import cups-2.2.6-45.el8_6.2

This commit is contained in:
CentOS Sources 2022-06-15 08:22:56 -04:00 committed by Stepan Oksanichenko
parent 0c9d2a4f96
commit 92b1684eec
3 changed files with 105 additions and 1 deletions

View File

@ -0,0 +1,55 @@
From bdb1ca45454d90410031c4c2054005a995f76180 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Wed, 6 Apr 2022 15:04:45 +0200
Subject: [PATCH] cups/tls-gnutls.c: Use always GNUTLS_SHUT_WR
The current mode for `gnutls_bye()` in client use cases strictly
follows TLS v1.2 standard, which in this particular part says:
```
Unless some other fatal alert has been transmitted, each party is
required to send a close_notify alert before closing the write
side of the connection. The other party MUST respond with a
close_notify alert of its own and close down the connection immediately,
discarding any pending writes. It is not required for the initiator
of the close to wait for the responding close_notify alert before
closing the read side of the connection.
```
and waits for the other side of TLS connection to confirm the close.
Unfortunately it can undesired for reasons:
- we support switching of TLS versions in CUPS, and this mode strictly
follows TLS v1.2 - so for older version this behavior is not expected
and can cause delays
- even some TLS v1.2 implementations (like Windows Server 2016) don't
comply TLS v1.2 behavior even if it says it does - in that case,
encrypted printing takes 30s till HTTP timeout is reached, because the
other side didn't send confirmation
- AFAIU openssl's SSL_shutdown() doesn't make this TLS v1.2 difference,
so we could end up with two TLS implementations in CUPS which will
behave differently
Since the standard defines that waiting for confirmation is not required
and due the problems above, I would propose using GNUTLS_SHUT_WR mode
regardless of HTTP mode.
---
cups/tls-gnutls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index c55995b2b..f87b4f4df 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -1667,7 +1667,7 @@ _httpTLSStop(http_t *http) /* I - Connection to server */
int error; /* Error code */
- error = gnutls_bye(http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
+ error = gnutls_bye(http->tls, GNUTLS_SHUT_WR);
if (error != GNUTLS_E_SUCCESS)
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(errno), 0);
--
2.35.1

View File

@ -0,0 +1,35 @@
From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 26 May 2022 06:27:04 +0200
Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
CVE-2022-26691)
The previous algorithm didn't expect the strings can have a different
length, so one string can be a substring of the other and such substring
was reported as equal to the longer string.
---
CHANGES.md | 1 +
scheduler/cert.c | 9 ++++++++-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/scheduler/cert.c b/scheduler/cert.c
index b268bf1b2..9b65b96c9 100644
--- a/scheduler/cert.c
+++ b/scheduler/cert.c
@@ -444,5 +444,12 @@ ctcompare(const char *a, /* I - First string */
b ++;
}
- return (result);
+ /*
+ * The while loop finishes when *a == '\0' or *b == '\0'
+ * so after the while loop either both *a and *b == '\0',
+ * or one points inside a string, so when we apply bitwise OR on *a,
+ * *b and result, we get a non-zero return value if the compared strings don't match.
+ */
+
+ return (result | *a | *b);
}
--
2.36.1

View File

@ -15,7 +15,7 @@ Summary: CUPS printing system
Name: cups
Epoch: 1
Version: 2.2.6
Release: 44%{?dist}
Release: 45%{?dist}.2
License: GPLv2+ and LGPLv2 with exceptions and AML
Url: http://www.cups.org/
Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@ -129,6 +129,10 @@ Patch70: 0001-Add-with-idle-exit-timeout-configure-option.patch
Patch71: 0001-Add-with-systemd-timeoutstartsec-configure-option.patch
# 2032965 - [RFE] RHEL8 - CUPS Web UI supports adding IPP Everywhere
Patch72: cups-ippeve-web-support.patch
# 2073531 - 30-second delays printing to Windows 2016 server via HTTPS
Patch73: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
Patch74: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
Patch1000: cups-lspp.patch
@ -401,6 +405,10 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
%patch71 -p1 -b .timeoutstartsec
# 2032965 - [RFE] RHEL8 - CUPS Web UI supports adding IPP Everywhere
%patch72 -p1 -b .ippeve-web-support
# 2073531 - 30-second delays printing to Windows 2016 server via HTTPS
%patch73 -p1 -b .gnutlsbye
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
%patch74 -p1 -b .cve26691
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
@ -820,6 +828,12 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man5/ipptoolfile.5.gz
%changelog
* Thu May 26 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-45.2
- CVE-2022-26691 cups: authorization bypass when using "local" authorization
* Sat Apr 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-45.1
- 2073531 - 30-second delays printing to Windows 2016 server via HTTPS
* Wed Jan 19 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-44
- 2015182 - RFE: Implement IdleExitTimeout configuration during build