Patch CVE-2024-35235: cupsd Listen arbitrary chmod 0140777
Resolves: RHEL-39940
This commit is contained in:
Pavol Žáčik
parent
2031f024f2
commit
8d18f8ed9c
86
0001-Fix-domain-socket-handling.patch
Normal file
86
0001-Fix-domain-socket-handling.patch
Normal file
@ -0,0 +1,86 @@
|
||||
diff --git a/cups/http-addr.c b/cups/http-addr.c
|
||||
index 86749c848..5b035e02b 100644
|
||||
--- a/cups/http-addr.c
|
||||
+++ b/cups/http-addr.c
|
||||
@@ -196,31 +196,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
|
||||
{
|
||||
mode_t mask; /* Umask setting */
|
||||
|
||||
- /*
|
||||
- * Remove any existing domain socket file...
|
||||
- */
|
||||
-
|
||||
- unlink(addr->un.sun_path);
|
||||
-
|
||||
- /*
|
||||
- * Save the current umask and set it to 0 so that all users can access
|
||||
- * the domain socket...
|
||||
- */
|
||||
-
|
||||
- mask = umask(0);
|
||||
-
|
||||
- /*
|
||||
- * Bind the domain socket...
|
||||
- */
|
||||
+ // Remove any existing domain socket file...
|
||||
+ if ((status = unlink(addr->un.sun_path)) < 0)
|
||||
+ {
|
||||
+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
|
||||
+ if (errno == ENOENT)
|
||||
+ status = 0;
|
||||
+ }
|
||||
|
||||
- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
|
||||
+ if (!status)
|
||||
+ {
|
||||
+ // Save the current umask and set it to 0 so that all users can access
|
||||
+ // the domain socket...
|
||||
+ mask = umask(0);
|
||||
|
||||
- /*
|
||||
- * Restore the umask and fix permissions...
|
||||
- */
|
||||
+ // Bind the domain socket...
|
||||
+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
|
||||
+ {
|
||||
+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
|
||||
+ }
|
||||
|
||||
- umask(mask);
|
||||
- chmod(addr->un.sun_path, 0140777);
|
||||
+ // Restore the umask...
|
||||
+ umask(mask);
|
||||
+ }
|
||||
}
|
||||
else
|
||||
#endif /* AF_LOCAL */
|
||||
diff --git a/scheduler/conf.c b/scheduler/conf.c
|
||||
index bb6049b2c..4c703c9b9 100644
|
||||
--- a/scheduler/conf.c
|
||||
+++ b/scheduler/conf.c
|
||||
@@ -3062,6 +3062,25 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
|
||||
|
||||
cupsd_listener_t *lis; /* New listeners array */
|
||||
|
||||
+ /*
|
||||
+ * If we are launched on-demand, do not use domain sockets from the config
|
||||
+ * file. Also check that the domain socket path is not too long...
|
||||
+ */
|
||||
+
|
||||
+#ifdef HAVE_ONDEMAND
|
||||
+ if (*value == '/' && OnDemand)
|
||||
+ {
|
||||
+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
|
||||
+ continue;
|
||||
+ }
|
||||
+#endif // HAVE_ONDEMAND
|
||||
+
|
||||
+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
|
||||
+ continue;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Get the address list...
|
||||
@ -24,7 +24,7 @@ Summary: CUPS printing system
|
||||
Name: cups
|
||||
Epoch: 1
|
||||
Version: 2.3.3%{OP_VER}
|
||||
Release: 26%{?dist}
|
||||
Release: 27%{?dist}
|
||||
License: ASL 2.0
|
||||
Url: http://www.cups.org/
|
||||
# Apple stopped uploading the new versions into github, use OpenPrinting fork
|
||||
@ -137,6 +137,8 @@ Patch40: 0001-scheduler-Fix-sending-response-headers-to-client.patch
|
||||
# RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions
|
||||
# https://github.com/OpenPrinting/cups/pull/456
|
||||
Patch41: 0001-cups-dest.c-Write-data-into-etc-cups-lpoptions-if-we.patch
|
||||
# CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
Patch42: 0001-Fix-domain-socket-handling.patch
|
||||
|
||||
|
||||
##### Patches removed because IMHO they aren't no longer needed
|
||||
@ -402,6 +404,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
|
||||
%patch40 -p1 -b .sent-headers
|
||||
# RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions
|
||||
%patch41 -p1 -b .root-lpoptions
|
||||
# CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
%patch42 -p1 -b .cve2024-35235
|
||||
|
||||
%if %{lspp}
|
||||
# LSPP support.
|
||||
@ -836,6 +840,9 @@ rm -f %{cups_serverbin}/backend/smb
|
||||
%{_mandir}/man7/ippeveps.7.gz
|
||||
|
||||
%changelog
|
||||
* Mon Jun 10 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.3.3op2-27
|
||||
- CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
|
||||
* Mon Apr 15 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-26
|
||||
- RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user