From fbe35570098bd333f977d43110b7f5a525afd21c Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Mon, 9 Dec 2024 18:48:16 +0100 Subject: [PATCH] RHEL-68414 Inability to disable weak ciphers in CUPS configuration Resolves: RHEL-68414 --- ...se-system-crypto-policy-if-available.patch | 31 +++++++++++++++++++ cups.spec | 9 +++++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch diff --git a/0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch b/0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch new file mode 100644 index 0000000..2cfdb23 --- /dev/null +++ b/0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch @@ -0,0 +1,31 @@ +From 331a202a87db30b5d1d5386ccc99de6843eef03e Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Fri, 6 Dec 2024 07:59:16 +0100 +Subject: [PATCH] tls-gnutls.c: Use system crypto policy if available + +Some Linux systems provide a way how to control cryptography on system or service level via cryptographic policies. OpenSSL implementation reflects system changes to some degree, however GnuTLS implementation does not take system policy into account. + +GnuTLS supports fallback mechanism, so we can fallback to NORMAL if @System is not defined on the system. + +Fortunately, the current GnuTLS implementation allows overrides via priority strings (so no "this cipher/hash is disabled" if we enabled them in our application by priority string), so allowing to honor system policy can save us work if someone wants to disable a specific cipher, so we don't have to implement it in libcups. +--- + CHANGES.md | 2 ++ + cups/tls-gnutls.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c +index f3f71a055..719161da7 100644 +--- a/cups/tls-gnutls.c ++++ b/cups/tls-gnutls.c +@@ -1504,7 +1504,7 @@ _httpTLSStart(http_t *http) /* I - Connection to server */ + return (-1); + } + +- strlcpy(priority_string, "NORMAL", sizeof(priority_string)); ++ strlcpy(priority_string, "@SYSTEM,NORMAL", sizeof(priority_string)); + + if (tls_max_version < _HTTP_TLS_MAX) + { +-- +2.47.1 + diff --git a/cups.spec b/cups.spec index 236dda2..12ed71a 100644 --- a/cups.spec +++ b/cups.spec @@ -24,7 +24,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.3.3%{OP_VER} -Release: 31%{?dist} +Release: 32%{?dist} License: ASL 2.0 Url: http://www.cups.org/ # Apple stopped uploading the new versions into github, use OpenPrinting fork @@ -156,6 +156,8 @@ Patch46: 0001-refactor-make-and-model-code.patch Patch47: 0001-ppdize-preset-and-template-names.patch Patch48: 0001-quote-ppd-localized-strings.patch Patch49: 0001-fix-warnings-for-unused-vars.patch +# RHEL-68414 Inability to disable weak ciphers in CUPS configuration +Patch50: 0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch ##### Patches removed because IMHO they aren't no longer needed @@ -440,6 +442,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch47 -p1 -b .ppdize-presets %patch48 -p1 -b .quote-ppd-strings %patch49 -p1 -b .fix-warn +# RHEL-68414 Inability to disable weak ciphers in CUPS configuration +%patch50 -p1 -b .tls-system %if %{lspp} @@ -875,6 +879,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Mon Dec 09 2024 Zdenek Dohnal - 1:2.3.3op2-32 +- RHEL-68414 Inability to disable weak ciphers in CUPS configuration + * Tue Oct 01 2024 Zdenek Dohnal - 1:2.3.3op2-31 - RHEL-60343 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file