RHEL-60343 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file

Resolves: RHEL-60343
This commit is contained in:
Zdenek Dohnal 2024-10-01 14:11:23 +02:00
parent 520fa88ae2
commit 2ff20f8600
6 changed files with 570 additions and 1 deletions

View File

@ -0,0 +1,24 @@
diff -up cups-2.3.3op2/cups/ppd-cache.c.fix-warn cups-2.3.3op2/cups/ppd-cache.c
--- cups-2.3.3op2/cups/ppd-cache.c.fix-warn 2024-09-30 17:30:39.098043436 +0200
+++ cups-2.3.3op2/cups/ppd-cache.c 2024-09-30 17:31:30.738393111 +0200
@@ -3051,8 +3051,7 @@ _ppdCreateFromIPP(char *buffer, /* I -
int resolutions[1000];
/* Array of resolution indices */
char msgid[256]; /* Message identifier (attr.value) */
- const char *keyword, /* Keyword value */
- *msgstr; /* Localized string */
+ const char *keyword; /* Keyword value */
cups_lang_t *lang = cupsLangDefault();
/* Localization info */
cups_array_t *strings = NULL;/* Printer strings file */
@@ -4661,9 +4660,8 @@ _ppdCreateFromIPP(char *buffer, /* I -
{
ipp_t *preset = ippGetCollection(attr, i);
/* Preset collection */
- const char *preset_name = ippGetString(ippFindAttribute(preset, "preset-name", IPP_TAG_ZERO), 0, NULL),
+ const char *preset_name = ippGetString(ippFindAttribute(preset, "preset-name", IPP_TAG_ZERO), 0, NULL);
/* Preset name */
- *localized_name; /* Localized preset name */
ipp_attribute_t *member; /* Member attribute in preset */
const char *member_name; /* Member attribute name */
char member_value[256]; /* Member attribute value */

View File

@ -0,0 +1,57 @@
diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
index 977d0c6..c484d33 100644
--- a/cups/ppd-cache.c
+++ b/cups/ppd-cache.c
@@ -3134,10 +3134,10 @@ _ppdCreateFromIPP(char *buffer, /* I - Filename buffer */
cupsFilePuts(fp, "*cupsSNMPSupplies: False\n");
cupsFilePrintf(fp, "*cupsLanguages: \"%s\"\n", lang->language);
- if ((attr = ippFindAttribute(response, "printer-more-info", IPP_TAG_URI)) != NULL)
+ if ((attr = ippFindAttribute(response, "printer-more-info", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
cupsFilePrintf(fp, "*APSupplies: \"%s\"\n", ippGetString(attr, 0, NULL));
- if ((attr = ippFindAttribute(response, "printer-charge-info-uri", IPP_TAG_URI)) != NULL)
+ if ((attr = ippFindAttribute(response, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL));
if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL)
diff --git a/scheduler/ipp.c b/scheduler/ipp.c
index 728d164..5089172 100644
--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
@@ -5773,6 +5773,18 @@ create_local_bg_thread(
cupsdLogMessage(CUPSD_LOG_DEBUG, "%s: IPP/1.1 Get-Printer-Attributes returned %s (%s)", printer->name, ippErrorString(cupsLastError()), cupsLastErrorString());
}
+ // Validate response from printer...
+ if (!ippValidateAttributes(response))
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR, "%s: The printer contains invalid attributes.", printer->name);
+
+ if (response)
+ ippDelete(response);
+
+ httpClose(http);
+ return (NULL);
+ }
+
// TODO: Grab printer icon file...
httpClose(http);
diff --git a/systemv/lpadmin.c b/systemv/lpadmin.c
index daf24d5..eba7551 100644
--- a/systemv/lpadmin.c
+++ b/systemv/lpadmin.c
@@ -1226,6 +1226,12 @@ get_printer_ppd(
ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD, "requested-attributes", sizeof(pattrs) / sizeof(pattrs[0]), NULL, pattrs);
response = cupsDoRequest(http, request, resource);
+ if (response && !ippValidateAttributes(response))
+ {
+ _cupsLangPrintf(stderr, _("%s: The printer \"%s\" contains invalid IPP attributes."), "lpadmin", uri);
+ return (NULL);
+ }
+
if (cupsLastError() >= IPP_STATUS_REDIRECTION_OTHER_SITE)
{
_cupsLangPrintf(stderr, _("%s: Unable to query printer: %s"), "lpadmin", cupsLastErrorString());

View File

@ -0,0 +1,116 @@
From e0630cd18f76340d302000f2bf6516e99602b844 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <msweet@msweet.org>
Date: Mon, 9 Sep 2024 15:59:57 -0400
Subject: [PATCH] PPDize preset and template names.
---
cups/ppd-cache.c | 33 ++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
index 986c64f73..18c38d0ee 100644
--- a/cups/ppd-cache.c
+++ b/cups/ppd-cache.c
@@ -4975,12 +4975,14 @@ _ppdCreateFromIPP2(
cupsArrayAdd(templates, (void *)keyword);
+ pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+
snprintf(msgid, sizeof(msgid), "finishing-template.%s", keyword);
if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
msgstr = keyword;
- cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", keyword);
+ cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname);
for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr; finishing_attr = ippNextAttribute(finishing_col))
{
if (ippGetValueTag(finishing_attr) == IPP_TAG_BEGIN_COLLECTION)
@@ -4993,7 +4995,7 @@ _ppdCreateFromIPP2(
}
}
cupsFilePuts(fp, "\"\n");
- cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, keyword, msgstr);
+ cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, ppdname, msgstr);
cupsFilePuts(fp, "*End\n");
}
@@ -5039,7 +5041,8 @@ _ppdCreateFromIPP2(
if (!preset || !preset_name)
continue;
- cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", preset_name);
+ pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
+ cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", ppdname);
for (member = ippFirstAttribute(preset); member; member = ippNextAttribute(preset))
{
member_name = ippGetName(member);
@@ -5080,7 +5083,10 @@ _ppdCreateFromIPP2(
fin_col = ippGetCollection(member, i);
if ((keyword = ippGetString(ippFindAttribute(fin_col, "finishing-template", IPP_TAG_ZERO), 0, NULL)) != NULL)
- cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", keyword);
+ {
+ pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+ cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", ppdname);
+ }
}
}
else if (!strcmp(member_name, "media"))
@@ -5107,13 +5113,13 @@ _ppdCreateFromIPP2(
if ((keyword = ippGetString(ippFindAttribute(media_col, "media-source", IPP_TAG_ZERO), 0, NULL)) != NULL)
{
pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
- cupsFilePrintf(fp, "*InputSlot %s\n", keyword);
+ cupsFilePrintf(fp, "*InputSlot %s\n", ppdname);
}
if ((keyword = ippGetString(ippFindAttribute(media_col, "media-type", IPP_TAG_ZERO), 0, NULL)) != NULL)
{
pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
- cupsFilePrintf(fp, "*MediaType %s\n", keyword);
+ cupsFilePrintf(fp, "*MediaType %s\n", ppdname);
}
}
else if (!strcmp(member_name, "print-quality"))
@@ -5159,7 +5165,10 @@ _ppdCreateFromIPP2(
cupsFilePuts(fp, "\"\n*End\n");
if ((localized_name = _cupsMessageLookup(strings, preset_name)) != preset_name)
- cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, preset_name, localized_name);
+ {
+ pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
+ cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, ppdname, localized_name);
+ }
}
}
@@ -5543,7 +5552,7 @@ pwg_ppdize_name(const char *ipp, /* I - IPP keyword */
*end; /* End of name buffer */
- if (!ipp)
+ if (!ipp || !_cups_isalnum(*ipp))
{
*name = '\0';
return;
@@ -5558,8 +5567,14 @@ pwg_ppdize_name(const char *ipp, /* I - IPP keyword */
ipp ++;
*ptr++ = (char)toupper(*ipp++ & 255);
}
- else
+ else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || _cups_isalnum(*ipp))
+ {
*ptr++ = *ipp++;
+ }
+ else
+ {
+ ipp ++;
+ }
}
*ptr = '\0';
--
2.46.1

View File

@ -0,0 +1,220 @@
diff -up cups-2.3.3op2/cups/ppd-cache.c.quote-ppd-strings cups-2.3.3op2/cups/ppd-cache.c
--- cups-2.3.3op2/cups/ppd-cache.c.quote-ppd-strings 2024-09-30 17:24:43.345405200 +0200
+++ cups-2.3.3op2/cups/ppd-cache.c 2024-09-30 17:29:35.752595925 +0200
@@ -29,6 +29,7 @@
*/
static int cups_get_url(http_t **http, const char *url, char *name, size_t namesize);
+static void ppd_put_string(cups_file_t *fp, cups_lang_t *lang, cups_array_t *strings, const char *ppd_option, const char *ppd_choice, const char *pwg_msgid);
static void pwg_add_finishing(cups_array_t *finishings, ipp_finishings_t template, const char *name, const char *value);
static void pwg_add_message(cups_array_t *a, const char *msg, const char *str);
static int pwg_compare_finishings(_pwg_finishings_t *a, _pwg_finishings_t *b);
@@ -3211,7 +3212,7 @@ _ppdCreateFromIPP(char *buffer, /* I -
if ((attr = ippFindAttribute(response, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL));
- if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL)
+ if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
{
http_t *http = NULL; /* Connection to printer */
char stringsfile[1024]; /* Temporary strings file */
@@ -3768,13 +3769,16 @@ _ppdCreateFromIPP(char *buffer, /* I -
cupsFilePrintf(fp, "*DefaultInputSlot: %s\n", ppdname);
for (j = 0; j < (int)(sizeof(sources) / sizeof(sources[0])); j ++)
+ {
if (!strcmp(sources[j], keyword))
{
snprintf(msgid, sizeof(msgid), "media-source.%s", keyword);
+
cupsFilePrintf(fp, "*InputSlot %s: \"<</MediaPosition %d>>setpagedevice\"\n", ppdname, j);
- cupsFilePrintf(fp, "*%s.InputSlot %s/%s: \"\"\n", lang->language, ppdname, _cupsLangString(lang, msgid));
+ ppd_put_string(fp, lang, strings, "InputSlot", ppdname, msgid);
break;
}
+ }
}
cupsFilePuts(fp, "*CloseUI: *InputSlot\n");
}
@@ -3800,12 +3804,9 @@ _ppdCreateFromIPP(char *buffer, /* I -
pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
snprintf(msgid, sizeof(msgid), "media-type.%s", keyword);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
cupsFilePrintf(fp, "*MediaType %s: \"<</MediaType(%s)>>setpagedevice\"\n", ppdname, ppdname);
- cupsFilePrintf(fp, "*%s.MediaType %s/%s: \"\"\n", lang->language, ppdname, msgstr);
+ ppd_put_string(fp, lang, strings, "MediaType", ppdname, msgid);
}
cupsFilePuts(fp, "*CloseUI: *MediaType\n");
}
@@ -4035,12 +4036,9 @@ _ppdCreateFromIPP(char *buffer, /* I -
pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
snprintf(msgid, sizeof(msgid), "output-bin.%s", keyword);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
cupsFilePrintf(fp, "*OutputBin %s: \"\"\n", ppdname);
- cupsFilePrintf(fp, "*%s.OutputBin %s/%s: \"\"\n", lang->language, ppdname, msgstr);
+ ppd_put_string(fp, lang, strings, "OutputBin", ppdname, msgid);
if ((tray_ptr = ippGetOctetString(trays, i, &tray_len)) != NULL)
{
@@ -4159,9 +4157,6 @@ _ppdCreateFromIPP(char *buffer, /* I -
cupsArrayAdd(names, (char *)keyword);
snprintf(msgid, sizeof(msgid), "finishings.%d", value);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE)
ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE];
@@ -4176,7 +4171,7 @@ _ppdCreateFromIPP(char *buffer, /* I -
continue;
cupsFilePrintf(fp, "*StapleLocation %s: \"\"\n", ppd_keyword);
- cupsFilePrintf(fp, "*%s.StapleLocation %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
+ ppd_put_string(fp, lang, strings, "StapleLocation", ppd_keyword, msgid);
cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*StapleLocation %s\"\n", value, keyword, ppd_keyword);
}
@@ -4239,9 +4234,6 @@ _ppdCreateFromIPP(char *buffer, /* I -
cupsArrayAdd(names, (char *)keyword);
snprintf(msgid, sizeof(msgid), "finishings.%d", value);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE)
ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE];
@@ -4256,7 +4248,7 @@ _ppdCreateFromIPP(char *buffer, /* I -
continue;
cupsFilePrintf(fp, "*FoldType %s: \"\"\n", ppd_keyword);
- cupsFilePrintf(fp, "*%s.FoldType %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
+ ppd_put_string(fp, lang, strings, "FoldType", ppd_keyword, msgid);
cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*FoldType %s\"\n", value, keyword, ppd_keyword);
}
@@ -4327,9 +4319,6 @@ _ppdCreateFromIPP(char *buffer, /* I -
cupsArrayAdd(names, (char *)keyword);
snprintf(msgid, sizeof(msgid), "finishings.%d", value);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE)
ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE];
@@ -4344,7 +4333,7 @@ _ppdCreateFromIPP(char *buffer, /* I -
continue;
cupsFilePrintf(fp, "*PunchMedia %s: \"\"\n", ppd_keyword);
- cupsFilePrintf(fp, "*%s.PunchMedia %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
+ ppd_put_string(fp, lang, strings, "PunchMedia", ppd_keyword, msgid);
cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*PunchMedia %s\"\n", value, keyword, ppd_keyword);
}
@@ -4415,9 +4404,6 @@ _ppdCreateFromIPP(char *buffer, /* I -
cupsArrayAdd(names, (char *)keyword);
snprintf(msgid, sizeof(msgid), "finishings.%d", value);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
if (value == IPP_FINISHINGS_TRIM)
ppd_keyword = "Auto";
@@ -4425,7 +4411,7 @@ _ppdCreateFromIPP(char *buffer, /* I -
ppd_keyword = trim_keywords[value - IPP_FINISHINGS_TRIM_AFTER_PAGES];
cupsFilePrintf(fp, "*CutMedia %s: \"\"\n", ppd_keyword);
- cupsFilePrintf(fp, "*%s.CutMedia %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
+ ppd_put_string(fp, lang, strings, "CutMedia", ppd_keyword, msgid);
cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*CutMedia %s\"\n", value, keyword, ppd_keyword);
}
@@ -4467,9 +4453,6 @@ _ppdCreateFromIPP(char *buffer, /* I -
pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
snprintf(msgid, sizeof(msgid), "finishing-template.%s", keyword);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname);
for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr; finishing_attr = ippNextAttribute(finishing_col))
@@ -4484,7 +4467,7 @@ _ppdCreateFromIPP(char *buffer, /* I -
}
}
cupsFilePuts(fp, "\"\n");
- cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, ppdname, msgstr);
+ ppd_put_string(fp, lang, strings, "cupsFinishingTemplate", ppdname, msgid);
cupsFilePuts(fp, "*End\n");
}
@@ -4811,11 +4794,9 @@ _ppdCreateFromIPP(char *buffer, /* I -
cupsFilePuts(fp, "\"\n*End\n");
- if ((localized_name = _cupsMessageLookup(strings, preset_name)) != preset_name)
- {
- pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
- cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, ppdname, localized_name);
- }
+ snprintf(msgid, sizeof(msgid), "preset-name.%s", preset_name);
+ pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
+ ppd_put_string(fp, lang, strings, "APPrinterPreset", ppdname, msgid);
}
}
@@ -5054,6 +5035,43 @@ cups_get_url(http_t **http, /* IO -
}
+/*
+ * 'ppd_put_strings()' - Write localization attributes to a PPD file.
+ */
+
+static void
+ppd_put_string(cups_file_t *fp, /* I - PPD file */
+ cups_lang_t *lang, /* I - Language */
+ cups_array_t *strings, /* I - Strings */
+ const char *ppd_option,/* I - PPD option */
+ const char *ppd_choice,/* I - PPD choice */
+ const char *pwg_msgid) /* I - PWG message ID */
+{
+ const char *text; /* Localized text */
+
+
+ if ((text = _cupsLangString(lang, pwg_msgid)) == pwg_msgid || !strcmp(pwg_msgid, text))
+ {
+ if ((text = _cupsMessageLookup(strings, pwg_msgid)) == pwg_msgid)
+ return;
+ }
+
+ // Add the first line of localized text...
+ cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice);
+ while (*text && *text != '\n')
+ {
+ // Escape ":" and "<"...
+ if (*text == ':' || *text == '<')
+ cupsFilePrintf(fp, "<%02X>", *text);
+ else
+ cupsFilePutChar(fp, *text);
+
+ text ++;
+ }
+ cupsFilePuts(fp, ": \"\"\n");
+}
+
+
/*
* 'pwg_add_finishing()' - Add a finishings value.
*/

View File

@ -0,0 +1,136 @@
diff -up cups-2.3.3op2/cups/ppd-cache.c.make-model-refact cups-2.3.3op2/cups/ppd-cache.c
--- cups-2.3.3op2/cups/ppd-cache.c.make-model-refact 2024-09-30 17:19:35.443100091 +0200
+++ cups-2.3.3op2/cups/ppd-cache.c 2024-09-30 17:24:10.927162954 +0200
@@ -3027,9 +3027,10 @@ _ppdCreateFromIPP(char *buffer, /* I -
ipp_t *media_col, /* Media collection */
*media_size; /* Media size collection */
char make[256], /* Make and model */
- *model, /* Model name */
+ *mptr, /* Pointer into make and model */
ppdname[PPD_MAX_NAME];
/* PPD keyword */
+ const char *model; /* Model name */
int i, j, /* Looping vars */
count, /* Number of values */
bottom, /* Largest bottom margin */
@@ -3090,35 +3091,105 @@ _ppdCreateFromIPP(char *buffer, /* I -
}
/*
- * Standard stuff for PPD file...
+ * Get a sanitized make and model...
*/
- cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n");
- cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n");
- cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
- cupsFilePuts(fp, "*LanguageVersion: English\n");
- cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n");
- cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n");
- cupsFilePuts(fp, "*LanguageLevel: \"3\"\n");
- cupsFilePuts(fp, "*FileSystem: False\n");
- cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n");
+ if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr))
+ {
+ /*
+ * Sanitize the model name to only contain PPD-safe characters.
+ */
- if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL)
strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
+
+ for (mptr = make; *mptr; mptr ++)
+ {
+ if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"')
+ {
+ /*
+ * Truncate the make and model on the first bad character...
+ */
+
+ *mptr = '\0';
+ break;
+ }
+ }
+
+ while (mptr > make)
+ {
+ /*
+ * Strip trailing whitespace...
+ */
+
+ mptr --;
+ if (*mptr == ' ')
+ *mptr = '\0';
+ }
+
+ if (!make[0])
+ {
+ /*
+ * Use a default make and model if nothing remains...
+ */
+
+ strlcpy(make, "Unknown", sizeof(make));
+ }
+ }
else
- strlcpy(make, "Unknown Printer", sizeof(make));
+ {
+ /*
+ * Use a default make and model...
+ */
+
+ strlcpy(make, "Unknown", sizeof(make));
+ }
if (!_cups_strncasecmp(make, "Hewlett Packard ", 16) ||
!_cups_strncasecmp(make, "Hewlett-Packard ", 16))
{
+ /*
+ * Normalize HP printer make and model...
+ */
+
model = make + 16;
strlcpy(make, "HP", sizeof(make));
+
+ if (!_cups_strncasecmp(model, "HP ", 3))
+ model += 3;
+ }
+ else if ((mptr = strchr(make, ' ')) != NULL)
+ {
+ /*
+ * Separate "MAKE MODEL"...
+ */
+
+ while (*mptr && *mptr == ' ')
+ *mptr++ = '\0';
+
+ model = mptr;
}
- else if ((model = strchr(make, ' ')) != NULL)
- *model++ = '\0';
else
- model = make;
+ {
+ /*
+ * No separate model name...
+ */
+
+ model = "Printer";
+ }
+
+ /*
+ * Standard stuff for PPD file...
+ */
+ cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n");
+ cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n");
+ cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
+ cupsFilePuts(fp, "*LanguageVersion: English\n");
+ cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n");
+ cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n");
+ cupsFilePuts(fp, "*LanguageLevel: \"3\"\n");
+ cupsFilePuts(fp, "*FileSystem: False\n");
+ cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n");
cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make);
cupsFilePrintf(fp, "*ModelName: \"%s\"\n", model);
cupsFilePrintf(fp, "*Product: \"(%s)\"\n", model);

View File

@ -24,7 +24,7 @@ Summary: CUPS printing system
Name: cups Name: cups
Epoch: 1 Epoch: 1
Version: 2.3.3%{OP_VER} Version: 2.3.3%{OP_VER}
Release: 30%{?dist} Release: 31%{?dist}
License: ASL 2.0 License: ASL 2.0
Url: http://www.cups.org/ Url: http://www.cups.org/
# Apple stopped uploading the new versions into github, use OpenPrinting fork # Apple stopped uploading the new versions into github, use OpenPrinting fork
@ -150,6 +150,12 @@ Patch43: cups-socket-remove-on-stop.patch
# https://github.com/OpenPrinting/cups/commit/74f437b # https://github.com/OpenPrinting/cups/commit/74f437b
# https://github.com/OpenPrinting/cups/commit/fb0c914 # https://github.com/OpenPrinting/cups/commit/fb0c914
Patch44: cups-check-for-listeners.patch Patch44: cups-check-for-listeners.patch
# RHEL-60343 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
Patch45: 0001-mirror-ipp-everywhere-printer-changes-from-master.patch
Patch46: 0001-refactor-make-and-model-code.patch
Patch47: 0001-ppdize-preset-and-template-names.patch
Patch48: 0001-quote-ppd-localized-strings.patch
Patch49: 0001-fix-warnings-for-unused-vars.patch
##### Patches removed because IMHO they aren't no longer needed ##### Patches removed because IMHO they aren't no longer needed
@ -428,6 +434,13 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
# https://github.com/OpenPrinting/cups/commit/74f437b # https://github.com/OpenPrinting/cups/commit/74f437b
# https://github.com/OpenPrinting/cups/commit/fb0c914 # https://github.com/OpenPrinting/cups/commit/fb0c914
%patch44 -p1 -b .cups-check-for-listeners.patch %patch44 -p1 -b .cups-check-for-listeners.patch
# RHEL-60343 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
%patch45 -p1 -b .ippeve-validate
%patch46 -p1 -b .make-model-refact
%patch47 -p1 -b .ppdize-presets
%patch48 -p1 -b .quote-ppd-strings
%patch49 -p1 -b .fix-warn
%if %{lspp} %if %{lspp}
# LSPP support. # LSPP support.
@ -862,6 +875,9 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man7/ippeveps.7.gz %{_mandir}/man7/ippeveps.7.gz
%changelog %changelog
* Tue Oct 01 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-31
- RHEL-60343 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
* Thu Aug 15 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-30 * Thu Aug 15 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-30
- RHEL-6526 cups source rpm doesn't actually build lspp support - RHEL-6526 cups source rpm doesn't actually build lspp support
- fix memory leaks from LSPP - fix memory leaks from LSPP