Remote command injection in cups-browsed (bug #1083327).

2014-04-02 10:03:19 +02:00 · 2014-04-02 10:03:19 +02:00 · f813aa7457
commit f813aa7457
parent 285b84a7cd
2 changed files with 87 additions and 1 deletions
--- a/cups-filters-bug1083327.patch
+++ b/cups-filters-bug1083327.patch
@ -0,0 +1,79 @@
+From 1e2b77cd1661f2fb2565e21a558295e631763baa Mon Sep 17 00:00:00 2001
+From: Jiri Popelka <jpopelka@redhat.com>
+Date: Wed, 2 Apr 2014 09:57:32 +0200
+Subject: [PATCH] cups-browsed: SECURITY FIX to prevent arbitrary code
+ injection (RHBZ#1083327)
+
+into the System V interface scripts generated for
+queues for discovered native IPP printers by a malicious IPP
+print service with forged make/model and/or PDL string.
+---
+ utils/cups-browsed.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/utils/cups-browsed.c b/utils/cups-browsed.c
+index c312804..ec64a4d 100644
+--- a/utils/cups-browsed.c
+++ b/utils/cups-browsed.c
+@@ -563,7 +563,28 @@ create_local_queue (const char *name,
+   return NULL;
+ }
+ 
+-char *generate_queue_name(const char *str_orig)
+/*
+ * Remove all illegal characters and replace each group of such characters
+ * by a single dash
+ *
+ * mode = 0: Only allow letters, numbers, and dashes, for turning make/model
+ *           info into a valid print queue name or inro a string which can
+ *           be supplied as option value in a filter command line without
+ *           need of quoting
+ * mode = 1: Allow also '/', '.', ',', '_', for cleaning up MIME type
+ *           strings (here available Page Description Languages, PDLs) to
+ *           supply them on a filter command line without quoting
+ *
+ * Especially this prevents from arbitrary code execution by interface scripts
+ * generated for print queues to native IPP printers when a malicious IPP
+ * print service with forged PDL and/or make/model info gets broadcasted into
+ * the local network.
+ */
+
+char *                                 /* O - Cleaned string */
+remove_bad_chars(const char *str_orig, /* I - Original string */
+		 int mode)             /* I - 0: Make/Model, queue name */
+                                       /*     1: MIME types/PDLs */
+ {
+   int i, j;
+   int havedash = 0;
+@@ -576,7 +597,9 @@ char *generate_queue_name(const char *str_orig)
+   for (i = 0, j = 0; i < strlen(str); i++, j++) {
+     if (((str[i] >= 'A') && (str[i] <= 'Z')) ||
+ 	((str[i] >= 'a') && (str[i] <= 'z')) ||
+-	((str[i] >= '0') && (str[i] <= '9'))) {
+	((str[i] >= '0') && (str[i] <= '9')) ||
+	(mode == 1 && (str[i] == '/' || str[i] == '_' ||
+		       str[i] == '.' || str[i] == ','))) {
+       /* Letter or number, keep it */
+       havedash = 0;
+     } else {
+@@ -950,7 +973,7 @@ void generate_local_queue(const char *host,
+ 	if (entry) {
+ 	  avahi_string_list_get_pair(entry, &key, &value, NULL);
+ 	  if (key && value && !strcmp(key, *f) && strlen(value) >= 3) {
+-	    remote_queue = generate_queue_name(value);
+	    remote_queue = remove_bad_chars(value, 0);
+ 	    break;
+ 	  }
+ 	}
+@@ -959,7 +982,7 @@ void generate_local_queue(const char *host,
+       if (entry) {
+ 	avahi_string_list_get_pair(entry, &key, &value, NULL);
+ 	if (key && value && !strcmp(key, "pdl") && strlen(value) >= 3) {
+-	  pdl = strdup(value);
+	  pdl = remove_bad_chars(value, 1);
+ 	}
+       }
+     }
+-- 
+1.9.0
+
--- a/cups-filters.spec
+++ b/cups-filters.spec
@ -4,7 +4,7 @@
 Summary: OpenPrinting CUPS filters and backends
 Name:    cups-filters
 Version: 1.0.41
-Release: 5%{?dist}
+Release: 6%{?dist}

 # For a breakdown of the licensing, see COPYING file
 # GPLv2:   filters: commandto*, imagetoraster, pdftops, rasterto*,
@ -27,6 +27,7 @@ Patch3: cups-filters-memory-leaks.patch
 Patch4: cups-filters-filter-costs.patch
 Patch5:  cups-filters-urftopdf.patch
 Patch6:  cups-filters-pdftoopvp.patch
+Patch7: cups-filters-bug1083327.patch

 Requires: cups-filters-libs%{?_isa} = %{version}-%{release}

@ -129,6 +130,9 @@ This is the development package for OpenPrinting CUPS filters and backends.
 # Don't ship pdftoopvp for now (bug #1027557).
 %patch6 -p1 -b .pdftoopvp

+# Remote command injection in cups-browsed (bug #1083327).
+%patch7 -p1 -b .bug1083327
+
 %build
 # work-around Rpath
 ./autogen.sh
@ -242,6 +246,9 @@ fi
 %{_libdir}/libfontembed.so

 %changelog
+* Wed Apr 02 2014 Jiri Popelka <jpopelka@redhat.com> - 1.0.41-6
+- Remote command injection in cups-browsed (bug #1083327).
+
 * Tue Mar 11 2014 Jiri Popelka <jpopelka@redhat.com> - 1.0.41-5
 - Don't ship pdftoopvp (#1027557) and urftopdf (#1002947).