RHEL-60338 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file

Resolves: RHEL-60338
2024-11-27 16:23:18 +01:00 · 2024-11-27 16:23:18 +01:00 · 83b5a01997
commit 83b5a01997
parent 0f342d7f8e
5 changed files with 258 additions and 1 deletions
--- a/0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch
+++ b/0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch
@ -0,0 +1,26 @@
+From 5cc470c8d95df40f32e8a401b2946886c91b03d1 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Fri, 15 Nov 2024 11:55:07 -0500
+Subject: [PATCH] Fix make-and-model whitespace trimming (Issue #1096)
+
+---
+ CHANGES.md       | 1 +
+ cups/ppd-cache.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
+index a6163a0e1..a3198a795 100644
+--- a/cups/ppd-cache.c
+++ b/cups/ppd-cache.c
+@@ -3293,6 +3293,8 @@ _ppdCreateFromIPP2(
+       mptr --;
+       if (*mptr == ' ')
+ 	*mptr = '\0';
+      else
+        break;
+     }
+ 
+     if (!make[0])
+-- 
+2.47.0
+
--- a/0001-mirror-ipp-everywhere-printer-changes-from-master.patch
+++ b/0001-mirror-ipp-everywhere-printer-changes-from-master.patch
@ -0,0 +1,40 @@
+diff --git a/scheduler/ipp.c b/scheduler/ipp.c
+index 728d164..5089172 100644
+--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
+@@ -5773,6 +5773,18 @@ create_local_bg_thread(
+     cupsdLogMessage(CUPSD_LOG_DEBUG, "%s: IPP/1.1 Get-Printer-Attributes returned %s (%s)", printer->name, ippErrorString(cupsLastError()), cupsLastErrorString());
+   }
+ 
+  // Validate response from printer...
+  if (!ippValidateAttributes(response))
+  {
+    cupsdLogMessage(CUPSD_LOG_ERROR, "%s: The printer contains invalid attributes.", printer->name);
+
+    if (response)
+      ippDelete(response);
+
+    httpClose(http);
+    return (NULL);
+  }
+
+   // TODO: Grab printer icon file...
+   httpClose(http);
+ 
+diff --git a/systemv/lpadmin.c b/systemv/lpadmin.c
+index daf24d5..eba7551 100644
+--- a/systemv/lpadmin.c
+++ b/systemv/lpadmin.c
+@@ -1226,6 +1226,12 @@ get_printer_ppd(
+   ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD, "requested-attributes", sizeof(pattrs) / sizeof(pattrs[0]), NULL, pattrs);
+   response = cupsDoRequest(http, request, resource);
+ 
+  if (response && !ippValidateAttributes(response))
+  {
+    _cupsLangPrintf(stderr, _("%s: The printer \"%s\" contains invalid IPP attributes."), "lpadmin", uri);
+    return (NULL);
+  }
+
+   if (cupsLastError() >= IPP_STATUS_REDIRECTION_OTHER_SITE)
+   {
+     _cupsLangPrintf(stderr, _("%s: Unable to query printer: %s"), "lpadmin", cupsLastErrorString());
--- a/0001-ppdize-preset-and-template-names.patch
+++ b/0001-ppdize-preset-and-template-names.patch
@ -0,0 +1,41 @@
+From e0630cd18f76340d302000f2bf6516e99602b844 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 9 Sep 2024 15:59:57 -0400
+Subject: [PATCH] PPDize preset and template names.
+
+---
+ cups/ppd-cache.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
+index 986c64f73..18c38d0ee 100644
+--- a/cups/ppd-cache.c
+++ b/cups/ppd-cache.c
+@@ -5543,7 +5552,7 @@ pwg_ppdize_name(const char *ipp,	/* I - IPP keyword */
+ 	*end;				/* End of name buffer */
+ 
+ 
+-  if (!ipp)
+  if (!ipp || !_cups_isalnum(*ipp))
+   {
+     *name = '\0';
+     return;
+@@ -5558,8 +5567,14 @@ pwg_ppdize_name(const char *ipp,	/* I - IPP keyword */
+       ipp ++;
+       *ptr++ = (char)toupper(*ipp++ & 255);
+     }
+-    else
+    else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || _cups_isalnum(*ipp))
+    {
+       *ptr++ = *ipp++;
+    }
+    else
+    {
+      ipp ++;
+    }
+   }
+ 
+   *ptr = '\0';
+-- 
+2.46.1
+
--- a/0001-refactor-make-and-model-code.patch
+++ b/0001-refactor-make-and-model-code.patch
@ -0,0 +1,136 @@
+diff -up cups-2.2.6/cups/ppd-cache.c.make-model-refact cups-2.2.6/cups/ppd-cache.c
+--- cups-2.2.6/cups/ppd-cache.c.make-model-refact	2024-10-25 09:50:04.894056025 +0200
+++ cups-2.2.6/cups/ppd-cache.c	2024-10-25 09:51:15.832552712 +0200
+@@ -2937,9 +2937,10 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+ 			*x_dim, *y_dim;	/* Media dimensions */
+   ipp_t			*media_size;	/* Media size collection */
+   char			make[256],	/* Make and model */
+-			*model,		/* Model name */
+			*mptr,		/* Pointer into make and model */
+ 			ppdname[PPD_MAX_NAME];
+ 		    			/* PPD keyword */
+  const char		*model;		/* Model name */
+   int			i, j,		/* Looping vars */
+ 			count,		/* Number of values */
+ 			bottom,		/* Largest bottom margin */
+@@ -3057,35 +3058,105 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+   }
+ 
+  /*
+-  * Standard stuff for PPD file...
+  * Get a sanitized make and model...
+   */
+ 
+-  cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n");
+-  cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n");
+-  cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
+-  cupsFilePuts(fp, "*LanguageVersion: English\n");
+-  cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n");
+-  cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n");
+-  cupsFilePuts(fp, "*LanguageLevel: \"3\"\n");
+-  cupsFilePuts(fp, "*FileSystem: False\n");
+-  cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n");
+  if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr))
+  {
+   /*
+    * Sanitize the model name to only contain PPD-safe characters.
+    */
+ 
+-  if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL)
+     strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
+
+    for (mptr = make; *mptr; mptr ++)
+    {
+      if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"')
+      {
+       /*
+	* Truncate the make and model on the first bad character...
+	*/
+
+	*mptr = '\0';
+	break;
+      }
+    }
+
+    while (mptr > make)
+    {
+     /*
+      * Strip trailing whitespace...
+      */
+
+      mptr --;
+      if (*mptr == ' ')
+	*mptr = '\0';
+    }
+
+    if (!make[0])
+    {
+     /*
+      * Use a default make and model if nothing remains...
+      */
+
+      strlcpy(make, "Unknown", sizeof(make));
+    }
+  }
+   else
+-    strlcpy(make, "Unknown Printer", sizeof(make));
+  {
+   /*
+    * Use a default make and model...
+    */
+
+    strlcpy(make, "Unknown", sizeof(make));
+  }
+ 
+   if (!_cups_strncasecmp(make, "Hewlett Packard ", 16) ||
+       !_cups_strncasecmp(make, "Hewlett-Packard ", 16))
+   {
+   /*
+    * Normalize HP printer make and model...
+    */
+
+     model = make + 16;
+     strlcpy(make, "HP", sizeof(make));
+
+    if (!_cups_strncasecmp(model, "HP ", 3))
+      model += 3;
+  }
+  else if ((mptr = strchr(make, ' ')) != NULL)
+  {
+   /*
+    * Separate "MAKE MODEL"...
+    */
+
+    while (*mptr && *mptr == ' ')
+      *mptr++ = '\0';
+
+    model = mptr;
+   }
+-  else if ((model = strchr(make, ' ')) != NULL)
+-    *model++ = '\0';
+   else
+-    model = make;
+  {
+   /*
+    * No separate model name...
+    */
+ 
+    model = "Printer";
+  }
+
+ /*
+  * Standard stuff for PPD file...
+  */
+ 
+  cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n");
+  cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n");
+  cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
+  cupsFilePuts(fp, "*LanguageVersion: English\n");
+  cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n");
+  cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n");
+  cupsFilePuts(fp, "*LanguageLevel: \"3\"\n");
+  cupsFilePuts(fp, "*FileSystem: False\n");
+  cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n");
+   cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make);
+   cupsFilePrintf(fp, "*ModelName: \"%s\"\n", model);
+   cupsFilePrintf(fp, "*Product: \"(%s)\"\n", model);
--- a/cups.spec
+++ b/cups.spec
@ -22,7 +22,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.2.6
-Release: 61%{?dist}
+Release: 62%{?dist}
 License: GPLv2+ and LGPLv2 with exceptions and AML
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@ -186,6 +186,11 @@ Patch91: cups-socket-remove-on-stop.patch
 # https://github.com/OpenPrinting/cups/commit/74f437b
 # https://github.com/OpenPrinting/cups/commit/fb0c914
 Patch92: cups-check-for-listeners.patch
+# RHEL-60338 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
+Patch93: 0001-mirror-ipp-everywhere-printer-changes-from-master.patch
+Patch94: 0001-refactor-make-and-model-code.patch
+Patch95: 0001-ppdize-preset-and-template-names.patch
+Patch96: 0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch

 Patch1000: cups-lspp.patch

@ -509,6 +514,12 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 # https://github.com/OpenPrinting/cups/commit/74f437b
 # https://github.com/OpenPrinting/cups/commit/fb0c914
 %patch92 -p1 -b .cups-check-for-listeners
+# RHEL-60338 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
+%patch93 -p1 -b .ippeve-validate
+%patch94 -p1 -b .make-model-refact
+%patch95 -p1 -b .ppdize-presets
+%patch96 -p1 -b .make-model-trim
+

 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in

@ -935,6 +946,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz

 %changelog
+* Fri Oct 25 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-62
+- RHEL-60338 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
+
 * Thu Aug 15 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-61
 - RHEL-54038 cups source rpm doesn't actually build lspp support
 - fix memory leaks caused by lspp