From 8d18f8ed9c0b5360ade65f8b0795b6e60236afbe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?=
Date: Mon, 10 Jun 2024 10:48:31 +0200
Subject: [PATCH] Patch CVE-2024-35235: cupsd Listen arbitrary chmod 0140777

Resolves: RHEL-39940
---
 0001-Fix-domain-socket-handling.patch | 86 +++++++++++++++++++++++++++
 cups.spec | 9 ++-
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 0001-Fix-domain-socket-handling.patch

diff --git a/0001-Fix-domain-socket-handling.patch b/0001-Fix-domain-socket-handling.patch
new file mode 100644
index 0000000..1b1006c
--- /dev/null
+++ b/0001-Fix-domain-socket-handling.patch
@@ -0,0 +1,86 @@
+diff --git a/cups/http-addr.c b/cups/http-addr.c
+index 86749c848..5b035e02b 100644
+--- a/cups/http-addr.c
++++ b/cups/http-addr.c
+@@ -196,31 +196,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
+ {
+ mode_t mask; /* Umask setting */
+
+- /*
+- * Remove any existing domain socket file...
+- */
+-
+- unlink(addr->un.sun_path);
+-
+- /*
+- * Save the current umask and set it to 0 so that all users can access
+- * the domain socket...
+- */
+-
+- mask = umask(0);
+-
+- /*
+- * Bind the domain socket...
+- */
++ // Remove any existing domain socket file...
++ if ((status = unlink(addr->un.sun_path)) < 0)
++ {
++ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
++ if (errno == ENOENT)
++ status = 0;
++ }
+
+- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
++ if (!status)
++ {
++ // Save the current umask and set it to 0 so that all users can access
++ // the domain socket...
++ mask = umask(0);
+
+- /*
+- * Restore the umask and fix permissions...
+- */
++ // Bind the domain socket...
++ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
++ {
++ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
++ }
+
+- umask(mask);
+- chmod(addr->un.sun_path, 0140777);
++ // Restore the umask...
++ umask(mask);
++ }
+ }
+ else
+ #endif /* AF_LOCAL */
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index bb6049b2c..4c703c9b9 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -3062,6 +3062,25 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
+
+ cupsd_listener_t *lis; /* New listeners array */
+
++ /*
++ * If we are launched on-demand, do not use domain sockets from the config
++ * file. Also check that the domain socket path is not too long...
++ */
++
++#ifdef HAVE_ONDEMAND
++ if (*value == '/' && OnDemand)
++ {
++ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
++ continue;
++ }
++#endif // HAVE_ONDEMAND
++
++ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
++ continue;
++ }
+
+ /*
+ * Get the address list...
diff --git a/cups.spec b/cups.spec
index 0314643..1727b40 100644
--- a/cups.spec
+++ b/cups.spec
@@ -24,7 +24,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.3.3%{OP_VER} -Release: 26%{?dist} +Release: 27%{?dist} License: ASL 2.0 Url: http://www.cups.org/ # Apple stopped uploading the new versions into github, use OpenPrinting fork
@@ -137,6 +137,8 @@ Patch40: 0001-scheduler-Fix-sending-response-headers-to-client.patch # RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions # https://github.com/OpenPrinting/cups/pull/456 Patch41: 0001-cups-dest.c-Write-data-into-etc-cups-lpoptions-if-we.patch +# CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +Patch42: 0001-Fix-domain-socket-handling.patch ##### Patches removed because IMHO they aren't no longer needed
@@ -402,6 +404,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch40 -p1 -b .sent-headers # RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions %patch41 -p1 -b .root-lpoptions +# CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +%patch42 -p1 -b .cve2024-35235 %if %{lspp} # LSPP support.
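Review bot: In the cups/http-addr.c hunk, `errno` is compared with `ENOENT` only after `DEBUG_printf` has run, so in a debug build the logging call may overwrite it; a missing socket file would then be treated as a hard failure and `bind()` skipped. Capture the value first, e.g. `int unlink_errno = errno;` directly after the failed `unlink()`, and test `unlink_errno == ENOENT`. Separately, `unlink(addr->un.sun_path)` still removes whatever sits at the configured path without confirming it is a socket. An `lstat()` plus `S_ISSOCK(st.st_mode)` guard before the unlink would narrow that, though whether callers already validate the path is not visible here. The enclosing `httpAddrListen` starts and ends outside the hunk, so how a non-zero `status` from the failed unlink is handled afterwards should be confirmed there.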
@@ -836,6 +840,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Mon Jun 10 2024 Pavol Zacik - 1:2.3.3op2-27 +- CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 + * Mon Apr 15 2024 Zdenek Dohnal - 1:2.3.3op2-26 - RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions