!147 [sync] PR-144: fix CVE-2024-35235

From: @openeuler-sync-bot 
Reviewed-by: @dou33 
Signed-off-by: @dou33

backport-CVE-2023-34241.patch

@@ -0,0 +1,65 @@
+From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
+From: Rose <83477269+AtariDreams@users.noreply.github.com>
+Date: Thu, 1 Jun 2023 11:33:39 -0400
+Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
+
+httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
+
+We have to log the hostname first.
+
+Reference:https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2
+Conflict:NA
+---
+ scheduler/client.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 91e441188c..327473a4d1 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+    /*
+     * Can't have an unresolved IP address with double-lookups enabled...
+     */
+-
+-    httpClose(con->http);
+-
+     cupsdLogClient(con, CUPSD_LOG_WARN,
+-                    "Name lookup failed - connection from %s closed!",
++                    "Name lookup failed - closing connection from %s!",
+                     httpGetHostname(con->http, NULL, 0));
+ 
++    httpClose(con->http);
+     free(con);
+     return;
+   }
+@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+       * with double-lookups enabled...
+       */
+ 
+-      httpClose(con->http);
+-
+       cupsdLogClient(con, CUPSD_LOG_WARN,
+-                      "IP lookup failed - connection from %s closed!",
++                      "IP lookup failed - closing connection from %s!",
+                       httpGetHostname(con->http, NULL, 0));
++
++      httpClose(con->http);
+       free(con);
+       return;
+     }
+@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ 
+   if (!hosts_access(&wrap_req))
+   {
+-    httpClose(con->http);
+-
+     cupsdLogClient(con, CUPSD_LOG_WARN,
+                     "Connection from %s refused by /etc/hosts.allow and "
+ 		    "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
++
++    httpClose(con->http);
+     free(con);
+     return;
+   }
+

backport-CVE-2023-4504.patch

@@ -0,0 +1,44 @@
+From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 20 Sep 2023 14:45:17 +0200
+Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
+
+We didn't check for end of buffer if it looks there is an escaped
+character - check for NULL terminator there and if found, return NULL
+as return value and in `ptr`, because a lone backslash is not
+a valid PostScript character.
+
+Reference:https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31
+Conflict:Patch context adaptation
+
+---
+ cups/raster-interpret.c | 14 +++++++++++++-
+ 1 files changed, 14 insertions(+)
+
+diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
+index 6fcf731b5..b8655c8c6 100644
+--- a/cups/raster-interpret.c
++++ b/cups/raster-interpret.c
+@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
+ 
+ 	    cur ++;
+ 
+-            if (*cur == 'b')
++	   /*
++	    * Return NULL if we reached NULL terminator, a lone backslash
++	    * is not a valid character in PostScript.
++	    */
++
++	    if (!*cur)
++	    {
++	      *ptr = NULL;
++
++	      return (NULL);
++	    }
++
++	    if (*cur == 'b')
+ 	      *valptr++ = '\b';
+ 	    else if (*cur == 'f')
+ 	      *valptr++ = '\f';
+
+

backport-Fix-CVE-2024-35235.patch

@@ -0,0 +1,99 @@
+From a436956f374b0fd7f5da9df482e4f5840fa1c0d2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Mon, 3 Jun 2024 18:53:58 +020
+Subject: [PATCH] Fix domain socket handling
+Reference: https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2
+
+---
+ cups/http-addr.c | 40 +++++++++++++++++++---------------------
+ scheduler/conf.c | 19 +++++++++++++++++++
+ 2 files changed, 38 insertions(+), 21 deletions(-)
+
+diff --git a/cups/http-addr.c b/cups/http-addr.c
+index 1926188..b806fbc 100644
+--- a/cups/http-addr.c
++++ b/cups/http-addr.c
+@@ -206,31 +206,29 @@ httpAddrListen(http_addr_t *addr,	/* I - Address to bind to */
+   {
+     mode_t	mask;			/* Umask setting */
+ 
+-   /*
+-    * Remove any existing domain socket file...
+-    */
+-
+-    unlink(addr->un.sun_path);
+-
+-   /*
+-    * Save the current umask and set it to 0 so that all users can access
+-    * the domain socket...
+-    */
+-
+-    mask = umask(0);
++    if ((status = unlink(addr->un.sun_path)) < 0)
++    {
++      DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
+ 
+-   /*
+-    * Bind the domain socket...
+-    */
++      if (errno == ENOENT)
++	status = 0;
++    }
+ 
+-    status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
++    if (!status)
++    {
++      // Save the current umask and set it to 0 so that all users can access
++      // the domain socket...
++      mask = umask(0);
+ 
+-   /*
+-    * Restore the umask and fix permissions...
+-    */
++      // Bind the domain socket...
++      if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
++      {
++	DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
++      }
+ 
+-    umask(mask);
+-    chmod(addr->un.sun_path, 0140777);
++      // Restore the umask...
++      umask(mask);
++    }      
+   }
+   else
+ #endif /* AF_LOCAL */
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index e44736b..a5ba6cb 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -3073,6 +3073,25 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+ 
+       cupsd_listener_t	*lis;		/* New listeners array */
+ 
++     /*
++      * If we are launched on-demand, do not use domain sockets from the config
++      * file.  Also check that the domain socket path is not too long...
++      */
++
++#ifdef HAVE_ONDEMAND
++      if (*value == '/' && OnDemand)
++      {
++        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
++        continue;
++      }
++#endif // HAVE_ONDEMAND
++
++      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
++      {
++        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
++        continue;
++      }
+ 
+      /*
+       * Get the address list...
+-- 
+2.27.0
+

cups.spec

@@ -3,9 +3,9 @@
 Name:    cups
 Epoch:   1
 Version: 2.4.0
-Release: 6
+Release: 11
 Summary: CUPS is the standards-based, open source printing system for linux operating systems.
-License: GPLv2+ and LGPLv2+ with exceptions and AML
+License: Apache-2.0 WITH LLVM-exception
 Url:     https://openprinting.github.io/cups/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
 Source0: https://github.com/OpenPrinting/cups/releases/download/v%{version}/cups-%{version}-source.tar.gz
@@ -28,6 +28,10 @@ Patch6000: backport-CVE-2022-26691.patch
 Patch6001: backport-Remove-legacy-code-for-RIP_MAX_CACHE-environment-variable.patch
 Patch6002: backport-Also-fix-cupsfilter.patch
 Patch6003: backport-CVE-2023-32324.patch
+Patch6004: fix-httpAddrGetList-test-case-fail.patch
+Patch6005: backport-CVE-2023-34241.patch
+Patch6006: backport-CVE-2023-4504.patch
+Patch6007: backport-Fix-CVE-2024-35235.patch
 
 BuildRequires: pam-devel pkgconf-pkg-config pkgconfig(gnutls) libacl-devel openldap-devel pkgconfig(libusb-1.0)
 BuildRequires: krb5-devel pkgconfig(avahi-client) systemd pkgconfig(libsystemd) pkgconfig(dbus-1) python3-cups
@@ -449,6 +453,21 @@ rm -f %{_exec_prefix}/lib/cups/backend/smb
 %doc %{_datadir}/%{name}/www/apple-touch-icon.png
 
 %changelog
+* Wed Jun 12 2024 baiguo <baiguo@kylinos.cn> - 1:2.4.0-11
+- fix CVE-2024-35235
+
+* Fri Sep 22 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 1:2.4.0-10
+- fix CVE-2023-4504
+
+* Wed Jul 19 2023 haomimi <haomimi@uniontech.com> - 1:2.4.0-9
+- DESC:The license is changed to apache 2.0
+
+* Mon Jun 26 2023 zhouwenpei <zhouwenpei@h-partners.com> - 1:2.4.0-8
+- fix CVE-2023-34241
+
+* Fri Jun 9 2023 zhangpan <zhangpan103@h-partners.com> - 1:2.4.0-7
+- fix build error
+
 * Sat Jun 3 2023 zhouwenpei <zhouwenpei@h-partners.com> - 1:2.4.0-6
 - fix CVE-2023-32324
 

fix-httpAddrGetList-test-case-fail.patch

@@ -0,0 +1,44 @@
+From 079c00aac0db4d95383cf73be73e641ff26ebfc6 Mon Sep 17 00:00:00 2001
+From: zhangpan <zhangpan103@h-partners.com>
+Date: Fri, 9 Jun 2023 11:04:18 +0800
+Subject: [PATCH] fix httpAddrGetList test case fail
+
+---
+ cups/testhttp.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/cups/testhttp.c b/cups/testhttp.c
+index 313e4bb..f446d65 100644
+--- a/cups/testhttp.c
++++ b/cups/testhttp.c
+@@ -14,7 +14,7 @@
+  */
+ 
+ #include "cups-private.h"
+-
++#include <unistd.h>
+ 
+ /*
+  * Types and structures...
+@@ -231,7 +231,8 @@ main(int  argc,				/* I - Number of command-line arguments */
+   char		scheme[HTTP_MAX_URI],	/* Scheme from URI */
+ 		hostname[HTTP_MAX_URI],	/* Hostname from URI */
+ 		username[HTTP_MAX_URI],	/* Username:password from URI */
+-		resource[HTTP_MAX_URI];	/* Resource from URI */
++		resource[HTTP_MAX_URI],	/* Resource from URI */
++		localhostname[HTTP_MAX_URI]; /* gethostname */
+   int		port;			/* Port number from URI */
+   http_uri_status_t uri_status;		/* Status of URI separation */
+   http_addrlist_t *addrlist,		/* Address list */
+@@ -391,7 +392,7 @@ main(int  argc,				/* I - Number of command-line arguments */
+ 
+     printf("httpAddrGetList(%s): ", hostname);
+ 
+-    addrlist = httpAddrGetList(hostname, AF_UNSPEC, NULL);
++    addrlist = httpAddrGetList(gethostname(localhostname, sizeof(localhostname)), AF_UNSPEC, NULL);
+     if (addrlist)
+     {
+       for (i = 0, addr = addrlist; addr; i ++, addr = addr->next)
+-- 
+2.33.0
+