import UBI cups-2.3.3op2-16.el9_2.1

This commit is contained in:
eabdullin 2023-08-29 15:08:13 +00:00
parent d65a78ce01
commit 6625f5268c
3 changed files with 237 additions and 1 deletions

View File

@ -0,0 +1,31 @@
From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Tue, 6 Dec 2022 09:04:01 -0500
Subject: [PATCH] Require authentication for CUPS-Get-Document.
---
conf/cupsd.conf.in | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
index b25884907..a07536f3e 100644
--- a/conf/cupsd.conf.in
+++ b/conf/cupsd.conf.in
@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
Order deny,allow
</Limit>
- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ <Limit CUPS-Get-Document>
+ AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
--
2.41.0

View File

@ -0,0 +1,171 @@
@PYTHON_SHEBANG@
"""
Upgrade script to enable authentication for CUPS-Get-Document in
default policy
"""
import os
import sys
from shutil import copy
def get_cupsd_conf():
"""
Get all lines from cupsd.conf
"""
if not os.path.exists('/etc/cups/cupsd.conf'):
return None
lines = []
with open('/etc/cups/cupsd.conf', 'r') as conf:
lines = conf.readlines()
return lines
def get_default_policy(lines):
"""
Get the default policy lines
:param list lines: lines from cupsd.conf
"""
default_policy = []
in_policy = False
for line in lines:
if not in_policy and not line.lstrip().startswith('<Policy default>'):
continue
default_policy.append(line)
if line.lstrip().startswith('</Policy>'):
return default_policy
in_policy = True
return default_policy
def get_limit_with_document(lines):
"""
Get <Limit> scope which defines CUPS-Get-Document operation
:param list lines: Lines containing the default policy
"""
limit = []
in_limit = False
for line in lines:
if not in_limit and not line.lstrip().startswith('<Limit'):
continue
if (not in_limit and line.lstrip().startswith('<Limit') and
not 'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
continue
limit.append(line)
if line.lstrip().startswith('</Limit>'):
return limit
in_limit = True
return limit
def check_for_authtype(lines):
"""
Check if <Limit> defining CUPS-Get-Document defines
any authentication
:param list lines: Lines of <Limit> scope which defines CUPS-Get-Document
"""
for line in lines:
if line.lstrip().startswith('AuthType'):
return True
return False
def migrate_cupsd_conf(lines):
"""
Make changes to cupsd.conf contents to use authentication
for CUPS-Get-Document
:param list lines: Lines from cupsd.conf
"""
new_lines = []
in_policy = False
create_document_limit = False
for line in lines:
if (in_policy and line.lstrip().startswith('<Limit') and
not line.lstrip().startswith('<Limit CUPS-Get-Document>') and
'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
line = line.replace(' CUPS-Get-Document', '')
create_document_limit = True
if in_policy and line.lstrip().startswith('</Policy>') and create_document_limit:
new_lines.append('\n')
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'# added during upgrade\n')
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'<Limit CUPS-Get-Document>\n')
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
'AuthType Default\n')
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
'Require user @OWNER @SYSTEM\n')
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
'Order deny,allow\n')
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'</Limit>\n')
create_document_limit = False
new_lines.append(line)
if not in_policy:
if line.lstrip().startswith('<Policy default>'):
in_policy = True
continue
if line.lstrip().startswith('<Limit CUPS-Get-Document>'):
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'# added during upgrade\n')
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'AuthType Default\n')
continue
if line.lstrip().startswith('</Policy>'):
in_policy = False
continue
return new_lines
def apply_changes(lines):
"""
Backup the original file if there is no .rpmsave already and
apply changes to the actual cupsd.conf
:param list lines: New lines for cupsd.conf
"""
if not os.path.exists('/etc/cups/cupsd.conf.rpmsave'):
copy('/etc/cups/cupsd.conf', '/etc/cups/cupsd.conf.rpmsave')
with open('/etc/cups/cupsd.conf', 'w') as conf:
conf.writelines(lines)
content = get_cupsd_conf()
if content is None:
sys.exit(1)
if check_for_authtype(get_limit_with_document(get_default_policy(content))):
sys.exit(0)
new_content = migrate_cupsd_conf(content)
apply_changes(new_content)
sys.exit(0)

View File

@ -7,6 +7,13 @@
# but we use lib for compatibility with 3rd party drivers (at upstream request). # but we use lib for compatibility with 3rd party drivers (at upstream request).
%global cups_serverbin %{_exec_prefix}/lib/cups %global cups_serverbin %{_exec_prefix}/lib/cups
# we still need something for python2...
%if 0%{?rhel} >= 8 || 0%{?fedora}
%bcond_without python3
%else
%bcond_with python3
%endif
#%%global prever rc1 #%%global prever rc1
#%%global VERSION %%{version}%%{prever} #%%global VERSION %%{version}%%{prever}
%global VERSION %{version} %global VERSION %{version}
@ -17,7 +24,7 @@ Summary: CUPS printing system
Name: cups Name: cups
Epoch: 1 Epoch: 1
Version: 2.3.3%{OP_VER} Version: 2.3.3%{OP_VER}
Release: 16%{?dist} Release: 16%{?dist}.1
License: ASL 2.0 License: ASL 2.0
Url: http://www.cups.org/ Url: http://www.cups.org/
# Apple stopped uploading the new versions into github, use OpenPrinting fork # Apple stopped uploading the new versions into github, use OpenPrinting fork
@ -26,6 +33,8 @@ Source0: https://github.com/OpenPrinting/cups/releases/download/v%{VERSION}/cups
Source1: cupsprinter.png Source1: cupsprinter.png
# cups_serverbin macro definition for use during builds # cups_serverbin macro definition for use during builds
Source2: macros.cups Source2: macros.cups
# CVE-2023-32360 migration script
Source3: upgrade_get_document.py.in
# PAM enablement, very old patch, not even git can track when or why # PAM enablement, very old patch, not even git can track when or why
# the patch was added. # the patch was added.
@ -103,6 +112,8 @@ Patch27: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch
# CVE-2022-26691 cups: authorization bypass when using "local" authorization # CVE-2022-26691 cups: authorization bypass when using "local" authorization
Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
Patch30: 0001-Require-authentication-for-CUPS-Get-Document.patch
##### Patches removed because IMHO they aren't no longer needed ##### Patches removed because IMHO they aren't no longer needed
@ -169,6 +180,13 @@ Requires(post): grep, sed
Requires(preun): systemd Requires(preun): systemd
Requires(postun): systemd Requires(postun): systemd
# for upgrade-get-document script
%if %{with python3}
Requires(post): python3
%else
Requires(post): python
%endif
%package client %package client
Summary: CUPS printing system - client programs Summary: CUPS printing system - client programs
@ -337,6 +355,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
%patch28 -p1 -b .manpage-update %patch28 -p1 -b .manpage-update
# CVE-2022-26691 cups: authorization bypass when using "local" authorization # CVE-2022-26691 cups: authorization bypass when using "local" authorization
%patch29 -p1 -b .cve26691 %patch29 -p1 -b .cve26691
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
%patch30 -p1 -b .get-document-auth
%if %{lspp} %if %{lspp}
# LSPP support. # LSPP support.
@ -500,6 +520,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
/^\([^%].*\)/d /^\([^%].*\)/d
' > %{name}.lang ' > %{name}.lang
# install get-document upgrade script
install -m 0755 %{SOURCE3} %{buildroot}%{_sbindir}/upgrade_get_document
%if %{with python3}
sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python3,' %{buildroot}%{_sbindir}/upgrade_get_document
%else
sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python,' %{buildroot}%{_sbindir}/upgrade_get_document
%endif
%post %post
%systemd_post %{name}.path %{name}.socket %{name}.service %systemd_post %{name}.path %{name}.socket %{name}.service
@ -547,6 +576,8 @@ do
done done
%endif %endif
%{_sbindir}/upgrade_get_document
exit 0 exit 0
%post client %post client
@ -760,6 +791,9 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man7/ippeveps.7.gz %{_mandir}/man7/ippeveps.7.gz
%changelog %changelog
* Tue Aug 15 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16.1
- CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
* Thu Jun 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16 * Thu Jun 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16
- CVE-2022-26691 cups: authorization bypass when using "local" authorization - CVE-2022-26691 cups: authorization bypass when using "local" authorization