1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c

1822154 - cups.service doesn't execute automatically on request
1808409 - the default printer for the system set with lpoptions is being ignored
2020-04-22 10:12:08 +02:00 · 2020-04-20 15:39:57 +02:00 · 2020-03-04 16:28:53 +01:00 · 2020-01-02 10:40:09 +01:00 · 2019-12-17 11:07:51 +01:00
4 changed files with 424 additions and 3 deletions
--- a/cups-autostart-when-enabled.patch
+++ b/cups-autostart-when-enabled.patch
@ -0,0 +1,10 @@
+diff --git a/scheduler/org.cups.cupsd.service.in b/scheduler/org.cups.cupsd.service.in
+index bf308a5..add238b 100644
+--- a/scheduler/org.cups.cupsd.service.in
+++ b/scheduler/org.cups.cupsd.service.in
+@@ -10,4 +10,4 @@ Restart=on-failure
+ 
+ [Install]
+ Also=cups.socket cups.path
+-WantedBy=printer.target
+WantedBy=printer.target multi-user.target
--- a/cups-default-lpoptions.patch
+++ b/cups-default-lpoptions.patch
@ -0,0 +1,335 @@
+diff --git a/cups/cups-private.h b/cups/cups-private.h
+index 4ec4e68..f436e3e 100644
+--- a/cups/cups-private.h
+++ b/cups/cups-private.h
+@@ -64,6 +64,7 @@ typedef struct _cups_globals_s		/**** CUPS global state data ****/
+ 			*cups_serverroot,
+ 					/* CUPS_SERVERROOT environment var */
+ 			*cups_statedir,	/* CUPS_STATEDIR environment var */
+			*home,		/* HOME environment var */
+ 			*localedir;	/* LOCALDIR environment var */
+ 
+   /* adminutil.c */
+diff --git a/cups/dest.c b/cups/dest.c
+index fd635b1..bc07eb1 100644
+--- a/cups/dest.c
+++ b/cups/dest.c
+@@ -1752,7 +1752,6 @@ cupsGetNamedDest(http_t     *http,	/* I - Connection to server or @code CUPS_HTT
+   cups_dest_t	*dest;			/* Destination */
+   char		filename[1024],		/* Path to lpoptions */
+ 		defname[256];		/* Default printer name */
+-  const char	*home = getenv("HOME");	/* Home directory */
+   int		set_as_default = 0;	/* Set returned destination as default */
+   ipp_op_t	op = IPP_OP_GET_PRINTER_ATTRIBUTES;
+ 					/* IPP operation to get server ops */
+@@ -1784,13 +1783,13 @@ cupsGetNamedDest(http_t     *http,	/* I - Connection to server or @code CUPS_HTT
+       else
+         instance = NULL;
+     }
+-    else if (home)
+    else if (cg->home)
+     {
+      /*
+       * No default in the environment, try the user's lpoptions files...
+       */
+ 
+-      snprintf(filename, sizeof(filename), "%s/.cups/lpoptions", home);
+      snprintf(filename, sizeof(filename), "%s/.cups/lpoptions", cg->home);
+ 
+       dest_name = cups_get_default(filename, defname, sizeof(defname), &instance);
+ 
+@@ -1896,9 +1895,9 @@ cupsGetNamedDest(http_t     *http,	/* I - Connection to server or @code CUPS_HTT
+   snprintf(filename, sizeof(filename), "%s/lpoptions", cg->cups_serverroot);
+   cups_get_dests(filename, dest_name, instance, 0, 1, 1, &dest);
+ 
+-  if (home)
+  if (cg->home)
+   {
+-    snprintf(filename, sizeof(filename), "%s/.cups/lpoptions", home);
+    snprintf(filename, sizeof(filename), "%s/.cups/lpoptions", cg->home);
+ 
+     cups_get_dests(filename, dest_name, instance, 0, 1, 1, &dest);
+   }
+@@ -2036,9 +2035,6 @@ cupsSetDests2(http_t      *http,	/* I - Connection to server or @code CUPS_HTTP_
+   cups_option_t	*option;		/* Current option */
+   _ipp_option_t	*match;			/* Matching attribute for option */
+   FILE		*fp;			/* File pointer */
+-#ifndef _WIN32
+-  const char	*home;			/* HOME environment variable */
+-#endif /* _WIN32 */
+   char		filename[1024];		/* lpoptions file */
+   int		num_temps;		/* Number of temporary destinations */
+   cups_dest_t	*temps = NULL,		/* Temporary destinations */
+@@ -2072,27 +2068,18 @@ cupsSetDests2(http_t      *http,	/* I - Connection to server or @code CUPS_HTTP_
+ 
+   snprintf(filename, sizeof(filename), "%s/lpoptions", cg->cups_serverroot);
+ 
+-#ifndef _WIN32
+-  if (getuid())
+  if (cg->home)
+   {
+    /*
+-    * Point to user defaults...
+    * Create ~/.cups subdirectory...
+     */
+ 
+-    if ((home = getenv("HOME")) != NULL)
+-    {
+-     /*
+-      * Create ~/.cups subdirectory...
+-      */
+    snprintf(filename, sizeof(filename), "%s/.cups", cg->home);
+    if (access(filename, 0))
+      mkdir(filename, 0700);
+ 
+-      snprintf(filename, sizeof(filename), "%s/.cups", home);
+-      if (access(filename, 0))
+-        mkdir(filename, 0700);
+-
+-      snprintf(filename, sizeof(filename), "%s/.cups/lpoptions", home);
+-    }
+    snprintf(filename, sizeof(filename), "%s/.cups/lpoptions", cg->home);
+   }
+-#endif /* !_WIN32 */
+ 
+  /*
+   * Try to open the file...
+@@ -2273,7 +2260,7 @@ _cupsUserDefault(char   *name,		/* I - Name buffer */
+   * system preferences...
+   */
+ 
+-  if ((locprinter = _cupsAppleCopyDefaultPrinter()) != NULL)
+  if (!getenv("CUPS_NO_APPLE_DEFAULT") && (locprinter = _cupsAppleCopyDefaultPrinter()) != NULL)
+   {
+     CFStringGetCString(locprinter, name, (CFIndex)namesize, kCFStringEncodingUTF8);
+     CFRelease(locprinter);
+@@ -3396,10 +3383,9 @@ cups_enum_dests(
+   int           i, j,			/* Looping vars */
+                 num_dests;              /* Number of destinations */
+   cups_dest_t   *dests = NULL,          /* Destinations */
+-                *dest,                  /* Current destination */
+-                *user_dest;		/* User destination */
+                *dest;			/* Current destination */
+   cups_option_t	*option;		/* Current option */
+-  char          *user_default;          /* User default printer */
+  const char	*user_default;		/* Default printer from environment */
+ #if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
+   int           count,                  /* Number of queries started */
+                 completed,              /* Number of completed queries */
+@@ -3430,7 +3416,6 @@ cups_enum_dests(
+ #else
+   _cups_getdata_t data;			/* Data for callback */
+ #endif /* HAVE_DNSSD || HAVE_AVAHI */
+-  const char	*home;			/* HOME environment variable */
+   char		filename[1024];		/* Local lpoptions file */
+   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
+ 
+@@ -3455,13 +3440,35 @@ cups_enum_dests(
+ 
+   memset(&data, 0, sizeof(data));
+ 
+-  if ((user_default = _cupsUserDefault(data.def_name, sizeof(data.def_name))) == NULL)
+  user_default = _cupsUserDefault(data.def_name, sizeof(data.def_name));
+
+  snprintf(filename, sizeof(filename), "%s/lpoptions", cg->cups_serverroot);
+  data.num_dests = cups_get_dests(filename, NULL, NULL, 1, user_default != NULL, data.num_dests, &data.dests);
+
+  if (cg->home)
+   {
+-    const char *defprinter = cupsGetDefault2(http);
+-					/* Server default, if any */
+    snprintf(filename, sizeof(filename), "%s/.cups/lpoptions", cg->home);
+ 
+-    if (defprinter)
+-      strlcpy(data.def_name, defprinter, sizeof(data.def_name));
+    data.num_dests = cups_get_dests(filename, NULL, NULL, 1, user_default != NULL, data.num_dests, &data.dests);
+  }
+
+  if (!user_default && (dest = cupsGetDest(NULL, NULL, data.num_dests, data.dests)) != NULL)
+  {
+   /*
+    * Use an lpoptions default printer...
+    */
+
+    if (dest->instance)
+      snprintf(data.def_name, sizeof(data.def_name), "%s/%s", dest->name, dest->instance);
+    else
+      strlcpy(data.def_name, dest->name, sizeof(data.def_name));
+  }
+  else
+  {
+    const char	*default_printer;	/* Server default printer */
+
+    if ((default_printer = cupsGetDefault2(http)) != NULL)
+      strlcpy(data.def_name, default_printer, sizeof(data.def_name));
+   }
+ 
+   if (data.def_name[0])
+@@ -3476,16 +3483,6 @@ cups_enum_dests(
+ 
+   DEBUG_printf(("1cups_enum_dests: def_name=\"%s\", def_instance=\"%s\"", data.def_name, data.def_instance));
+ 
+-  snprintf(filename, sizeof(filename), "%s/lpoptions", cg->cups_serverroot);
+-  data.num_dests = cups_get_dests(filename, NULL, NULL, 1, user_default != NULL, data.num_dests, &data.dests);
+-
+-  if ((home = getenv("HOME")) != NULL)
+-  {
+-    snprintf(filename, sizeof(filename), "%s/.cups/lpoptions", home);
+-
+-    data.num_dests = cups_get_dests(filename, NULL, NULL, 1, user_default != NULL, data.num_dests, &data.dests);
+-  }
+-
+  /*
+   * Get ready to enumerate...
+   */
+@@ -3523,8 +3520,9 @@ cups_enum_dests(
+          i > 0 && (!cancel || !*cancel);
+          i --, dest ++)
+     {
+      cups_dest_t	*user_dest;	/* Destination from lpoptions */
+ #if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
+-      const char *device_uri;    /* Device URI */
+      const char	*device_uri;	/* Device URI */
+ #endif /* HAVE_DNSSD || HAVE_AVAHI */
+ 
+       if ((user_dest = cupsGetDest(dest->name, dest->instance, data.num_dests, data.dests)) != NULL)
+@@ -3793,6 +3791,8 @@ cups_enum_dests(
+ 
+         if ((device->type & mask) == type)
+         {
+          cups_dest_t	*user_dest;	/* Destination from lpoptions */
+
+           dest = &device->dest;
+ 
+ 	  if ((user_dest = cupsGetDest(dest->name, dest->instance, data.num_dests, data.dests)) != NULL)
+diff --git a/cups/globals.c b/cups/globals.c
+index 28c993b..3882b78 100644
+--- a/cups/globals.c
+++ b/cups/globals.c
+@@ -18,6 +18,9 @@
+  */
+ 
+ #include "cups-private.h"
+#ifndef _WIN32
+#  include <pwd.h>
+#endif /* !_WIN32 */
+ 
+ 
+ /*
+@@ -276,6 +279,8 @@ cups_globals_alloc(void)
+   if ((cg->localedir = getenv("LOCALEDIR")) == NULL)
+     cg->localedir = localedir;
+ 
+  cg->home = getenv("HOME");
+
+ #else
+ #  ifdef HAVE_GETEUID
+   if ((geteuid() != getuid() && getuid()) || getegid() != getgid())
+@@ -314,6 +319,18 @@ cups_globals_alloc(void)
+ 
+     if ((cg->localedir = getenv("LOCALEDIR")) == NULL)
+       cg->localedir = CUPS_LOCALEDIR;
+
+#  ifndef __APPLE__ /* Sandboxing now exposes the container as the home directory */
+    cg->home = getenv("HOME");
+#endif /* !__APPLE__ */
+  }
+
+  if (!cg->home)
+  {
+    struct passwd	*pw;		/* User info */
+
+    if ((pw = getpwuid(getuid())) != NULL)
+      cg->home = _cupsStrAlloc(pw->pw_dir);
+   }
+ #endif /* _WIN32 */
+ 
+diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c
+index c4f0ccb..f2259fe 100644
+--- a/cups/tls-darwin.c
+++ b/cups/tls-darwin.c
+@@ -1935,7 +1935,8 @@ static const char *			/* O - Keychain path */
+ http_cdsa_default_path(char   *buffer,	/* I - Path buffer */
+                        size_t bufsize)	/* I - Size of buffer */
+ {
+-  const char *home = getenv("HOME");	/* HOME environment variable */
+  _cups_globals_t	*cg = _cupsGlobals();
+					/* Pointer to library globals */
+ 
+ 
+  /*
+@@ -1944,8 +1945,8 @@ http_cdsa_default_path(char   *buffer,	/* I - Path buffer */
+   * 10.11.4 (!), so we need to create our own keychain just for CUPS.
+   */
+ 
+-  if (getuid() && home)
+-    snprintf(buffer, bufsize, "%s/.cups/ssl.keychain", home);
+  if (cg->home)
+    snprintf(buffer, bufsize, "%s/.cups/ssl.keychain", cg->home);
+   else
+     strlcpy(buffer, "/etc/cups/ssl.keychain", bufsize);
+ 
+diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
+index 1dc1b2a..c195c63 100644
+--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
+@@ -931,12 +931,13 @@ static const char *			/* O - Path or NULL on error */
+ http_gnutls_default_path(char   *buffer,/* I - Path buffer */
+                          size_t bufsize)/* I - Size of path buffer */
+ {
+-  const char *home = getenv("HOME");	/* HOME environment variable */
+  _cups_globals_t	*cg = _cupsGlobals();
+					/* Pointer to library globals */
+ 
+ 
+-  if (getuid() && home)
+  if (cg->home)
+   {
+-    snprintf(buffer, bufsize, "%s/.cups", home);
+    snprintf(buffer, bufsize, "%s/.cups", cg->home);
+     if (access(buffer, 0))
+     {
+       DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
+@@ -947,7 +948,7 @@ http_gnutls_default_path(char   *buffer,/* I - Path buffer */
+       }
+     }
+ 
+-    snprintf(buffer, bufsize, "%s/.cups/ssl", home);
+    snprintf(buffer, bufsize, "%s/.cups/ssl", cg->home);
+     if (access(buffer, 0))
+     {
+       DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
+diff --git a/cups/usersys.c b/cups/usersys.c
+index 781f27b..2a57aa9 100644
+--- a/cups/usersys.c
+++ b/cups/usersys.c
+@@ -877,7 +877,6 @@ void
+ _cupsSetDefaults(void)
+ {
+   cups_file_t	*fp;			/* File */
+-  const char	*home;			/* Home directory of user */
+   char		filename[1024];		/* Filename */
+   _cups_client_conf_t cc;		/* client.conf values */
+   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
+@@ -903,19 +902,13 @@ _cupsSetDefaults(void)
+     cupsFileClose(fp);
+   }
+ 
+-#  ifdef HAVE_GETEUID
+-  if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() && (home = getenv("HOME")) != NULL)
+-#  elif !defined(_WIN32)
+-  if (getuid() && (home = getenv("HOME")) != NULL)
+-#  else
+-  if ((home = getenv("HOME")) != NULL)
+-#  endif /* HAVE_GETEUID */
+  if (cg->home)
+   {
+    /*
+     * Look for ~/.cups/client.conf...
+     */
+ 
+-    snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home);
+    snprintf(filename, sizeof(filename), "%s/.cups/client.conf", cg->home);
+     if ((fp = cupsFileOpen(filename, "r")) != NULL)
+     {
+       cups_read_client_conf(fp, &cc);
--- a/cups-ppdopen-heap-overflow.patch
+++ b/cups-ppdopen-heap-overflow.patch
@ -0,0 +1,42 @@
+diff --git a/cups/ppd.c b/cups/ppd.c
+index ff52df2e..199cf034 100644
+--- a/cups/ppd.c
+++ b/cups/ppd.c
+@@ -1719,8 +1719,7 @@ _ppdOpen(
+                      constraint->choice1, constraint->option2,
+ 		     constraint->choice2))
+       {
+-        case 0 : /* Error */
+-	case 1 : /* Error */
+        default : /* Error */
+ 	    pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
+ 	    goto error;
+ 
+diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
+index c25d4966..236c00db 100644
+--- a/ppdc/ppdc-source.cxx
+++ b/ppdc/ppdc-source.cxx
+@@ -1743,15 +1743,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to read
+ 
+   switch (sscanf(name, "%dx%d", &xdpi, &ydpi))
+   {
+-    case 0 :
+-        _cupsLangPrintf(stderr,
+-	                _("ppdc: Bad resolution name \"%s\" on line %d of "
+-			  "%s."), name, fp->line, fp->filename);
+-        break;
+     case 1 :
+         ydpi = xdpi;
+ 	break;
+-  }
+    case 2 :
+        break;
+    default :
+        _cupsLangPrintf(stderr,
+                  _("ppdc: Bad resolution name \"%s\" on line %d of "
+        "%s."), name, fp->line, fp->filename);
+        break;
+}
+ 
+   // Create the necessary PS commands...
+   snprintf(command, sizeof(command),
--- a/cups.spec
+++ b/cups.spec
@ -15,7 +15,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.2.12
-Release: 3%{?dist}
+Release: 8%{?dist}
 License: GPLv2+ and LGPLv2+ with exceptions and AML
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@ -73,7 +73,7 @@ Patch25: cups-systemd-socket.patch
 Patch30: cups-freebind.patch
 # add support of multifile
 Patch35: cups-ipp-multifile.patch
-# prolongs web ui timeout
+# prolongs  web ui timeout
 Patch36: cups-web-devices-timeout.patch
 # needs to be set to Yes to avoid race conditions
 Patch37: cups-synconclose.patch
@ -104,6 +104,13 @@ Patch41: 0001-SIGSEGV-in-CUPS-web-ui-when-adding-a-printer.patch
 # parser ended with error when encountered it. Now the parser adds underscore to incorrect
 # keyword and continues
 Patch42: 0001-PPD-files-containing-custom-option-keywords-did-not-.patch
+# 1808409 - the default printer for the system set with lpoptions is being ignored
+Patch43: cups-default-lpoptions.patch
+# 1822154 - cups.service doesn't execute automatically on request
+# https://github.com/apple/cups/issues/5708
+Patch44: cups-autostart-when-enabled.patch
+# 1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c
+Patch45: cups-ppdopen-heap-overflow.patch

 ##### Patches removed because IMHO they aren't no longer needed
 ##### but still I'll leave them in git in case their removal
@ -353,6 +360,12 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 %patch41 -p1 -b .webui-sigsegv
 # 1750904 - cups is unable to add ppd with custom/Custom option
 %patch42 -p1 -b .ppd-custom-option
+# 1808409 - the default printer for the system set with lpoptions is being ignored
+%patch43 -p1 -b .default-lpoptions
+# 1822154 - cups.service doesn't execute automatically on request
+%patch44 -p1 -b .autostart-when-enabled
+# 1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c
+%patch45 -p1 -b .ppdopen-heap-overflow

 # if cupsd is set to log into /var/log/cups, then 'MaxLogSize 0' needs to be
 # in cupsd.conf to disable cupsd logrotate functionality and use logrotated
@ -551,6 +564,12 @@ do
 done
 %endif

+# needed for #1822154 for upgrade path, remove in newer releases
+if [ -e /etc/systemd/system/printer.target.wants/cups.service ]
+then
+  %{_bindir}/systemctl enable cups.service > /dev/null 2>&1
+fi
+
 exit 0

 %post client
@ -759,6 +778,21 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz

 %changelog
+* Tue Apr 21 2020 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.12-8
+- 1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c
+
+* Mon Apr 20 2020 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.12-7
+- 1822154 - cups.service doesn't execute automatically on request
+
+* Wed Mar 04 2020 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.12-6
+- 1808409 - the default printer for the system set with lpoptions is being ignored
+
+* Thu Jan 02 2020 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.12-5
+- revert previous commit - according CUPS upstream it breaks kerberized printing
+
+* Tue Dec 17 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.12-4
+- change permissions on ipp backend (needed due cups-filters rebase)
+
 * Wed Oct 16 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.12-3
 - 1720688 - [abrt] cups: __strlen_avx2(): printers.cgi killed by SIGSEGV
 - 1750904 - cups is unable to add ppd with custom/Custom option
@ -3762,5 +3796,5 @@ rm -f %{cups_serverbin}/backend/smb
 * Mon Jun 26 2000 Tim Powers <timp@redhat.com>
 - started changelog 
 - fixed init.d script location
- changed script in init.d quite a bit and made more like the rest of our
+- changed script scripi in init.d quite a bit and made more like the rest of our
  startup scripts
Author	SHA1	Message	Date
Zdenek Dohnal	e88cea2bbe	1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c	2020-04-22 10:12:08 +02:00
Zdenek Dohnal	6e358e5eae	1822154 - cups.service doesn't execute automatically on request	2020-04-20 15:39:57 +02:00
Zdenek Dohnal	7f39b72910	1808409 - the default printer for the system set with lpoptions is being ignored	2020-03-04 16:28:53 +01:00
Zdenek Dohnal	a8184c9497	revert previous commit - according CUPS upstream it breaks kerberized printing	2020-01-02 10:40:09 +01:00
Zdenek Dohnal	7e7fb66ae5	change permissions on ipp backend (needed due cups-filters rebase)	2019-12-17 11:07:51 +01:00