CVE-2022-26691 cups: authorization bypass when using "local" authorization

.fmf/version

@@ -0,0 +1 @@
+1

0001-cups-fix-uninit-value-jump.patch

@@ -0,0 +1,18 @@
+diff --git a/cups/ppd.c b/cups/ppd.c
+index 525df3592..54368ac4c 100644
+--- a/cups/ppd.c
++++ b/cups/ppd.c
+@@ -3430,12 +3430,12 @@ ppd_update_filters(ppd_file_t     *ppd,	/* I - PPD file */
+ 		srctype[256],
+ 		dstsuper[16],		/* Destination MIME media type */
+ 		dsttype[256],
+-		program[1024],		/* Command to run */
+ 		*ptr,			/* Pointer into command to run */
+ 		buffer[1024],		/* Re-written cupsFilter value */
+ 		**filter;		/* Current filter */
+   int		cost;			/* Cost of filter */
+ 
++  char		program[1024] = { 0 };	/* Command to run */
+ 
+   DEBUG_printf(("4ppd_update_filters(ppd=%p, cg=%p)", ppd, pg));
+ 

0001-cups-http-encode-memleaks-fixes-issue-322.patch

@@ -0,0 +1,38 @@
+From d9924186325c89aefa56e36258f56f246dd2c4ad Mon Sep 17 00:00:00 2001
+From: Richard Lescak <rlescak@redhat.com>
+Date: Tue, 11 Jan 2022 10:53:34 +0100
+Subject: [PATCH] cups/http.c,encode.c: Fix memory leaks
+
+---
+ CHANGES.md    | 3 ++-
+ cups/encode.c | 1 +
+ cups/http.c   | 1 +
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/cups/encode.c b/cups/encode.c
+index 5bcbf6fe5..15b1c6b40 100644
+--- a/cups/encode.c
++++ b/cups/encode.c
+@@ -655,6 +655,7 @@ _cupsEncodeOption(
+ 	  ippSetCollection(ipp, &attr, i, collection);
+ 	  cupsEncodeOptions2(collection, num_cols, cols, IPP_TAG_JOB);
+ 	  cupsFreeOptions(num_cols, cols);
++	  ippDelete(collection);
+ 	  break;
+ 
+       default :
+diff --git a/cups/http.c b/cups/http.c
+index bd41e6f8e..4b6a24bd3 100644
+--- a/cups/http.c
++++ b/cups/http.c
+@@ -4624,6 +4624,7 @@ http_tls_upgrade(http_t *http)		/* I - HTTP connection */
+   * Restore the HTTP request data...
+   */
+ 
++  httpClearFields(http);
+   memcpy(http->_fields, myhttp._fields, sizeof(http->_fields));
+   memcpy(http->fields, myhttp.fields, sizeof(http->fields));
+ 
+-- 
+2.31.1
+

0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch

@@ -0,0 +1,55 @@
+From bdb1ca45454d90410031c4c2054005a995f76180 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 6 Apr 2022 15:04:45 +0200
+Subject: [PATCH] cups/tls-gnutls.c: Use always GNUTLS_SHUT_WR
+
+The current mode for `gnutls_bye()` in client use cases strictly
+follows TLS v1.2 standard, which in this particular part says:
+
+```
+Unless some other fatal alert has been transmitted, each party is
+required to send a close_notify alert before closing the write
+side of the connection.  The other party MUST respond with a
+close_notify alert of its own and close down the connection immediately,
+discarding any pending writes.  It is not required for the initiator
+of the close to wait for the responding close_notify alert before
+closing the read side of the connection.
+```
+
+and waits for the other side of TLS connection to confirm the close.
+
+Unfortunately it can undesired for reasons:
+- we support switching of TLS versions in CUPS, and this mode strictly
+  follows TLS v1.2 - so for older version this behavior is not expected
+  and can cause delays
+- even some TLS v1.2 implementations (like Windows Server 2016) don't
+  comply TLS v1.2 behavior even if it says it does - in that case,
+  encrypted printing takes 30s till HTTP timeout is reached, because the
+  other side didn't send confirmation
+- AFAIU openssl's SSL_shutdown() doesn't make this TLS v1.2 difference,
+  so we could end up with two TLS implementations in CUPS which will
+  behave differently
+
+Since the standard defines that waiting for confirmation is not required
+and due the problems above, I would propose using GNUTLS_SHUT_WR mode
+regardless of HTTP mode.
+---
+ cups/tls-gnutls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
+index c55995b2b..f87b4f4df 100644
+--- a/cups/tls-gnutls.c
++++ b/cups/tls-gnutls.c
+@@ -1667,7 +1667,7 @@ _httpTLSStop(http_t *http)		/* I - Connection to server */
+   int	error;				/* Error code */
+ 
+ 
+-  error = gnutls_bye(http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
++  error = gnutls_bye(http->tls, GNUTLS_SHUT_WR);
+   if (error != GNUTLS_E_SUCCESS)
+     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(errno), 0);
+ 
+-- 
+2.35.1
+

0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch

@@ -0,0 +1,35 @@
+From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 May 2022 06:27:04 +0200
+Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
+ CVE-2022-26691)
+
+The previous algorithm didn't expect the strings can have a different
+length, so one string can be a substring of the other and such substring
+was reported as equal to the longer string.
+---
+ CHANGES.md       | 1 +
+ scheduler/cert.c | 9 ++++++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/scheduler/cert.c b/scheduler/cert.c
+index b268bf1b2..9b65b96c9 100644
+--- a/scheduler/cert.c
++++ b/scheduler/cert.c
+@@ -444,5 +444,12 @@ ctcompare(const char *a,		/* I - First string */
+     b ++;
+   }
+ 
+-  return (result);
++ /*
++  * The while loop finishes when *a == '\0' or *b == '\0'
++  * so after the while loop either both *a and *b == '\0',
++  * or one points inside a string, so when we apply bitwise OR on *a,
++  * *b and result, we get a non-zero return value if the compared strings don't match.
++  */
++
++  return (result | *a | *b);
+ }
+-- 
+2.36.1
+

cups-deprecate-drivers.patch

@@ -154,11 +154,11 @@ index 4498a8c..8776874 100755
  count=`$GREP '^W ' $BASE/log/error_log | $GREP -v CreateProfile | $GREP -v 'libusb error' | $GREP -v ColorManager | $GREP -v 'Avahi client failed' | wc -l | awk '{print $1}'`
 -if test $count != 8; then
 -	echo "FAIL: $count warning messages, expected 8."
-+if test $count != 10; then
-+	echo "FAIL: $count warning messages, expected 10."
++if test $count != 9; then
++	echo "FAIL: $count warning messages, expected 9."
  	$GREP '^W ' $BASE/log/error_log
 -	echo "    <p>FAIL: $count warning messages, expected 8.</p>" >>$strfile
-+	echo "    <p>FAIL: $count warning messages, expected 10.</p>" >>$strfile
++	echo "    <p>FAIL: $count warning messages, expected 9.</p>" >>$strfile
  	echo "    <pre>" >>$strfile
  	$GREP '^W ' $BASE/log/error_log | sed -e '1,$s/&/&amp;/g' -e '1,$s/</&lt;/g' >>$strfile
  	echo "    </pre>" >>$strfile

cups.spec

@@ -17,7 +17,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 11%{?dist}
+Release: 18%{?dist}
 License: ASL 2.0
 Url: https://openprinting.github.io/cups/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
@@ -103,6 +103,16 @@ Patch26: 0001-cups-http-support.c-Apply-DigestOptions-to-RFC-2069-.patch
 Patch27: 0001-Add-with-idle-exit-timeout-configure-option.patch
 # 2018953 - RFE: Implement TimeoutStartSec configuration during build
 Patch28: 0001-Add-with-systemd-timeoutstartsec-configure-option.patch
+# Memory leak fixes
+# https://github.com/OpenPrinting/cups/pull/322
+Patch29: 0001-cups-http-encode-memleaks-fixes-issue-322.patch
+# uninitialized value in cups library on ppc64le
+# https://github.com/OpenPrinting/cups/pull/329
+Patch30: 0001-cups-fix-uninit-value-jump.patch
+# 2073268 - 30-second delays printing to Windows 2016 server via HTTPS
+Patch31: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
+# CVE-2022-26691 cups: authorization bypass when using "local" authorization
+Patch32: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
 
 ##### Patches removed because IMHO they aren't no longer needed
 ##### but still I'll leave them in git in case their removal
@@ -334,6 +344,14 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch27 -p1 -b .conf-idleexittimeout
 # 2018953 - RFE: Implement TimeoutStartSec configuration during build
 %patch28 -p1 -b .conf-timeoutstartsec
+# Memory leak fixes
+%patch29 -p1 -b .memleak-fixes
+# uninitialized value in PPD CUPS API
+%patch30 -p1 -b .ppd-memleak
+# 2073268 - 30-second delays printing to Windows 2016 server via HTTPS
+%patch31 -p1 -b .gnutlsbye
+# CVE-2022-26691 cups: authorization bypass when using "local" authorization
+%patch32 -p1 -b .cve26691
 
 
 %if %{lspp}
@@ -710,6 +728,27 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz
 
 %changelog
+* Tue May 31 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-18
+- CVE-2022-26691 cups: authorization bypass when using "local" authorization
+
+* Fri Apr 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-17
+- 2073268 - 30-second delays printing to Windows 2016 server via HTTPS
+
+* Mon Mar 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16
+- let ipp-usb recommendation in only for F36+... (bz#2063241,2061851,2061843)
+
+* Thu Feb 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-15
+- jump based on uninitialized value in PPD related CUPS API on ppc64le
+
+* Wed Feb 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-14
+- recommend ipp-usb for devices which support IPP-over-USB
+
+* Thu Jan 20 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-13
+- Fix number of expected warnings in test suite
+
+* Wed Jan 12 2022 Richard Lescak <rlescak@redhat.com> - 1:2.3.3op2-12
+- Fix memory leaks in http_tls_upgrade() and _cupsEncodeOption()
+
 * Mon Nov 29 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-11
 - 2018957 - RFE: Implement IdleExitTimeout configuration during build
 - 2018953 - RFE: Implement TimeoutStartSec configuration during build

gating.yaml

@@ -0,0 +1,26 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+#Rawhide
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+#gating rhel
+--- !Policy
+product_versions:
+  - rhel-*
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}

plans/all.fmf

@@ -0,0 +1,6 @@
+summary: Test plan with cups tests
+discover:
+    how: fmf
+    url: https://src.fedoraproject.org/tests/cups.git
+execute:
+    how: tmt