Patch CVE-2024-35235: cupsd Listen arbitrary chmod 0140777
Resolves: RHEL-40386
This commit is contained in:
Pavol Žáčik
parent
c165394fad
commit
1aac869610
86
0001-Fix-domain-socket-handling.patch
Normal file
86
0001-Fix-domain-socket-handling.patch
Normal file
@ -0,0 +1,86 @@
|
||||
diff --git a/cups/http-addr.c b/cups/http-addr.c
|
||||
index 61c86384b..e86dcb622 100644
|
||||
--- a/cups/http-addr.c
|
||||
+++ b/cups/http-addr.c
|
||||
@@ -198,31 +198,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
|
||||
{
|
||||
mode_t mask; /* Umask setting */
|
||||
|
||||
- /*
|
||||
- * Remove any existing domain socket file...
|
||||
- */
|
||||
-
|
||||
- unlink(addr->un.sun_path);
|
||||
-
|
||||
- /*
|
||||
- * Save the current umask and set it to 0 so that all users can access
|
||||
- * the domain socket...
|
||||
- */
|
||||
-
|
||||
- mask = umask(0);
|
||||
-
|
||||
- /*
|
||||
- * Bind the domain socket...
|
||||
- */
|
||||
+ // Remove any existing domain socket file...
|
||||
+ if ((status = unlink(addr->un.sun_path)) < 0)
|
||||
+ {
|
||||
+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
|
||||
+ if (errno == ENOENT)
|
||||
+ status = 0;
|
||||
+ }
|
||||
|
||||
- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
|
||||
+ if (!status)
|
||||
+ {
|
||||
+ // Save the current umask and set it to 0 so that all users can access
|
||||
+ // the domain socket...
|
||||
+ mask = umask(0);
|
||||
|
||||
- /*
|
||||
- * Restore the umask and fix permissions...
|
||||
- */
|
||||
+ // Bind the domain socket...
|
||||
+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
|
||||
+ {
|
||||
+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
|
||||
+ }
|
||||
|
||||
- umask(mask);
|
||||
- chmod(addr->un.sun_path, 0140777);
|
||||
+ // Restore the umask...
|
||||
+ umask(mask);
|
||||
+ }
|
||||
}
|
||||
else
|
||||
#endif /* AF_LOCAL */
|
||||
diff --git a/scheduler/conf.c b/scheduler/conf.c
|
||||
index bc52d2add..93de8cf77 100644
|
||||
--- a/scheduler/conf.c
|
||||
+++ b/scheduler/conf.c
|
||||
@@ -3055,6 +3055,25 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
|
||||
|
||||
cupsd_listener_t *lis; /* New listeners array */
|
||||
|
||||
+ /*
|
||||
+ * If we are launched on-demand, do not use domain sockets from the config
|
||||
+ * file. Also check that the domain socket path is not too long...
|
||||
+ */
|
||||
+
|
||||
+#ifdef HAVE_ONDEMAND
|
||||
+ if (*value == '/' && OnDemand)
|
||||
+ {
|
||||
+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
|
||||
+ continue;
|
||||
+ }
|
||||
+#endif // HAVE_ONDEMAND
|
||||
+
|
||||
+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
|
||||
+ continue;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Get the address list...
|
||||
@ -22,7 +22,7 @@ Summary: CUPS printing system
|
||||
Name: cups
|
||||
Epoch: 1
|
||||
Version: 2.2.6
|
||||
Release: 57%{?dist}
|
||||
Release: 58%{?dist}
|
||||
License: GPLv2+ and LGPLv2 with exceptions and AML
|
||||
Url: http://www.cups.org/
|
||||
Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
|
||||
@ -170,6 +170,8 @@ Patch86: cups-preservejob-leak.patch
|
||||
Patch87: 0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch
|
||||
# RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
|
||||
Patch88: 0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch
|
||||
# CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
Patch89: 0001-Fix-domain-socket-handling.patch
|
||||
|
||||
Patch1000: cups-lspp.patch
|
||||
|
||||
@ -477,6 +479,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
|
||||
%patch87 -p1 -b .message-stderr
|
||||
# RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
|
||||
%patch88 -p1 -b .cupsgetjobs-pollhup
|
||||
# CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
%patch89 -p1 -b .cve2024-35235
|
||||
|
||||
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
|
||||
|
||||
@ -903,6 +907,9 @@ rm -f %{cups_serverbin}/backend/smb
|
||||
%{_mandir}/man5/ipptoolfile.5.gz
|
||||
|
||||
%changelog
|
||||
* Mon Jun 10 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.2.6-58
|
||||
- CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
|
||||
* Mon Feb 26 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-57
|
||||
- revert RHEL-19200 - no new subpackages are needed
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user