fix use-after-free reported by OSH
Resolves: RHEL-129729
This commit is contained in:
parent
b265443ecb
commit
49f4908cbd
@ -0,0 +1,29 @@
|
||||
From c1d2c631267f28131dd31df5b895b8bfb3005b0d Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Dohnal <zdohnal@redhat.com>
|
||||
Date: Thu, 11 Dec 2025 15:12:55 +0100
|
||||
Subject: [PATCH] scheduler: Fix possible use_after_free in `cupsdReadClient()`
|
||||
|
||||
If `cupsdSendHeader()` fails, we free the connection and return -1, but
|
||||
in that case we try to free the connection again in `cupsdReadClient()`.
|
||||
---
|
||||
scheduler/client.c | 3 ---
|
||||
1 file changed, 3 deletions(-)
|
||||
|
||||
diff --git a/scheduler/client.c b/scheduler/client.c
|
||||
index f6166091e..63844d531 100644
|
||||
--- a/scheduler/client.c
|
||||
+++ b/scheduler/client.c
|
||||
@@ -2761,10 +2761,7 @@ check_start_tls(cupsd_client_t *con) /* I - Client connection */
|
||||
httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");
|
||||
|
||||
if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE))
|
||||
- {
|
||||
- cupsdCloseClient(con);
|
||||
return (-1);
|
||||
- }
|
||||
}
|
||||
|
||||
return (1);
|
||||
--
|
||||
2.52.0
|
||||
|
||||
10
cups.spec
10
cups.spec
@ -22,7 +22,7 @@ Summary: CUPS printing system
|
||||
Name: cups
|
||||
Epoch: 1
|
||||
Version: 2.2.6
|
||||
Release: 65%{?dist}
|
||||
Release: 66%{?dist}
|
||||
License: GPLv2+ and LGPLv2 with exceptions and AML
|
||||
Url: http://www.cups.org/
|
||||
Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
|
||||
@ -209,6 +209,9 @@ Patch102: 0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch
|
||||
# 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
|
||||
Patch103: 0001-Fix-various-issues-in-cupsd.patch
|
||||
Patch104: 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
|
||||
# fix use-after-free reported by OSH
|
||||
# https://github.com/OpenPrinting/cups/pull/1454
|
||||
Patch105: 0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch
|
||||
|
||||
Patch1000: cups-lspp.patch
|
||||
|
||||
@ -549,6 +552,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
|
||||
# RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues
|
||||
%patch103 -p1 -b .config-issues
|
||||
%patch104 -p1 -b .ignore-unknown
|
||||
# fix use-after-free reported by OSH
|
||||
%patch105 -p1 -b .osh-use-after-free
|
||||
|
||||
|
||||
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
|
||||
@ -976,6 +981,9 @@ rm -f %{cups_serverbin}/backend/smb
|
||||
%{_mandir}/man5/ipptoolfile.5.gz
|
||||
|
||||
%changelog
|
||||
* Fri Dec 12 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-66
|
||||
- fix use-after-free reported by OSH
|
||||
|
||||
* Tue Dec 09 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-65
|
||||
- RHEL-129729 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack
|
||||
- RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues
|
||||
|
||||
Loading…
Reference in New Issue
Block a user