CVE-2023-24805 cups-filters: remote code execution in cups-filters, beh CUPS backend

Resolves: CVE-2023-24805
This commit is contained in:
Zdenek Dohnal 2023-06-07 10:06:54 +02:00
parent 4cd786b89f
commit 887e219f24
2 changed files with 115 additions and 1 deletions

107
beh-cve2023.patch Normal file
View File

@ -0,0 +1,107 @@
diff --git a/backend/beh.c b/backend/beh.c
index 225fd27..5e9cee0 100644
--- a/backend/beh.c
+++ b/backend/beh.c
@@ -22,6 +22,7 @@
#include "backend-private.h"
#include <cups/array.h>
#include <ctype.h>
+#include <sys/wait.h>
/*
* Local globals...
@@ -213,10 +214,14 @@ call_backend(char *uri, /* I - URI of final destination */
char **argv, /* I - Command-line arguments */
char *filename) { /* I - File name of input data */
const char *cups_serverbin; /* Location of programs */
+ char *backend_argv[8]; // Arguments for called CUPS backend
char scheme[1024], /* Scheme from URI */
*ptr, /* Pointer into scheme */
- cmdline[65536]; /* Backend command line */
- int retval;
+ backend_path[2048]; // Backend path
+ int pid,
+ wait_pid,
+ wait_status,
+ retval = 0;
/*
* Build the backend command line...
@@ -235,16 +240,19 @@ call_backend(char *uri, /* I - URI of final destination */
fprintf(stderr,
"ERROR: beh: Direct output into a file not supported.\n");
exit (CUPS_BACKEND_FAILED);
- } else
- snprintf(cmdline, sizeof(cmdline),
- "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
- cups_serverbin, scheme, argv[1], argv[2], argv[3],
- /* Apply number of copies only if beh was called with a
- file name and not with the print data in stdin, as
- backends should handle copies only if they are called
- with a file name */
- (argc == 6 ? "1" : argv[4]),
- argv[5], filename);
+ }
+
+ backend_argv[0] = uri;
+ backend_argv[1] = argv[1];
+ backend_argv[2] = argv[2];
+ backend_argv[3] = argv[3];
+ backend_argv[4] = (argc == 6 ? "1" : argv[4]);
+ backend_argv[5] = argv[5];
+ backend_argv[6] = filename;
+ backend_argv[7] = NULL;
+
+ snprintf(backend_path, sizeof(backend_path),
+ "%s/backend/%s", cups_serverbin, scheme);
/*
* Overwrite the device URI and run the actual backend...
@@ -253,17 +261,41 @@ call_backend(char *uri, /* I - URI of final destination */
setenv("DEVICE_URI", uri, 1);
fprintf(stderr,
- "DEBUG: beh: Executing backend command line \"%s\"...\n",
- cmdline);
+ "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s' '%s'%s%s\"...\n",
+ backend_path, backend_argv[1], backend_argv[2], backend_argv[3],
+ backend_argv[4], backend_argv[5],
+ (backend_argv[6] && backend_argv[6][0] ? " " : ""),
+ (backend_argv[6] && backend_argv[6][0] ? backend_argv[6] : ""));
fprintf(stderr,
"DEBUG: beh: Using device URI: %s\n",
uri);
- retval = system(cmdline) >> 8;
+ if ((pid = fork()) == 0)
+ {
+ retval = execv(backend_path, backend_argv);
+
+ if (retval == -1)
+ fprintf(stderr, "ERROR: Unable to execute backend: %s\n",
+ strerror(errno));
+ exit (CUPS_BACKEND_FAILED);
+ }
+ else if (pid < 0)
+ {
+ fprintf(stderr, "ERROR: Unable to fork for backend\n");
+ return (CUPS_BACKEND_FAILED);
+ }
+
+ while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR);
- if (retval == -1)
- fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n",
- strerror(errno));
+ if (wait_pid >= 0 && wait_status)
+ {
+ if (WIFEXITED(wait_status))
+ retval = WEXITSTATUS(wait_status);
+ else if (WTERMSIG(wait_status) != SIGTERM)
+ retval = WTERMSIG(wait_status);
+ else
+ retval = 0;
+ }
return (retval);
}

View File

@ -11,7 +11,7 @@
Summary: OpenPrinting CUPS filters and backends
Name: cups-filters
Version: 1.20.0
Release: 30%{?dist}
Release: 31%{?dist}
# For a breakdown of the licensing, see COPYING file
# GPLv2: filters: commandto*, imagetoraster, pdftops, rasterto*,
@ -65,6 +65,8 @@ Patch15: cups-browsed-renew.patch
Patch16: 0001-libcupsfilters-Fix-page-range-like-10-in-pdftopdf-fi.patch
# 2185675 - Edges cropped when printing PostScript document
Patch17: gstoraster-margins.patch
# CVE-2023-24805 cups-filters: remote code execution in cups-filters, beh CUPS backend
Patch18: beh-cve2023.patch
%if %{with braille}
Recommends: %{name}-braille%{?_isa} = %{version}-%{release}
@ -237,6 +239,8 @@ The package provides filters and cups-brf backend needed for braille printing.
%patch16 -p1 -b .ranges
# 2185675 - Edges cropped when printing PostScript document
%patch17 -p1 -b .margins
# CVE-2023-24805 cups-filters: remote code execution in cups-filters, beh CUPS backend
%patch18 -p1 -b .cve202324805
%build
@ -439,6 +443,9 @@ make check
%endif
%changelog
* Wed Jun 07 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1.20.0-31
- CVE-2023-24805 cups-filters: remote code execution in cups-filters, beh CUPS backend
* Thu Apr 13 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1.20.0-30
- 2185675 - Edges cropped when printing PostScript document