RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues

Resolves: RHEL-129720
2025-12-10 14:28:37 +01:00 · 2025-12-10 14:28:37 +01:00 · b265443ecb
commit b265443ecb
parent e4481e60a5
3 changed files with 335 additions and 0 deletions
--- a/0001-Fix-various-issues-in-cupsd.patch
+++ b/0001-Fix-various-issues-in-cupsd.patch
@ -0,0 +1,283 @@
+diff -up cups-2.2.6/conf/cups-files.conf.in.config-issues cups-2.2.6/conf/cups-files.conf.in
+--- cups-2.2.6/conf/cups-files.conf.in.config-issues	2025-12-10 09:55:08.849687904 +0100
+++ cups-2.2.6/conf/cups-files.conf.in	2025-12-10 09:55:08.963762383 +0100
+@@ -19,6 +19,9 @@
+ SystemGroup @CUPS_SYSTEM_GROUPS@
+ @CUPS_SYSTEM_AUTHKEY@
+ 
+# Are Unix domain socket peer credentials used for authorization?
+PeerCred @CUPS_PEER_CRED@
+
+ # User that is substituted for unauthenticated (remote) root accesses...
+ #RemoteRoot remroot
+ 
+diff -up cups-2.2.6/config.h.in.config-issues cups-2.2.6/config.h.in
+--- cups-2.2.6/config.h.in.config-issues	2025-12-10 09:55:08.852849134 +0100
+++ cups-2.2.6/config.h.in	2025-12-10 09:56:38.680857561 +0100
+@@ -88,6 +88,13 @@
+ 
+ 
+ /*
+ * Default PeerCred value...
+ */
+
+#define CUPS_DEFAULT_PEER_CRED "on"
+
+
+/*
+  * Default MaxCopies value...
+  */
+ 
+diff -up cups-2.2.6/config-scripts/cups-defaults.m4.config-issues cups-2.2.6/config-scripts/cups-defaults.m4
+--- cups-2.2.6/config-scripts/cups-defaults.m4.config-issues	2025-12-10 09:55:08.913734163 +0100
+++ cups-2.2.6/config-scripts/cups-defaults.m4	2025-12-10 09:55:57.696584490 +0100
+@@ -95,6 +95,15 @@ AC_ARG_WITH(log_level, [  --with-log-lev
+ AC_SUBST(CUPS_LOG_LEVEL)
+ AC_DEFINE_UNQUOTED(CUPS_DEFAULT_LOG_LEVEL, "$CUPS_LOG_LEVEL")
+ 
+dnl Default PeerCred
+AC_ARG_WITH([peer_cred], AS_HELP_STRING([--with-peer-cred], [set default PeerCred value (on/off/root-only), default=on]), [
+    CUPS_PEER_CRED="$withval"
+], [
+    CUPS_PEER_CRED="on"
+])
+AC_SUBST([CUPS_PEER_CRED])
+AC_DEFINE_UNQUOTED([CUPS_DEFAULT_PEER_CRED], ["$CUPS_PEER_CRED"], [Default PeerCred value.])
+
+ dnl Default AccessLogLevel
+ AC_ARG_WITH(access_log_level, [  --with-access-log-level set default AccessLogLevel value, default=none],
+ 	CUPS_ACCESS_LOG_LEVEL="$withval",
+diff -up cups-2.2.6/doc/help/man-cups-files.conf.html.config-issues cups-2.2.6/doc/help/man-cups-files.conf.html
+--- cups-2.2.6/doc/help/man-cups-files.conf.html.config-issues	2025-12-10 09:55:08.849902857 +0100
+++ cups-2.2.6/doc/help/man-cups-files.conf.html	2025-12-10 09:57:25.160598126 +0100
+@@ -119,6 +119,13 @@ The server name may be included in filen
+ 
+ </pre>
+ The default is "/var/log/cups/page_log".
+<dt><a name="PeerCred"></a><b>PeerCred off</b>
+<dd style="margin-left: 5.0em"><dt><b>PeerCred on</b>
+<dd style="margin-left: 5.0em"><dt><b>PeerCred root-only</b>
+<dd style="margin-left: 5.0em">Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket.
+When <b>on</b>, the peer credentials of any user are accepted for authorization.
+The value <b>off</b> disables the use of peer credentials entirely, while the value <b>root-only</b> allows peer credentials only for the root user.
+Note: for security reasons, the <b>on</b> setting is reduced to <b>root-only</b> for authorization of PUT requests.
+ <dt><a name="RemoteRoot"></a><b>RemoteRoot </b><i>username</i>
+ <dd style="margin-left: 5.0em">Specifies the username that is associated with unauthenticated accesses by clients claiming to be the root user.
+ The default is "remroot".
+diff -up cups-2.2.6/man/cups-files.conf.man.in.config-issues cups-2.2.6/man/cups-files.conf.man.in
+--- cups-2.2.6/man/cups-files.conf.man.in.config-issues	2025-12-10 09:59:33.227883234 +0100
+++ cups-2.2.6/man/cups-files.conf.man.in	2025-12-10 09:59:57.400174430 +0100
+@@ -162,6 +162,17 @@ The default is "/var/log/cups/page_log".
+ \fBPassEnv \fIvariable \fR[ ... \fIvariable \fR]
+ Passes the specified environment variable(s) to child processes.
+ Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive.
+.\"#PeerCred
+.TP 5
+\fBPeerCred off\fR
+.TP 5
+\fBPeerCred on\fR
+.TP 5
+\fBPeerCred root-only\fR
+Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket.
+When \fBon\fR, the peer credentials of any user are accepted for authorization.
+The value \fBoff\fR disables the use of peer credentials entirely, while the value \fBroot-only\fR allows peer credentials only for the root user.
+Note: for security reasons, the \fBon\fR setting is reduced to \fBroot-only\fR for authorization of PUT requests.
+ .\"#RemoteRoot
+ .TP 5
+ \fBRemoteRoot \fIusername\fR
+diff -up cups-2.2.6/scheduler/auth.c.config-issues cups-2.2.6/scheduler/auth.c
+--- cups-2.2.6/scheduler/auth.c.config-issues	2025-12-10 09:55:08.953939209 +0100
+++ cups-2.2.6/scheduler/auth.c	2025-12-10 09:55:08.965011783 +0100
+@@ -401,7 +401,7 @@ cupsdAuthorize(cupsd_client_t *con)	/* I
+   }
+ #endif /* HAVE_AUTHORIZATION_H */
+ #if defined(SO_PEERCRED) && defined(AF_LOCAL)
+-  else if (!strncmp(authorization, "PeerCred ", 9) &&
+  else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) &&
+            con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
+   {
+    /*
+@@ -444,6 +444,12 @@ cupsdAuthorize(cupsd_client_t *con)	/* I
+     }
+ #endif /* HAVE_AUTHORIZATION_H */
+ 
+    if ((PeerCred == CUPSD_PEERCRED_ROOTONLY || httpGetState(con->http) == HTTP_STATE_PUT_RECV) && strcmp(authorization + 9, "root"))
+    {
+      cupsdLogClient(con, CUPSD_LOG_INFO, "User \"%s\" is not allowed to use peer credentials.", authorization + 9);
+      return;
+    }
+
+     if ((pwd = getpwnam(authorization + 9)) == NULL)
+     {
+       cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9);
+diff -up cups-2.2.6/scheduler/auth.h.config-issues cups-2.2.6/scheduler/auth.h
+--- cups-2.2.6/scheduler/auth.h.config-issues	2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/scheduler/auth.h	2025-12-10 10:00:29.472254041 +0100
+@@ -52,6 +52,10 @@
+ #define CUPSD_AUTH_LIMIT_ALL	127	/* Limit all requests */
+ #define CUPSD_AUTH_LIMIT_IPP	128	/* Limit IPP requests */
+ 
+#define CUPSD_PEERCRED_OFF	0	/* Don't allow PeerCred authorization */
+#define CUPSD_PEERCRED_ON	1	/* Allow PeerCred authorization for all users */
+#define CUPSD_PEERCRED_ROOTONLY	2	/* Allow PeerCred authorization for root user */
+
+ #define IPP_ANY_OPERATION	(ipp_op_t)0
+ 					/* Any IPP operation */
+ #define IPP_BAD_OPERATION	(ipp_op_t)-1
+@@ -109,6 +113,9 @@ typedef struct cupsd_client_s cupsd_clie
+ 
+ VAR cups_array_t	*Locations	VALUE(NULL);
+ 					/* Authorization locations */
+VAR int			PeerCred	VALUE(CUPSD_PEERCRED_ON);
+					/* Allow PeerCred authorization? */
+
+ #ifdef HAVE_SSL
+ VAR http_encryption_t	DefaultEncryption VALUE(HTTP_ENCRYPT_REQUIRED);
+ 					/* Default encryption for authentication */
+diff -up cups-2.2.6/scheduler/client.c.config-issues cups-2.2.6/scheduler/client.c
+diff -up cups-2.2.6/scheduler/conf.c.config-issues cups-2.2.6/scheduler/conf.c
+--- cups-2.2.6/scheduler/conf.c.config-issues	2025-12-10 09:55:08.946765727 +0100
+++ cups-2.2.6/scheduler/conf.c	2025-12-10 09:55:08.964315379 +0100
+@@ -52,6 +52,7 @@ typedef enum
+ {
+   CUPSD_VARTYPE_INTEGER,		/* Integer option */
+   CUPSD_VARTYPE_TIME,			/* Time interval option */
+  CUPSD_VARTYPE_NULLSTRING,		/* String option or NULL/empty string */
+   CUPSD_VARTYPE_STRING,			/* String option */
+   CUPSD_VARTYPE_BOOLEAN,		/* Boolean option */
+   CUPSD_VARTYPE_PATHNAME,		/* File/directory name option */
+@@ -74,7 +75,7 @@ static const cupsd_var_t	cupsd_vars[] =
+ {
+   { "AutoPurgeJobs", 		&JobAutoPurge,		CUPSD_VARTYPE_BOOLEAN },
+ #if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
+-  { "BrowseDNSSDSubTypes",	&DNSSDSubTypes,		CUPSD_VARTYPE_STRING },
+  { "BrowseDNSSDSubTypes",	&DNSSDSubTypes,		CUPSD_VARTYPE_NULLSTRING },
+ #endif /* HAVE_DNSSD || HAVE_AVAHI */
+   { "BrowseWebIF",		&BrowseWebIF,		CUPSD_VARTYPE_BOOLEAN },
+   { "Browsing",			&Browsing,		CUPSD_VARTYPE_BOOLEAN },
+@@ -124,7 +125,7 @@ static const cupsd_var_t	cupsd_vars[] =
+   { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter,	CUPSD_VARTYPE_INTEGER },
+   { "MaxSubscriptionsPerUser",	&MaxSubscriptionsPerUser,	CUPSD_VARTYPE_INTEGER },
+   { "MultipleOperationTimeout",	&MultipleOperationTimeout,	CUPSD_VARTYPE_TIME },
+-  { "PageLogFormat",		&PageLogFormat,		CUPSD_VARTYPE_STRING },
+  { "PageLogFormat",		&PageLogFormat,		CUPSD_VARTYPE_NULLSTRING },
+   { "PreserveJobFiles",		&JobFiles,		CUPSD_VARTYPE_TIME },
+   { "PreserveJobHistory",	&JobHistory,		CUPSD_VARTYPE_TIME },
+   { "ReloadTimeout",		&ReloadTimeout,		CUPSD_VARTYPE_TIME },
+@@ -807,6 +808,13 @@ cupsdReadConfiguration(void)
+   IdleExitTimeout = 60;
+ #endif /* HAVE_ONDEMAND */
+ 
+  if (!strcmp(CUPS_DEFAULT_PEER_CRED, "off"))
+    PeerCred = CUPSD_PEERCRED_OFF;
+  else if (!strcmp(CUPS_DEFAULT_PEER_CRED, "root-only"))
+    PeerCred = CUPSD_PEERCRED_ROOTONLY;
+  else
+    PeerCred = CUPSD_PEERCRED_ON;
+
+  /*
+   * Setup environment variables...
+   */
+@@ -1837,7 +1845,7 @@ get_addr_and_mask(const char *value,	/*
+ 
+     family  = AF_INET6;
+ 
+-    for (i = 0, ptr = value + 1; *ptr && i < 8; i ++)
+    for (i = 0, ptr = value + 1; *ptr && i >= 0 && i < 8; i ++)
+     {
+       if (*ptr == ']')
+         break;
+@@ -1986,7 +1994,7 @@ get_addr_and_mask(const char *value,	/*
+ #ifdef AF_INET6
+       if (family == AF_INET6)
+       {
+-        if (i > 128)
+        if (i < 0 || i > 128)
+ 	  return (0);
+ 
+         i = 128 - i;
+@@ -2020,7 +2028,7 @@ get_addr_and_mask(const char *value,	/*
+       else
+ #endif /* AF_INET6 */
+       {
+-        if (i > 32)
+        if (i < 0 || i > 32)
+ 	  return (0);
+ 
+         mask[0] = 0xffffffff;
+@@ -2930,7 +2938,17 @@ parse_variable(
+ 	cupsdSetString((char **)var->ptr, temp);
+ 	break;
+ 
+    case CUPSD_VARTYPE_NULLSTRING :
+	cupsdSetString((char **)var->ptr, value);
+	break;
+
+     case CUPSD_VARTYPE_STRING :
+        if (!value)
+        {
+	  cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.", line, linenum, filename);
+	  return (0);
+        }
+
+ 	cupsdSetString((char **)var->ptr, value);
+ 	break;
+   }
+@@ -3438,9 +3456,10 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
+ 		      line, value ? " " : "", value ? value : "", linenum,
+ 		      ConfigurationFile, CupsFilesFile);
+     }
+-    else
+-      parse_variable(ConfigurationFile, linenum, line, value,
+-                     sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars);
+    else if (!parse_variable(ConfigurationFile, linenum, line, value,
+			     sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars) &&
+	     (FatalErrors & CUPSD_FATAL_CONFIG))
+      return (0);
+   }
+ 
+   return (1);
+@@ -3575,6 +3594,31 @@ read_cups_files_conf(cups_file_t *fp)	/*
+ 	    break;
+       }
+     }
+    else if (!_cups_strcasecmp(line, "PeerCred") && value)
+    {
+     /*
+      * PeerCred {off,on,root-only}
+      */
+
+      if (!_cups_strcasecmp(value, "off"))
+      {
+        PeerCred = CUPSD_PEERCRED_OFF;
+      }
+      else if (!_cups_strcasecmp(value, "on"))
+      {
+        PeerCred = CUPSD_PEERCRED_ON;
+      }
+      else if (!_cups_strcasecmp(value, "root-only"))
+      {
+        PeerCred = CUPSD_PEERCRED_ROOTONLY;
+      }
+      else
+      {
+	cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown PeerCred \"%s\" on line %d of %s.", value, linenum, CupsFilesFile);
+        if (FatalErrors & CUPSD_FATAL_CONFIG)
+          return (0);
+      }
+    }
+     else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)
+     {
+      /*
+diff -up cups-2.2.6/test/run-stp-tests.sh.config-issues cups-2.2.6/test/run-stp-tests.sh
+--- cups-2.2.6/test/run-stp-tests.sh.config-issues	2025-12-10 09:55:08.861374808 +0100
+++ cups-2.2.6/test/run-stp-tests.sh	2025-12-10 09:55:08.964582228 +0100
+@@ -511,7 +511,7 @@ fi
+ 
+ cat >$BASE/cups-files.conf <<EOF
+ FileDevice yes
+-Printcap
+Printcap $BASE/printcap
+ User $user
+ ServerRoot $BASE
+ StateDir $BASE
--- a/0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
+++ b/0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
@ -0,0 +1,43 @@
+From 277d3b1c49895f070bbf4b73cada011d71fbf9f3 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 4 Dec 2025 09:04:37 +0100
+Subject: [PATCH] conf.c: Fix stopping scheduler on unknown directive
+
+Change the return value to do not trigger stopping the scheduler in case
+of unknown directive, because stopping the scheduler on config errors
+should only happen in case of syntax errors.
+---
+ scheduler/conf.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index 7d6da0252..0e7be0ef4 100644
+--- a/scheduler/conf.c
+++ b/scheduler/conf.c
+@@ -2708,16 +2708,16 @@ parse_variable(
+   {
+    /*
+     * Unknown directive!  Output an error message and continue...
+    *
+    * Return value 1 is on purpose - we ignore unknown directives to log
+    * error, but do not stop the scheduler in case error in configuration
+    * is set to be fatal.
+     */
+ 
+-    if (!value)
+-      cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.",
+-		      line, linenum, filename);
+-    else
+-      cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
+-		      line, linenum, filename);
+    cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
+		    line, linenum, filename);
+ 
+-    return (0);
+    return (1);
+   }
+ 
+   switch (var->type)
+-- 
+2.52.0
+
--- a/cups.spec
+++ b/cups.spec
@ -204,6 +204,11 @@ Patch99: 0001-_httpWait-s-usessl-parameter-wasn-t-being-used.patch
 Patch100: 0001-Setting-the-timeout-should-also-timeout-the-TLS-nego.patch
 Patch101: cups-CVE-2025-58436.patch
 Patch102: 0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch
+# RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues
+# 0001-Fix-various-issues-in-cupsd.patch
+# 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
+Patch103: 0001-Fix-various-issues-in-cupsd.patch
+Patch104: 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch

 Patch1000: cups-lspp.patch

@ -541,6 +546,9 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 %patch100 -p1 -b .timeout-tls
 %patch101 -p1 -b .slow-client
 %patch102 -p1 -b .gtk-infinite-loop
+# RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues
+%patch103 -p1 -b .config-issues
+%patch104 -p1 -b .ignore-unknown


 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
@ -970,6 +978,7 @@ rm -f %{cups_serverbin}/backend/smb
 %changelog
 * Tue Dec 09 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-65
 - RHEL-129729 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack
+- RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues

 * Wed Oct 22 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-64
 - RHEL-122045 CVE-2025-58364 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS