CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
Resolves: CVE-2023-34241
This commit is contained in:
parent
28d51928bf
commit
f8d61137f8
@ -0,0 +1,64 @@
|
|||||||
|
From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rose <83477269+AtariDreams@users.noreply.github.com>
|
||||||
|
Date: Thu, 1 Jun 2023 11:33:39 -0400
|
||||||
|
Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
|
||||||
|
|
||||||
|
httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
|
||||||
|
|
||||||
|
We have to log the hostname first.
|
||||||
|
---
|
||||||
|
scheduler/client.c | 16 +++++++---------
|
||||||
|
1 file changed, 7 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/scheduler/client.c b/scheduler/client.c
|
||||||
|
index 91e441188..327473a4d 100644
|
||||||
|
--- a/scheduler/client.c
|
||||||
|
+++ b/scheduler/client.c
|
||||||
|
@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
|
||||||
|
/*
|
||||||
|
* Can't have an unresolved IP address with double-lookups enabled...
|
||||||
|
*/
|
||||||
|
-
|
||||||
|
- httpClose(con->http);
|
||||||
|
-
|
||||||
|
cupsdLogClient(con, CUPSD_LOG_WARN,
|
||||||
|
- "Name lookup failed - connection from %s closed!",
|
||||||
|
+ "Name lookup failed - closing connection from %s!",
|
||||||
|
httpGetHostname(con->http, NULL, 0));
|
||||||
|
|
||||||
|
+ httpClose(con->http);
|
||||||
|
free(con);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
|
||||||
|
* with double-lookups enabled...
|
||||||
|
*/
|
||||||
|
|
||||||
|
- httpClose(con->http);
|
||||||
|
-
|
||||||
|
cupsdLogClient(con, CUPSD_LOG_WARN,
|
||||||
|
- "IP lookup failed - connection from %s closed!",
|
||||||
|
+ "IP lookup failed - closing connection from %s!",
|
||||||
|
httpGetHostname(con->http, NULL, 0));
|
||||||
|
+
|
||||||
|
+ httpClose(con->http);
|
||||||
|
free(con);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
|
||||||
|
|
||||||
|
if (!hosts_access(&wrap_req))
|
||||||
|
{
|
||||||
|
- httpClose(con->http);
|
||||||
|
-
|
||||||
|
cupsdLogClient(con, CUPSD_LOG_WARN,
|
||||||
|
"Connection from %s refused by /etc/hosts.allow and "
|
||||||
|
"/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
|
||||||
|
+
|
||||||
|
+ httpClose(con->http);
|
||||||
|
free(con);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -149,6 +149,8 @@ Patch80: 0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch
|
|||||||
Patch81: 0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch
|
Patch81: 0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch
|
||||||
# 2217955 - Enlarge backlog queue for listen() in cupsd
|
# 2217955 - Enlarge backlog queue for listen() in cupsd
|
||||||
Patch82: 0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch
|
Patch82: 0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch
|
||||||
|
# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
|
||||||
|
Patch83: 0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch
|
||||||
|
|
||||||
Patch1000: cups-lspp.patch
|
Patch1000: cups-lspp.patch
|
||||||
|
|
||||||
@ -441,6 +443,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
|
|||||||
%patch81 -p1 -b .purge-job
|
%patch81 -p1 -b .purge-job
|
||||||
# 2217955 - Enlarge backlog queue for listen() in cupsd
|
# 2217955 - Enlarge backlog queue for listen() in cupsd
|
||||||
%patch82 -p1 -b .listen-backlog
|
%patch82 -p1 -b .listen-backlog
|
||||||
|
# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
|
||||||
|
%patch83 -p1 -b .cve34241
|
||||||
|
|
||||||
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
|
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
|
||||||
|
|
||||||
@ -864,6 +868,7 @@ rm -f %{cups_serverbin}/backend/smb
|
|||||||
- 2217178 - Delays printing to lpd when reserved ports are exhausted
|
- 2217178 - Delays printing to lpd when reserved ports are exhausted
|
||||||
- 2217283 - The command "cancel -x <job>" does not remove job files
|
- 2217283 - The command "cancel -x <job>" does not remove job files
|
||||||
- 2217955 - Enlarge backlog queue for listen() in cupsd
|
- 2217955 - Enlarge backlog queue for listen() in cupsd
|
||||||
|
- CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
|
||||||
|
|
||||||
* Mon Apr 03 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-51
|
* Mon Apr 03 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-51
|
||||||
- RHEL-316 - Enable fmf tests in centos stream
|
- RHEL-316 - Enable fmf tests in centos stream
|
||||||
|
Loading…
Reference in New Issue
Block a user