From 92b1684eec3be8c4e9e135e01d45433028471f2b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Wed, 15 Jun 2022 08:22:56 -0400 Subject: [PATCH] import cups-2.2.6-45.el8_6.2 --- ...s-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch | 55 +++++++++++++++++++ ...-Fix-string-comparison-fixes-CVE-202.patch | 35 ++++++++++++ SPECS/cups.spec | 16 +++++- 3 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch create mode 100644 SOURCES/0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch diff --git a/SOURCES/0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch b/SOURCES/0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch new file mode 100644 index 0000000..67e2edc --- /dev/null +++ b/SOURCES/0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch @@ -0,0 +1,55 @@ +From bdb1ca45454d90410031c4c2054005a995f76180 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Wed, 6 Apr 2022 15:04:45 +0200 +Subject: [PATCH] cups/tls-gnutls.c: Use always GNUTLS_SHUT_WR + +The current mode for `gnutls_bye()` in client use cases strictly +follows TLS v1.2 standard, which in this particular part says: + +``` +Unless some other fatal alert has been transmitted, each party is +required to send a close_notify alert before closing the write +side of the connection. The other party MUST respond with a +close_notify alert of its own and close down the connection immediately, +discarding any pending writes. It is not required for the initiator +of the close to wait for the responding close_notify alert before +closing the read side of the connection. +``` + +and waits for the other side of TLS connection to confirm the close. + +Unfortunately it can undesired for reasons: +- we support switching of TLS versions in CUPS, and this mode strictly + follows TLS v1.2 - so for older version this behavior is not expected + and can cause delays +- even some TLS v1.2 implementations (like Windows Server 2016) don't + comply TLS v1.2 behavior even if it says it does - in that case, + encrypted printing takes 30s till HTTP timeout is reached, because the + other side didn't send confirmation +- AFAIU openssl's SSL_shutdown() doesn't make this TLS v1.2 difference, + so we could end up with two TLS implementations in CUPS which will + behave differently + +Since the standard defines that waiting for confirmation is not required +and due the problems above, I would propose using GNUTLS_SHUT_WR mode +regardless of HTTP mode. +--- + cups/tls-gnutls.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c +index c55995b2b..f87b4f4df 100644 +--- a/cups/tls-gnutls.c ++++ b/cups/tls-gnutls.c +@@ -1667,7 +1667,7 @@ _httpTLSStop(http_t *http) /* I - Connection to server */ + int error; /* Error code */ + + +- error = gnutls_bye(http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR); ++ error = gnutls_bye(http->tls, GNUTLS_SHUT_WR); + if (error != GNUTLS_E_SUCCESS) + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(errno), 0); + +-- +2.35.1 + diff --git a/SOURCES/0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch b/SOURCES/0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch new file mode 100644 index 0000000..0aa9c99 --- /dev/null +++ b/SOURCES/0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch @@ -0,0 +1,35 @@ +From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Thu, 26 May 2022 06:27:04 +0200 +Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes + CVE-2022-26691) + +The previous algorithm didn't expect the strings can have a different +length, so one string can be a substring of the other and such substring +was reported as equal to the longer string. +--- + CHANGES.md | 1 + + scheduler/cert.c | 9 ++++++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/scheduler/cert.c b/scheduler/cert.c +index b268bf1b2..9b65b96c9 100644 +--- a/scheduler/cert.c ++++ b/scheduler/cert.c +@@ -444,5 +444,12 @@ ctcompare(const char *a, /* I - First string */ + b ++; + } + +- return (result); ++ /* ++ * The while loop finishes when *a == '\0' or *b == '\0' ++ * so after the while loop either both *a and *b == '\0', ++ * or one points inside a string, so when we apply bitwise OR on *a, ++ * *b and result, we get a non-zero return value if the compared strings don't match. ++ */ ++ ++ return (result | *a | *b); + } +-- +2.36.1 + diff --git a/SPECS/cups.spec b/SPECS/cups.spec index 1d2ac8b..5a60c95 100644 --- a/SPECS/cups.spec +++ b/SPECS/cups.spec @@ -15,7 +15,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.2.6 -Release: 44%{?dist} +Release: 45%{?dist}.2 License: GPLv2+ and LGPLv2 with exceptions and AML Url: http://www.cups.org/ Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz @@ -129,6 +129,10 @@ Patch70: 0001-Add-with-idle-exit-timeout-configure-option.patch Patch71: 0001-Add-with-systemd-timeoutstartsec-configure-option.patch # 2032965 - [RFE] RHEL8 - CUPS Web UI supports adding IPP Everywhere Patch72: cups-ippeve-web-support.patch +# 2073531 - 30-second delays printing to Windows 2016 server via HTTPS +Patch73: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch +# CVE-2022-26691 cups: authorization bypass when using "local" authorization +Patch74: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch Patch1000: cups-lspp.patch @@ -401,6 +405,10 @@ Sends IPP requests to the specified URI and tests and/or displays the results. %patch71 -p1 -b .timeoutstartsec # 2032965 - [RFE] RHEL8 - CUPS Web UI supports adding IPP Everywhere %patch72 -p1 -b .ippeve-web-support +# 2073531 - 30-second delays printing to Windows 2016 server via HTTPS +%patch73 -p1 -b .gnutlsbye +# CVE-2022-26691 cups: authorization bypass when using "local" authorization +%patch74 -p1 -b .cve26691 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in @@ -820,6 +828,12 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog +* Thu May 26 2022 Zdenek Dohnal - 1:2.2.6-45.2 +- CVE-2022-26691 cups: authorization bypass when using "local" authorization + +* Sat Apr 09 2022 Zdenek Dohnal - 1:2.2.6-45.1 +- 2073531 - 30-second delays printing to Windows 2016 server via HTTPS + * Wed Jan 19 2022 Zdenek Dohnal - 1:2.2.6-44 - 2015182 - RFE: Implement IdleExitTimeout configuration during build