From 2ff20f8600fef4e11bde3cf0550c4cd66eceeccf Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Tue, 1 Oct 2024 14:11:23 +0200 Subject: [PATCH] RHEL-60343 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file Resolves: RHEL-60343 --- 0001-fix-warnings-for-unused-vars.patch | 24 ++ ...erywhere-printer-changes-from-master.patch | 57 +++++ 0001-ppdize-preset-and-template-names.patch | 116 +++++++++ 0001-quote-ppd-localized-strings.patch | 220 ++++++++++++++++++ 0001-refactor-make-and-model-code.patch | 136 +++++++++++ cups.spec | 18 +- 6 files changed, 570 insertions(+), 1 deletion(-) create mode 100644 0001-fix-warnings-for-unused-vars.patch create mode 100644 0001-mirror-ipp-everywhere-printer-changes-from-master.patch create mode 100644 0001-ppdize-preset-and-template-names.patch create mode 100644 0001-quote-ppd-localized-strings.patch create mode 100644 0001-refactor-make-and-model-code.patch diff --git a/0001-fix-warnings-for-unused-vars.patch b/0001-fix-warnings-for-unused-vars.patch new file mode 100644 index 0000000..e5950be --- /dev/null +++ b/0001-fix-warnings-for-unused-vars.patch 
@@ -0,0 +1,24 @@ +diff -up cups-2.3.3op2/cups/ppd-cache.c.fix-warn cups-2.3.3op2/cups/ppd-cache.c +--- cups-2.3.3op2/cups/ppd-cache.c.fix-warn 2024-09-30 17:30:39.098043436 +0200 ++++ cups-2.3.3op2/cups/ppd-cache.c 2024-09-30 17:31:30.738393111 +0200 +@@ -3051,8 +3051,7 @@ _ppdCreateFromIPP(char *buffer, /* I - + int resolutions[1000]; + /* Array of resolution indices */ + char msgid[256]; /* Message identifier (attr.value) */ +- const char *keyword, /* Keyword value */ +- *msgstr; /* Localized string */ ++ const char *keyword; /* Keyword value */ + cups_lang_t *lang = cupsLangDefault(); + /* Localization info */ + cups_array_t *strings = NULL;/* Printer strings file */ +@@ -4661,9 +4660,8 @@ _ppdCreateFromIPP(char *buffer, /* I - + { + ipp_t *preset = ippGetCollection(attr, i); + /* Preset collection */ +- const char *preset_name = ippGetString(ippFindAttribute(preset, "preset-name", IPP_TAG_ZERO), 0, NULL), ++ const char *preset_name = ippGetString(ippFindAttribute(preset, "preset-name", IPP_TAG_ZERO), 0, NULL); + /* Preset name */ +- *localized_name; /* Localized preset name */ + ipp_attribute_t *member; /* Member attribute in preset */ + const char *member_name; /* Member attribute name */ + char member_value[256]; /* Member attribute value */ diff --git a/0001-mirror-ipp-everywhere-printer-changes-from-master.patch b/0001-mirror-ipp-everywhere-printer-changes-from-master.patch new file mode 100644 index 0000000..31f1f7a --- /dev/null +++ b/0001-mirror-ipp-everywhere-printer-changes-from-master.patch 
@@ -0,0 +1,57 @@ +diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c +index 977d0c6..c484d33 100644 +--- a/cups/ppd-cache.c ++++ b/cups/ppd-cache.c +@@ -3134,10 +3134,10 @@ _ppdCreateFromIPP(char *buffer, /* I - Filename buffer */ + cupsFilePuts(fp, "*cupsSNMPSupplies: False\n"); + cupsFilePrintf(fp, "*cupsLanguages: \"%s\"\n", lang->language); + +- if ((attr = ippFindAttribute(response, "printer-more-info", IPP_TAG_URI)) != NULL) ++ if ((attr = ippFindAttribute(response, "printer-more-info", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) + cupsFilePrintf(fp, "*APSupplies: \"%s\"\n", ippGetString(attr, 0, NULL)); + +- if ((attr = ippFindAttribute(response, "printer-charge-info-uri", IPP_TAG_URI)) != NULL) ++ if ((attr = ippFindAttribute(response, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) + cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL)); + + if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL) +diff --git a/scheduler/ipp.c b/scheduler/ipp.c +index 728d164..5089172 100644 +--- a/scheduler/ipp.c ++++ b/scheduler/ipp.c +@@ -5773,6 +5773,18 @@ create_local_bg_thread( + cupsdLogMessage(CUPSD_LOG_DEBUG, "%s: IPP/1.1 Get-Printer-Attributes returned %s (%s)", printer->name, ippErrorString(cupsLastError()), cupsLastErrorString()); + } + ++ // Validate response from printer... ++ if (!ippValidateAttributes(response)) ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, "%s: The printer contains invalid attributes.", printer->name); ++ ++ if (response) ++ ippDelete(response); ++ ++ httpClose(http); ++ return (NULL); ++ } ++ + // TODO: Grab printer icon file... 
+ httpClose(http); + +diff --git a/systemv/lpadmin.c b/systemv/lpadmin.c +index daf24d5..eba7551 100644 +--- a/systemv/lpadmin.c ++++ b/systemv/lpadmin.c +@@ -1226,6 +1226,12 @@ get_printer_ppd( + ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD, "requested-attributes", sizeof(pattrs) / sizeof(pattrs[0]), NULL, pattrs); + response = cupsDoRequest(http, request, resource); + ++ if (response && !ippValidateAttributes(response)) ++ { ++ _cupsLangPrintf(stderr, _("%s: The printer \"%s\" contains invalid IPP attributes."), "lpadmin", uri); ++ return (NULL); ++ } ++ + if (cupsLastError() >= IPP_STATUS_REDIRECTION_OTHER_SITE) + { + _cupsLangPrintf(stderr, _("%s: Unable to query printer: %s"), "lpadmin", cupsLastErrorString()); diff --git a/0001-ppdize-preset-and-template-names.patch b/0001-ppdize-preset-and-template-names.patch new file mode 100644 index 0000000..ec88f36 --- /dev/null +++ b/0001-ppdize-preset-and-template-names.patch 
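Review bot: The early `return (NULL);` added to get_printer_ppd in systemv/lpadmin.c exits without releasing `response` or closing `http`, whereas the parallel check added to create_local_bg_thread in scheduler/ipp.c calls `ippDelete(response)` and `httpClose(http)` before returning. Assuming get_printer_ppd owns both objects, I would add `ippDelete(response);` and `httpClose(http);` ahead of that return so the two rejection paths clean up the same way. Both functions continue outside their hunks, so confirm that no later cleanup already covers this path. In the scheduler check, the `if (response)` guard implies `response` may be NULL when `ippValidateAttributes(response)` is called; a one-line comment saying whether a NULL response is accepted there would help the next reader.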
@@ -0,0 +1,116 @@ +From e0630cd18f76340d302000f2bf6516e99602b844 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Mon, 9 Sep 2024 15:59:57 -0400 +Subject: [PATCH] PPDize preset and template names. + +--- + cups/ppd-cache.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c +index 986c64f73..18c38d0ee 100644 +--- a/cups/ppd-cache.c ++++ b/cups/ppd-cache.c +@@ -4975,12 +4975,14 @@ _ppdCreateFromIPP2( + + cupsArrayAdd(templates, (void *)keyword); + ++ pwg_ppdize_name(keyword, ppdname, sizeof(ppdname)); ++ + snprintf(msgid, sizeof(msgid), "finishing-template.%s", keyword); + if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr)) + if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid) + msgstr = keyword; + +- cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", keyword); ++ cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname); + for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr; finishing_attr = ippNextAttribute(finishing_col)) + { + if (ippGetValueTag(finishing_attr) == IPP_TAG_BEGIN_COLLECTION) +@@ -4993,7 +4995,7 @@ _ppdCreateFromIPP2( + } + } + cupsFilePuts(fp, "\"\n"); +- cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, keyword, msgstr); ++ cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, ppdname, msgstr); + cupsFilePuts(fp, "*End\n"); + } + +@@ -5039,7 +5041,8 @@ _ppdCreateFromIPP2( + if (!preset || !preset_name) + continue; + +- cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", preset_name); ++ pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname)); ++ cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", ppdname); + for (member = ippFirstAttribute(preset); member; member = ippNextAttribute(preset)) + { + member_name = ippGetName(member); +@@ -5080,7 +5083,10 @@ _ppdCreateFromIPP2( + fin_col = ippGetCollection(member, i); + + if ((keyword = 
ippGetString(ippFindAttribute(fin_col, "finishing-template", IPP_TAG_ZERO), 0, NULL)) != NULL) +- cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", keyword); ++ { ++ pwg_ppdize_name(keyword, ppdname, sizeof(ppdname)); ++ cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", ppdname); ++ } + } + } + else if (!strcmp(member_name, "media")) +@@ -5107,13 +5113,13 @@ _ppdCreateFromIPP2( + if ((keyword = ippGetString(ippFindAttribute(media_col, "media-source", IPP_TAG_ZERO), 0, NULL)) != NULL) + { + pwg_ppdize_name(keyword, ppdname, sizeof(ppdname)); +- cupsFilePrintf(fp, "*InputSlot %s\n", keyword); ++ cupsFilePrintf(fp, "*InputSlot %s\n", ppdname); + } + + if ((keyword = ippGetString(ippFindAttribute(media_col, "media-type", IPP_TAG_ZERO), 0, NULL)) != NULL) + { + pwg_ppdize_name(keyword, ppdname, sizeof(ppdname)); +- cupsFilePrintf(fp, "*MediaType %s\n", keyword); ++ cupsFilePrintf(fp, "*MediaType %s\n", ppdname); + } + } + else if (!strcmp(member_name, "print-quality")) +@@ -5159,7 +5165,10 @@ _ppdCreateFromIPP2( + cupsFilePuts(fp, "\"\n*End\n"); + + if ((localized_name = _cupsMessageLookup(strings, preset_name)) != preset_name) +- cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, preset_name, localized_name); ++ { ++ pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname)); ++ cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, ppdname, localized_name); ++ } + } + } + +@@ -5543,7 +5552,7 @@ pwg_ppdize_name(const char *ipp, /* I - IPP keyword */ + *end; /* End of name buffer */ + + +- if (!ipp) ++ if (!ipp || !_cups_isalnum(*ipp)) + { + *name = '\0'; + return; +@@ -5558,8 +5567,14 @@ pwg_ppdize_name(const char *ipp, /* I - IPP keyword */ + ipp ++; + *ptr++ = (char)toupper(*ipp++ & 255); + } +- else ++ else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || _cups_isalnum(*ipp)) ++ { + *ptr++ = *ipp++; ++ } ++ else ++ { ++ ipp ++; ++ } + } + + *ptr = '\0'; +-- +2.46.1 + 
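Review bot: pwg_ppdize_name() now returns an empty string when the IPP keyword does not start with an alphanumeric character, and none of the call sites touched in `_ppdCreateFromIPP2` checks for that before writing, so lines such as `*cupsFinishingTemplate %s: \"` and `*APPrinterPreset %s: \"` can be emitted with no keyword at all. I would skip the entry when the sanitized name is empty, e.g. `if (!ppdname[0]) continue;` right after the pwg_ppdize_name() call in the preset loop, with an equivalent guard at the other sites. Because unsupported characters are now dropped, two distinct printer-supplied names can also collapse to the same PPD keyword. A short comment on pwg_ppdize_name() stating that only `_`, `.`, `-` and alphanumerics are kept would document that. The enclosing functions start and end outside these hunks.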
diff --git a/0001-quote-ppd-localized-strings.patch b/0001-quote-ppd-localized-strings.patch new file mode 100644 index 0000000..5d26c47 --- /dev/null +++ b/0001-quote-ppd-localized-strings.patch 
@@ -0,0 +1,220 @@ +diff -up cups-2.3.3op2/cups/ppd-cache.c.quote-ppd-strings cups-2.3.3op2/cups/ppd-cache.c +--- cups-2.3.3op2/cups/ppd-cache.c.quote-ppd-strings 2024-09-30 17:24:43.345405200 +0200 ++++ cups-2.3.3op2/cups/ppd-cache.c 2024-09-30 17:29:35.752595925 +0200 +@@ -29,6 +29,7 @@ + */ + + static int cups_get_url(http_t **http, const char *url, char *name, size_t namesize); ++static void ppd_put_string(cups_file_t *fp, cups_lang_t *lang, cups_array_t *strings, const char *ppd_option, const char *ppd_choice, const char *pwg_msgid); + static void pwg_add_finishing(cups_array_t *finishings, ipp_finishings_t template, const char *name, const char *value); + static void pwg_add_message(cups_array_t *a, const char *msg, const char *str); + static int pwg_compare_finishings(_pwg_finishings_t *a, _pwg_finishings_t *b); +@@ -3211,7 +3212,7 @@ _ppdCreateFromIPP(char *buffer, /* I - + if ((attr = ippFindAttribute(response, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) + cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL)); + +- if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL) ++ if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) + { + http_t *http = NULL; /* Connection to printer */ + char stringsfile[1024]; /* Temporary strings file */ +@@ -3768,13 +3769,16 @@ _ppdCreateFromIPP(char *buffer, /* I - + cupsFilePrintf(fp, "*DefaultInputSlot: %s\n", ppdname); + + for (j = 0; j < (int)(sizeof(sources) / sizeof(sources[0])); j ++) ++ { + if (!strcmp(sources[j], keyword)) + { + snprintf(msgid, sizeof(msgid), "media-source.%s", keyword); ++ + cupsFilePrintf(fp, "*InputSlot %s: \"<>setpagedevice\"\n", ppdname, j); +- cupsFilePrintf(fp, "*%s.InputSlot %s/%s: \"\"\n", lang->language, ppdname, _cupsLangString(lang, msgid)); ++ ppd_put_string(fp, lang, strings, "InputSlot", ppdname, msgid); + break; + } ++ } + } + 
cupsFilePuts(fp, "*CloseUI: *InputSlot\n"); + } +@@ -3800,12 +3804,9 @@ _ppdCreateFromIPP(char *buffer, /* I - + pwg_ppdize_name(keyword, ppdname, sizeof(ppdname)); + + snprintf(msgid, sizeof(msgid), "media-type.%s", keyword); +- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr)) +- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid) +- msgstr = keyword; + + cupsFilePrintf(fp, "*MediaType %s: \"<>setpagedevice\"\n", ppdname, ppdname); +- cupsFilePrintf(fp, "*%s.MediaType %s/%s: \"\"\n", lang->language, ppdname, msgstr); ++ ppd_put_string(fp, lang, strings, "MediaType", ppdname, msgid); + } + cupsFilePuts(fp, "*CloseUI: *MediaType\n"); + } +@@ -4035,12 +4036,9 @@ _ppdCreateFromIPP(char *buffer, /* I - + pwg_ppdize_name(keyword, ppdname, sizeof(ppdname)); + + snprintf(msgid, sizeof(msgid), "output-bin.%s", keyword); +- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr)) +- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid) +- msgstr = keyword; + + cupsFilePrintf(fp, "*OutputBin %s: \"\"\n", ppdname); +- cupsFilePrintf(fp, "*%s.OutputBin %s/%s: \"\"\n", lang->language, ppdname, msgstr); ++ ppd_put_string(fp, lang, strings, "OutputBin", ppdname, msgid); + + if ((tray_ptr = ippGetOctetString(trays, i, &tray_len)) != NULL) + { +@@ -4159,9 +4157,6 @@ _ppdCreateFromIPP(char *buffer, /* I - + cupsArrayAdd(names, (char *)keyword); + + snprintf(msgid, sizeof(msgid), "finishings.%d", value); +- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr)) +- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid) +- msgstr = keyword; + + if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE) + ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE]; +@@ -4176,7 +4171,7 @@ _ppdCreateFromIPP(char *buffer, /* I - + continue; + + cupsFilePrintf(fp, "*StapleLocation %s: \"\"\n", ppd_keyword); +- cupsFilePrintf(fp, "*%s.StapleLocation %s/%s: \"\"\n", lang->language, 
ppd_keyword, msgstr); ++ ppd_put_string(fp, lang, strings, "StapleLocation", ppd_keyword, msgid); + cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*StapleLocation %s\"\n", value, keyword, ppd_keyword); + } + +@@ -4239,9 +4234,6 @@ _ppdCreateFromIPP(char *buffer, /* I - + cupsArrayAdd(names, (char *)keyword); + + snprintf(msgid, sizeof(msgid), "finishings.%d", value); +- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr)) +- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid) +- msgstr = keyword; + + if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE) + ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE]; +@@ -4256,7 +4248,7 @@ _ppdCreateFromIPP(char *buffer, /* I - + continue; + + cupsFilePrintf(fp, "*FoldType %s: \"\"\n", ppd_keyword); +- cupsFilePrintf(fp, "*%s.FoldType %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr); ++ ppd_put_string(fp, lang, strings, "FoldType", ppd_keyword, msgid); + cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*FoldType %s\"\n", value, keyword, ppd_keyword); + } + +@@ -4327,9 +4319,6 @@ _ppdCreateFromIPP(char *buffer, /* I - + cupsArrayAdd(names, (char *)keyword); + + snprintf(msgid, sizeof(msgid), "finishings.%d", value); +- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr)) +- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid) +- msgstr = keyword; + + if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE) + ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE]; +@@ -4344,7 +4333,7 @@ _ppdCreateFromIPP(char *buffer, /* I - + continue; + + cupsFilePrintf(fp, "*PunchMedia %s: \"\"\n", ppd_keyword); +- cupsFilePrintf(fp, "*%s.PunchMedia %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr); ++ ppd_put_string(fp, lang, strings, "PunchMedia", ppd_keyword, msgid); + cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*PunchMedia %s\"\n", value, keyword, ppd_keyword); + } + +@@ -4415,9 +4404,6 @@ _ppdCreateFromIPP(char *buffer, 
/* I - + cupsArrayAdd(names, (char *)keyword); + + snprintf(msgid, sizeof(msgid), "finishings.%d", value); +- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr)) +- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid) +- msgstr = keyword; + + if (value == IPP_FINISHINGS_TRIM) + ppd_keyword = "Auto"; +@@ -4425,7 +4411,7 @@ _ppdCreateFromIPP(char *buffer, /* I - + ppd_keyword = trim_keywords[value - IPP_FINISHINGS_TRIM_AFTER_PAGES]; + + cupsFilePrintf(fp, "*CutMedia %s: \"\"\n", ppd_keyword); +- cupsFilePrintf(fp, "*%s.CutMedia %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr); ++ ppd_put_string(fp, lang, strings, "CutMedia", ppd_keyword, msgid); + cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*CutMedia %s\"\n", value, keyword, ppd_keyword); + } + +@@ -4467,9 +4453,6 @@ _ppdCreateFromIPP(char *buffer, /* I - + pwg_ppdize_name(keyword, ppdname, sizeof(ppdname)); + + snprintf(msgid, sizeof(msgid), "finishing-template.%s", keyword); +- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr)) +- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid) +- msgstr = keyword; + + cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname); + for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr; finishing_attr = ippNextAttribute(finishing_col)) +@@ -4484,7 +4467,7 @@ _ppdCreateFromIPP(char *buffer, /* I - + } + } + cupsFilePuts(fp, "\"\n"); +- cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, ppdname, msgstr); ++ ppd_put_string(fp, lang, strings, "cupsFinishingTemplate", ppdname, msgid); + cupsFilePuts(fp, "*End\n"); + } + +@@ -4811,11 +4794,9 @@ _ppdCreateFromIPP(char *buffer, /* I - + + cupsFilePuts(fp, "\"\n*End\n"); + +- if ((localized_name = _cupsMessageLookup(strings, preset_name)) != preset_name) +- { +- pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname)); +- cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, ppdname, 
localized_name); +- } ++ snprintf(msgid, sizeof(msgid), "preset-name.%s", preset_name); ++ pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname)); ++ ppd_put_string(fp, lang, strings, "APPrinterPreset", ppdname, msgid); + } + } + +@@ -5054,6 +5035,43 @@ cups_get_url(http_t **http, /* IO - + } + + ++/* ++ * 'ppd_put_strings()' - Write localization attributes to a PPD file. ++ */ ++ ++static void ++ppd_put_string(cups_file_t *fp, /* I - PPD file */ ++ cups_lang_t *lang, /* I - Language */ ++ cups_array_t *strings, /* I - Strings */ ++ const char *ppd_option,/* I - PPD option */ ++ const char *ppd_choice,/* I - PPD choice */ ++ const char *pwg_msgid) /* I - PWG message ID */ ++{ ++ const char *text; /* Localized text */ ++ ++ ++ if ((text = _cupsLangString(lang, pwg_msgid)) == pwg_msgid || !strcmp(pwg_msgid, text)) ++ { ++ if ((text = _cupsMessageLookup(strings, pwg_msgid)) == pwg_msgid) ++ return; ++ } ++ ++ // Add the first line of localized text... ++ cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice); ++ while (*text && *text != '\n') ++ { ++ // Escape ":" and "<"... ++ if (*text == ':' || *text == '<') ++ cupsFilePrintf(fp, "<%02X>", *text); ++ else ++ cupsFilePutChar(fp, *text); ++ ++ text ++; ++ } ++ cupsFilePuts(fp, ": \"\"\n"); ++} ++ ++ + /* + * 'pwg_add_finishing()' - Add a finishings value. + */ diff --git a/0001-refactor-make-and-model-code.patch b/0001-refactor-make-and-model-code.patch new file mode 100644 index 0000000..c556e5c --- /dev/null +++ b/0001-refactor-make-and-model-code.patch 
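Review bot: The copy loop in ppd_put_string() stops only at `'\n'` and escapes only `:` and `<`, so any other control byte in the localized text (a carriage return, for example) is written into the PPD line unchanged. Since the text can come from the printer's strings file, I would end the loop on any control character, `while (*text && (unsigned char)*text >= ' ')`, or escape such bytes with the same `<%02X>` form after casting to `unsigned char`. How the PPD reader treats a bare CR is not visible in this patch, so take this as hardening rather than a confirmed break. Separately, the header comment names `'ppd_put_strings()'` while the function is `ppd_put_string`; it should read `'ppd_put_string()' - Write a localization attribute to a PPD file.`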
@@ -0,0 +1,136 @@ +diff -up cups-2.3.3op2/cups/ppd-cache.c.make-model-refact cups-2.3.3op2/cups/ppd-cache.c +--- cups-2.3.3op2/cups/ppd-cache.c.make-model-refact 2024-09-30 17:19:35.443100091 +0200 ++++ cups-2.3.3op2/cups/ppd-cache.c 2024-09-30 17:24:10.927162954 +0200 +@@ -3027,9 +3027,10 @@ _ppdCreateFromIPP(char *buffer, /* I - + ipp_t *media_col, /* Media collection */ + *media_size; /* Media size collection */ + char make[256], /* Make and model */ +- *model, /* Model name */ ++ *mptr, /* Pointer into make and model */ + ppdname[PPD_MAX_NAME]; + /* PPD keyword */ ++ const char *model; /* Model name */ + int i, j, /* Looping vars */ + count, /* Number of values */ + bottom, /* Largest bottom margin */ +@@ -3090,35 +3091,105 @@ _ppdCreateFromIPP(char *buffer, /* I - + } + + /* +- * Standard stuff for PPD file... ++ * Get a sanitized make and model... + */ + +- cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n"); +- cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n"); +- cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR); +- cupsFilePuts(fp, "*LanguageVersion: English\n"); +- cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n"); +- cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n"); +- cupsFilePuts(fp, "*LanguageLevel: \"3\"\n"); +- cupsFilePuts(fp, "*FileSystem: False\n"); +- cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n"); ++ if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr)) ++ { ++ /* ++ * Sanitize the model name to only contain PPD-safe characters. ++ */ + +- if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL) + strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make)); ++ ++ for (mptr = make; *mptr; mptr ++) ++ { ++ if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"') ++ { ++ /* ++ * Truncate the make and model on the first bad character... 
++ */ ++ ++ *mptr = '\0'; ++ break; ++ } ++ } ++ ++ while (mptr > make) ++ { ++ /* ++ * Strip trailing whitespace... ++ */ ++ ++ mptr --; ++ if (*mptr == ' ') ++ *mptr = '\0'; ++ } ++ ++ if (!make[0]) ++ { ++ /* ++ * Use a default make and model if nothing remains... ++ */ ++ ++ strlcpy(make, "Unknown", sizeof(make)); ++ } ++ } + else +- strlcpy(make, "Unknown Printer", sizeof(make)); ++ { ++ /* ++ * Use a default make and model... ++ */ ++ ++ strlcpy(make, "Unknown", sizeof(make)); ++ } + + if (!_cups_strncasecmp(make, "Hewlett Packard ", 16) || + !_cups_strncasecmp(make, "Hewlett-Packard ", 16)) + { ++ /* ++ * Normalize HP printer make and model... ++ */ ++ + model = make + 16; + strlcpy(make, "HP", sizeof(make)); ++ ++ if (!_cups_strncasecmp(model, "HP ", 3)) ++ model += 3; ++ } ++ else if ((mptr = strchr(make, ' ')) != NULL) ++ { ++ /* ++ * Separate "MAKE MODEL"... ++ */ ++ ++ while (*mptr && *mptr == ' ') ++ *mptr++ = '\0'; ++ ++ model = mptr; + } +- else if ((model = strchr(make, ' ')) != NULL) +- *model++ = '\0'; + else +- model = make; ++ { ++ /* ++ * No separate model name... ++ */ ++ ++ model = "Printer"; ++ } ++ ++ /* ++ * Standard stuff for PPD file... ++ */ + ++ cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n"); ++ cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n"); ++ cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR); ++ cupsFilePuts(fp, "*LanguageVersion: English\n"); ++ cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n"); ++ cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n"); ++ cupsFilePuts(fp, "*LanguageLevel: \"3\"\n"); ++ cupsFilePuts(fp, "*FileSystem: False\n"); ++ cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n"); + cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make); + cupsFilePrintf(fp, "*ModelName: \"%s\"\n", model); + cupsFilePrintf(fp, "*Product: \"(%s)\"\n", model); diff --git a/cups.spec b/cups.spec index 790bb8d..236dda2 100644 --- a/cups.spec +++ b/cups.spec 
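Review bot: The "Strip trailing whitespace" loop in the new make-and-model block has no exit once it meets a non-space character, so it walks back to the start of `make` and overwrites every space in the string with NUL, not only the trailing ones. As written, `make` is cut at its first space before the "Hewlett Packard " comparison and the `strchr(make, ' ')` split run, so both branches are skipped and `model` falls through to "Printer" for any multi-word name. Adding `else break;` after `*mptr = '\0';` confines the loop to trailing spaces. _ppdCreateFromIPP continues outside the hunk.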
@@ -24,7 +24,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.3.3%{OP_VER} -Release: 30%{?dist} +Release: 31%{?dist} License: ASL 2.0 Url: http://www.cups.org/ # Apple stopped uploading the new versions into github, use OpenPrinting fork @@ -150,6 +150,12 @@ Patch43: cups-socket-remove-on-stop.patch # https://github.com/OpenPrinting/cups/commit/74f437b # https://github.com/OpenPrinting/cups/commit/fb0c914 Patch44: cups-check-for-listeners.patch +# RHEL-60343 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file +Patch45: 0001-mirror-ipp-everywhere-printer-changes-from-master.patch +Patch46: 0001-refactor-make-and-model-code.patch +Patch47: 0001-ppdize-preset-and-template-names.patch +Patch48: 0001-quote-ppd-localized-strings.patch +Patch49: 0001-fix-warnings-for-unused-vars.patch ##### Patches removed because IMHO they aren't no longer needed @@ -428,6 +434,13 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in # https://github.com/OpenPrinting/cups/commit/74f437b # https://github.com/OpenPrinting/cups/commit/fb0c914 %patch44 -p1 -b .cups-check-for-listeners.patch +# RHEL-60343 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file +%patch45 -p1 -b .ippeve-validate +%patch46 -p1 -b .make-model-refact +%patch47 -p1 -b .ppdize-presets +%patch48 -p1 -b .quote-ppd-strings +%patch49 -p1 -b .fix-warn + %if %{lspp} # LSPP support. @@ -862,6 +875,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Tue Oct 01 2024 Zdenek Dohnal - 1:2.3.3op2-31 +- RHEL-60343 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file + * Thu Aug 15 2024 Zdenek Dohnal - 1:2.3.3op2-30 - RHEL-6526 cups source rpm doesn't actually build lspp support - fix memory leaks from LSPP