CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c

Resolves: CVE-2023-34241
2023-06-29 09:31:40 +02:00 · 2023-06-29 09:31:40 +02:00 · 90181701d3
commit 90181701d3
parent bf783d1772
2 changed files with 71 additions and 0 deletions
--- a/0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch
+++ b/0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch
@ -0,0 +1,64 @@
+From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
+From: Rose <83477269+AtariDreams@users.noreply.github.com>
+Date: Thu, 1 Jun 2023 11:33:39 -0400
+Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
+
+httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
+
+We have to log the hostname first.
+---
+ scheduler/client.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 91e441188..327473a4d 100644
+--- a/scheduler/client.c
+++ b/scheduler/client.c
+@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+    /*
+     * Can't have an unresolved IP address with double-lookups enabled...
+     */
+-
+-    httpClose(con->http);
+-
+     cupsdLogClient(con, CUPSD_LOG_WARN,
+-                    "Name lookup failed - connection from %s closed!",
+                    "Name lookup failed - closing connection from %s!",
+                     httpGetHostname(con->http, NULL, 0));
+ 
+    httpClose(con->http);
+     free(con);
+     return;
+   }
+@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+       * with double-lookups enabled...
+       */
+ 
+-      httpClose(con->http);
+-
+       cupsdLogClient(con, CUPSD_LOG_WARN,
+-                      "IP lookup failed - connection from %s closed!",
+                      "IP lookup failed - closing connection from %s!",
+                       httpGetHostname(con->http, NULL, 0));
+
+      httpClose(con->http);
+       free(con);
+       return;
+     }
+@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ 
+   if (!hosts_access(&wrap_req))
+   {
+-    httpClose(con->http);
+-
+     cupsdLogClient(con, CUPSD_LOG_WARN,
+                     "Connection from %s refused by /etc/hosts.allow and "
+ 		    "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
+
+    httpClose(con->http);
+     free(con);
+     return;
+   }
+-- 
+2.41.0
+
--- a/cups.spec
+++ b/cups.spec
@ -111,6 +111,8 @@ Patch31: 0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch
 Patch32: 0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch
 # 2217954 - Enlarge backlog queue for listen() in cupsd
 Patch33: 0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch
+# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
+Patch34: 0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch


 ##### Patches removed because IMHO they aren't no longer needed
@ -353,6 +355,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch32 -p1 -b .purge-job
 # 2217954 - Enlarge backlog queue for listen() in cupsd
 %patch33 -p1 -b .listen-backlog
+# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
+%patch34 -p1 -b .cve34241

 %if %{lspp}
 # LSPP support.
@ -776,6 +780,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz

 %changelog
+* Thu Jun 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-19
+- CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
+
 * Wed Jun 28 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-19
 - 2217177 - Delays printing to lpd when reserved ports are exhausted
 - 2217284 - The command "cancel -x <job>" does not remove job files