import UBI cups-2.3.3op2-16.el9_2.1
This commit is contained in:
parent
d65a78ce01
commit
6625f5268c
@ -0,0 +1,31 @@
|
||||
From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
|
||||
From: Michael R Sweet <michael.r.sweet@gmail.com>
|
||||
Date: Tue, 6 Dec 2022 09:04:01 -0500
|
||||
Subject: [PATCH] Require authentication for CUPS-Get-Document.
|
||||
|
||||
---
|
||||
conf/cupsd.conf.in | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
|
||||
index b25884907..a07536f3e 100644
|
||||
--- a/conf/cupsd.conf.in
|
||||
+++ b/conf/cupsd.conf.in
|
||||
@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
|
||||
- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
||||
+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
|
||||
+ Require user @OWNER @SYSTEM
|
||||
+ Order deny,allow
|
||||
+ </Limit>
|
||||
+
|
||||
+ <Limit CUPS-Get-Document>
|
||||
+ AuthType Default
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
--
|
||||
2.41.0
|
||||
|
171
SOURCES/upgrade_get_document.py.in
Executable file
171
SOURCES/upgrade_get_document.py.in
Executable file
@ -0,0 +1,171 @@
|
||||
@PYTHON_SHEBANG@
|
||||
|
||||
"""
|
||||
Upgrade script to enable authentication for CUPS-Get-Document in
|
||||
default policy
|
||||
"""
|
||||
|
||||
import os
|
||||
import sys
|
||||
from shutil import copy
|
||||
|
||||
|
||||
def get_cupsd_conf():
|
||||
"""
|
||||
Get all lines from cupsd.conf
|
||||
"""
|
||||
if not os.path.exists('/etc/cups/cupsd.conf'):
|
||||
return None
|
||||
|
||||
lines = []
|
||||
with open('/etc/cups/cupsd.conf', 'r') as conf:
|
||||
lines = conf.readlines()
|
||||
|
||||
return lines
|
||||
|
||||
|
||||
def get_default_policy(lines):
|
||||
"""
|
||||
Get the default policy lines
|
||||
|
||||
:param list lines: lines from cupsd.conf
|
||||
"""
|
||||
default_policy = []
|
||||
in_policy = False
|
||||
|
||||
for line in lines:
|
||||
if not in_policy and not line.lstrip().startswith('<Policy default>'):
|
||||
continue
|
||||
|
||||
default_policy.append(line)
|
||||
|
||||
if line.lstrip().startswith('</Policy>'):
|
||||
return default_policy
|
||||
|
||||
in_policy = True
|
||||
|
||||
return default_policy
|
||||
|
||||
|
||||
def get_limit_with_document(lines):
|
||||
"""
|
||||
Get <Limit> scope which defines CUPS-Get-Document operation
|
||||
|
||||
:param list lines: Lines containing the default policy
|
||||
"""
|
||||
limit = []
|
||||
in_limit = False
|
||||
|
||||
for line in lines:
|
||||
if not in_limit and not line.lstrip().startswith('<Limit'):
|
||||
continue
|
||||
|
||||
if (not in_limit and line.lstrip().startswith('<Limit') and
|
||||
not 'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
|
||||
continue
|
||||
|
||||
limit.append(line)
|
||||
|
||||
if line.lstrip().startswith('</Limit>'):
|
||||
return limit
|
||||
|
||||
in_limit = True
|
||||
|
||||
return limit
|
||||
|
||||
|
||||
def check_for_authtype(lines):
|
||||
"""
|
||||
Check if <Limit> defining CUPS-Get-Document defines
|
||||
any authentication
|
||||
|
||||
:param list lines: Lines of <Limit> scope which defines CUPS-Get-Document
|
||||
"""
|
||||
for line in lines:
|
||||
if line.lstrip().startswith('AuthType'):
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
def migrate_cupsd_conf(lines):
|
||||
"""
|
||||
Make changes to cupsd.conf contents to use authentication
|
||||
for CUPS-Get-Document
|
||||
|
||||
:param list lines: Lines from cupsd.conf
|
||||
"""
|
||||
new_lines = []
|
||||
in_policy = False
|
||||
create_document_limit = False
|
||||
|
||||
for line in lines:
|
||||
if (in_policy and line.lstrip().startswith('<Limit') and
|
||||
not line.lstrip().startswith('<Limit CUPS-Get-Document>') and
|
||||
'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
|
||||
line = line.replace(' CUPS-Get-Document', '')
|
||||
create_document_limit = True
|
||||
|
||||
if in_policy and line.lstrip().startswith('</Policy>') and create_document_limit:
|
||||
new_lines.append('\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'# added during upgrade\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'<Limit CUPS-Get-Document>\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||
'AuthType Default\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||
'Require user @OWNER @SYSTEM\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||
'Order deny,allow\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'</Limit>\n')
|
||||
create_document_limit = False
|
||||
|
||||
new_lines.append(line)
|
||||
|
||||
if not in_policy:
|
||||
if line.lstrip().startswith('<Policy default>'):
|
||||
in_policy = True
|
||||
continue
|
||||
|
||||
if line.lstrip().startswith('<Limit CUPS-Get-Document>'):
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'# added during upgrade\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'AuthType Default\n')
|
||||
continue
|
||||
|
||||
if line.lstrip().startswith('</Policy>'):
|
||||
in_policy = False
|
||||
continue
|
||||
|
||||
return new_lines
|
||||
|
||||
|
||||
def apply_changes(lines):
|
||||
"""
|
||||
Backup the original file if there is no .rpmsave already and
|
||||
apply changes to the actual cupsd.conf
|
||||
|
||||
:param list lines: New lines for cupsd.conf
|
||||
"""
|
||||
if not os.path.exists('/etc/cups/cupsd.conf.rpmsave'):
|
||||
copy('/etc/cups/cupsd.conf', '/etc/cups/cupsd.conf.rpmsave')
|
||||
|
||||
with open('/etc/cups/cupsd.conf', 'w') as conf:
|
||||
conf.writelines(lines)
|
||||
|
||||
|
||||
|
||||
content = get_cupsd_conf()
|
||||
if content is None:
|
||||
sys.exit(1)
|
||||
|
||||
if check_for_authtype(get_limit_with_document(get_default_policy(content))):
|
||||
sys.exit(0)
|
||||
|
||||
new_content = migrate_cupsd_conf(content)
|
||||
|
||||
apply_changes(new_content)
|
||||
|
||||
sys.exit(0)
|
@ -7,6 +7,13 @@
|
||||
# but we use lib for compatibility with 3rd party drivers (at upstream request).
|
||||
%global cups_serverbin %{_exec_prefix}/lib/cups
|
||||
|
||||
# we still need something for python2...
|
||||
%if 0%{?rhel} >= 8 || 0%{?fedora}
|
||||
%bcond_without python3
|
||||
%else
|
||||
%bcond_with python3
|
||||
%endif
|
||||
|
||||
#%%global prever rc1
|
||||
#%%global VERSION %%{version}%%{prever}
|
||||
%global VERSION %{version}
|
||||
@ -17,7 +24,7 @@ Summary: CUPS printing system
|
||||
Name: cups
|
||||
Epoch: 1
|
||||
Version: 2.3.3%{OP_VER}
|
||||
Release: 16%{?dist}
|
||||
Release: 16%{?dist}.1
|
||||
License: ASL 2.0
|
||||
Url: http://www.cups.org/
|
||||
# Apple stopped uploading the new versions into github, use OpenPrinting fork
|
||||
@ -26,6 +33,8 @@ Source0: https://github.com/OpenPrinting/cups/releases/download/v%{VERSION}/cups
|
||||
Source1: cupsprinter.png
|
||||
# cups_serverbin macro definition for use during builds
|
||||
Source2: macros.cups
|
||||
# CVE-2023-32360 migration script
|
||||
Source3: upgrade_get_document.py.in
|
||||
|
||||
# PAM enablement, very old patch, not even git can track when or why
|
||||
# the patch was added.
|
||||
@ -103,6 +112,8 @@ Patch27: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
|
||||
Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch
|
||||
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
||||
Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
|
||||
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
|
||||
Patch30: 0001-Require-authentication-for-CUPS-Get-Document.patch
|
||||
|
||||
|
||||
##### Patches removed because IMHO they aren't no longer needed
|
||||
@ -169,6 +180,13 @@ Requires(post): grep, sed
|
||||
Requires(preun): systemd
|
||||
Requires(postun): systemd
|
||||
|
||||
# for upgrade-get-document script
|
||||
%if %{with python3}
|
||||
Requires(post): python3
|
||||
%else
|
||||
Requires(post): python
|
||||
%endif
|
||||
|
||||
|
||||
%package client
|
||||
Summary: CUPS printing system - client programs
|
||||
@ -337,6 +355,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
|
||||
%patch28 -p1 -b .manpage-update
|
||||
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
||||
%patch29 -p1 -b .cve26691
|
||||
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
|
||||
%patch30 -p1 -b .get-document-auth
|
||||
|
||||
%if %{lspp}
|
||||
# LSPP support.
|
||||
@ -500,6 +520,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
|
||||
/^\([^%].*\)/d
|
||||
' > %{name}.lang
|
||||
|
||||
# install get-document upgrade script
|
||||
install -m 0755 %{SOURCE3} %{buildroot}%{_sbindir}/upgrade_get_document
|
||||
|
||||
%if %{with python3}
|
||||
sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python3,' %{buildroot}%{_sbindir}/upgrade_get_document
|
||||
%else
|
||||
sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python,' %{buildroot}%{_sbindir}/upgrade_get_document
|
||||
%endif
|
||||
|
||||
%post
|
||||
%systemd_post %{name}.path %{name}.socket %{name}.service
|
||||
|
||||
@ -547,6 +576,8 @@ do
|
||||
done
|
||||
%endif
|
||||
|
||||
%{_sbindir}/upgrade_get_document
|
||||
|
||||
exit 0
|
||||
|
||||
%post client
|
||||
@ -760,6 +791,9 @@ rm -f %{cups_serverbin}/backend/smb
|
||||
%{_mandir}/man7/ippeveps.7.gz
|
||||
|
||||
%changelog
|
||||
* Tue Aug 15 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16.1
|
||||
- CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
|
||||
|
||||
* Thu Jun 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16
|
||||
- CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user