rpms/cups
7
0
Fork 0
Code Issues Pull Requests Releases Activity

RHEL-60354 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file

Browse Source 
Resolves: RHEL-60354
This commit is contained in:
Zdenek Dohnal 2024-11-25 16:27:55 +01:00
parent d37b9bd35a
commit d164c1b7f0
7 changed files with 667 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch Normal file
View File

@ -0,0 +1,26 @@
From 5cc470c8d95df40f32e8a401b2946886c91b03d1 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <msweet@msweet.org>
Date: Fri, 15 Nov 2024 11:55:07 -0500
Subject: [PATCH] Fix make-and-model whitespace trimming (Issue #1096)
---
CHANGES.md | 1 +
cups/ppd-cache.c | 2 ++
2 files changed, 3 insertions(+)
diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
index a6163a0e1..a3198a795 100644
--- a/cups/ppd-cache.c
+++ b/cups/ppd-cache.c
@@ -3293,6 +3293,8 @@ _ppdCreateFromIPP2(
mptr --;
if (*mptr == ' ')
*mptr = '\0';
+ else
+ break;
}
if (!make[0])
--
2.47.0

37
0001-fix-warnings-for-unused-vars.patch Normal file
View File

@ -0,0 +1,37 @@
From 2abe1ba8a66864aa82cd9836b37e57103b8e1a3b Mon Sep 17 00:00:00 2001
From: Michael R Sweet <msweet@msweet.org>
Date: Mon, 23 Sep 2024 10:11:31 -0400
Subject: [PATCH] Fix warnings for unused vars.
---
cups/ppd-cache.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
index 85ede0f18..a6163a0e1 100644
--- a/cups/ppd-cache.c
+++ b/cups/ppd-cache.c
@@ -3222,8 +3222,7 @@ _ppdCreateFromIPP2(
int have_qdraft = 0,/* Have draft quality? */
have_qhigh = 0; /* Have high quality? */
char msgid[256]; /* Message identifier (attr.value) */
- const char *keyword, /* Keyword value */
- *msgstr; /* Localized string */
+ const char *keyword; /* Keyword value */
cups_array_t *strings = NULL;/* Printer strings file */
struct lconv *loc = localeconv();
/* Locale data */
@@ -5009,9 +5008,8 @@ _ppdCreateFromIPP2(
{
ipp_t *preset = ippGetCollection(attr, i);
/* Preset collection */
- const char *preset_name = ippGetString(ippFindAttribute(preset, "preset-name", IPP_TAG_ZERO), 0, NULL),
+ const char *preset_name = ippGetString(ippFindAttribute(preset, "preset-name", IPP_TAG_ZERO), 0, NULL);
/* Preset name */
- *localized_name; /* Localized preset name */
ipp_attribute_t *member; /* Member attribute in preset */
const char *member_name; /* Member attribute name */
char member_value[256]; /* Member attribute value */
--
2.46.1

79
0001-mirror-ipp-everywhere-printer-changes-from-master.patch Normal file
View File

@ -0,0 +1,79 @@
From 9939a70b750edd9d05270060cc5cf62ca98cfbe5 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <msweet@msweet.org>
Date: Mon, 9 Sep 2024 10:03:10 -0400
Subject: [PATCH] Mirror IPP Everywhere printer changes from master.
---
cups/ppd-cache.c | 10 +++++-----
scheduler/ipp.c | 9 ++++++++-
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
index 9cdb90a4f..8a99a865c 100644
--- a/cups/ppd-cache.c
+++ b/cups/ppd-cache.c
@@ -3316,10 +3316,10 @@ _ppdCreateFromIPP2(
}
cupsFilePuts(fp, "\"\n");
- if ((attr = ippFindAttribute(supported, "printer-more-info", IPP_TAG_URI)) != NULL)
+ if ((attr = ippFindAttribute(supported, "printer-more-info", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
cupsFilePrintf(fp, "*APSupplies: \"%s\"\n", ippGetString(attr, 0, NULL));
- if ((attr = ippFindAttribute(supported, "printer-charge-info-uri", IPP_TAG_URI)) != NULL)
+ if ((attr = ippFindAttribute(supported, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL));
if ((attr = ippFindAttribute(supported, "printer-strings-uri", IPP_TAG_URI)) != NULL)
@@ -3388,10 +3388,10 @@ _ppdCreateFromIPP2(
if (ippGetBoolean(ippFindAttribute(supported, "job-accounting-user-id-supported", IPP_TAG_BOOLEAN), 0))
cupsFilePuts(fp, "*cupsJobAccountingUserId: True\n");
- if ((attr = ippFindAttribute(supported, "printer-privacy-policy-uri", IPP_TAG_URI)) != NULL)
+ if ((attr = ippFindAttribute(supported, "printer-privacy-policy-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
cupsFilePrintf(fp, "*cupsPrivacyURI: \"%s\"\n", ippGetString(attr, 0, NULL));
- if ((attr = ippFindAttribute(supported, "printer-mandatory-job-attributes", IPP_TAG_KEYWORD)) != NULL)
+ if ((attr = ippFindAttribute(supported, "printer-mandatory-job-attributes", IPP_TAG_KEYWORD)) != NULL && ippValidateAttribute(attr))
{
char prefix = '\"'; // Prefix for string
@@ -3409,7 +3409,7 @@ _ppdCreateFromIPP2(
cupsFilePuts(fp, "\"\n");
}
- if ((attr = ippFindAttribute(supported, "printer-requested-job-attributes", IPP_TAG_KEYWORD)) != NULL)
+ if ((attr = ippFindAttribute(supported, "printer-requested-job-attributes", IPP_TAG_KEYWORD)) != NULL && ippValidateAttribute(attr))
{
char prefix = '\"'; // Prefix for string
diff --git a/scheduler/ipp.c b/scheduler/ipp.c
index d334f70cf..2d80a960e 100644
--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
@@ -1,7 +1,7 @@
/*
* IPP routines for the CUPS scheduler.
*
- * Copyright © 2020-2023 by OpenPrinting
+ * Copyright © 2020-2024 by OpenPrinting
* Copyright © 2007-2021 by Apple Inc.
* Copyright © 1997-2007 by Easy Software Products, all rights reserved.
*
@@ -5417,6 +5417,13 @@ create_local_bg_thread(
}
}
+ // Validate response from printer...
+ if (!ippValidateAttributes(response))
+ {
+ send_ipp_status(con, IPP_STATUS_ERROR_DEVICE, _("Printer returned invalid data: %s"), cupsLastErrorString());
+ goto finish_response;
+ }
+
// TODO: Grab printer icon file...
httpClose(http);
--
2.46.1

116
0001-ppdize-preset-and-template-names.patch Normal file
View File

@ -0,0 +1,116 @@
From e0630cd18f76340d302000f2bf6516e99602b844 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <msweet@msweet.org>
Date: Mon, 9 Sep 2024 15:59:57 -0400
Subject: [PATCH] PPDize preset and template names.
---
cups/ppd-cache.c | 33 ++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
index 986c64f73..18c38d0ee 100644
--- a/cups/ppd-cache.c
+++ b/cups/ppd-cache.c
@@ -4975,12 +4975,14 @@ _ppdCreateFromIPP2(
cupsArrayAdd(templates, (void *)keyword);
+ pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+
snprintf(msgid, sizeof(msgid), "finishing-template.%s", keyword);
if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
msgstr = keyword;
- cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", keyword);
+ cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname);
for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr; finishing_attr = ippNextAttribute(finishing_col))
{
if (ippGetValueTag(finishing_attr) == IPP_TAG_BEGIN_COLLECTION)
@@ -4993,7 +4995,7 @@ _ppdCreateFromIPP2(
}
}
cupsFilePuts(fp, "\"\n");
- cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, keyword, msgstr);
+ cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, ppdname, msgstr);
cupsFilePuts(fp, "*End\n");
}
@@ -5039,7 +5041,8 @@ _ppdCreateFromIPP2(
if (!preset || !preset_name)
continue;
- cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", preset_name);
+ pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
+ cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", ppdname);
for (member = ippFirstAttribute(preset); member; member = ippNextAttribute(preset))
{
member_name = ippGetName(member);
@@ -5080,7 +5083,10 @@ _ppdCreateFromIPP2(
fin_col = ippGetCollection(member, i);
if ((keyword = ippGetString(ippFindAttribute(fin_col, "finishing-template", IPP_TAG_ZERO), 0, NULL)) != NULL)
- cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", keyword);
+ {
+ pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+ cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", ppdname);
+ }
}
}
else if (!strcmp(member_name, "media"))
@@ -5107,13 +5113,13 @@ _ppdCreateFromIPP2(
if ((keyword = ippGetString(ippFindAttribute(media_col, "media-source", IPP_TAG_ZERO), 0, NULL)) != NULL)
{
pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
- cupsFilePrintf(fp, "*InputSlot %s\n", keyword);
+ cupsFilePrintf(fp, "*InputSlot %s\n", ppdname);
}
if ((keyword = ippGetString(ippFindAttribute(media_col, "media-type", IPP_TAG_ZERO), 0, NULL)) != NULL)
{
pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
- cupsFilePrintf(fp, "*MediaType %s\n", keyword);
+ cupsFilePrintf(fp, "*MediaType %s\n", ppdname);
}
}
else if (!strcmp(member_name, "print-quality"))
@@ -5159,7 +5165,10 @@ _ppdCreateFromIPP2(
cupsFilePuts(fp, "\"\n*End\n");
if ((localized_name = _cupsMessageLookup(strings, preset_name)) != preset_name)
- cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, preset_name, localized_name);
+ {
+ pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
+ cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, ppdname, localized_name);
+ }
}
}
@@ -5543,7 +5552,7 @@ pwg_ppdize_name(const char *ipp, /* I - IPP keyword */
*end; /* End of name buffer */
- if (!ipp)
+ if (!ipp || !_cups_isalnum(*ipp))
{
*name = '\0';
return;
@@ -5558,8 +5567,14 @@ pwg_ppdize_name(const char *ipp, /* I - IPP keyword */
ipp ++;
*ptr++ = (char)toupper(*ipp++ & 255);
}
- else
+ else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || _cups_isalnum(*ipp))
+ {
*ptr++ = *ipp++;
+ }
+ else
+ {
+ ipp ++;
+ }
}
*ptr = '\0';
--
2.46.1

246
0001-quote-ppd-localized-strings.patch Normal file
View File

@ -0,0 +1,246 @@
From 1e6ca5913eceee906038bc04cc7ccfbe2923bdfd Mon Sep 17 00:00:00 2001
From: Michael R Sweet <msweet@msweet.org>
Date: Mon, 23 Sep 2024 09:36:39 -0400
Subject: [PATCH] Quote PPD localized strings.
---
cups/ppd-cache.c | 93 +++++++++++++++++++++++++++---------------------
1 file changed, 53 insertions(+), 40 deletions(-)
diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
index 18c38d0ee..85ede0f18 100644
--- a/cups/ppd-cache.c
+++ b/cups/ppd-cache.c
@@ -32,6 +32,7 @@
static int cups_connect(http_t **http, const char *url, char *resource, size_t ressize);
static int cups_get_url(http_t **http, const char *url, char *name, size_t namesize);
static const char *ppd_inputslot_for_keyword(_ppd_cache_t *pc, const char *keyword);
+static void ppd_put_string(cups_file_t *fp, cups_lang_t *lang, cups_array_t *strings, const char *ppd_option, const char *ppd_choice, const char *pwg_msgid);
static void pwg_add_finishing(cups_array_t *finishings, ipp_finishings_t template, const char *name, const char *value);
static void pwg_add_message(cups_array_t *a, const char *msg, const char *str);
static int pwg_compare_finishings(_pwg_finishings_t *a, _pwg_finishings_t *b);
@@ -3393,7 +3394,7 @@ _ppdCreateFromIPP2(
if ((attr = ippFindAttribute(supported, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL));
- if ((attr = ippFindAttribute(supported, "printer-strings-uri", IPP_TAG_URI)) != NULL)
+ if ((attr = ippFindAttribute(supported, "printer-strings-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
{
http_t *http = NULL; /* Connection to printer */
char stringsfile[1024]; /* Temporary strings file */
@@ -3437,7 +3438,7 @@ _ppdCreateFromIPP2(
response = cupsDoRequest(http, request, resource);
- if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL)
+ if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
cupsFilePrintf(fp, "*cupsStringsURI %s: \"%s\"\n", keyword, ippGetString(attr, 0, NULL));
ippDelete(response);
@@ -4043,18 +4044,16 @@ _ppdCreateFromIPP2(
cupsFilePrintf(fp, "*DefaultInputSlot: %s\n", ppdname);
for (j = 0; j < (int)(sizeof(sources) / sizeof(sources[0])); j ++)
+ {
if (!strcmp(sources[j], keyword))
{
snprintf(msgid, sizeof(msgid), "media-source.%s", keyword);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
-
cupsFilePrintf(fp, "*InputSlot %s: \"<</MediaPosition %d>>setpagedevice\"\n", ppdname, j);
- cupsFilePrintf(fp, "*%s.InputSlot %s/%s: \"\"\n", lang->language, ppdname, msgstr);
+ ppd_put_string(fp, lang, strings, "InputSlot", ppdname, msgid);
break;
}
+ }
}
cupsFilePuts(fp, "*CloseUI: *InputSlot\n");
}
@@ -4080,12 +4079,9 @@ _ppdCreateFromIPP2(
pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
snprintf(msgid, sizeof(msgid), "media-type.%s", keyword);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
cupsFilePrintf(fp, "*MediaType %s: \"<</MediaType(%s)>>setpagedevice\"\n", ppdname, ppdname);
- cupsFilePrintf(fp, "*%s.MediaType %s/%s: \"\"\n", lang->language, ppdname, msgstr);
+ ppd_put_string(fp, lang, strings, "MediaType", ppdname, msgid);
}
cupsFilePuts(fp, "*CloseUI: *MediaType\n");
}
@@ -4546,12 +4542,9 @@ _ppdCreateFromIPP2(
pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
snprintf(msgid, sizeof(msgid), "output-bin.%s", keyword);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
cupsFilePrintf(fp, "*OutputBin %s: \"\"\n", ppdname);
- cupsFilePrintf(fp, "*%s.OutputBin %s/%s: \"\"\n", lang->language, ppdname, msgstr);
+ ppd_put_string(fp, lang, strings, "OutputBin", ppdname, msgid);
if ((tray_ptr = ippGetOctetString(trays, i, &tray_len)) != NULL)
{
@@ -4670,9 +4663,6 @@ _ppdCreateFromIPP2(
cupsArrayAdd(names, (char *)keyword);
snprintf(msgid, sizeof(msgid), "finishings.%d", value);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE)
ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE];
@@ -4687,7 +4677,7 @@ _ppdCreateFromIPP2(
continue;
cupsFilePrintf(fp, "*StapleLocation %s: \"\"\n", ppd_keyword);
- cupsFilePrintf(fp, "*%s.StapleLocation %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
+ ppd_put_string(fp, lang, strings, "StapleLocation", ppd_keyword, msgid);
cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*StapleLocation %s\"\n", value, keyword, ppd_keyword);
}
@@ -4750,9 +4740,6 @@ _ppdCreateFromIPP2(
cupsArrayAdd(names, (char *)keyword);
snprintf(msgid, sizeof(msgid), "finishings.%d", value);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE)
ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE];
@@ -4767,7 +4754,7 @@ _ppdCreateFromIPP2(
continue;
cupsFilePrintf(fp, "*FoldType %s: \"\"\n", ppd_keyword);
- cupsFilePrintf(fp, "*%s.FoldType %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
+ ppd_put_string(fp, lang, strings, "FoldType", ppd_keyword, msgid);
cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*FoldType %s\"\n", value, keyword, ppd_keyword);
}
@@ -4838,9 +4825,6 @@ _ppdCreateFromIPP2(
cupsArrayAdd(names, (char *)keyword);
snprintf(msgid, sizeof(msgid), "finishings.%d", value);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE)
ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE];
@@ -4855,7 +4839,7 @@ _ppdCreateFromIPP2(
continue;
cupsFilePrintf(fp, "*PunchMedia %s: \"\"\n", ppd_keyword);
- cupsFilePrintf(fp, "*%s.PunchMedia %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
+ ppd_put_string(fp, lang, strings, "PunchMedia", ppd_keyword, msgid);
cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*PunchMedia %s\"\n", value, keyword, ppd_keyword);
}
@@ -4926,9 +4910,6 @@ _ppdCreateFromIPP2(
cupsArrayAdd(names, (char *)keyword);
snprintf(msgid, sizeof(msgid), "finishings.%d", value);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
if (value == IPP_FINISHINGS_TRIM)
ppd_keyword = "Auto";
@@ -4936,7 +4917,7 @@ _ppdCreateFromIPP2(
ppd_keyword = trim_keywords[value - IPP_FINISHINGS_TRIM_AFTER_PAGES];
cupsFilePrintf(fp, "*CutMedia %s: \"\"\n", ppd_keyword);
- cupsFilePrintf(fp, "*%s.CutMedia %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
+ ppd_put_string(fp, lang, strings, "CutMedia", ppd_keyword, msgid);
cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*CutMedia %s\"\n", value, keyword, ppd_keyword);
}
@@ -4978,9 +4959,6 @@ _ppdCreateFromIPP2(
pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
snprintf(msgid, sizeof(msgid), "finishing-template.%s", keyword);
- if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
- if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
- msgstr = keyword;
cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname);
for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr; finishing_attr = ippNextAttribute(finishing_col))
@@ -4995,7 +4973,7 @@ _ppdCreateFromIPP2(
}
}
cupsFilePuts(fp, "\"\n");
- cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, ppdname, msgstr);
+ ppd_put_string(fp, lang, strings, "cupsFinishingTemplate", ppdname, msgid);
cupsFilePuts(fp, "*End\n");
}
@@ -5164,11 +5142,9 @@ _ppdCreateFromIPP2(
cupsFilePuts(fp, "\"\n*End\n");
- if ((localized_name = _cupsMessageLookup(strings, preset_name)) != preset_name)
- {
- pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
- cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, ppdname, localized_name);
- }
+ snprintf(msgid, sizeof(msgid), "preset-name.%s", preset_name);
+ pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
+ ppd_put_string(fp, lang, strings, "APPrinterPreset", ppdname, msgid);
}
}
@@ -5439,6 +5415,43 @@ cups_get_url(http_t **http, /* IO - Current HTTP connection */
}
+/*
+ * 'ppd_put_strings()' - Write localization attributes to a PPD file.
+ */
+
+static void
+ppd_put_string(cups_file_t *fp, /* I - PPD file */
+ cups_lang_t *lang, /* I - Language */
+ cups_array_t *strings, /* I - Strings */
+ const char *ppd_option,/* I - PPD option */
+ const char *ppd_choice,/* I - PPD choice */
+ const char *pwg_msgid) /* I - PWG message ID */
+{
+ const char *text; /* Localized text */
+
+
+ if ((text = _cupsLangString(lang, pwg_msgid)) == pwg_msgid || !strcmp(pwg_msgid, text))
+ {
+ if ((text = _cupsMessageLookup(strings, pwg_msgid)) == pwg_msgid)
+ return;
+ }
+
+ // Add the first line of localized text...
+ cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice);
+ while (*text && *text != '\n')
+ {
+ // Escape ":" and "<"...
+ if (*text == ':' || *text == '<')
+ cupsFilePrintf(fp, "<%02X>", *text);
+ else
+ cupsFilePutChar(fp, *text);
+
+ text ++;
+ }
+ cupsFilePuts(fp, ": \"\"\n");
+}
+
+
/*
* 'pwg_add_finishing()' - Add a finishings value.
*/
--
2.46.1

148
0001-refactor-make-and-model-code.patch Normal file
View File

@ -0,0 +1,148 @@
From 04bb2af4521b56c1699a2c2431c56c05a7102e69 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <msweet@msweet.org>
Date: Mon, 9 Sep 2024 14:05:42 -0400
Subject: [PATCH] Refactor make-and-model code.
---
cups/ppd-cache.c | 103 +++++++++++++++++++++++++++++++++++++++--------
1 file changed, 87 insertions(+), 16 deletions(-)
diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
index 8a99a865c..986c64f73 100644
--- a/cups/ppd-cache.c
+++ b/cups/ppd-cache.c
@@ -3196,9 +3196,10 @@ _ppdCreateFromIPP2(
ipp_t *media_col, /* Media collection */
*media_size; /* Media size collection */
char make[256], /* Make and model */
- *model, /* Model name */
+ *mptr, /* Pointer into make and model */
ppdname[PPD_MAX_NAME];
/* PPD keyword */
+ const char *model; /* Model name */
int i, j, /* Looping vars */
count, /* Number of values */
bottom, /* Largest bottom margin */
@@ -3259,34 +3260,104 @@ _ppdCreateFromIPP2(
}
/*
- * Standard stuff for PPD file...
+ * Get a sanitized make and model...
*/
- cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n");
- cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n");
- cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
- cupsFilePuts(fp, "*LanguageVersion: English\n");
- cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n");
- cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n");
- cupsFilePuts(fp, "*LanguageLevel: \"3\"\n");
- cupsFilePuts(fp, "*FileSystem: False\n");
- cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n");
+ if ((attr = ippFindAttribute(supported, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr))
+ {
+ /*
+ * Sanitize the model name to only contain PPD-safe characters.
+ */
- if ((attr = ippFindAttribute(supported, "printer-make-and-model", IPP_TAG_TEXT)) != NULL)
strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
+
+ for (mptr = make; *mptr; mptr ++)
+ {
+ if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"')
+ {
+ /*
+ * Truncate the make and model on the first bad character...
+ */
+
+ *mptr = '\0';
+ break;
+ }
+ }
+
+ while (mptr > make)
+ {
+ /*
+ * Strip trailing whitespace...
+ */
+
+ mptr --;
+ if (*mptr == ' ')
+ *mptr = '\0';
+ }
+
+ if (!make[0])
+ {
+ /*
+ * Use a default make and model if nothing remains...
+ */
+
+ strlcpy(make, "Unknown", sizeof(make));
+ }
+ }
else
- strlcpy(make, "Unknown Printer", sizeof(make));
+ {
+ /*
+ * Use a default make and model...
+ */
+
+ strlcpy(make, "Unknown", sizeof(make));
+ }
if (!_cups_strncasecmp(make, "Hewlett Packard ", 16) || !_cups_strncasecmp(make, "Hewlett-Packard ", 16))
{
+ /*
+ * Normalize HP printer make and model...
+ */
+
model = make + 16;
strlcpy(make, "HP", sizeof(make));
+
+ if (!_cups_strncasecmp(model, "HP ", 3))
+ model += 3;
+ }
+ else if ((mptr = strchr(make, ' ')) != NULL)
+ {
+ /*
+ * Separate "MAKE MODEL"...
+ */
+
+ while (*mptr && *mptr == ' ')
+ *mptr++ = '\0';
+
+ model = mptr;
}
- else if ((model = strchr(make, ' ')) != NULL)
- *model++ = '\0';
else
- model = make;
+ {
+ /*
+ * No separate model name...
+ */
+ model = "Printer";
+ }
+
+ /*
+ * Standard stuff for PPD file...
+ */
+
+ cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n");
+ cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n");
+ cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
+ cupsFilePuts(fp, "*LanguageVersion: English\n");
+ cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n");
+ cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n");
+ cupsFilePuts(fp, "*LanguageLevel: \"3\"\n");
+ cupsFilePuts(fp, "*FileSystem: False\n");
+ cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n");
cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make);
cupsFilePrintf(fp, "*ModelName: \"%s\"\n", model);
cupsFilePrintf(fp, "*Product: \"(%s)\"\n", model);
--
2.46.1

15
cups.spec
View File

@ -91,6 +91,13 @@ Patch1002: 0001-Fix-IPP-everywhere-printer-setup-Issue-1033.patch
Patch1003: 0001-dest.c-Don-t-look-for-user-config-in-cupsGetNamedDes.patch
# RHEL-45525 cups-2.4.10-2.el10: RHEL SAST Automation: address 1 High impact true positive(s)
Patch1004: 0001-Fix-Coverity-discovered-issues.patch
# RHEL-60354 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
Patch1005: 0001-mirror-ipp-everywhere-printer-changes-from-master.patch
Patch1006: 0001-refactor-make-and-model-code.patch
Patch1007: 0001-ppdize-preset-and-template-names.patch
Patch1008: 0001-quote-ppd-localized-strings.patch
Patch1009: 0001-fix-warnings-for-unused-vars.patch
Patch1010: 0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch
##### Patches removed because IMHO they aren't no longer needed
@ -335,6 +342,13 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
%patch -P 1003 -p1 -b .root-cupsgetnameddest
# RHEL-45525 cups-2.4.10-2.el10: RHEL SAST Automation: address 1 High impact true positive(s)
%patch -P 1004 -p1 -b .sast-fix
# RHEL-60354 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
%patch -P 1005 -p1 -b .ipp-everywhere
%patch -P 1006 -p1 -b .refactor-make-model
%patch -P 1007 -p1 -b .ppdize-preset
%patch -P 1008 -p1 -b .quote-ppd-strings
%patch -P 1009 -p1 -b .unused-vars
%patch -P 1010 -p1 -b .trim-make-model
# Log to the system journal by default (bug #1078781, bug #1519331).
@ -806,6 +820,7 @@ rm -f %{cups_serverbin}/backend/smb
%changelog
* Mon Nov 25 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.4.10-8
- RHEL-45525 cups-2.4.10-2.el10: RHEL SAST Automation: address 1 High impact true positive(s)
- RHEL-60354 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
* Fri Nov 22 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.4.10-8
- RHEL-54579 [rhel-10] Do not look into /root/.cups/lpoptions when using cupsGetNamedDest as root