import UBI cups-2.3.3op2-16.el9_2.1
This commit is contained in:
parent
d65a78ce01
commit
6625f5268c
@ -0,0 +1,31 @@
|
|||||||
|
From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael R Sweet <michael.r.sweet@gmail.com>
|
||||||
|
Date: Tue, 6 Dec 2022 09:04:01 -0500
|
||||||
|
Subject: [PATCH] Require authentication for CUPS-Get-Document.
|
||||||
|
|
||||||
|
---
|
||||||
|
conf/cupsd.conf.in | 8 +++++++-
|
||||||
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
|
||||||
|
index b25884907..a07536f3e 100644
|
||||||
|
--- a/conf/cupsd.conf.in
|
||||||
|
+++ b/conf/cupsd.conf.in
|
||||||
|
@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
|
||||||
|
Order deny,allow
|
||||||
|
</Limit>
|
||||||
|
|
||||||
|
- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
||||||
|
+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
|
||||||
|
+ Require user @OWNER @SYSTEM
|
||||||
|
+ Order deny,allow
|
||||||
|
+ </Limit>
|
||||||
|
+
|
||||||
|
+ <Limit CUPS-Get-Document>
|
||||||
|
+ AuthType Default
|
||||||
|
Require user @OWNER @SYSTEM
|
||||||
|
Order deny,allow
|
||||||
|
</Limit>
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
171
SOURCES/upgrade_get_document.py.in
Executable file
171
SOURCES/upgrade_get_document.py.in
Executable file
@ -0,0 +1,171 @@
|
|||||||
|
@PYTHON_SHEBANG@
|
||||||
|
|
||||||
|
"""
|
||||||
|
Upgrade script to enable authentication for CUPS-Get-Document in
|
||||||
|
default policy
|
||||||
|
"""
|
||||||
|
|
||||||
|
import os
|
||||||
|
import sys
|
||||||
|
from shutil import copy
|
||||||
|
|
||||||
|
|
||||||
|
def get_cupsd_conf():
|
||||||
|
"""
|
||||||
|
Get all lines from cupsd.conf
|
||||||
|
"""
|
||||||
|
if not os.path.exists('/etc/cups/cupsd.conf'):
|
||||||
|
return None
|
||||||
|
|
||||||
|
lines = []
|
||||||
|
with open('/etc/cups/cupsd.conf', 'r') as conf:
|
||||||
|
lines = conf.readlines()
|
||||||
|
|
||||||
|
return lines
|
||||||
|
|
||||||
|
|
||||||
|
def get_default_policy(lines):
|
||||||
|
"""
|
||||||
|
Get the default policy lines
|
||||||
|
|
||||||
|
:param list lines: lines from cupsd.conf
|
||||||
|
"""
|
||||||
|
default_policy = []
|
||||||
|
in_policy = False
|
||||||
|
|
||||||
|
for line in lines:
|
||||||
|
if not in_policy and not line.lstrip().startswith('<Policy default>'):
|
||||||
|
continue
|
||||||
|
|
||||||
|
default_policy.append(line)
|
||||||
|
|
||||||
|
if line.lstrip().startswith('</Policy>'):
|
||||||
|
return default_policy
|
||||||
|
|
||||||
|
in_policy = True
|
||||||
|
|
||||||
|
return default_policy
|
||||||
|
|
||||||
|
|
||||||
|
def get_limit_with_document(lines):
|
||||||
|
"""
|
||||||
|
Get <Limit> scope which defines CUPS-Get-Document operation
|
||||||
|
|
||||||
|
:param list lines: Lines containing the default policy
|
||||||
|
"""
|
||||||
|
limit = []
|
||||||
|
in_limit = False
|
||||||
|
|
||||||
|
for line in lines:
|
||||||
|
if not in_limit and not line.lstrip().startswith('<Limit'):
|
||||||
|
continue
|
||||||
|
|
||||||
|
if (not in_limit and line.lstrip().startswith('<Limit') and
|
||||||
|
not 'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
|
||||||
|
continue
|
||||||
|
|
||||||
|
limit.append(line)
|
||||||
|
|
||||||
|
if line.lstrip().startswith('</Limit>'):
|
||||||
|
return limit
|
||||||
|
|
||||||
|
in_limit = True
|
||||||
|
|
||||||
|
return limit
|
||||||
|
|
||||||
|
|
||||||
|
def check_for_authtype(lines):
|
||||||
|
"""
|
||||||
|
Check if <Limit> defining CUPS-Get-Document defines
|
||||||
|
any authentication
|
||||||
|
|
||||||
|
:param list lines: Lines of <Limit> scope which defines CUPS-Get-Document
|
||||||
|
"""
|
||||||
|
for line in lines:
|
||||||
|
if line.lstrip().startswith('AuthType'):
|
||||||
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
def migrate_cupsd_conf(lines):
|
||||||
|
"""
|
||||||
|
Make changes to cupsd.conf contents to use authentication
|
||||||
|
for CUPS-Get-Document
|
||||||
|
|
||||||
|
:param list lines: Lines from cupsd.conf
|
||||||
|
"""
|
||||||
|
new_lines = []
|
||||||
|
in_policy = False
|
||||||
|
create_document_limit = False
|
||||||
|
|
||||||
|
for line in lines:
|
||||||
|
if (in_policy and line.lstrip().startswith('<Limit') and
|
||||||
|
not line.lstrip().startswith('<Limit CUPS-Get-Document>') and
|
||||||
|
'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
|
||||||
|
line = line.replace(' CUPS-Get-Document', '')
|
||||||
|
create_document_limit = True
|
||||||
|
|
||||||
|
if in_policy and line.lstrip().startswith('</Policy>') and create_document_limit:
|
||||||
|
new_lines.append('\n')
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||||
|
'# added during upgrade\n')
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||||
|
'<Limit CUPS-Get-Document>\n')
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||||
|
'AuthType Default\n')
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||||
|
'Require user @OWNER @SYSTEM\n')
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||||
|
'Order deny,allow\n')
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||||
|
'</Limit>\n')
|
||||||
|
create_document_limit = False
|
||||||
|
|
||||||
|
new_lines.append(line)
|
||||||
|
|
||||||
|
if not in_policy:
|
||||||
|
if line.lstrip().startswith('<Policy default>'):
|
||||||
|
in_policy = True
|
||||||
|
continue
|
||||||
|
|
||||||
|
if line.lstrip().startswith('<Limit CUPS-Get-Document>'):
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||||
|
'# added during upgrade\n')
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||||
|
'AuthType Default\n')
|
||||||
|
continue
|
||||||
|
|
||||||
|
if line.lstrip().startswith('</Policy>'):
|
||||||
|
in_policy = False
|
||||||
|
continue
|
||||||
|
|
||||||
|
return new_lines
|
||||||
|
|
||||||
|
|
||||||
|
def apply_changes(lines):
|
||||||
|
"""
|
||||||
|
Backup the original file if there is no .rpmsave already and
|
||||||
|
apply changes to the actual cupsd.conf
|
||||||
|
|
||||||
|
:param list lines: New lines for cupsd.conf
|
||||||
|
"""
|
||||||
|
if not os.path.exists('/etc/cups/cupsd.conf.rpmsave'):
|
||||||
|
copy('/etc/cups/cupsd.conf', '/etc/cups/cupsd.conf.rpmsave')
|
||||||
|
|
||||||
|
with open('/etc/cups/cupsd.conf', 'w') as conf:
|
||||||
|
conf.writelines(lines)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
content = get_cupsd_conf()
|
||||||
|
if content is None:
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
if check_for_authtype(get_limit_with_document(get_default_policy(content))):
|
||||||
|
sys.exit(0)
|
||||||
|
|
||||||
|
new_content = migrate_cupsd_conf(content)
|
||||||
|
|
||||||
|
apply_changes(new_content)
|
||||||
|
|
||||||
|
sys.exit(0)
|
@ -7,6 +7,13 @@
|
|||||||
# but we use lib for compatibility with 3rd party drivers (at upstream request).
|
# but we use lib for compatibility with 3rd party drivers (at upstream request).
|
||||||
%global cups_serverbin %{_exec_prefix}/lib/cups
|
%global cups_serverbin %{_exec_prefix}/lib/cups
|
||||||
|
|
||||||
|
# we still need something for python2...
|
||||||
|
%if 0%{?rhel} >= 8 || 0%{?fedora}
|
||||||
|
%bcond_without python3
|
||||||
|
%else
|
||||||
|
%bcond_with python3
|
||||||
|
%endif
|
||||||
|
|
||||||
#%%global prever rc1
|
#%%global prever rc1
|
||||||
#%%global VERSION %%{version}%%{prever}
|
#%%global VERSION %%{version}%%{prever}
|
||||||
%global VERSION %{version}
|
%global VERSION %{version}
|
||||||
@ -17,7 +24,7 @@ Summary: CUPS printing system
|
|||||||
Name: cups
|
Name: cups
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 2.3.3%{OP_VER}
|
Version: 2.3.3%{OP_VER}
|
||||||
Release: 16%{?dist}
|
Release: 16%{?dist}.1
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
Url: http://www.cups.org/
|
Url: http://www.cups.org/
|
||||||
# Apple stopped uploading the new versions into github, use OpenPrinting fork
|
# Apple stopped uploading the new versions into github, use OpenPrinting fork
|
||||||
@ -26,6 +33,8 @@ Source0: https://github.com/OpenPrinting/cups/releases/download/v%{VERSION}/cups
|
|||||||
Source1: cupsprinter.png
|
Source1: cupsprinter.png
|
||||||
# cups_serverbin macro definition for use during builds
|
# cups_serverbin macro definition for use during builds
|
||||||
Source2: macros.cups
|
Source2: macros.cups
|
||||||
|
# CVE-2023-32360 migration script
|
||||||
|
Source3: upgrade_get_document.py.in
|
||||||
|
|
||||||
# PAM enablement, very old patch, not even git can track when or why
|
# PAM enablement, very old patch, not even git can track when or why
|
||||||
# the patch was added.
|
# the patch was added.
|
||||||
@ -103,6 +112,8 @@ Patch27: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
|
|||||||
Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch
|
Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch
|
||||||
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
||||||
Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
|
Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
|
||||||
|
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
|
||||||
|
Patch30: 0001-Require-authentication-for-CUPS-Get-Document.patch
|
||||||
|
|
||||||
|
|
||||||
##### Patches removed because IMHO they aren't no longer needed
|
##### Patches removed because IMHO they aren't no longer needed
|
||||||
@ -169,6 +180,13 @@ Requires(post): grep, sed
|
|||||||
Requires(preun): systemd
|
Requires(preun): systemd
|
||||||
Requires(postun): systemd
|
Requires(postun): systemd
|
||||||
|
|
||||||
|
# for upgrade-get-document script
|
||||||
|
%if %{with python3}
|
||||||
|
Requires(post): python3
|
||||||
|
%else
|
||||||
|
Requires(post): python
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%package client
|
%package client
|
||||||
Summary: CUPS printing system - client programs
|
Summary: CUPS printing system - client programs
|
||||||
@ -337,6 +355,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
|
|||||||
%patch28 -p1 -b .manpage-update
|
%patch28 -p1 -b .manpage-update
|
||||||
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
||||||
%patch29 -p1 -b .cve26691
|
%patch29 -p1 -b .cve26691
|
||||||
|
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
|
||||||
|
%patch30 -p1 -b .get-document-auth
|
||||||
|
|
||||||
%if %{lspp}
|
%if %{lspp}
|
||||||
# LSPP support.
|
# LSPP support.
|
||||||
@ -500,6 +520,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
|
|||||||
/^\([^%].*\)/d
|
/^\([^%].*\)/d
|
||||||
' > %{name}.lang
|
' > %{name}.lang
|
||||||
|
|
||||||
|
# install get-document upgrade script
|
||||||
|
install -m 0755 %{SOURCE3} %{buildroot}%{_sbindir}/upgrade_get_document
|
||||||
|
|
||||||
|
%if %{with python3}
|
||||||
|
sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python3,' %{buildroot}%{_sbindir}/upgrade_get_document
|
||||||
|
%else
|
||||||
|
sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python,' %{buildroot}%{_sbindir}/upgrade_get_document
|
||||||
|
%endif
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%systemd_post %{name}.path %{name}.socket %{name}.service
|
%systemd_post %{name}.path %{name}.socket %{name}.service
|
||||||
|
|
||||||
@ -547,6 +576,8 @@ do
|
|||||||
done
|
done
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%{_sbindir}/upgrade_get_document
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
%post client
|
%post client
|
||||||
@ -760,6 +791,9 @@ rm -f %{cups_serverbin}/backend/smb
|
|||||||
%{_mandir}/man7/ippeveps.7.gz
|
%{_mandir}/man7/ippeveps.7.gz
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 15 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16.1
|
||||||
|
- CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
|
||||||
|
|
||||||
* Thu Jun 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16
|
* Thu Jun 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16
|
||||||
- CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
- CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user