CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c

Resolves: CVE-2023-34241
2023-06-29 19:35:50 +02:00 · 2023-06-29 19:35:50 +02:00 · f8d61137f8
parent 28d51928bf
commit f8d61137f8
2 changed files with 69 additions and 0 deletions
--- a/0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch
+++ b/0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch
@ -0,0 +1,64 @@
+From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
+From: Rose <83477269+AtariDreams@users.noreply.github.com>
+Date: Thu, 1 Jun 2023 11:33:39 -0400
+Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
+
+httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
+
+We have to log the hostname first.
+---
+ scheduler/client.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 91e441188..327473a4d 100644
+--- a/scheduler/client.c
+++ b/scheduler/client.c
+@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+    /*
+     * Can't have an unresolved IP address with double-lookups enabled...
+     */
+-
+-    httpClose(con->http);
+-
+     cupsdLogClient(con, CUPSD_LOG_WARN,
+-                    "Name lookup failed - connection from %s closed!",
+                    "Name lookup failed - closing connection from %s!",
+                     httpGetHostname(con->http, NULL, 0));
+ 
+    httpClose(con->http);
+     free(con);
+     return;
+   }
+@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+       * with double-lookups enabled...
+       */
+ 
+-      httpClose(con->http);
+-
+       cupsdLogClient(con, CUPSD_LOG_WARN,
+-                      "IP lookup failed - connection from %s closed!",
+                      "IP lookup failed - closing connection from %s!",
+                       httpGetHostname(con->http, NULL, 0));
+
+      httpClose(con->http);
+       free(con);
+       return;
+     }
+@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ 
+   if (!hosts_access(&wrap_req))
+   {
+-    httpClose(con->http);
+-
+     cupsdLogClient(con, CUPSD_LOG_WARN,
+                     "Connection from %s refused by /etc/hosts.allow and "
+ 		    "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
+
+    httpClose(con->http);
+     free(con);
+     return;
+   }
+-- 
+2.41.0
+
--- a/cups.spec
+++ b/cups.spec
@ -149,6 +149,8 @@ Patch80: 0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch
 Patch81: 0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch
 # 2217955 - Enlarge backlog queue for listen() in cupsd
 Patch82: 0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch
+# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
+Patch83: 0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch

 Patch1000: cups-lspp.patch

@ -441,6 +443,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 %patch81 -p1 -b .purge-job
 # 2217955 - Enlarge backlog queue for listen() in cupsd
 %patch82 -p1 -b .listen-backlog
+# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
+%patch83 -p1 -b .cve34241

 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in

@ -864,6 +868,7 @@ rm -f %{cups_serverbin}/backend/smb
 - 2217178 - Delays printing to lpd when reserved ports are exhausted
 - 2217283 - The command "cancel -x <job>" does not remove job files
 - 2217955 - Enlarge backlog queue for listen() in cupsd
+- CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c

 * Mon Apr 03 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-51
 - RHEL-316 - Enable fmf tests in centos stream