fix use-after-free reported by OSH

Resolves: RHEL-129729
This commit is contained in:
Zdenek Dohnal 2025-12-12 09:48:18 +01:00
parent b265443ecb
commit 49f4908cbd
2 changed files with 38 additions and 1 deletions

View File

@ -0,0 +1,29 @@
From c1d2c631267f28131dd31df5b895b8bfb3005b0d Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 11 Dec 2025 15:12:55 +0100
Subject: [PATCH] scheduler: Fix possible use_after_free in `cupsdReadClient()`
If `cupsdSendHeader()` fails, we free the connection and return -1, but
in that case we try to free the connection again in `cupsdReadClient()`.
---
scheduler/client.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/scheduler/client.c b/scheduler/client.c
index f6166091e..63844d531 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -2761,10 +2761,7 @@ check_start_tls(cupsd_client_t *con) /* I - Client connection */
httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");
if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE))
- {
- cupsdCloseClient(con);
return (-1);
- }
}
return (1);
--
2.52.0

View File

@ -22,7 +22,7 @@ Summary: CUPS printing system
Name: cups
Epoch: 1
Version: 2.2.6
Release: 65%{?dist}
Release: 66%{?dist}
License: GPLv2+ and LGPLv2 with exceptions and AML
Url: http://www.cups.org/
Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@ -209,6 +209,9 @@ Patch102: 0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch
# 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
Patch103: 0001-Fix-various-issues-in-cupsd.patch
Patch104: 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
# fix use-after-free reported by OSH
# https://github.com/OpenPrinting/cups/pull/1454
Patch105: 0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch
Patch1000: cups-lspp.patch
@ -549,6 +552,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
# RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues
%patch103 -p1 -b .config-issues
%patch104 -p1 -b .ignore-unknown
# fix use-after-free reported by OSH
%patch105 -p1 -b .osh-use-after-free
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
@ -976,6 +981,9 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man5/ipptoolfile.5.gz
%changelog
* Fri Dec 12 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-66
- fix use-after-free reported by OSH
* Tue Dec 09 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-65
- RHEL-129729 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack
- RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues