rpms/cups
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI cups-2.2.6-51.el8_8.1

Browse Source
This commit is contained in:
eabdullin 2023-08-30 00:53:35 +00:00
parent 96a3eee944
commit f47bbf6a0a
3 changed files with 237 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
SOURCES/0001-Require-authentication-for-CUPS-Get-Document.patch Normal file
View File

@ -0,0 +1,31 @@
From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Tue, 6 Dec 2022 09:04:01 -0500
Subject: [PATCH] Require authentication for CUPS-Get-Document.
---
conf/cupsd.conf.in | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
index b25884907..a07536f3e 100644
--- a/conf/cupsd.conf.in
+++ b/conf/cupsd.conf.in
@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
Order deny,allow
</Limit>
- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ <Limit CUPS-Get-Document>
+ AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
--
2.41.0

171
SOURCES/upgrade_get_document.py.in Executable file
View File

@ -0,0 +1,171 @@
@PYTHON_SHEBANG@
"""
Upgrade script to enable authentication for CUPS-Get-Document in
default policy
"""
import os
import sys
from shutil import copy
def get_cupsd_conf():
"""
Get all lines from cupsd.conf
"""
if not os.path.exists('/etc/cups/cupsd.conf'):
return None
lines = []
with open('/etc/cups/cupsd.conf', 'r') as conf:
lines = conf.readlines()
return lines
def get_default_policy(lines):
"""
Get the default policy lines
:param list lines: lines from cupsd.conf
"""
default_policy = []
in_policy = False
for line in lines:
if not in_policy and not line.lstrip().startswith('<Policy default>'):
continue
default_policy.append(line)
if line.lstrip().startswith('</Policy>'):
return default_policy
in_policy = True
return default_policy
def get_limit_with_document(lines):
"""
Get <Limit> scope which defines CUPS-Get-Document operation
:param list lines: Lines containing the default policy
"""
limit = []
in_limit = False
for line in lines:
if not in_limit and not line.lstrip().startswith('<Limit'):
continue
if (not in_limit and line.lstrip().startswith('<Limit') and
not 'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
continue
limit.append(line)
if line.lstrip().startswith('</Limit>'):
return limit
in_limit = True
return limit
def check_for_authtype(lines):
"""
Check if <Limit> defining CUPS-Get-Document defines
any authentication
:param list lines: Lines of <Limit> scope which defines CUPS-Get-Document
"""
for line in lines:
if line.lstrip().startswith('AuthType'):
return True
return False
def migrate_cupsd_conf(lines):
"""
Make changes to cupsd.conf contents to use authentication
for CUPS-Get-Document
:param list lines: Lines from cupsd.conf
"""
new_lines = []
in_policy = False
create_document_limit = False
for line in lines:
if (in_policy and line.lstrip().startswith('<Limit') and
not line.lstrip().startswith('<Limit CUPS-Get-Document>') and
'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
line = line.replace(' CUPS-Get-Document', '')
create_document_limit = True
if in_policy and line.lstrip().startswith('</Policy>') and create_document_limit:
new_lines.append('\n')
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'# added during upgrade\n')
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'<Limit CUPS-Get-Document>\n')
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
'AuthType Default\n')
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
'Require user @OWNER @SYSTEM\n')
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
'Order deny,allow\n')
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'</Limit>\n')
create_document_limit = False
new_lines.append(line)
if not in_policy:
if line.lstrip().startswith('<Policy default>'):
in_policy = True
continue
if line.lstrip().startswith('<Limit CUPS-Get-Document>'):
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'# added during upgrade\n')
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'AuthType Default\n')
continue
if line.lstrip().startswith('</Policy>'):
in_policy = False
continue
return new_lines
def apply_changes(lines):
"""
Backup the original file if there is no .rpmsave already and
apply changes to the actual cupsd.conf
:param list lines: New lines for cupsd.conf
"""
if not os.path.exists('/etc/cups/cupsd.conf.rpmsave'):
copy('/etc/cups/cupsd.conf', '/etc/cups/cupsd.conf.rpmsave')
with open('/etc/cups/cupsd.conf', 'w') as conf:
conf.writelines(lines)
content = get_cupsd_conf()
if content is None:
sys.exit(1)
if check_for_authtype(get_limit_with_document(get_default_policy(content))):
sys.exit(0)
new_content = migrate_cupsd_conf(content)
apply_changes(new_content)
sys.exit(0)

36
SPECS/cups.spec
View File

@ -7,6 +7,13 @@
# but we use lib for compatibility with 3rd party drivers (at upstream request). # but we use lib for compatibility with 3rd party drivers (at upstream request).
%global cups_serverbin %{_exec_prefix}/lib/cups %global cups_serverbin %{_exec_prefix}/lib/cups
# we still need something for python2...
%if 0%{?rhel} >= 8 || 0%{?fedora}
%bcond_without python3
%else
%bcond_with python3
%endif
#%%global prever rc1 #%%global prever rc1
#%%global VERSION %%{version}%%{prever} #%%global VERSION %%{version}%%{prever}
%global VERSION %{version} %global VERSION %{version}
@ -15,7 +22,7 @@ Summary: CUPS printing system
Name: cups Name: cups
Epoch: 1 Epoch: 1
Version: 2.2.6 Version: 2.2.6
Release: 51%{?dist} Release: 51%{?dist}.1
License: GPLv2+ and LGPLv2 with exceptions and AML License: GPLv2+ and LGPLv2 with exceptions and AML
Url: http://www.cups.org/ Url: http://www.cups.org/
Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@ -26,6 +33,8 @@ Source6: cups.logrotate
# Backend for NCP protocol # Backend for NCP protocol
Source7: ncp.backend Source7: ncp.backend
Source8: macros.cups Source8: macros.cups
# CVE-2023-32360 migration script
Source9: upgrade_get_document.py.in
Patch1: cups-no-gzip-man.patch Patch1: cups-no-gzip-man.patch
Patch2: cups-system-auth.patch Patch2: cups-system-auth.patch
@ -143,6 +152,8 @@ Patch77: cups-retry-current-job-man.patch
Patch78: 0001-Update-man-pages-for-h-option-Issue-357.patch Patch78: 0001-Update-man-pages-for-h-option-Issue-357.patch
# 2130391 - Kerberized IPP Printing Fails # 2130391 - Kerberized IPP Printing Fails
Patch79: cups-kerberos.patch Patch79: cups-kerberos.patch
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
Patch80: 0001-Require-authentication-for-CUPS-Get-Document.patch
Patch1000: cups-lspp.patch Patch1000: cups-lspp.patch
@ -189,6 +200,13 @@ Requires(post): grep, sed
Requires(preun): systemd Requires(preun): systemd
Requires(postun): systemd Requires(postun): systemd
# for upgrade-get-document script
%if %{with python3}
Requires(post): python3
%else
Requires(post): python
%endif
# We ship udev rules which use setfacl. # We ship udev rules which use setfacl.
Requires: systemd Requires: systemd
Requires: acl Requires: acl
@ -429,6 +447,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
%patch78 -p1 -b .manpage-update %patch78 -p1 -b .manpage-update
# 2130391 - Kerberized IPP Printing Fails # 2130391 - Kerberized IPP Printing Fails
%patch79 -p1 -b .kerberos %patch79 -p1 -b .kerberos
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
%patch80 -p1 -b .get-document-auth
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
@ -578,6 +598,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
/^\([^%].*\)/d /^\([^%].*\)/d
' > %{name}.lang ' > %{name}.lang
# install get-document upgrade script
install -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/upgrade_get_document
%if %{with python3}
sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python3,' %{buildroot}%{_sbindir}/upgrade_get_document
%else
sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python,' %{buildroot}%{_sbindir}/upgrade_get_document
%endif
%post %post
%systemd_post %{name}.path %{name}.socket %{name}.service %systemd_post %{name}.path %{name}.socket %{name}.service
@ -640,6 +669,8 @@ fi
grep '^\s*IdleExitTimeout' %{_sysconfdir}/cups/cupsd.conf &> /dev/null || echo -e '\nIdleExitTimeout 0' \ grep '^\s*IdleExitTimeout' %{_sysconfdir}/cups/cupsd.conf &> /dev/null || echo -e '\nIdleExitTimeout 0' \
>> %{_sysconfdir}/cups/cupsd.conf >> %{_sysconfdir}/cups/cupsd.conf
%{_sbindir}/upgrade_get_document
exit 0 exit 0
%post client %post client
@ -848,6 +879,9 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man5/ipptoolfile.5.gz %{_mandir}/man5/ipptoolfile.5.gz
%changelog %changelog
* Tue Aug 15 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-51.1
- CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
* Wed Dec 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-51 * Wed Dec 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-51
- 2130391 - Kerberized IPP Printing Fails - 2130391 - Kerberized IPP Printing Fails