Patch CVE-2024-35235: cupsd Listen arbitrary chmod 0140777

This commit is contained in:
Pavol Žáčik 2024-06-10 10:48:31 +02:00 committed by root
parent 2031f024f2
commit 9c73d36088
3 changed files with 95 additions and 1 deletions

1
.cups.metadata Normal file
View File

@ -0,0 +1 @@
23108e0f6ca7d8caa1a6a6224f5322e21ba0a27d cups-2.3.3op2-source.tar.gz

View File

@ -0,0 +1,86 @@
diff --git a/cups/http-addr.c b/cups/http-addr.c
index 86749c848..5b035e02b 100644
--- a/cups/http-addr.c
+++ b/cups/http-addr.c
@@ -196,31 +196,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
{
mode_t mask; /* Umask setting */
- /*
- * Remove any existing domain socket file...
- */
-
- unlink(addr->un.sun_path);
-
- /*
- * Save the current umask and set it to 0 so that all users can access
- * the domain socket...
- */
-
- mask = umask(0);
-
- /*
- * Bind the domain socket...
- */
+ // Remove any existing domain socket file...
+ if ((status = unlink(addr->un.sun_path)) < 0)
+ {
+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
+ if (errno == ENOENT)
+ status = 0;
+ }
- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
+ if (!status)
+ {
+ // Save the current umask and set it to 0 so that all users can access
+ // the domain socket...
+ mask = umask(0);
- /*
- * Restore the umask and fix permissions...
- */
+ // Bind the domain socket...
+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
+ {
+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
+ }
- umask(mask);
- chmod(addr->un.sun_path, 0140777);
+ // Restore the umask...
+ umask(mask);
+ }
}
else
#endif /* AF_LOCAL */
diff --git a/scheduler/conf.c b/scheduler/conf.c
index bb6049b2c..4c703c9b9 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -3062,6 +3062,25 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
cupsd_listener_t *lis; /* New listeners array */
+ /*
+ * If we are launched on-demand, do not use domain sockets from the config
+ * file. Also check that the domain socket path is not too long...
+ */
+
+#ifdef HAVE_ONDEMAND
+ if (*value == '/' && OnDemand)
+ {
+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
+ continue;
+ }
+#endif // HAVE_ONDEMAND
+
+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
+ {
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
+ continue;
+ }
/*
* Get the address list...

View File

@ -24,7 +24,7 @@ Summary: CUPS printing system
Name: cups Name: cups
Epoch: 1 Epoch: 1
Version: 2.3.3%{OP_VER} Version: 2.3.3%{OP_VER}
Release: 26%{?dist} Release: 27%{?dist}
License: ASL 2.0 License: ASL 2.0
Url: http://www.cups.org/ Url: http://www.cups.org/
# Apple stopped uploading the new versions into github, use OpenPrinting fork # Apple stopped uploading the new versions into github, use OpenPrinting fork
@ -137,6 +137,8 @@ Patch40: 0001-scheduler-Fix-sending-response-headers-to-client.patch
# RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions # RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions
# https://github.com/OpenPrinting/cups/pull/456 # https://github.com/OpenPrinting/cups/pull/456
Patch41: 0001-cups-dest.c-Write-data-into-etc-cups-lpoptions-if-we.patch Patch41: 0001-cups-dest.c-Write-data-into-etc-cups-lpoptions-if-we.patch
# CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
Patch42: 0001-Fix-domain-socket-handling.patch
##### Patches removed because IMHO they aren't no longer needed ##### Patches removed because IMHO they aren't no longer needed
@ -402,6 +404,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
%patch40 -p1 -b .sent-headers %patch40 -p1 -b .sent-headers
# RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions # RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions
%patch41 -p1 -b .root-lpoptions %patch41 -p1 -b .root-lpoptions
# CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
%patch42 -p1 -b .cve2024-35235
%if %{lspp} %if %{lspp}
# LSPP support. # LSPP support.
@ -836,6 +840,9 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man7/ippeveps.7.gz %{_mandir}/man7/ippeveps.7.gz
%changelog %changelog
* Mon Jun 10 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.3.3op2-27
- CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
* Mon Apr 15 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-26 * Mon Apr 15 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-26
- RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions - RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions