import cups-2.2.6-45.el8_6.2

2022-06-15 08:22:56 -04:00 · 2022-06-15 08:22:56 -04:00 · 92b1684eec
commit 92b1684eec
parent 0c9d2a4f96
3 changed files with 105 additions and 1 deletions
--- a/SOURCES/0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
+++ b/SOURCES/0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
@ -0,0 +1,55 @@
+From bdb1ca45454d90410031c4c2054005a995f76180 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 6 Apr 2022 15:04:45 +0200
+Subject: [PATCH] cups/tls-gnutls.c: Use always GNUTLS_SHUT_WR
+
+The current mode for `gnutls_bye()` in client use cases strictly
+follows TLS v1.2 standard, which in this particular part says:
+
+```
+Unless some other fatal alert has been transmitted, each party is
+required to send a close_notify alert before closing the write
+side of the connection.  The other party MUST respond with a
+close_notify alert of its own and close down the connection immediately,
+discarding any pending writes.  It is not required for the initiator
+of the close to wait for the responding close_notify alert before
+closing the read side of the connection.
+```
+
+and waits for the other side of TLS connection to confirm the close.
+
+Unfortunately it can undesired for reasons:
+- we support switching of TLS versions in CUPS, and this mode strictly
+  follows TLS v1.2 - so for older version this behavior is not expected
+  and can cause delays
+- even some TLS v1.2 implementations (like Windows Server 2016) don't
+  comply TLS v1.2 behavior even if it says it does - in that case,
+  encrypted printing takes 30s till HTTP timeout is reached, because the
+  other side didn't send confirmation
+- AFAIU openssl's SSL_shutdown() doesn't make this TLS v1.2 difference,
+  so we could end up with two TLS implementations in CUPS which will
+  behave differently
+
+Since the standard defines that waiting for confirmation is not required
+and due the problems above, I would propose using GNUTLS_SHUT_WR mode
+regardless of HTTP mode.
+---
+ cups/tls-gnutls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
+index c55995b2b..f87b4f4df 100644
+--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
+@@ -1667,7 +1667,7 @@ _httpTLSStop(http_t *http)		/* I - Connection to server */
+   int	error;				/* Error code */
+ 
+ 
+-  error = gnutls_bye(http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
+  error = gnutls_bye(http->tls, GNUTLS_SHUT_WR);
+   if (error != GNUTLS_E_SUCCESS)
+     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(errno), 0);
+ 
+-- 
+2.35.1
+
--- a/SOURCES/0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
+++ b/SOURCES/0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
@ -0,0 +1,35 @@
+From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 May 2022 06:27:04 +0200
+Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
+ CVE-2022-26691)
+
+The previous algorithm didn't expect the strings can have a different
+length, so one string can be a substring of the other and such substring
+was reported as equal to the longer string.
+---
+ CHANGES.md       | 1 +
+ scheduler/cert.c | 9 ++++++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/scheduler/cert.c b/scheduler/cert.c
+index b268bf1b2..9b65b96c9 100644
+--- a/scheduler/cert.c
+++ b/scheduler/cert.c
+@@ -444,5 +444,12 @@ ctcompare(const char *a,		/* I - First string */
+     b ++;
+   }
+ 
+-  return (result);
+ /*
+  * The while loop finishes when *a == '\0' or *b == '\0'
+  * so after the while loop either both *a and *b == '\0',
+  * or one points inside a string, so when we apply bitwise OR on *a,
+  * *b and result, we get a non-zero return value if the compared strings don't match.
+  */
+
+  return (result | *a | *b);
+ }
+-- 
+2.36.1
+
--- a/SPECS/cups.spec
+++ b/SPECS/cups.spec
@ -15,7 +15,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.2.6
-Release: 44%{?dist}
+Release: 45%{?dist}.2
 License: GPLv2+ and LGPLv2 with exceptions and AML
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@ -129,6 +129,10 @@ Patch70: 0001-Add-with-idle-exit-timeout-configure-option.patch
 Patch71: 0001-Add-with-systemd-timeoutstartsec-configure-option.patch
 # 2032965 - [RFE] RHEL8 - CUPS Web UI supports adding IPP Everywhere
 Patch72: cups-ippeve-web-support.patch
+# 2073531 - 30-second delays printing to Windows 2016 server via HTTPS
+Patch73: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
+# CVE-2022-26691 cups: authorization bypass when using "local" authorization
+Patch74: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch

 Patch1000: cups-lspp.patch

@ -401,6 +405,10 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 %patch71 -p1 -b .timeoutstartsec
 # 2032965 - [RFE] RHEL8 - CUPS Web UI supports adding IPP Everywhere
 %patch72 -p1 -b .ippeve-web-support
+# 2073531 - 30-second delays printing to Windows 2016 server via HTTPS
+%patch73 -p1 -b .gnutlsbye
+# CVE-2022-26691 cups: authorization bypass when using "local" authorization
+%patch74 -p1 -b .cve26691

 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in

@ -820,6 +828,12 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz

 %changelog
+* Thu May 26 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-45.2
+- CVE-2022-26691 cups: authorization bypass when using "local" authorization
+
+* Sat Apr 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-45.1
+- 2073531 - 30-second delays printing to Windows 2016 server via HTTPS
+
 * Wed Jan 19 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-44
 - 2015182 - RFE: Implement IdleExitTimeout configuration during build