From 35035e002c8f42f526d55ef63249859d4dc5efd7 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Wed, 26 Apr 2023 15:33:55 +0200
Subject: [PATCH] 2189919 - CGI scripts don't work with local Negotiate authentication
Resolves: rhbz#2189919
---
 cups-local-negotiate.patch | 115 +++++++++++++++++++++++++++++++++++++
 cups.spec | 9 ++-
 2 files changed, 123 insertions(+), 1 deletion(-)
 create mode 100644 cups-local-negotiate.patch
diff --git a/cups-local-negotiate.patch b/cups-local-negotiate.patch
new file mode 100644
index 0000000..593d83c
--- /dev/null
+++ b/cups-local-negotiate.patch
@@ -0,0 +1,115 @@
+diff --git a/cups/auth.c b/cups/auth.c
+index db45bbb..b6fec6b 100644
+--- a/cups/auth.c
++++ b/cups/auth.c
+@@ -90,6 +90,7 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status,
+ # define cups_gss_printf(major, minor, message)
+ # endif /* DEBUG */
+ #endif /* HAVE_GSSAPI */
++static int cups_is_local_connection(http_t *http);
+ static int cups_local_auth(http_t *http);
+ 
+ 
+@@ -174,10 +175,10 @@ cupsDoAuthentication(
+ DEBUG_printf(("2cupsDoAuthentication: Trying scheme \"%s\"...", scheme));
+ 
+ #ifdef HAVE_GSSAPI
+- if (!_cups_strcasecmp(scheme, "Negotiate"))
++ if (!_cups_strcasecmp(scheme, "Negotiate") && !cups_is_local_connection(http))
+ {
+ /*
+- * Kerberos authentication...
++ * Kerberos authentication to remote server...
+ */
+ 
+ int gss_status; /* Auth status */
+@@ -201,7 +202,9 @@ cupsDoAuthentication(
+ }
+ else
+ #endif /* HAVE_GSSAPI */
+- if (_cups_strcasecmp(scheme, "Basic") && _cups_strcasecmp(scheme, "Digest"))
++ if (_cups_strcasecmp(scheme, "Basic") &&
++ _cups_strcasecmp(scheme, "Digest") &&
++ _cups_strcasecmp(scheme, "Negotiate"))
+ {
+ /*
+ * Other schemes not yet supported...
+@@ -215,7 +218,7 @@ cupsDoAuthentication(
+ * See if we should retry the current username:password...
+ */
+ 
+- if ((http->digest_tries > 1 || !http->userpass[0]) && (!_cups_strcasecmp(scheme, "Basic") || (!_cups_strcasecmp(scheme, "Digest"))))
++ if (http->digest_tries > 1 || !http->userpass[0])
+ {
+ /*
+ * Nope - get a new password from the user...
+@@ -295,7 +298,7 @@ cupsDoAuthentication(
+ }
+ }
+ 
+- if (http->authstring)
++ if (http->authstring && http->authstring[0])
+ {
+ DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\".", http->authstring));
+ 
+@@ -916,6 +919,14 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */
+ # endif /* DEBUG */
+ #endif /* HAVE_GSSAPI */
+ 
++static int /* O - 0 if not a local connection */
++ /* 1 if local connection */
++cups_is_local_connection(http_t *http) /* I - HTTP connection to server */
++{
++ if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
++ return 0;
++ return 1;
++}
+ 
+ /*
+ * 'cups_local_auth()' - Get the local authorization certificate if
+@@ -958,7 +969,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
+ * See if we are accessing localhost...
+ */
+ 
+- if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
++ if (!cups_is_local_connection(http))
+ {
+ DEBUG_puts("8cups_local_auth: Not a local connection!");
+ return (1);
+@@ -1032,11 +1043,6 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
+ }
+ # endif /* HAVE_AUTHORIZATION_H */
+ 
+-# ifdef HAVE_GSSAPI
+- if (cups_auth_find(www_auth, "Negotiate"))
+- return (1);
+-# endif /* HAVE_GSSAPI */
+-
+ # if defined(SO_PEERCRED) && defined(AF_LOCAL)
+ /*
+ * See if we can authenticate using the peer credentials provided over a
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 89c76bf..40708d9 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -2244,18 +2244,13 @@ cupsdSendHeader(
+ }
+ else if (auth_type == CUPSD_AUTH_NEGOTIATE)
+ {
+-#if defined(SO_PEERCRED) && defined(AF_LOCAL)
+- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
+- strlcpy(auth_str, "PeerCred", sizeof(auth_str));
+- else
+-#endif /* SO_PEERCRED && AF_LOCAL */
+ strlcpy(auth_str, "Negotiate", sizeof(auth_str));
+ }
+ 
+- if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && 
!con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
++ if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
+ {
+ /*
+- * Add a "trc" (try root certification) parameter for local non-Kerberos
++ * Add a "trc" (try root certification) parameter for local
+ * requests when the request requires system group membership - then the
+ * client knows the root certificate can/should be used.
+ *
diff --git a/cups.spec b/cups.spec
index b92b39d..42eb030 100644
--- a/cups.spec
+++ b/cups.spec
@@ -17,7 +17,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: ASL 2.0
 Url: http://www.cups.org/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
@@ -103,6 +103,8 @@ Patch27: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
 Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch
 # CVE-2022-26691 cups: authorization bypass when using "local" authorization
 Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
+# 2189919 - CGI scripts don't work with local Negotiate authentication
+Patch30: cups-local-negotiate.patch
 ##### Patches removed because IMHO they aren't no longer needed
@@ -337,6 +339,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch28 -p1 -b .manpage-update
 # CVE-2022-26691 cups: authorization bypass when using "local" authorization
 %patch29 -p1 -b .cve26691
+# 2189919 - CGI scripts don't work with local Negotiate authentication
+%patch30 -p1 -b .local-negotiate
 %if %{lspp}
 # LSPP support.
@@ -760,6 +764,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz
 %changelog
+* Wed Apr 26 2023 Zdenek Dohnal - 1:2.3.3op2-18
+- 2189919 - CGI scripts don't work with local Negotiate authentication
+
 * Mon Apr 03 2023 Zdenek Dohnal - 1:2.3.3op2-17
 - RHEL-314 - Enable fmf tests in centos stream
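Review bot: The new cups_is_local_connection() in cups/auth.c has no function-header comment, while the other statics in that file carry one (the `'cups_local_auth()' - Get the local authorization certificate if …` block is visible a few lines below it); add `/* 'cups_is_local_connection()' - Return 1 when the connection is to localhost, by address or by hostname. */` above the definition. The helper dereferences http->hostaddr and http->hostname with no NULL check, so its new caller in cupsDoAuthentication relies on http having been validated earlier in that function, which lies outside the hunk. Its body can be the single expression `return (httpAddrLocalhost(http->hostaddr) || !_cups_strcasecmp(http->hostname, "localhost"));`, the same predicate cups_local_auth previously evaluated inline. One consequence deserves a comment at the `!cups_is_local_connection(http)` guard: a Negotiate challenge from a local server now falls through to the Basic/Digest password-prompt path, and the retry test `if (http->digest_tries > 1 || !http->userpass[0])` no longer restricts itself to those two schemes, while the code that turns the prompted credentials into an Authorization header is outside the hunk, so whether a prompt for local Negotiate ever yields a usable authstring cannot be confirmed here.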