From 1aac869610f404b7388ab8646a3c9803aa2615b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= Date: Mon, 10 Jun 2024 10:26:59 +0200 Subject: [PATCH] Patch CVE-2024-35235: cupsd Listen arbitrary chmod 0140777 Resolves: RHEL-40386 --- 0001-Fix-domain-socket-handling.patch | 86 +++++++++++++++++++++++++++ cups.spec | 9 ++- 2 files changed, 94 insertions(+), 1 deletion(-) create mode 100644 0001-Fix-domain-socket-handling.patch diff --git a/0001-Fix-domain-socket-handling.patch b/0001-Fix-domain-socket-handling.patch new file mode 100644 index 0000000..35c9ebd --- /dev/null +++ b/0001-Fix-domain-socket-handling.patch @@ -0,0 +1,86 @@ +diff --git a/cups/http-addr.c b/cups/http-addr.c +index 61c86384b..e86dcb622 100644 +--- a/cups/http-addr.c ++++ b/cups/http-addr.c +@@ -198,31 +198,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */ + { + mode_t mask; /* Umask setting */ + +- /* +- * Remove any existing domain socket file... +- */ +- +- unlink(addr->un.sun_path); +- +- /* +- * Save the current umask and set it to 0 so that all users can access +- * the domain socket... +- */ +- +- mask = umask(0); +- +- /* +- * Bind the domain socket... +- */ ++ // Remove any existing domain socket file... ++ if ((status = unlink(addr->un.sun_path)) < 0) ++ { ++ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno))); ++ if (errno == ENOENT) ++ status = 0; ++ } + +- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr)); ++ if (!status) ++ { ++ // Save the current umask and set it to 0 so that all users can access ++ // the domain socket... ++ mask = umask(0); + +- /* +- * Restore the umask and fix permissions... +- */ ++ // Bind the domain socket... ++ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0) ++ { ++ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno))); ++ } + +- umask(mask); +- chmod(addr->un.sun_path, 0140777); ++ // Restore the umask... ++ umask(mask); ++ } + } + else + #endif /* AF_LOCAL */ +diff --git a/scheduler/conf.c b/scheduler/conf.c +index bc52d2add..93de8cf77 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -3055,6 +3055,25 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ + + cupsd_listener_t *lis; /* New listeners array */ + ++ /* ++ * If we are launched on-demand, do not use domain sockets from the config ++ * file. Also check that the domain socket path is not too long... ++ */ ++ ++#ifdef HAVE_ONDEMAND ++ if (*value == '/' && OnDemand) ++ { ++ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET)) ++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum); ++ continue; ++ } ++#endif // HAVE_ONDEMAND ++ ++ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1)) ++ { ++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum); ++ continue; ++ } + + /* + * Get the address list... diff --git a/cups.spec b/cups.spec index fa0a0ed..3bcafb5 100644 --- a/cups.spec +++ b/cups.spec @@ -22,7 +22,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.2.6 -Release: 57%{?dist} +Release: 58%{?dist} License: GPLv2+ and LGPLv2 with exceptions and AML Url: http://www.cups.org/ Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz @@ -170,6 +170,8 @@ Patch86: cups-preservejob-leak.patch Patch87: 0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch # RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents Patch88: 0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch +# CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +Patch89: 0001-Fix-domain-socket-handling.patch Patch1000: cups-lspp.patch @@ -477,6 +479,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results. %patch87 -p1 -b .message-stderr # RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents %patch88 -p1 -b .cupsgetjobs-pollhup +# CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +%patch89 -p1 -b .cve2024-35235 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in @@ -903,6 +907,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog +* Mon Jun 10 2024 Pavol Zacik - 1:2.2.6-58 +- CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 + * Mon Feb 26 2024 Zdenek Dohnal - 1:2.2.6-57 - revert RHEL-19200 - no new subpackages are needed