diff --git a/0001-Require-authentication-for-CUPS-Get-Document.patch b/0001-Require-authentication-for-CUPS-Get-Document.patch new file mode 100644 index 0000000..e2852e1 --- /dev/null +++ b/0001-Require-authentication-for-CUPS-Get-Document.patch @@ -0,0 +1,31 @@ +From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 6 Dec 2022 09:04:01 -0500 +Subject: [PATCH] Require authentication for CUPS-Get-Document. + +--- + conf/cupsd.conf.in | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in +index b25884907..a07536f3e 100644 +--- a/conf/cupsd.conf.in ++++ b/conf/cupsd.conf.in +@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@ + Order deny,allow + + +- ++ ++ Require user @OWNER @SYSTEM ++ Order deny,allow ++ ++ ++ ++ AuthType Default + Require user @OWNER @SYSTEM + Order deny,allow + +-- +2.41.0 + diff --git a/cups.spec b/cups.spec index d564509..b24d5e9 100644 --- a/cups.spec +++ b/cups.spec @@ -7,6 +7,13 @@ # but we use lib for compatibility with 3rd party drivers (at upstream request). %global cups_serverbin %{_exec_prefix}/lib/cups +# we still need something for python2... +%if 0%{?rhel} >= 8 || 0%{?fedora} +%bcond_without python3 +%else +%bcond_with python3 +%endif + #%%global prever rc1 #%%global VERSION %%{version}%%{prever} %global VERSION %{version} @@ -17,7 +24,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.3.3%{OP_VER} -Release: 19%{?dist} +Release: 20%{?dist} License: ASL 2.0 Url: http://www.cups.org/ # Apple stopped uploading the new versions into github, use OpenPrinting fork @@ -26,6 +33,8 @@ Source0: https://github.com/OpenPrinting/cups/releases/download/v%{VERSION}/cups Source1: cupsprinter.png # cups_serverbin macro definition for use during builds Source2: macros.cups +# CVE-2023-32360 migration script +Source3: upgrade_get_document.py.in # PAM enablement, very old patch, not even git can track when or why # the patch was added. @@ -115,6 +124,8 @@ Patch33: 0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch Patch34: 0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch # CVE-2023-32324 cups: heap buffer overflow may lead to DoS Patch35: 0001-cups-strlcpy-handle-zero-size.patch +# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation +Patch36: 0001-Require-authentication-for-CUPS-Get-Document.patch ##### Patches removed because IMHO they aren't no longer needed @@ -181,6 +192,13 @@ Requires(post): grep, sed Requires(preun): systemd Requires(postun): systemd +# for upgrade-get-document script +%if %{with python3} +Requires(post): python3 +%else +Requires(post): python +%endif + %package client Summary: CUPS printing system - client programs @@ -361,6 +379,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch34 -p1 -b .cve34241 # CVE-2023-32324 cups: heap buffer overflow may lead to DoS %patch35 -p1 -b .cve32324 +# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation +%patch36 -p1 -b .get-document-auth %if %{lspp} # LSPP support. @@ -524,6 +544,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3: /^\([^%].*\)/d ' > %{name}.lang +# install get-document upgrade script +install -m 0755 %{SOURCE3} %{buildroot}%{_sbindir}/upgrade_get_document + +%if %{with python3} + sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python3,' %{buildroot}%{_sbindir}/upgrade_get_document +%else + sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python,' %{buildroot}%{_sbindir}/upgrade_get_document +%endif + %post %systemd_post %{name}.path %{name}.socket %{name}.service @@ -571,6 +600,8 @@ do done %endif +%{_sbindir}/upgrade_get_document + exit 0 %post client @@ -784,6 +815,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Tue Aug 29 2023 Zdenek Dohnal - 1:2.3.3op2-20 +- CVE-2023-32360 cups: Information leak through Cups-Get-Document operation + * Thu Jun 29 2023 Zdenek Dohnal - 1:2.3.3op2-19 - CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c - CVE-2023-32324 cups: heap buffer overflow may lead to DoS diff --git a/upgrade_get_document.py.in b/upgrade_get_document.py.in new file mode 100755 index 0000000..91d393f --- /dev/null +++ b/upgrade_get_document.py.in @@ -0,0 +1,171 @@ +@PYTHON_SHEBANG@ + +""" +Upgrade script to enable authentication for CUPS-Get-Document in +default policy +""" + +import os +import sys +from shutil import copy + + +def get_cupsd_conf(): + """ + Get all lines from cupsd.conf + """ + if not os.path.exists('/etc/cups/cupsd.conf'): + return None + + lines = [] + with open('/etc/cups/cupsd.conf', 'r') as conf: + lines = conf.readlines() + + return lines + + +def get_default_policy(lines): + """ + Get the default policy lines + + :param list lines: lines from cupsd.conf + """ + default_policy = [] + in_policy = False + + for line in lines: + if not in_policy and not line.lstrip().startswith(''): + continue + + default_policy.append(line) + + if line.lstrip().startswith(''): + return default_policy + + in_policy = True + + return default_policy + + +def get_limit_with_document(lines): + """ + Get scope which defines CUPS-Get-Document operation + + :param list lines: Lines containing the default policy + """ + limit = [] + in_limit = False + + for line in lines: + if not in_limit and not line.lstrip().startswith(''): + return limit + + in_limit = True + + return limit + + +def check_for_authtype(lines): + """ + Check if defining CUPS-Get-Document defines + any authentication + + :param list lines: Lines of scope which defines CUPS-Get-Document + """ + for line in lines: + if line.lstrip().startswith('AuthType'): + return True + return False + + +def migrate_cupsd_conf(lines): + """ + Make changes to cupsd.conf contents to use authentication + for CUPS-Get-Document + + :param list lines: Lines from cupsd.conf + """ + new_lines = [] + in_policy = False + create_document_limit = False + + for line in lines: + if (in_policy and line.lstrip().startswith('') and + 'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]): + line = line.replace(' CUPS-Get-Document', '') + create_document_limit = True + + if in_policy and line.lstrip().startswith('') and create_document_limit: + new_lines.append('\n') + new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' + + '# added during upgrade\n') + new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' + + '\n') + new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' + + 'AuthType Default\n') + new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' + + 'Require user @OWNER @SYSTEM\n') + new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' + + 'Order deny,allow\n') + new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' + + '\n') + create_document_limit = False + + new_lines.append(line) + + if not in_policy: + if line.lstrip().startswith(''): + in_policy = True + continue + + if line.lstrip().startswith(''): + new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' + + '# added during upgrade\n') + new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' + + 'AuthType Default\n') + continue + + if line.lstrip().startswith(''): + in_policy = False + continue + + return new_lines + + +def apply_changes(lines): + """ + Backup the original file if there is no .rpmsave already and + apply changes to the actual cupsd.conf + + :param list lines: New lines for cupsd.conf + """ + if not os.path.exists('/etc/cups/cupsd.conf.rpmsave'): + copy('/etc/cups/cupsd.conf', '/etc/cups/cupsd.conf.rpmsave') + + with open('/etc/cups/cupsd.conf', 'w') as conf: + conf.writelines(lines) + + + +content = get_cupsd_conf() +if content is None: + sys.exit(1) + +if check_for_authtype(get_limit_with_document(get_default_policy(content))): + sys.exit(0) + +new_content = migrate_cupsd_conf(content) + +apply_changes(new_content) + +sys.exit(0)