import cups-2.2.6-40.el8
This commit is contained in:
parent
a1a82b79e6
commit
b97f1e1218
61
SOURCES/cups-cve202010001.patch
Normal file
61
SOURCES/cups-cve202010001.patch
Normal file
@ -0,0 +1,61 @@
|
||||
Fix for CVE-2020-10001, which is a bug in the CUPS ippReadIO function when it
|
||||
reads tagged string values (nameWithLanguage and textWithLanguage). The
|
||||
previous code verified that the length of the sub-strings (language identifier
|
||||
and name/text value) did not exceed the size of the allocated buffer (1 byte
|
||||
larger than the maximum IPP value size of 32767 bytes), but did not validate
|
||||
against the length of the actual IPP value.
|
||||
|
||||
The issues introduced by this vulnerability include:
|
||||
|
||||
- Potential information disclosure by copying uninitialized areas of memory into
|
||||
an IPP string value.
|
||||
- Potential Denial of Service by supplying/using invalid string values when
|
||||
strict validation has been disabled by the system administrator.
|
||||
|
||||
This change ensures that:
|
||||
|
||||
1. The language identifier does not extend beyond the end of the IPP value.
|
||||
2. The length of the name/text string is within the IPP value.
|
||||
3. The name/text string is within the IPP value.
|
||||
|
||||
diff --git a/cups/ipp.c b/cups/ipp.c
|
||||
index 3d529346c..adbb26fba 100644
|
||||
--- a/cups/ipp.c
|
||||
+++ b/cups/ipp.c
|
||||
@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */
|
||||
unsigned char *buffer, /* Data buffer */
|
||||
string[IPP_MAX_TEXT],
|
||||
/* Small string buffer */
|
||||
- *bufptr; /* Pointer into buffer */
|
||||
+ *bufptr, /* Pointer into buffer */
|
||||
+ *bufend; /* End of buffer */
|
||||
ipp_attribute_t *attr; /* Current attribute */
|
||||
ipp_tag_t tag; /* Current tag */
|
||||
ipp_tag_t value_tag; /* Current value tag */
|
||||
@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */
|
||||
}
|
||||
|
||||
bufptr = buffer;
|
||||
+ bufend = buffer + n;
|
||||
|
||||
/*
|
||||
* text-with-language and name-with-language are composite
|
||||
@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */
|
||||
|
||||
n = (bufptr[0] << 8) | bufptr[1];
|
||||
|
||||
- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
|
||||
+ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
|
||||
{
|
||||
_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
|
||||
_("IPP language length overflows value."), 1);
|
||||
@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */
|
||||
bufptr += 2 + n;
|
||||
n = (bufptr[0] << 8) | bufptr[1];
|
||||
|
||||
- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
|
||||
+ if ((bufptr + 2 + n) > bufend)
|
||||
{
|
||||
_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
|
||||
_("IPP string length overflows value."), 1);
|
||||
|
110
SOURCES/cups-fix-preservejob-times.patch
Normal file
110
SOURCES/cups-fix-preservejob-times.patch
Normal file
@ -0,0 +1,110 @@
|
||||
diff --git a/scheduler/job.c b/scheduler/job.c
|
||||
index 82ef2eb..5d5e3aa 100644
|
||||
--- a/scheduler/job.c
|
||||
+++ b/scheduler/job.c
|
||||
@@ -448,10 +448,20 @@ cupsdCleanJobs(void)
|
||||
curtime = time(NULL);
|
||||
JobHistoryUpdate = 0;
|
||||
|
||||
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCleanJobs: curtime=%d", (int)curtime);
|
||||
+
|
||||
for (job = (cupsd_job_t *)cupsArrayFirst(Jobs);
|
||||
job;
|
||||
job = (cupsd_job_t *)cupsArrayNext(Jobs))
|
||||
{
|
||||
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCleanJobs: Job %d, state=%d, printer=%p, history_time=%d, file_time=%d", job->id, (int)job->state_value, (void *)job->printer, (int)job->history_time, (int)job->file_time);
|
||||
+
|
||||
+ if ((job->history_time && job->history_time < JobHistoryUpdate) || !JobHistoryUpdate)
|
||||
+ JobHistoryUpdate = job->history_time;
|
||||
+
|
||||
+ if ((job->file_time && job->file_time < JobHistoryUpdate) || !JobHistoryUpdate)
|
||||
+ JobHistoryUpdate = job->file_time;
|
||||
+
|
||||
if (job->state_value >= IPP_JOB_CANCELED && !job->printer)
|
||||
{
|
||||
/*
|
||||
@@ -462,26 +472,14 @@ cupsdCleanJobs(void)
|
||||
(job->history_time && job->history_time <= curtime))
|
||||
{
|
||||
cupsdLogJob(job, CUPSD_LOG_DEBUG, "Removing from history.");
|
||||
- cupsdDeleteJob(job, CUPSD_JOB_PURGE);
|
||||
+ cupsdDeleteJob(job, CUPSD_JOB_PURGE);
|
||||
}
|
||||
else if (job->file_time && job->file_time <= curtime)
|
||||
{
|
||||
cupsdLogJob(job, CUPSD_LOG_DEBUG, "Removing document files.");
|
||||
- cupsdLogJob(job, CUPSD_LOG_DEBUG2, "curtime=%ld, job->file_time=%ld", (long)curtime, (long)job->file_time);
|
||||
remove_job_files(job);
|
||||
|
||||
cupsdMarkDirty(CUPSD_DIRTY_JOBS);
|
||||
-
|
||||
- if (job->history_time < JobHistoryUpdate || !JobHistoryUpdate)
|
||||
- JobHistoryUpdate = job->history_time;
|
||||
- }
|
||||
- else
|
||||
- {
|
||||
- if (job->history_time < JobHistoryUpdate || !JobHistoryUpdate)
|
||||
- JobHistoryUpdate = job->history_time;
|
||||
-
|
||||
- if (job->file_time < JobHistoryUpdate || !JobHistoryUpdate)
|
||||
- JobHistoryUpdate = job->file_time;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1873,7 +1871,7 @@ cupsdLoadJob(cupsd_job_t *job) /* I - Job */
|
||||
job->completed_time = attr->values[0].integer;
|
||||
|
||||
if (JobHistory < INT_MAX)
|
||||
- job->history_time = attr->values[0].integer + JobHistory;
|
||||
+ job->history_time = job->completed_time + JobHistory;
|
||||
else
|
||||
job->history_time = INT_MAX;
|
||||
|
||||
@@ -1884,7 +1882,7 @@ cupsdLoadJob(cupsd_job_t *job) /* I - Job */
|
||||
JobHistoryUpdate = job->history_time;
|
||||
|
||||
if (JobFiles < INT_MAX)
|
||||
- job->file_time = attr->values[0].integer + JobFiles;
|
||||
+ job->file_time = job->completed_time + JobFiles;
|
||||
else
|
||||
job->file_time = INT_MAX;
|
||||
|
||||
@@ -3100,8 +3098,10 @@ cupsdUpdateJobs(void)
|
||||
* Update history/file expiration times...
|
||||
*/
|
||||
|
||||
+ job->completed_time = attr->values[0].integer;
|
||||
+
|
||||
if (JobHistory < INT_MAX)
|
||||
- job->history_time = attr->values[0].integer + JobHistory;
|
||||
+ job->history_time = job->completed_time + JobHistory;
|
||||
else
|
||||
job->history_time = INT_MAX;
|
||||
|
||||
@@ -3115,7 +3115,7 @@ cupsdUpdateJobs(void)
|
||||
JobHistoryUpdate = job->history_time;
|
||||
|
||||
if (JobFiles < INT_MAX)
|
||||
- job->file_time = attr->values[0].integer + JobFiles;
|
||||
+ job->file_time = job->completed_time + JobFiles;
|
||||
else
|
||||
job->file_time = INT_MAX;
|
||||
|
||||
@@ -4909,7 +4909,7 @@ set_time(cupsd_job_t *job, /* I - Job to update */
|
||||
job->completed_time = curtime;
|
||||
|
||||
if (JobHistory < INT_MAX && attr)
|
||||
- job->history_time = attr->values[0].integer + JobHistory;
|
||||
+ job->history_time = job->completed_time + JobHistory;
|
||||
else
|
||||
job->history_time = INT_MAX;
|
||||
|
||||
@@ -4917,7 +4917,7 @@ set_time(cupsd_job_t *job, /* I - Job to update */
|
||||
JobHistoryUpdate = job->history_time;
|
||||
|
||||
if (JobFiles < INT_MAX && attr)
|
||||
- job->file_time = curtime + JobFiles;
|
||||
+ job->file_time = job->completed_time + JobFiles;
|
||||
else
|
||||
job->file_time = INT_MAX;
|
||||
|
100
SOURCES/cups-logs.patch
Normal file
100
SOURCES/cups-logs.patch
Normal file
@ -0,0 +1,100 @@
|
||||
diff --git a/scheduler/log.c b/scheduler/log.c
|
||||
index 33cdac6..d66bbf9 100644
|
||||
--- a/scheduler/log.c
|
||||
+++ b/scheduler/log.c
|
||||
@@ -597,51 +597,6 @@ cupsdLogJob(cupsd_job_t *job, /* I - Job */
|
||||
if (level > LogLevel && LogDebugHistory <= 0)
|
||||
return (1);
|
||||
|
||||
-#ifdef HAVE_SYSTEMD_SD_JOURNAL_H
|
||||
- if (!strcmp(ErrorLog, "syslog"))
|
||||
- {
|
||||
- cupsd_printer_t *printer = job ? (job->printer ? job->printer : (job->dest ? cupsdFindDest(job->dest) : NULL)) : NULL;
|
||||
- static const char * const job_states[] =
|
||||
- { /* job-state strings */
|
||||
- "Pending",
|
||||
- "PendingHeld",
|
||||
- "Processing",
|
||||
- "ProcessingStopped",
|
||||
- "Canceled",
|
||||
- "Aborted",
|
||||
- "Completed"
|
||||
- };
|
||||
-
|
||||
- va_start(ap, message);
|
||||
-
|
||||
- do
|
||||
- {
|
||||
- va_copy(ap2, ap);
|
||||
- status = format_log_line(message, ap2);
|
||||
- va_end(ap2);
|
||||
- }
|
||||
- while (status == 0);
|
||||
-
|
||||
- va_end(ap);
|
||||
-
|
||||
- if (job)
|
||||
- sd_journal_send("MESSAGE=%s", log_line,
|
||||
- "PRIORITY=%i", log_levels[level],
|
||||
- PWG_Event"=JobStateChanged",
|
||||
- PWG_ServiceURI"=%s", printer ? printer->uri : "",
|
||||
- PWG_JobID"=%d", job->id,
|
||||
- PWG_JobState"=%s", job->state_value < IPP_JSTATE_PENDING ? "" : job_states[job->state_value - IPP_JSTATE_PENDING],
|
||||
- PWG_JobImpressionsCompleted"=%d", ippGetInteger(job->impressions, 0),
|
||||
- NULL);
|
||||
- else
|
||||
- sd_journal_send("MESSAGE=%s", log_line,
|
||||
- "PRIORITY=%i", log_levels[level],
|
||||
- NULL);
|
||||
-
|
||||
- return (1);
|
||||
- }
|
||||
-#endif /* HAVE_SYSTEMD_SD_JOURNAL_H */
|
||||
-
|
||||
/*
|
||||
* Format and write the log message...
|
||||
*/
|
||||
@@ -705,7 +660,43 @@ cupsdLogJob(cupsd_job_t *job, /* I - Job */
|
||||
return (1);
|
||||
}
|
||||
else if (level <= LogLevel)
|
||||
+ {
|
||||
+#ifdef HAVE_SYSTEMD_SD_JOURNAL_H
|
||||
+ if (!strcmp(ErrorLog, "syslog"))
|
||||
+ {
|
||||
+ cupsd_printer_t *printer = job ? (job->printer ? job->printer : (job->dest ? cupsdFindDest(job->dest) : NULL)) : NULL;
|
||||
+ static const char * const job_states[] =
|
||||
+ { /* job-state strings */
|
||||
+ "Pending",
|
||||
+ "PendingHeld",
|
||||
+ "Processing",
|
||||
+ "ProcessingStopped",
|
||||
+ "Canceled",
|
||||
+ "Aborted",
|
||||
+ "Completed"
|
||||
+ };
|
||||
+
|
||||
+ if (job)
|
||||
+ sd_journal_send("MESSAGE=%s", log_line,
|
||||
+ "PRIORITY=%i", log_levels[level],
|
||||
+ PWG_Event"=JobStateChanged",
|
||||
+ PWG_ServiceURI"=%s", printer ? printer->uri : "",
|
||||
+ PWG_JobID"=%d", job->id,
|
||||
+ PWG_JobState"=%s", job->state_value < IPP_JSTATE_PENDING ? "" : job_states[job->state_value - IPP_JSTATE_PENDING],
|
||||
+ PWG_JobImpressionsCompleted"=%d", ippGetInteger(job->impressions, 0),
|
||||
+ NULL);
|
||||
+ else
|
||||
+ sd_journal_send("MESSAGE=%s", log_line,
|
||||
+ "PRIORITY=%i", log_levels[level],
|
||||
+ NULL);
|
||||
+
|
||||
+ return (1);
|
||||
+ }
|
||||
+ else
|
||||
+#endif /* HAVE_SYSTEMD_SD_JOURNAL_H */
|
||||
+
|
||||
return (cupsdWriteErrorLog(level, log_line));
|
||||
+ }
|
||||
else
|
||||
return (1);
|
||||
}
|
13
SOURCES/cups-sssd.patch
Normal file
13
SOURCES/cups-sssd.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff --git a/scheduler/org.cups.cupsd.service.in b/scheduler/org.cups.cupsd.service.in
|
||||
index 11e0662..6fb7a32 100644
|
||||
--- a/scheduler/org.cups.cupsd.service.in
|
||||
+++ b/scheduler/org.cups.cupsd.service.in
|
||||
@@ -1,7 +1,7 @@
|
||||
[Unit]
|
||||
Description=CUPS Scheduler
|
||||
Documentation=man:cupsd(8)
|
||||
-After=network.target ypbind.service
|
||||
+After=network.target nss-user-lookup.target
|
||||
|
||||
[Service]
|
||||
ExecStart=@sbindir@/cupsd -l
|
28
SOURCES/cups-validate-1st.patch
Normal file
28
SOURCES/cups-validate-1st.patch
Normal file
@ -0,0 +1,28 @@
|
||||
diff --git a/backend/ipp.c b/backend/ipp.c
|
||||
index 0a70a87..f8bf7e1 100644
|
||||
--- a/backend/ipp.c
|
||||
+++ b/backend/ipp.c
|
||||
@@ -327,6 +327,7 @@ main(int argc, /* I - Number of command-line args */
|
||||
get_job_attrs = 0, /* Does printer support Get-Job-Attributes? */
|
||||
send_document = 0, /* Does printer support Send-Document? */
|
||||
validate_job = 0, /* Does printer support Validate-Job? */
|
||||
+ validation_retried = 0, /* Indicate whether Validate-Job was retried */
|
||||
copies, /* Number of copies for job */
|
||||
copies_remaining; /* Number of copies remaining */
|
||||
const char *content_type, /* CONTENT_TYPE environment variable */
|
||||
@@ -1597,7 +1598,15 @@ main(int argc, /* I - Number of command-line args */
|
||||
ipp_status == IPP_BAD_REQUEST)
|
||||
break;
|
||||
else if (job_auth == NULL && ipp_status > IPP_BAD_REQUEST)
|
||||
+ {
|
||||
+ if (!validation_retried)
|
||||
+ {
|
||||
+ validation_retried = 1;
|
||||
+ sleep(10);
|
||||
+ continue;
|
||||
+ }
|
||||
goto cleanup;
|
||||
+ }
|
||||
}
|
||||
|
||||
/*
|
@ -15,7 +15,7 @@ Summary: CUPS printing system
|
||||
Name: cups
|
||||
Epoch: 1
|
||||
Version: 2.2.6
|
||||
Release: 38%{?dist}
|
||||
Release: 40%{?dist}
|
||||
License: GPLv2+ and LGPLv2 with exceptions and AML
|
||||
Url: http://www.cups.org/
|
||||
Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
|
||||
@ -101,6 +101,16 @@ Patch56: cups-failover-backend.patch
|
||||
Patch57: cups-dirtyclean.patch
|
||||
# 1775590 - rastertoepson filter crashes with paper size A6
|
||||
Patch58: cups-rastertoepson-crash.patch
|
||||
# 1941437 - cupsd doesn't log job ids when logging into journal
|
||||
Patch59: cups-logs.patch
|
||||
# 1782216 - Print queue is paused after ipp backend ends with CUPS_BACKEND_STOP
|
||||
Patch60: cups-validate-1st.patch
|
||||
# 1938384 - CUPS doesn't start if sssd starts after cupsd
|
||||
Patch61: cups-sssd.patch
|
||||
# 1955964 - PreserveJobHistory doesn't work with seconds
|
||||
Patch62: cups-fix-preservejob-times.patch
|
||||
# 1927452 - CVE-2020-10001 cups: access to uninitialized buffer in ipp.c [rhel-8]
|
||||
Patch63: cups-cve202010001.patch
|
||||
|
||||
Patch100: cups-lspp.patch
|
||||
|
||||
@ -345,6 +355,16 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
|
||||
%patch57 -p1 -b .dirtyclean
|
||||
# 1775590 - rastertoepson filter crashes with paper size A6
|
||||
%patch58 -p1 -b .rastertoepson-crash
|
||||
# 1941437 - cupsd doesn't log job ids when logging into journal
|
||||
%patch59 -p1 -b .logs
|
||||
# 1782216 - Print queue is paused after ipp backend ends with CUPS_BACKEND_STOP
|
||||
%patch60 -p1 -b .validate-1st
|
||||
# 1938384 - CUPS doesn't start if sssd starts after cupsd
|
||||
%patch61 -p1 -b .sssd
|
||||
# 1955964 - PreserveJobHistory doesn't work with seconds
|
||||
%patch62 -p1 -b .cups-fix-preservejob-times
|
||||
# 1927452 - CVE-2020-10001 cups: access to uninitialized buffer in ipp.c [rhel-8]
|
||||
%patch63 -p1 -b .cve202010001
|
||||
|
||||
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
|
||||
|
||||
@ -755,6 +775,15 @@ rm -f %{cups_serverbin}/backend/smb
|
||||
%{_mandir}/man5/ipptoolfile.5.gz
|
||||
|
||||
%changelog
|
||||
* Fri May 14 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-40
|
||||
- 1955964 - PreserveJobHistory doesn't work with seconds
|
||||
- 1927452 - CVE-2020-10001 cups: access to uninitialized buffer in ipp.c [rhel-8]
|
||||
|
||||
* Wed May 05 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-39
|
||||
- 1941437 - cupsd doesn't log job ids when logging into journal
|
||||
- 1782216 - Print queue is paused after ipp backend ends with CUPS_BACKEND_STOP
|
||||
- 1938384 - CUPS doesn't start if sssd starts after cupsd
|
||||
|
||||
* Tue May 26 2020 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-38
|
||||
- 1775590 - rastertoepson filter crashes with paper size A6
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user