From 2423543e46d2befb7b2380ef2604197c3b460bf7 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 23 Jul 2024 20:28:35 +0000
Subject: [PATCH] import UBI cups-2.3.3op2-27.el9_4
---
 SOURCES/0001-Fix-domain-socket-handling.patch | 86 +++++++++++++++++
 SOURCES/cups-check-for-listeners.patch | 94 +++++++++++++++++++
 SOURCES/cups-socket-remove-on-stop.patch | 12 +++
 SPECS/cups.spec | 39 +++++++-
 4 files changed, 230 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0001-Fix-domain-socket-handling.patch
 create mode 100644 SOURCES/cups-check-for-listeners.patch
 create mode 100644 SOURCES/cups-socket-remove-on-stop.patch
diff --git a/SOURCES/0001-Fix-domain-socket-handling.patch b/SOURCES/0001-Fix-domain-socket-handling.patch
new file mode 100644
index 0000000..1b1006c
--- /dev/null
+++ b/SOURCES/0001-Fix-domain-socket-handling.patch
@@ -0,0 +1,86 @@
+diff --git a/cups/http-addr.c b/cups/http-addr.c
+index 86749c848..5b035e02b 100644
+--- a/cups/http-addr.c
++++ b/cups/http-addr.c
+@@ -196,31 +196,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
+ {
+ mode_t mask; /* Umask setting */
+
+- /*
+- * Remove any existing domain socket file...
+- */
+-
+- unlink(addr->un.sun_path);
+-
+- /*
+- * Save the current umask and set it to 0 so that all users can access
+- * the domain socket...
+- */
+-
+- mask = umask(0);
+-
+- /*
+- * Bind the domain socket...
+- */
++ // Remove any existing domain socket file...
++ if ((status = unlink(addr->un.sun_path)) < 0)
++ {
++ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
++ if (errno == ENOENT)
++ status = 0;
++ }
+
+- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
++ if (!status)
++ {
++ // Save the current umask and set it to 0 so that all users can access
++ // the domain socket...
++ mask = umask(0);
+
+- /*
+- * Restore the umask and fix permissions...
+- */
++ // Bind the domain socket...
++ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
++ {
++ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
++ }
+
+- umask(mask);
+- chmod(addr->un.sun_path, 0140777);
++ // Restore the umask...
++ umask(mask);
++ }
+ }
+ else
+ #endif /* AF_LOCAL */
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index bb6049b2c..4c703c9b9 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -3062,6 +3062,25 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
+
+ cupsd_listener_t *lis; /* New listeners array */
+
++ /*
++ * If we are launched on-demand, do not use domain sockets from the config
++ * file. Also check that the domain socket path is not too long...
++ */
++
++#ifdef HAVE_ONDEMAND
++ if (*value == '/' && OnDemand)
++ {
++ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
++ continue;
++ }
++#endif // HAVE_ONDEMAND
++
++ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
++ continue;
++ }
+
+ /*
+ * Get the address list...
diff --git a/SOURCES/cups-check-for-listeners.patch b/SOURCES/cups-check-for-listeners.patch
new file mode 100644
index 0000000..ffbe8d2
--- /dev/null
+++ b/SOURCES/cups-check-for-listeners.patch
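Review bot: In the new unlink branch of `httpAddrListen`, `errno` is compared with `ENOENT` only after `DEBUG_printf(...)` has run, so in a debug build where that macro expands to a real call the value may already have been overwritten and a merely absent socket file could be treated as a failure. Testing first keeps the decision independent of logging, e.g. `if (errno == ENOENT) status = 0; else DEBUG_printf((...));`, which also stops the ordinary first-start case from being reported as "Unable to unlink". With `chmod(addr->un.sun_path, 0140777)` removed, the socket's mode appears to come only from the `umask(0)` held around `bind()`, and a one-line comment saying so would help the next reader. The function begins and ends outside this hunk, so how a non-zero `status` reaches the caller is not visible here.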
@@ -0,0 +1,94 @@
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index c113eb3..77ce179 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -573,6 +573,18 @@ cupsdReadConfiguration(void)
+
+ cupsdDeleteAllListeners();
+
++ /*
++ * Allocate Listeners array
++ */
++
++ Listeners = cupsArrayNew(NULL, NULL);
++
++ if (!Listeners)
++ {
++ fprintf(stderr, "Unable to allocate memory for array Listeners.\n");
++ return (0);
++ }
++
+ old_remote_port = RemotePort;
+ RemotePort = 0;
+
+@@ -1080,28 +1092,6 @@ cupsdReadConfiguration(void)
+ }
+ }
+
+- /*
+- * Check that we have at least one listen/port line; if not, report this
+- * as an error and exit!
+- */
+-
+- if (cupsArrayCount(Listeners) == 0)
+- {
+- /*
+- * No listeners!
+- */
+-
+- cupsdLogMessage(CUPSD_LOG_EMERG,
+- "No valid Listen or Port lines were found in the "
+- "configuration file.");
+-
+- /*
+- * Commit suicide...
+- */
+-
+- cupsdEndProcess(getpid(), 0);
+- }
+-
+ /*
+ * Set the default locale using the language and charset...
+ */
+@@ -3162,17 +3152,6 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
+ * Allocate another listener...
+ */
+
+- if (!Listeners)
+- Listeners = cupsArrayNew(NULL, NULL);
+-
+- if (!Listeners)
+- {
+- cupsdLogMessage(CUPSD_LOG_ERROR,
+- "Unable to allocate %s at line %d - %s.",
+- line, linenum, strerror(errno));
+- break;
+- }
+-
+ if ((lis = calloc(1, sizeof(cupsd_listener_t))) == NULL)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+diff --git a/scheduler/main.c b/scheduler/main.c
+index a6e2c3a..b935c52 100644
+--- a/scheduler/main.c
++++ b/scheduler/main.c
+@@ -2113,6 +2113,21 @@ service_checkin(void)
+ service_add_listener(fd, 0);
+ }
+ #endif /* HAVE_LAUNCHD */
++
++ if (cupsArrayCount(Listeners) == 0)
++ {
++ /*
++ * No listeners!
++ */
++
++ cupsdLogMessage(CUPSD_LOG_EMERG, "No listener sockets present.");
++
++ /*
++ * Commit suicide...
++ */
++
++ cupsdEndProcess(getpid(), 0);
++ }
+ }
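Review bot: The zero-listener check removed from `cupsdReadConfiguration()` ran on every configuration read, while its replacement sits at the end of `service_checkin()`; whether that function is reached on a reload, or in builds without on-demand support, is not visible in these hunks and should be confirmed before relying on it. The new message `"No listener sockets present."` also drops the pointer to the configuration file, so I would keep that hint, e.g. `"No listener sockets present - check the Listen and Port lines in the configuration file."`. In the first conf.c hunk the allocation failure is written with `fprintf(stderr, ...)` instead of `cupsdLogMessage`, which deserves a short comment explaining why the log is not used at that point. Both functions begin outside the hunks shown.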
diff --git a/SOURCES/cups-socket-remove-on-stop.patch b/SOURCES/cups-socket-remove-on-stop.patch
new file mode 100644
index 0000000..0987774
--- /dev/null
+++ b/SOURCES/cups-socket-remove-on-stop.patch
@@ -0,0 +1,12 @@
+diff --git a/scheduler/cups.socket.in b/scheduler/cups.socket.in
+index 613b977a6..1deee826a 100644
+--- a/scheduler/cups.socket.in
++++ b/scheduler/cups.socket.in
+@@ -4,6 +4,7 @@ PartOf=org.cups.cupsd.service
+
+ [Socket]
+ ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@
++RemoveOnStop=on
+
+ [Install]
+ WantedBy=sockets.target
diff --git a/SPECS/cups.spec b/SPECS/cups.spec
index 7b7eb9c..4e1545c 100644
--- a/SPECS/cups.spec
+++ b/SPECS/cups.spec
@@ -24,7 +24,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 24%{?dist}
+Release: 27%{?dist}
 License: ASL 2.0
 Url: http://www.cups.org/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
@@ -132,6 +132,19 @@ Patch37: cups-preservejobfiles-leak.patch Patch38: 0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch # RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents Patch39: 0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch +# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/a436956 +Patch40: 0001-Fix-domain-socket-handling.patch +# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/3448c52 +Patch41: cups-socket-remove-on-stop.patch +# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/7adb508 +# https://github.com/OpenPrinting/cups/commit/824f49f +# https://github.com/OpenPrinting/cups/commit/56b9728 +# https://github.com/OpenPrinting/cups/commit/74f437b +# https://github.com/OpenPrinting/cups/commit/fb0c914 +Patch42: cups-check-for-listeners.patch ##### Patches removed because IMHO they aren't no longer needed 
@@ -393,6 +406,19 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch38 -p1 -b .log-stderr # RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents %patch39 -p1 -b .cupsgetjobs-pollhup +# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/a436956 +%patch40 -p1 -b .cve2024-35235 +# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/3448c52 +%patch41 -p1 -b .cups-socket-remove-on-stop.patch +# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/7adb508 +# https://github.com/OpenPrinting/cups/commit/824f49f +# https://github.com/OpenPrinting/cups/commit/56b9728 +# https://github.com/OpenPrinting/cups/commit/74f437b +# https://github.com/OpenPrinting/cups/commit/fb0c914 +%patch42 -p1 -b .cups-check-for-listeners.patch %if %{lspp} # LSPP support. @@ -827,6 +853,17 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Wed Jun 19 2024 Pavol Zacik - 1:2.3.3op2-27 +- Revert the cups-libs license identifier to the "legacy" format + +* Tue Jun 18 2024 Pavol Zacik - 1:2.3.3op2-26 +- RHEL-40388 cups: Cupsd Listen arbitrary chmod 0140777 +- Delete the domain socket file after stopping the cups.socket service +- Fix cupsd Listener checks + +* Mon Jun 10 2024 Pavol Zacik - 1:2.3.3op2-25 +- CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 + * Mon Feb 26 2024 Zdenek Dohnal - 1:2.3.3op2-24 - revert RHEL-19205 - new packages are not needed
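Review bot: The backup suffixes on the two new `%patch` lines carry a `.patch` extension (`-b .cups-socket-remove-on-stop.patch` and `-b .cups-check-for-listeners.patch`), unlike `%patch40 -p1 -b .cve2024-35235` and the earlier entries, so the saved originals will end in `.patch` and can be mistaken for patch files in the build tree. I would write `%patch41 -p1 -b .socket-remove-on-stop` and `%patch42 -p1 -b .check-for-listeners` to match the existing convention.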