CVE-2022-26691 cups: authorization bypass when using "local" authorization

Resolves: CVE-2022-26691
2022-06-16 12:18:00 +02:00 · 2022-06-16 12:18:00 +02:00 · b28bce56a2
commit b28bce56a2
parent 42d7ae9ec3
2 changed files with 43 additions and 1 deletions
--- a/0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
+++ b/0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
@ -0,0 +1,35 @@
+From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 May 2022 06:27:04 +0200
+Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
+ CVE-2022-26691)
+
+The previous algorithm didn't expect the strings can have a different
+length, so one string can be a substring of the other and such substring
+was reported as equal to the longer string.
+---
+ CHANGES.md       | 1 +
+ scheduler/cert.c | 9 ++++++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/scheduler/cert.c b/scheduler/cert.c
+index b268bf1b2..9b65b96c9 100644
+--- a/scheduler/cert.c
+++ b/scheduler/cert.c
+@@ -444,5 +444,12 @@ ctcompare(const char *a,		/* I - First string */
+     b ++;
+   }
+ 
+-  return (result);
+ /*
+  * The while loop finishes when *a == '\0' or *b == '\0'
+  * so after the while loop either both *a and *b == '\0',
+  * or one points inside a string, so when we apply bitwise OR on *a,
+  * *b and result, we get a non-zero return value if the compared strings don't match.
+  */
+
+  return (result | *a | *b);
+ }
+-- 
+2.36.1
+
--- a/cups.spec
+++ b/cups.spec
@ -17,7 +17,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: ASL 2.0
 Url: http://www.cups.org/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
@ -101,6 +101,8 @@ Patch26: 0001-cups-http-encode-memleaks-fixes-issue-322.patch
 Patch27: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
 # 2091997 - manpage update to acknowledge order dependency of -h option
 Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch
+# CVE-2022-26691 cups: authorization bypass when using "local" authorization
+Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch


 ##### Patches removed because IMHO they aren't no longer needed
@ -333,6 +335,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch27 -p1 -b .gnutlsbye
 # 2091997 - manpage update to acknowledge order dependency of -h option
 %patch28 -p1 -b .manpage-update
+# CVE-2022-26691 cups: authorization bypass when using "local" authorization
+%patch29 -p1 -b .cve26691

 %if %{lspp}
 # LSPP support.
@ -756,6 +760,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz

 %changelog
+* Thu Jun 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16
+- CVE-2022-26691 cups: authorization bypass when using "local" authorization
+
 * Fri Jun 10 2022 Richard Lescak <rlescak@redhat.com> - 1:2.3.3op2-15
 - 2091997 - update man pages to mention order dependency of -h option