CVE-2023-32360 cups: Information leak through Cups-Get-Document operation

Resolves: rhbz#2230500
2023-08-29 08:43:15 +02:00 · 2023-08-29 08:43:15 +02:00 · 68f0f94ba5
parent d9071222ad
commit 68f0f94ba5
3 changed files with 237 additions and 1 deletions
--- a/0001-Require-authentication-for-CUPS-Get-Document.patch
+++ b/0001-Require-authentication-for-CUPS-Get-Document.patch
@ -0,0 +1,31 @@
+From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Tue, 6 Dec 2022 09:04:01 -0500
+Subject: [PATCH] Require authentication for CUPS-Get-Document.
+
+---
+ conf/cupsd.conf.in | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index b25884907..a07536f3e 100644
+--- a/conf/cupsd.conf.in
+++ b/conf/cupsd.conf.in
+@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
+     Order deny,allow
+   </Limit>
+ 
+-  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  <Limit CUPS-Get-Document>
+    AuthType Default
+     Require user @OWNER @SYSTEM
+     Order deny,allow
+   </Limit>
+-- 
+2.41.0
+
--- a/cups.spec
+++ b/cups.spec
@ -7,6 +7,13 @@
 # but we use lib for compatibility with 3rd party drivers (at upstream request).
 %global cups_serverbin %{_exec_prefix}/lib/cups

+# we still need something for python2...
+%if 0%{?rhel} >= 8 || 0%{?fedora}
+%bcond_without python3
+%else
+%bcond_with python3
+%endif
+
 #%%global prever rc1
 #%%global VERSION %%{version}%%{prever}
 %global VERSION %{version}
@ -17,7 +24,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: ASL 2.0
 Url: http://www.cups.org/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
@ -26,6 +33,8 @@ Source0: https://github.com/OpenPrinting/cups/releases/download/v%{VERSION}/cups
 Source1: cupsprinter.png
 # cups_serverbin macro definition for use during builds
 Source2: macros.cups
+# CVE-2023-32360 migration script
+Source3: upgrade_get_document.py.in

 # PAM enablement, very old patch, not even git can track when or why
 # the patch was added.
@ -115,6 +124,8 @@ Patch33: 0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch
 Patch34: 0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch
 # CVE-2023-32324 cups: heap buffer overflow may lead to DoS
 Patch35: 0001-cups-strlcpy-handle-zero-size.patch
+# CVE-2023-32360 cups:  Information leak through Cups-Get-Document operation
+Patch36: 0001-Require-authentication-for-CUPS-Get-Document.patch


 ##### Patches removed because IMHO they aren't no longer needed
@ -181,6 +192,13 @@ Requires(post): grep, sed
 Requires(preun): systemd
 Requires(postun): systemd

+# for upgrade-get-document script
+%if %{with python3}
+Requires(post): python3
+%else
+Requires(post): python
+%endif
+

 %package client
 Summary: CUPS printing system - client programs
@ -361,6 +379,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch34 -p1 -b .cve34241
 # CVE-2023-32324 cups: heap buffer overflow may lead to DoS
 %patch35 -p1 -b .cve32324
+# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
+%patch36 -p1 -b .get-document-auth

 %if %{lspp}
 # LSPP support.
@ -524,6 +544,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
 /^\([^%].*\)/d
 ' > %{name}.lang

+# install get-document upgrade script
+install -m 0755 %{SOURCE3} %{buildroot}%{_sbindir}/upgrade_get_document
+
+%if %{with python3}
+  sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python3,' %{buildroot}%{_sbindir}/upgrade_get_document
+%else
+  sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python,' %{buildroot}%{_sbindir}/upgrade_get_document
+%endif
+
 %post
 %systemd_post %{name}.path %{name}.socket %{name}.service

@ -571,6 +600,8 @@ do
 done
 %endif

+%{_sbindir}/upgrade_get_document
+
 exit 0

 %post client
@ -784,6 +815,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz

 %changelog
+* Tue Aug 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-20
+- CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
+
 * Thu Jun 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-19
 - CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
 - CVE-2023-32324 cups: heap buffer overflow may lead to DoS
--- a/upgrade_get_document.py.in
+++ b/upgrade_get_document.py.in
@ -0,0 +1,171 @@
+@PYTHON_SHEBANG@
+
+"""
+Upgrade script to enable authentication for CUPS-Get-Document in
+default policy
+"""
+
+import os
+import sys
+from shutil import copy
+
+
+def get_cupsd_conf():
+    """
+    Get all lines from cupsd.conf
+    """
+    if not os.path.exists('/etc/cups/cupsd.conf'):
+        return None
+
+    lines = []
+    with open('/etc/cups/cupsd.conf', 'r') as conf:
+        lines = conf.readlines()
+
+    return lines
+
+
+def get_default_policy(lines):
+    """
+    Get the default policy lines
+
+    :param list lines: lines from cupsd.conf
+    """
+    default_policy = []
+    in_policy = False
+
+    for line in lines:
+        if not in_policy and not line.lstrip().startswith('<Policy default>'):
+            continue
+
+        default_policy.append(line)
+
+        if line.lstrip().startswith('</Policy>'):
+            return default_policy
+
+        in_policy = True
+
+    return default_policy
+
+
+def get_limit_with_document(lines):
+    """
+    Get <Limit> scope which defines CUPS-Get-Document operation
+
+    :param list lines: Lines containing the default policy
+    """
+    limit = []
+    in_limit = False
+
+    for line in lines:
+        if not in_limit and not line.lstrip().startswith('<Limit'):
+            continue
+
+        if (not in_limit and line.lstrip().startswith('<Limit') and
+            not 'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
+            continue
+
+        limit.append(line)
+
+        if line.lstrip().startswith('</Limit>'):
+            return limit
+
+        in_limit = True
+
+    return limit
+
+
+def check_for_authtype(lines):
+    """
+    Check if <Limit> defining CUPS-Get-Document defines
+    any authentication
+
+    :param list lines: Lines of <Limit> scope which defines CUPS-Get-Document
+    """
+    for line in lines:
+        if line.lstrip().startswith('AuthType'):
+            return True
+    return False
+
+
+def migrate_cupsd_conf(lines):
+    """
+    Make changes to cupsd.conf contents to use authentication
+    for CUPS-Get-Document
+
+    :param list lines: Lines from cupsd.conf
+    """
+    new_lines = []
+    in_policy = False
+    create_document_limit = False
+
+    for line in lines:
+        if (in_policy and line.lstrip().startswith('<Limit') and
+            not line.lstrip().startswith('<Limit CUPS-Get-Document>') and
+            'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
+            line = line.replace(' CUPS-Get-Document', '')
+            create_document_limit = True
+
+        if in_policy and line.lstrip().startswith('</Policy>') and create_document_limit:
+            new_lines.append('\n')
+            new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
+                             '# added during upgrade\n')
+            new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
+                             '<Limit CUPS-Get-Document>\n')
+            new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
+                             'AuthType Default\n')
+            new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
+                             'Require user @OWNER @SYSTEM\n')
+            new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
+                             'Order deny,allow\n')
+            new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
+                             '</Limit>\n')
+            create_document_limit = False
+
+        new_lines.append(line)
+
+        if not in_policy:
+            if line.lstrip().startswith('<Policy default>'):
+                in_policy = True
+            continue
+
+        if line.lstrip().startswith('<Limit CUPS-Get-Document>'):
+            new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
+                             '# added during upgrade\n')
+            new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
+                             'AuthType Default\n')
+            continue
+
+        if line.lstrip().startswith('</Policy>'):
+            in_policy = False
+            continue
+
+    return new_lines
+
+
+def apply_changes(lines):
+    """
+    Backup the original file if there is no .rpmsave already and
+    apply changes to the actual cupsd.conf
+
+    :param list lines: New lines for cupsd.conf
+    """
+    if not os.path.exists('/etc/cups/cupsd.conf.rpmsave'):
+        copy('/etc/cups/cupsd.conf', '/etc/cups/cupsd.conf.rpmsave')
+
+    with open('/etc/cups/cupsd.conf', 'w') as conf:
+        conf.writelines(lines)
+
+
+
+content = get_cupsd_conf()
+if content is None:
+    sys.exit(1)
+
+if check_for_authtype(get_limit_with_document(get_default_policy(content))):
+    sys.exit(0)
+
+new_content = migrate_cupsd_conf(content)
+
+apply_changes(new_content)
+
+sys.exit(0)