!147 [sync] PR-144: fix CVE-2024-35235

From: @openeuler-sync-bot Reviewed-by: @dou33 Signed-off-by: @dou33
Fix domain socket handling
2024-06-21 00:56:52 +00:00 · 2024-06-17 11:17:52 +08:00 · 2023-10-07 08:52:06 +00:00 · 2023-09-28 09:02:23 +00:00 · 2023-09-25 09:11:46 +00:00 · 2023-09-25 16:34:31 +08:00
5 changed files with 273 additions and 2 deletions
--- a/backport-CVE-2023-34241.patch
+++ b/backport-CVE-2023-34241.patch
@ -0,0 +1,65 @@
 From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
 From: Rose <83477269+AtariDreams@users.noreply.github.com>
 Date: Thu, 1 Jun 2023 11:33:39 -0400
 Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
 httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
 We have to log the hostname first.
 Reference:https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2
 Conflict:NA
 ---
 scheduler/client.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
 diff --git a/scheduler/client.c b/scheduler/client.c
 index 91e441188c..327473a4d1 100644
 --- a/scheduler/client.c
 +++ b/scheduler/client.c
@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
    /*
     * Can't have an unresolved IP address with double-lookups enabled...
     */
 -
 -    httpClose(con->http);
 -
     cupsdLogClient(con, CUPSD_LOG_WARN,
 -                    "Name lookup failed - connection from %s closed!",
 +                    "Name lookup failed - closing connection from %s!",
                     httpGetHostname(con->http, NULL, 0));
 +    httpClose(con->http);
     free(con);
     return;
   }
@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
       * with double-lookups enabled...
       */
 -      httpClose(con->http);
 -
       cupsdLogClient(con, CUPSD_LOG_WARN,
 -                      "IP lookup failed - connection from %s closed!",
 +                      "IP lookup failed - closing connection from %s!",
                       httpGetHostname(con->http, NULL, 0));
 +
 +      httpClose(con->http);
       free(con);
       return;
     }
@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
   if (!hosts_access(&wrap_req))
   {
 -    httpClose(con->http);
 -
     cupsdLogClient(con, CUPSD_LOG_WARN,
                     "Connection from %s refused by /etc/hosts.allow and "
 		    "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
 +
 +    httpClose(con->http);
     free(con);
     return;
   }
--- a/backport-CVE-2023-4504.patch
+++ b/backport-CVE-2023-4504.patch
@ -0,0 +1,44 @@
 From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 2001
 From: Zdenek Dohnal <zdohnal@redhat.com>
 Date: Wed, 20 Sep 2023 14:45:17 +0200
 Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
 We didn't check for end of buffer if it looks there is an escaped
 character - check for NULL terminator there and if found, return NULL
 as return value and in `ptr`, because a lone backslash is not
 a valid PostScript character.
 Reference:https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31
 Conflict:Patch context adaptation
 ---
 cups/raster-interpret.c | 14 +++++++++++++-
 1 files changed, 14 insertions(+)
 diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
 index 6fcf731b5..b8655c8c6 100644
 --- a/cups/raster-interpret.c
 +++ b/cups/raster-interpret.c
@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
 	    cur ++;
 -            if (*cur == 'b')
 +	   /*
 +	    * Return NULL if we reached NULL terminator, a lone backslash
 +	    * is not a valid character in PostScript.
 +	    */
 +
 +	    if (!*cur)
 +	    {
 +	      *ptr = NULL;
 +
 +	      return (NULL);
 +	    }
 +
 +	    if (*cur == 'b')
 	      *valptr++ = '\b';
 	    else if (*cur == 'f')
 	      *valptr++ = '\f';
--- a/backport-Fix-CVE-2024-35235.patch
+++ b/backport-Fix-CVE-2024-35235.patch
@ -0,0 +1,99 @@
 From a436956f374b0fd7f5da9df482e4f5840fa1c0d2 Mon Sep 17 00:00:00 2001
 From: Zdenek Dohnal <zdohnal@redhat.com>
 Date: Mon, 3 Jun 2024 18:53:58 +020
 Subject: [PATCH] Fix domain socket handling
 Reference: https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2
 ---
 cups/http-addr.c | 40 +++++++++++++++++++---------------------
 scheduler/conf.c | 19 +++++++++++++++++++
 2 files changed, 38 insertions(+), 21 deletions(-)
 diff --git a/cups/http-addr.c b/cups/http-addr.c
 index 1926188..b806fbc 100644
 --- a/cups/http-addr.c
 +++ b/cups/http-addr.c
@@ -206,31 +206,29 @@ httpAddrListen(http_addr_t *addr,	/* I - Address to bind to */
   {
     mode_t	mask;			/* Umask setting */
 -   /*
 -    * Remove any existing domain socket file...
 -    */
 -
 -    unlink(addr->un.sun_path);
 -
 -   /*
 -    * Save the current umask and set it to 0 so that all users can access
 -    * the domain socket...
 -    */
 -
 -    mask = umask(0);
 +    if ((status = unlink(addr->un.sun_path)) < 0)
 +    {
 +      DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
 -   /*
 -    * Bind the domain socket...
 -    */
 +      if (errno == ENOENT)
 +	status = 0;
 +    }
 -    status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
 +    if (!status)
 +    {
 +      // Save the current umask and set it to 0 so that all users can access
 +      // the domain socket...
 +      mask = umask(0);
 -   /*
 -    * Restore the umask and fix permissions...
 -    */
 +      // Bind the domain socket...
 +      if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
 +      {
 +	DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
 +      }
 -    umask(mask);
 -    chmod(addr->un.sun_path, 0140777);
 +      // Restore the umask...
 +      umask(mask);
 +    }      
   }
   else
 #endif /* AF_LOCAL */
 diff --git a/scheduler/conf.c b/scheduler/conf.c
 index e44736b..a5ba6cb 100644
 --- a/scheduler/conf.c
 +++ b/scheduler/conf.c
@@ -3073,6 +3073,25 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
       cupsd_listener_t	*lis;		/* New listeners array */
 +     /*
 +      * If we are launched on-demand, do not use domain sockets from the config
 +      * file.  Also check that the domain socket path is not too long...
 +      */
 +
 +#ifdef HAVE_ONDEMAND
 +      if (*value == '/' && OnDemand)
 +      {
 +        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
 +          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
 +        continue;
 +      }
 +#endif // HAVE_ONDEMAND
 +
 +      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
 +      {
 +        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
 +        continue;
 +      }
      /*
       * Get the address list...
 -- 
 2.27.0
--- a/cups.spec
+++ b/cups.spec
@ -3,9 +3,9 @@
 Name:    cups
 Epoch:   1
 Version: 2.4.0
-Release: 6
+Release: 11
 Summary: CUPS is the standards-based, open source printing system for linux operating systems.
-License: GPLv2+ and LGPLv2+ with exceptions and AML
+License: Apache-2.0 WITH LLVM-exception
 Url:     https://openprinting.github.io/cups/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
 Source0: https://github.com/OpenPrinting/cups/releases/download/v%{version}/cups-%{version}-source.tar.gz
@ -28,6 +28,10 @@ Patch6000: backport-CVE-2022-26691.patch
 Patch6001: backport-Remove-legacy-code-for-RIP_MAX_CACHE-environment-variable.patch
 Patch6002: backport-Also-fix-cupsfilter.patch
 Patch6003: backport-CVE-2023-32324.patch
 Patch6004: fix-httpAddrGetList-test-case-fail.patch
 Patch6005: backport-CVE-2023-34241.patch
 Patch6006: backport-CVE-2023-4504.patch
 Patch6007: backport-Fix-CVE-2024-35235.patch
 BuildRequires: pam-devel pkgconf-pkg-config pkgconfig(gnutls) libacl-devel openldap-devel pkgconfig(libusb-1.0)
 BuildRequires: krb5-devel pkgconfig(avahi-client) systemd pkgconfig(libsystemd) pkgconfig(dbus-1) python3-cups
@ -449,6 +453,21 @@ rm -f %{_exec_prefix}/lib/cups/backend/smb
 %doc %{_datadir}/%{name}/www/apple-touch-icon.png
 %changelog
 * Wed Jun 12 2024 baiguo <baiguo@kylinos.cn> - 1:2.4.0-11
 - fix CVE-2024-35235
 * Fri Sep 22 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 1:2.4.0-10
 - fix CVE-2023-4504
 * Wed Jul 19 2023 haomimi <haomimi@uniontech.com> - 1:2.4.0-9
 - DESC:The license is changed to apache 2.0
 * Mon Jun 26 2023 zhouwenpei <zhouwenpei@h-partners.com> - 1:2.4.0-8
 - fix CVE-2023-34241
 * Fri Jun 9 2023 zhangpan <zhangpan103@h-partners.com> - 1:2.4.0-7
 - fix build error
 * Sat Jun 3 2023 zhouwenpei <zhouwenpei@h-partners.com> - 1:2.4.0-6
 - fix CVE-2023-32324
--- a/fix-httpAddrGetList-test-case-fail.patch
+++ b/fix-httpAddrGetList-test-case-fail.patch
@ -0,0 +1,44 @@
 From 079c00aac0db4d95383cf73be73e641ff26ebfc6 Mon Sep 17 00:00:00 2001
 From: zhangpan <zhangpan103@h-partners.com>
 Date: Fri, 9 Jun 2023 11:04:18 +0800
 Subject: [PATCH] fix httpAddrGetList test case fail
 ---
 cups/testhttp.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
 diff --git a/cups/testhttp.c b/cups/testhttp.c
 index 313e4bb..f446d65 100644
 --- a/cups/testhttp.c
 +++ b/cups/testhttp.c
@@ -14,7 +14,7 @@
  */
 #include "cups-private.h"
 -
 +#include <unistd.h>
 /*
  * Types and structures...
@@ -231,7 +231,8 @@ main(int  argc,				/* I - Number of command-line arguments */
   char		scheme[HTTP_MAX_URI],	/* Scheme from URI */
 		hostname[HTTP_MAX_URI],	/* Hostname from URI */
 		username[HTTP_MAX_URI],	/* Username:password from URI */
 -		resource[HTTP_MAX_URI];	/* Resource from URI */
 +		resource[HTTP_MAX_URI],	/* Resource from URI */
 +		localhostname[HTTP_MAX_URI]; /* gethostname */
   int		port;			/* Port number from URI */
   http_uri_status_t uri_status;		/* Status of URI separation */
   http_addrlist_t *addrlist,		/* Address list */
@@ -391,7 +392,7 @@ main(int  argc,				/* I - Number of command-line arguments */
     printf("httpAddrGetList(%s): ", hostname);
 -    addrlist = httpAddrGetList(hostname, AF_UNSPEC, NULL);
 +    addrlist = httpAddrGetList(gethostname(localhostname, sizeof(localhostname)), AF_UNSPEC, NULL);
     if (addrlist)
     {
       for (i = 0, addr = addrlist; addr; i ++, addr = addr->next)
 -- 
 2.33.0
Author	SHA1	Message	Date
openeuler-ci-bot	fcf3bdaeea	!147 [sync] PR-144: fix CVE-2024-35235 From: @openeuler-sync-bot Reviewed-by: @dou33 Signed-off-by: @dou33	2024-06-21 00:56:52 +00:00
baiguo	f0174c8c86	Fix domain socket handling (cherry picked from commit 3ebc07758d76473d64f70b9183ce85c74c8642fc)	2024-06-17 11:17:52 +08:00
openeuler-ci-bot	7b8dcfbdde	!130 fix CVE-2023-4504 From: @zhouwenpei Reviewed-by: @weigangli Signed-off-by: @weigangli	2023-10-07 08:52:06 +00:00
zhouwenpei	0b20fb30d7	fix CVE-2023-4504	2023-09-28 09:02:23 +00:00
openeuler-ci-bot	48a26aa010	!126 [sync] PR-118: The license is changed to apache 2.0 From: @openeuler-sync-bot Reviewed-by: @leeffo Signed-off-by: @leeffo	2023-09-25 09:11:46 +00:00
ut004615	4f4819bd33	DESC:The license is changed to apache 2.0 (cherry picked from commit b03939a476ed34d9f90d79cf08d1a829bc6ec127)	2023-09-25 16:34:31 +08:00
openeuler-ci-bot	699595b287	!116 [sync] PR-111: fix CVE-2023-34241 From: @openeuler-sync-bot Reviewed-by: @t_feng Signed-off-by: @t_feng	2023-06-28 09:26:13 +00:00
zhouwenpei	19ea4d4c72	fix CVE-2023-34241 (cherry picked from commit 1c561cc745163b67507346dadc1852025f2f9536)	2023-06-28 14:32:34 +08:00
openeuler-ci-bot	549b05925d	!107 [sync] PR-103: fix build error From: @openeuler-sync-bot Reviewed-by: @t_feng Signed-off-by: @t_feng	2023-06-09 08:22:15 +00:00
zhangpan	8e9b0bc95e	fix build error (cherry picked from commit ead15a006f0dccfa32c8ede72e0fdc4cd1f70203)	2023-06-09 15:45:20 +08:00