%{name}/www/es/index.html
|
||||
%doc %{_datadir}/%{name}/www/ja/index.html
|
||||
%doc %{_datadir}/%{name}/www/ru/index.html
|
||||
%doc %{_datadir}/%{name}/www/pt_BR/index.html
|
||||
%doc %{_datadir}/%{name}/www/apple-touch-icon.png
|
||||
# 1658673 - html files cannot be docs, because CUPS web ui will not have
|
||||
# introduction page on Fedora Docker image (because rpms are installed
|
||||
# without docs there because of space reasons)
|
||||
%{_datadir}/%{name}/www/index.html
|
||||
%{_datadir}/%{name}/www/help
|
||||
%{_datadir}/%{name}/www/robots.txt
|
||||
%{_datadir}/%{name}/www/de/index.html
|
||||
%{_datadir}/%{name}/www/es/index.html
|
||||
%{_datadir}/%{name}/www/ja/index.html
|
||||
%{_datadir}/%{name}/www/ru/index.html
|
||||
%{_datadir}/%{name}/www/pt_BR/index.html
|
||||
%{_datadir}/%{name}/www/apple-touch-icon.png
|
||||
%dir %{_datadir}/%{name}/usb
|
||||
%{_datadir}/%{name}/usb/org.cups.usb-quirks
|
||||
%{_unitdir}/%{name}.service
|
||||
|
@ -749,6 +772,24 @@ rm -f %{cups_serverbin}/backend/smb
|
|||
%{_mandir}/man5/ipptoolfile.5.gz
|
||||
|
||||
%changelog
|
||||
* Mon Aug 19 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-12
|
||||
- 1742934, 1742935 - SNMP backend CVEs
|
||||
|
||||
* Tue Feb 19 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-11
|
||||
- automake sometimes does not generate macros correctly - force it
|
||||
|
||||
* Fri Dec 14 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-10
|
||||
- previous commit - fix for previous releases
|
||||
|
||||
* Thu Dec 13 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-9
|
||||
- logs need to have correct permissions
|
||||
|
||||
* Thu Dec 13 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-8
|
||||
- 1658673 - Main index.html of web interface doesn't get installed when not installing documentation
|
||||
|
||||
* Mon Dec 10 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-7
|
||||
- 1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all]
|
||||
|
||||
* Fri Nov 09 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.8-6
|
||||
- 1622432 - Jobs with multiple files don't complete when backend fails
|
||||
- 1648396 - 'cupsd[998]: [CGI] Unable to execute ippfind utility: No such file or directory' in journal
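Review bot: The permission test in the log-migration scriptlet, `%{_bindir}/ls -lah … | %{_bindir}/grep -v -e "\-rw-------" -e "root lp"`, only triggers when both the mode and the ownership are wrong. `grep -v` with two `-e` patterns drops a line that matches either one, so a log owned by `root lp` with a looser mode (or mode 600 with a different owner) leaves `$perms` empty and is never corrected. Matching on `ls` output is also fragile. Since `chown root:lp` and `chmod 600` are idempotent, the simplest fix is to run them unconditionally; if a test is wanted, compare the output of `%{_bindir}/stat -c '%a %U %G'` against `600 root lp`. The log is also created by `touch` with default permissions before they are tightened, so creating it with the final mode and owner would avoid that short window.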
|
||||
|
|