CVE-2022-26691 cups: authorization bypass when using "local" authorization

Resolves: CVE-2022-26691
This commit is contained in:
Zdenek Dohnal 2022-06-16 12:18:00 +02:00
parent 42d7ae9ec3
commit b28bce56a2
2 changed files with 43 additions and 1 deletions

View File

@ -0,0 +1,35 @@
From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 26 May 2022 06:27:04 +0200
Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
CVE-2022-26691)
The previous algorithm didn't expect the strings can have a different
length, so one string can be a substring of the other and such substring
was reported as equal to the longer string.
---
CHANGES.md | 1 +
scheduler/cert.c | 9 ++++++++-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/scheduler/cert.c b/scheduler/cert.c
index b268bf1b2..9b65b96c9 100644
--- a/scheduler/cert.c
+++ b/scheduler/cert.c
@@ -444,5 +444,12 @@ ctcompare(const char *a, /* I - First string */
b ++;
}
- return (result);
+ /*
+ * The while loop finishes when *a == '\0' or *b == '\0'
+ * so after the while loop either both *a and *b == '\0',
+ * or one points inside a string, so when we apply bitwise OR on *a,
+ * *b and result, we get a non-zero return value if the compared strings don't match.
+ */
+
+ return (result | *a | *b);
}
--
2.36.1

View File

@ -17,7 +17,7 @@ Summary: CUPS printing system
Name: cups
Epoch: 1
Version: 2.3.3%{OP_VER}
Release: 15%{?dist}
Release: 16%{?dist}
License: ASL 2.0
Url: http://www.cups.org/
# Apple stopped uploading the new versions into github, use OpenPrinting fork
@ -101,6 +101,8 @@ Patch26: 0001-cups-http-encode-memleaks-fixes-issue-322.patch
Patch27: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
# 2091997 - manpage update to acknowledge order dependency of -h option
Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
##### Patches removed because IMHO they aren't no longer needed
@ -333,6 +335,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
%patch27 -p1 -b .gnutlsbye
# 2091997 - manpage update to acknowledge order dependency of -h option
%patch28 -p1 -b .manpage-update
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
%patch29 -p1 -b .cve26691
%if %{lspp}
# LSPP support.
@ -756,6 +760,9 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man7/ippeveps.7.gz
%changelog
* Thu Jun 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16
- CVE-2022-26691 cups: authorization bypass when using "local" authorization
* Fri Jun 10 2022 Richard Lescak <rlescak@redhat.com> - 1:2.3.3op2-15
- 2091997 - update man pages to mention order dependency of -h option