diff --git a/SOURCES/0001-cfGetPrinterAttributes5-Validate-response-attributes.patch b/SOURCES/0001-cfGetPrinterAttributes5-Validate-response-attributes.patch
new file mode 100644
index 0000000..be5d86c
--- /dev/null
+++ b/SOURCES/0001-cfGetPrinterAttributes5-Validate-response-attributes.patch
@@ -0,0 +1,34 @@
+diff --git a/utils/cups-browsed.c b/utils/cups-browsed.c
+index 2b30c63..a6d6fd2 100644
+--- a/utils/cups-browsed.c
++++ b/utils/cups-browsed.c
+@@ -3576,6 +3576,12 @@ create_remote_printer_entry (const char *queue_name,
+ NULL, pattrs);
+ response = cupsDoRequest(http_printer, request, resource);
+ 
++ if (response && !ippValidateAttributes(response))
++ {
++ fprintf(stderr, "The printer %s contains invalid attributes.", p->queue_name);
++ goto fail;
++ }
++
+ /* Log all printer attributes for debugging */
+ if (debug_stderr || debug_logfile) {
+ debug_printf("Full list of IPP attributes (get-printer-attributes) for printer %s:\n",
+diff --git a/utils/driverless.c b/utils/driverless.c
+index fe61e58..0360bff 100644
+--- a/utils/driverless.c
++++ b/utils/driverless.c
+@@ -513,6 +513,12 @@ generate_ppd (const char *uri)
+ NULL, pattrs);
+ response = cupsDoRequest(http, request, resource);
+ 
++ if (response && !ippValidateAttributes(response))
++ {
++ fprintf(stderr, "ERROR: The printer provides invalid attributes, skipping.");
++ goto fail;
++ }
++
+ /* Log all printer attributes for debugging */
+ if (debug) {
+ attr = ippFirstAttribute(response);
diff --git a/SOURCES/cups-filters-CVE-2024-47175.patch b/SOURCES/cups-filters-CVE-2024-47175.patch
new file mode 100644
index 0000000..eeec025
--- /dev/null
+++ b/SOURCES/cups-filters-CVE-2024-47175.patch
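Review bot: In 0001-cfGetPrinterAttributes5-Validate-response-attributes.patch, both new `fprintf(stderr, …)` messages lack a trailing newline and bypass the logging the surrounding code uses (`debug_printf` in the cups-browsed.c context lines), so a rejected printer may leave no trace in the cups-browsed debug log. Consider `debug_printf("The printer %s reported invalid IPP attributes, skipping.\n", p->queue_name);` in create_remote_printer_entry, and add `\n` to the driverless.c message. Both functions start and continue outside the hunks, so it is worth confirming that the `fail` label releases `response` and that `p` is already set at the point where `p->queue_name` is read.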
@@ -0,0 +1,356 @@
+diff --git a/cupsfilters/ppdgenerator.c b/cupsfilters/ppdgenerator.c
+index 44d9313..a8acde4 100644
+--- a/cupsfilters/ppdgenerator.c
++++ b/cupsfilters/ppdgenerator.c
+@@ -82,6 +82,7 @@ typedef struct _pwg_finishings_s /**** PWG finishings mapping data ****/
+ 
+ static void pwg_ppdize_name(const char *ipp, char *name, size_t namesize);
+ static void pwg_ppdize_resolution(ipp_attribute_t *attr, int element, int *xres, int *yres, char *name, size_t namesize);
++static void ppd_put_string(cups_file_t *fp, cups_lang_t *lang, const char *ppd_option, const char *ppd_choice, const char *pwg_msgid);
+ 
+ /*
+ * '_cupsSetError()' - Set the last PPD generator status-message.
+@@ -1188,9 +1189,10 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ ipp_t *media_col, /* Media collection */
+ *media_size; /* Media size collection */
+ char make[256], /* Make and model */
+- *model, /* Model name */
++ *mptr, // Pointer into make and model
+ ppdname[PPD_MAX_NAME];
+ /* PPD keyword */
++ const char *model; /* Model name */
+ int i, j, /* Looping vars */
+ count = 0, /* Number of values */
+ bottom, /* Largest bottom margin */
+@@ -1263,6 +1265,69 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ return (NULL);
+ }
+ 
++ //
++ // Get a sanitized make and model...
++ //
++
++ if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr))
++ {
++ // Sanitize the model name to only contain PPD-safe characters.
++ strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
++
++ for (mptr = make; *mptr; mptr ++)
++ {
++ if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"')
++ {
++ // Truncate the make and model on the first bad character...
++ *mptr = '\0';
++ break;
++ }
++ }
++
++ while (mptr > make)
++ {
++ // Strip trailing whitespace...
++ mptr --;
++ if (*mptr == ' ')
++ *mptr = '\0';
++ }
++
++ if (!make[0])
++ {
++ // Use a default make and model if nothing remains...
++ strlcpy(make, "Unknown", sizeof(make));
++ }
++ }
++ else
++ {
++ // Use a default make and model...
++ strlcpy(make, "Unknown", sizeof(make));
++ }
++
++ if (!strncasecmp(make, "Hewlett Packard ", 16) || !strncasecmp(make, "Hewlett-Packard ", 16))
++ {
++ // Normalize HP printer make and model...
++ model = make + 16;
++ strlcpy(make, "HP", sizeof(make));
++
++ if (!strncasecmp(model, "HP ", 3))
++ model += 3;
++ }
++ else if ((mptr = strchr(make, ' ')) != NULL)
++ {
++ // Separate "MAKE MODEL"...
++ while (*mptr && *mptr == ' ')
++ *mptr++ = '\0';
++
++ model = mptr;
++ }
++ else
++ {
++ // No separate model name...
++ model = "Printer";
++ }
++
++
+ /*
+ * Standard stuff for PPD file...
+ */
+@@ -1277,24 +1342,6 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ cupsFilePuts(fp, "*FileSystem: False\n");
+ cupsFilePuts(fp, "*PCFileName: \"drvless.ppd\"\n");
+ 
+- if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL)
+- strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
+- else if (make_model && make_model[0] != '\0')
+- strlcpy(make, make_model, sizeof(make));
+- else
+- strlcpy(make, "Unknown Printer", sizeof(make));
+-
+- if (!_cups_strncasecmp(make, "Hewlett Packard ", 16) ||
+- !_cups_strncasecmp(make, "Hewlett-Packard ", 16))
+- {
+- model = make + 16;
+- strlcpy(make, "HP", sizeof(make));
+- }
+- else if ((model = strchr(make, ' ')) != NULL)
+- *model++ = '\0';
+- else
+- model = make;
+-
+ cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make);
+ cupsFilePrintf(fp, "*ModelName: \"%s %s\"\n", make, model);
+ cupsFilePrintf(fp, "*Product: \"(%s %s)\"\n", make, model);
+@@ -1311,10 +1358,10 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ cupsFilePuts(fp, "*cupsSNMPSupplies: False\n");
+ cupsFilePuts(fp, "*cupsLanguages: \"en\"\n");
+ 
+- if ((attr = ippFindAttribute(response, "printer-more-info", IPP_TAG_URI)) != NULL)
++ if ((attr = ippFindAttribute(response, "printer-more-info", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+ cupsFilePrintf(fp, "*APSupplies: \"%s\"\n", ippGetString(attr, 0, NULL));
+ 
+- if ((attr = ippFindAttribute(response, "printer-charge-info-uri", IPP_TAG_URI)) != NULL)
++ if ((attr = ippFindAttribute(response, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+ cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL));
+ 
+ /* Message catalogs for UI strings */
+@@ -1322,7 +1369,7 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ opt_strings_catalog = optArrayNew();
+ load_opt_strings_catalog(NULL, opt_strings_catalog);
+ }
+- if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL) {
++ if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) {
+ printer_opt_strings_catalog = optArrayNew();
+ load_opt_strings_catalog(ippGetString(attr, 0, NULL), printer_opt_strings_catalog);
+ if (printer_opt_strings_catalog)
+@@ -2150,13 +2197,15 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ break;
+ }
+ if (j >= 0)
+- cupsFilePrintf(fp, "*InputSlot %s/%s: \"<>setpagedevice\"\n",
+- ppdname, human_readable, j);
++ {
++ cupsFilePrintf(fp, "*InputSlot %s: \"<>setpagedevice\"\n", ppdname, j);
++ ppd_put_string(fp, lang, "InputSlot", ppdname, human_readable);
++ }
+ else
+- cupsFilePrintf(fp, "*InputSlot %s%s%s: \"\"\n",
+- ppdname,
+- (human_readable ? "/" : ""),
+- (human_readable ? human_readable : ""));
++ {
++ cupsFilePrintf(fp, "*InputSlot %s%s%s:\"\"\n", ppdname, human_readable ? "/" : "", human_readable ? human_readable : "");
++ ppd_put_string(fp, lang, "InputSlot", ppdname, human_readable);
++ }
+ }
+ cupsFilePuts(fp, "*CloseUI: *InputSlot\n");
+ }
+@@ -2337,11 +2386,8 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ human_readable = (char *)_cupsLangString(lang, media_types[j][1]);
+ break;
+ }
+- cupsFilePrintf(fp, "*MediaType %s%s%s: \"<>setpagedevice\"\n",
+- ppdname,
+- (human_readable ? "/" : ""),
+- (human_readable ? human_readable : ""),
+- ppdname);
++ cupsFilePrintf(fp, "*MediaType %s: \"<>setpagedevice\"\n", ppdname, ppdname);
++ ppd_put_string(fp, lang, "MediaType", ppdname, human_readable);
+ }
+ cupsFilePuts(fp, "*CloseUI: *MediaType\n");
+ }
+@@ -2755,10 +2801,8 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ human_readable = (char *)_cupsLangString(lang, output_bins[j][1]);
+ break;
+ }
+- cupsFilePrintf(fp, "*OutputBin %s%s%s: \"\"\n",
+- ppdname,
+- (human_readable ? "/" : ""),
+- (human_readable ? human_readable : ""));
++ cupsFilePrintf(fp, "*OutputBin %s: \"\"\n", ppdname);
++ ppd_put_string(fp, lang, "OutputBin", ppdname, human_readable);
+ }
+ cupsFilePuts(fp, "*CloseUI: *OutputBin\n");
+ }
+@@ -2898,9 +2942,8 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
+ break;
+ }
+- cupsFilePrintf(fp, "*StapleLocation %s%s%s: \"\"\n", name,
+- (human_readable ? "/" : ""),
+- (human_readable ? human_readable : ""));
++ cupsFilePrintf(fp, "*StapleLocation %s: \"\"\n", name);
++ ppd_put_string(fp, lang, "StapleLocation", name, human_readable);
+ cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*StapleLocation %s\"\n", value, name, name);
+ }
+ 
+@@ -2955,9 +2998,8 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
+ break;
+ }
+- cupsFilePrintf(fp, "*FoldType %s%s%s: \"\"\n", name,
+- (human_readable ? "/" : ""),
+- (human_readable ? human_readable : ""));
++ cupsFilePrintf(fp, "*FoldType %s: \"\"\n", name);
++ ppd_put_string(fp, lang, "FoldType", name, human_readable);
+ cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*FoldType %s\"\n", value, name, name);
+ }
+ 
+@@ -3012,9 +3054,8 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
+ break;
+ }
+- cupsFilePrintf(fp, "*PunchMedia %s%s%s: \"\"\n", name,
+- (human_readable ? "/" : ""),
+- (human_readable ? human_readable : ""));
++ cupsFilePrintf(fp, "*PunchMedia %s: \"\"\n", name);
++ ppd_put_string(fp, lang, "PunchMedia", name, human_readable);
+ cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*PunchMedia %s\"\n", value, name, name);
+ }
+ 
+@@ -3076,7 +3117,9 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ printer_opt_strings_catalog);
+ if (human_readable == NULL)
+ human_readable = (char *)keyword;
+- cupsFilePrintf(fp, "*cupsFinishingTemplate %s/%s: \"\n", keyword, human_readable);
++ pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
++ cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname);
++ ppd_put_string(fp, lang, "cupsFinishingTemplate", ppdname, human_readable);
+ for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr; finishing_attr = ippNextAttribute(finishing_col))
+ {
+ if (ippGetValueTag(finishing_attr) == IPP_TAG_BEGIN_COLLECTION)
+@@ -3332,11 +3375,11 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ if (!preset || !preset_name)
+ continue;
+ 
+- if ((localized_name = lookup_option((char *)preset_name, opt_strings_catalog,
+- printer_opt_strings_catalog)) == NULL)
+- cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", preset_name);
+- else
+- cupsFilePrintf(fp, "*APPrinterPreset %s/%s: \"\n", preset_name, localized_name);
++ pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
++
++ localized_name = lookup_option((char *)preset_name, opt_strings_catalog, printer_opt_strings_catalog);
++ cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", ppdname);
++ ppd_put_string(fp, lang, "APPrinterPreset", ppdname, localized_name);
+ 
+ for (member = ippFirstAttribute(preset); member; member = ippNextAttribute(preset))
+ {
+@@ -3378,7 +3421,10 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ fin_col = ippGetCollection(member, i);
+ 
+ if ((keyword = ippGetString(ippFindAttribute(fin_col, "finishing-template", IPP_TAG_ZERO), 0, NULL)) != NULL)
+- cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", keyword);
++ {
++ pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
++ cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", ppdname);
++ }
+ }
+ }
+ else if (!strcmp(member_name, "media"))
+@@ -3405,13 +3451,13 @@ ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
+ if ((keyword = ippGetString(ippFindAttribute(media_col, "media-source", IPP_TAG_ZERO), 0, NULL)) != NULL)
+ {
+ pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+- cupsFilePrintf(fp, "*InputSlot %s\n", keyword);
++ cupsFilePrintf(fp, "*InputSlot %s\n", ppdname);
+ }
+ 
+ if ((keyword = ippGetString(ippFindAttribute(media_col, "media-type", IPP_TAG_ZERO), 0, NULL)) != NULL)
+ {
+ pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+- cupsFilePrintf(fp, "*MediaType %s\n", keyword);
++ cupsFilePrintf(fp, "*MediaType %s\n", ppdname);
+ }
+ }
+ else if (!strcmp(member_name, "print-quality"))
+@@ -3670,18 +3716,29 @@ pwg_ppdize_name(const char *ipp, /* I - IPP keyword */
+ char *ptr, /* Pointer into name buffer */
+ *end; /* End of name buffer */
+ 
++ if (!ipp || !_cups_isalnum(*ipp))
++ {
++ *name = '\0';
++ return;
++ }
+ 
+ *name = (char)toupper(*ipp++);
+ 
+ for (ptr = name + 1, end = name + namesize - 1; *ipp && ptr < end;)
+ {
+- if (*ipp == '-' && _cups_isalpha(ipp[1]))
++ if (*ipp == '-' && isalnum(ipp[1]))
+ {
+ ipp ++;
+ *ptr++ = (char)toupper(*ipp++ & 255);
+ }
+- else
++ else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || isalnum(*ipp))
++ {
+ *ptr++ = *ipp++;
++ }
++ else
++ {
++ ipp ++;
++ }
+ }
+ 
+ *ptr = '\0';
+@@ -3721,6 +3778,41 @@ pwg_ppdize_resolution(
+ snprintf(name, namesize, "%dx%ddpi", *xres, *yres);
+ }
+ }
++
++
++/*
++ * 'ppd_put_strings()' - Write localization attributes to a PPD file.
++ */
++
++static void
++ppd_put_string(cups_file_t *fp, /* I - PPD file */
++ cups_lang_t *lang, /* I - Language */
++ const char *ppd_option,/* I - PPD option */
++ const char *ppd_choice,/* I - PPD choice */
++ const char *text) /* I - Localized text */
++{
++ if (!text)
++ return;
++
++ // Add the first line of localized text...
++#if CUPS_VERSION_MAJOR > 2
++ cupsFilePrintf(fp, "*%s.%s %s/", cupsLangGetName(lang), ppd_option, ppd_choice);
++#else
++ cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice);
++#endif // CUPS_VERSION_MAJOR > 2
++
++ while (*text && *text != '\n')
++ {
++ // Escape ":" and "<"...
++ if (*text == ':' || *text == '<')
++ cupsFilePrintf(fp, "<%02X>", *text);
++ else
++ cupsFilePutChar(fp, *text);
++
++ text ++;
++ }
++ cupsFilePuts(fp, ": \"\"\n");
++}
+ #endif /* HAVE_CUPS_1_6 */
+ 
+ /*
diff --git a/SPECS/cups-filters.spec b/SPECS/cups-filters.spec
index 85d9906..34f0290 100644
--- a/SPECS/cups-filters.spec
+++ b/SPECS/cups-filters.spec
@@ -11,7 +11,7 @@ Summary: OpenPrinting CUPS filters and backends Name: cups-filters Version: 1.20.0 -Release: 34%{?dist} +Release: 35%{?dist} # For a breakdown of the licensing, see COPYING file # GPLv2: filters: commandto*, imagetoraster, pdftops, rasterto*, 
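Review bot: In cups-filters-CVE-2024-47175.patch, the `else` branch of the InputSlot hunk still formats `human_readable` straight into the PPD line (`"*InputSlot %s%s%s:\"\"\n"`) before calling `ppd_put_string`, so this one path keeps the unescaped text that every other option in the patch moves into `ppd_put_string`. It should read `cupsFilePrintf(fp, "*InputSlot %s: \"\"\n", ppdname);`. Separately, the "Strip trailing whitespace" loop in the make-and-model block never exits early, so it overwrites every space in `make` with NUL rather than only the trailing ones; the later "Hewlett Packard " comparisons and `strchr(make, ' ')` can then never match and `model` always ends up as "Printer". Adding `else break;` after `*mptr = '\0';` limits the loop to trailing spaces. The new `isalnum(ipp[1])` and `isalnum(*ipp)` calls in pwg_ppdize_name take a plain `char`; cast to `unsigned char` to avoid undefined behaviour on bytes above 0x7F.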
@@ -73,6 +73,10 @@ Patch18: beh-cve2023.patch Patch19: 0001-gstoraster-Improved-detection-whether-input-is-PostS.patch # RHEL-16034 pdftopdf results with (N > 1)^2 copies if a file is sent to IPP printer with collate Patch20: 0001-pdftopdf-Fixed-printing-multiple-copies-on-driverles.patch +# CVE-2024-47175 cups-filters: remote command injection via attacker controlled data in PPD file +Patch21: cups-filters-CVE-2024-47175.patch +# CVE-2024-47076 cups-filters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes +Patch22: 0001-cfGetPrinterAttributes5-Validate-response-attributes.patch %if %{with braille} @@ -250,6 +254,10 @@ The package provides filters and cups-brf backend needed for braille printing. %patch19 -p1 -b .gstoraster-psdetect # RHEL-16034 pdftopdf results with (N > 1)^2 copies if a file is sent to IPP printer with collate %patch20 -p1 -b .pdftopdf-ncopies +# CVE-2024-47175 cups-filters: remote command injection via attacker controlled data in PPD file +%patch21 -p1 -b .CVE-2024-47175 +# CVE-2024-47076 cups-filters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes +%patch22 -p1 -b .CVE-2024-47076 %build @@ -283,6 +291,7 @@ The package provides filters and cups-brf backend needed for braille printing. %else --disable-braille \ %endif + --with-browseremoteprotocols=none\ --enable-auto-setup-driverless make %{?_smp_mflags} @@ -332,6 +341,14 @@ make check %post %systemd_post cups-browsed.service +# Set BrowseRemoteProtocols to none in light of CVE-2024-47176 +if ! grep -Fxq "# added by post scriptlet" %{_sysconfdir}/cups/cups-browsed.conf +then + cp %{_sysconfdir}/cups/cups-browsed.conf %{_sysconfdir}/cups/cups-browsed.conf.rpmsave + sed -i "s/^\s*BrowseRemoteProtocols.*/# added by post scriptlet\nBrowseRemoteProtocols none/" %{_sysconfdir}/cups/cups-browsed.conf +fi + + %preun %systemd_preun cups-browsed.service 
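Review bot: The new %post scriptlet only writes its `# added by post scriptlet` marker when sed finds an active `BrowseRemoteProtocols` line, so on a cups-browsed.conf where the directive is absent or commented out the guard never becomes true and `cp` overwrites cups-browsed.conf.rpmsave on every later upgrade or reinstall, losing the administrator's original backup. In that case the file is also left without an explicit `BrowseRemoteProtocols none` and relies only on the `--with-browseremoteprotocols=none` build default. Consider keeping an existing backup, e.g. `[ -e %{_sysconfdir}/cups/cups-browsed.conf.rpmsave ] || cp -p %{_sysconfdir}/cups/cups-browsed.conf %{_sysconfdir}/cups/cups-browsed.conf.rpmsave`, and appending the marker and directive when sed matched nothing. A short comment in the scriptlet stating that it intentionally overrides a locally chosen value would help administrators who find the setting changed after the update.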
@@ -347,7 +364,7 @@ make check %{_pkgdocdir}/README %{_pkgdocdir}/AUTHORS %{_pkgdocdir}/NEWS -%config(noreplace) %{_sysconfdir}/cups/cups-browsed.conf +%config(noreplace) %verify(not size filedigest mtime) %{_sysconfdir}/cups/cups-browsed.conf %attr(0755,root,root) %{_cups_serverbin}/backend/parallel # Serial backend needs to run as root (bug #212577#c4). %attr(0700,root,root) %{_cups_serverbin}/backend/serial @@ -460,6 +477,11 @@ make check %endif %changelog +* Fri Sep 27 2024 Zdenek Dohnal - 1.20.0-35 +- CVE-2024-47175 cups-filters: remote command injection via attacker controlled data in PPD file +- CVE-2024-47076 cups-filters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes +- CVE-2024-47176 cups-filters: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source + * Mon Feb 26 2024 Zdenek Dohnal - 1.20.0-34 - RHEL-13211 redhat-lsb unnecessary pulls in cups and avahi dependencies