From 8303b5790e59c1a39384acc52aa5b2727279d5d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?=
Date: Tue, 18 Jun 2024 12:35:41 +0200
Subject: [PATCH] Patch cupsd issues triggered by the CVE-2024-35235 fix

Resolves: RHEL-40386
---
 cups-check-for-listeners.patch | 94 ++++++++++++++++++++++++++++++++
 cups-socket-remove-on-stop.patch | 12 ++++
 cups.spec | 35 +++++++++++-
 3 files changed, 138 insertions(+), 3 deletions(-)
 create mode 100644 cups-check-for-listeners.patch
 create mode 100644 cups-socket-remove-on-stop.patch

diff --git a/cups-check-for-listeners.patch b/cups-check-for-listeners.patch
new file mode 100644
index 0000000..ffbe8d2
--- /dev/null
+++ b/cups-check-for-listeners.patch
@@ -0,0 +1,94 @@ +diff --git a/scheduler/conf.c b/scheduler/conf.c +index c113eb3..77ce179 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -573,6 +573,18 @@ cupsdReadConfiguration(void) + + cupsdDeleteAllListeners(); + ++ /* ++ * Allocate Listeners array ++ */ ++ ++ Listeners = cupsArrayNew(NULL, NULL); ++ ++ if (!Listeners) ++ { ++ fprintf(stderr, "Unable to allocate memory for array Listeners.\n"); ++ return (0); ++ } ++ + old_remote_port = RemotePort; + RemotePort = 0; + +@@ -1080,28 +1092,6 @@ cupsdReadConfiguration(void) + } + } + +- /* +- * Check that we have at least one listen/port line; if not, report this +- * as an error and exit! +- */ +- +- if (cupsArrayCount(Listeners) == 0) +- { +- /* +- * No listeners! +- */ +- +- cupsdLogMessage(CUPSD_LOG_EMERG, +- "No valid Listen or Port lines were found in the " +- "configuration file."); +- +- /* +- * Commit suicide... +- */ +- +- cupsdEndProcess(getpid(), 0); +- } +- + /* + * Set the default locale using the language and charset... + */ +@@ -3162,17 +3152,6 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ + * Allocate another listener... + */ + +- if (!Listeners) +- Listeners = cupsArrayNew(NULL, NULL); +- +- if (!Listeners) +- { +- cupsdLogMessage(CUPSD_LOG_ERROR, +- "Unable to allocate %s at line %d - %s.", +- line, linenum, strerror(errno)); +- break; +- } +- + if ((lis = calloc(1, sizeof(cupsd_listener_t))) == NULL) + { + cupsdLogMessage(CUPSD_LOG_ERROR, +diff --git a/scheduler/main.c b/scheduler/main.c +index a6e2c3a..b935c52 100644 +--- a/scheduler/main.c ++++ b/scheduler/main.c +@@ -2113,6 +2113,21 @@ service_checkin(void) + service_add_listener(fd, 0); + } + #endif /* HAVE_LAUNCHD */ ++ ++ if (cupsArrayCount(Listeners) == 0) ++ { ++ /* ++ * No listeners! ++ */ ++ ++ cupsdLogMessage(CUPSD_LOG_EMERG, "No listener sockets present."); ++ ++ /* ++ * Commit suicide... ++ */ ++ ++ cupsdEndProcess(getpid(), 0); ++ } + } 
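Review bot: The new `Listeners = cupsArrayNew(NULL, NULL);` in cupsdReadConfiguration() runs unconditionally right after `cupsdDeleteAllListeners();`, so it replaces whatever that call left behind; if the cleanup keeps the array (and any socket-activated, on-demand entries) alive across a reload — this hunk cannot show it, but that is how I read the 2.2.x listen.c — every SIGHUP leaks the previous array and silently drops those listeners, and the zero-listener check now lives only in service_checkin(), which would not catch it after the reload. Restoring the guard that the hunk removes from read_cupsd_conf(), `if (!Listeners) Listeners = cupsArrayNew(NULL, NULL);` (keeping the NULL check and `return (0);` that follow), avoids both outcomes; alternatively, confirm that cupsdDeleteAllListeners() always deletes and NULLs the array and say so in a comment above the allocation, e.g. `/* cupsdDeleteAllListeners() left Listeners NULL; on-demand sockets are re-added by service_checkin() */`, but only if that is actually true. Both cupsdReadConfiguration() and service_checkin() begin and end outside this hunk.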
diff --git a/cups-socket-remove-on-stop.patch b/cups-socket-remove-on-stop.patch
new file mode 100644
index 0000000..ea532d0
--- /dev/null
+++ b/cups-socket-remove-on-stop.patch
@@ -0,0 +1,12 @@
+diff --git a/scheduler/org.cups.cupsd.socket.in b/scheduler/org.cups.cupsd.socket.in
+index 613b977a6..1deee826a 100644
+--- a/scheduler/org.cups.cupsd.socket.in
++++ b/scheduler/org.cups.cupsd.socket.in
+@@ -4,6 +4,7 @@ PartOf=org.cups.cupsd.service
+ 
+ [Socket]
+ ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@
++RemoveOnStop=on
+ 
+ [Install]
+ WantedBy=sockets.target
diff --git a/cups.spec b/cups.spec
index 0286af2..81ecac8 100644
--- a/cups.spec
+++ b/cups.spec
@@ -22,7 +22,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.2.6
-Release: 59%{?dist}
+Release: 60%{?dist}
 License: GPLv2+ and LGPLv2 with exceptions and AML
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
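Review bot: The added `RemoveOnStop=on` in org.cups.cupsd.socket.in carries no explanation, so a reader of the unit cannot tell it is part of the CVE-2024-35235 (arbitrary chmod of the Listen path) hardening rather than a cosmetic cleanup; I would put `# Unlink the socket node when cups.socket stops so a later cupsd start never reuses a stale path (CVE-2024-35235)` directly above it. As I recall the systemd.socket manual, the directive only removes file nodes this unit itself created, so a node left at @CUPS_DEFAULT_DOMAINSOCKET@ by anything other than cups.socket would presumably still remain and has to be covered by the cupsd-side fix in Patch89 — worth confirming and noting in the same comment.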
@@ -170,10 +170,22 @@ Patch86: cups-preservejob-leak.patch Patch87: 0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch # RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents Patch88: 0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch -# CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/a436956 Patch89: 0001-Fix-domain-socket-handling.patch +# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 # https://github.com/OpenPrinting/cups/pull/31 Patch90: cups-require-cups-socket.patch +# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/3448c52 +Patch91: cups-socket-remove-on-stop.patch +# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/7adb508 +# https://github.com/OpenPrinting/cups/commit/824f49f +# https://github.com/OpenPrinting/cups/commit/56b9728 +# https://github.com/OpenPrinting/cups/commit/74f437b +# https://github.com/OpenPrinting/cups/commit/fb0c914 +Patch92: cups-check-for-listeners.patch Patch1000: cups-lspp.patch 
@@ -481,10 +493,22 @@ Sends IPP requests to the specified URI and tests and/or displays the results. %patch87 -p1 -b .message-stderr # RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents %patch88 -p1 -b .cupsgetjobs-pollhup -# CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/a436956 %patch89 -p1 -b .cve2024-35235 +# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 # https://github.com/OpenPrinting/cups/pull/31 %patch90 -p1 -b .cups-require-cups-socket +# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/3448c52 +%patch91 -p1 -b .cups-remove-on-stop +# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/7adb508 +# https://github.com/OpenPrinting/cups/commit/824f49f +# https://github.com/OpenPrinting/cups/commit/56b9728 +# https://github.com/OpenPrinting/cups/commit/74f437b +# https://github.com/OpenPrinting/cups/commit/fb0c914 +%patch92 -p1 -b .cups-check-for-listeners sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in @@ -911,6 +935,11 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog +* Tue Jun 18 2024 Pavol Zacik - 1:2.2.6-60 +- RHEL-40386 cups: Cupsd Listen arbitrary chmod 0140777 +- Delete the domain socket file after stopping the cups.socket service +- Fix cupsd Listener checks + * Fri Jun 14 2024 Pavol Zacik - 1:2.2.6-59 - RHEL-40386 cups: Cupsd Listen arbitrary chmod 0140777 - Require cups.socket in cupsd service file