From feafaa334edad30825341087bfd689a8f0974dff Mon Sep 17 00:00:00 2001
From: Jiri Popelka
Date: Wed, 23 Jul 2014 17:18:39 +0200
Subject: [PATCH] CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601)
---
 cups-CVE-2014-5029-5030-5031.patch | 99 ++++++++++++++++++++++++++++++
 cups.spec | 8 ++-
 2 files changed, 106 insertions(+), 1 deletion(-)
 create mode 100644 cups-CVE-2014-5029-5030-5031.patch
diff --git a/cups-CVE-2014-5029-5030-5031.patch b/cups-CVE-2014-5029-5030-5031.patch
new file mode 100644
index 0000000..44c11b7
--- /dev/null
+++ b/cups-CVE-2014-5029-5030-5031.patch
@@ -0,0 +1,99 @@
+From d40220801eec992804cb728d51228d19496fffd9 Mon Sep 17 00:00:00 2001
+From: msweet
+Date: Tue, 22 Jul 2014 14:03:19 +0000
+Subject: [PATCH] Mirror changes from trunk.
+
+git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/branches/branch-1.7@12057 a1ca3aef-8c08-0410-bb20-df032aa958be
+---
+diff --git a/scheduler/client.c b/scheduler/client.c
+index e5959fa..366b351 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -3310,7 +3310,7 @@ get_file(cupsd_client_t *con, /* I - Client connection */
+ * then fallback to the default one...
+ */
+
+- if ((status = stat(filename, filestats)) != 0 && language[0] &&
++ if ((status = lstat(filename, filestats)) != 0 && language[0] &&
+ strncmp(con->uri, "/icons/", 7) &&
+ strncmp(con->uri, "/ppd/", 5) &&
+ strncmp(con->uri, "/rss/", 5) &&
+@@ -3408,13 +3408,13 @@ get_file(cupsd_client_t *con, /* I - Client connection */
+ plen = len - (ptr - filename);
+
+ strlcpy(ptr, "index.html", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+
+ #ifdef HAVE_JAVA
+ if (status)
+ {
+ strlcpy(ptr, "index.class", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ #endif /* HAVE_JAVA */
+
+@@ -3422,7 +3422,7 @@ get_file(cupsd_client_t *con, /* I - Client connection */
+ if (status)
+ {
+ strlcpy(ptr, "index.pl", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ #endif /* HAVE_PERL */
+
+@@ -3430,7 +3430,7 @@ get_file(cupsd_client_t *con, /* I - Client connection */
+ if (status)
+ {
+ strlcpy(ptr, "index.php", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ #endif /* HAVE_PHP */
+
+@@ -3438,18 +3438,39 @@ get_file(cupsd_client_t *con, /* I - Client connection */
+ if (status)
+ {
+ strlcpy(ptr, "index.pyc", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+
+ if (status)
+ {
+ strlcpy(ptr, "index.py", plen);
+-
status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ #endif /* HAVE_PYTHON */
+
+ }
+ while (status && language[0]);
++
++ /*
++ * If we've found a symlink, 404 the sucker to avoid disclosing information.
++ */
++
++ if (!status && S_ISLNK(filestats->st_mode))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
++ return (NULL);
++ }
++
++ /*
++ * Similarly, if the file/directory does not have world read permissions, do
++ * not allow access...
++ */
++
++ if (!status && !(filestats->st_mode & S_IROTH))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
++ return (NULL);
++ }
+ }
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG2,
+--
+1.9.3
+
diff --git a/cups.spec b/cups.spec
index b4b066d..c7abc06 100644
--- a/cups.spec
+++ b/cups.spec
@@ -11,7 +11,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 1.7.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Url: http://www.cups.org/
 Source: http://www.cups.org/software/%{version}/cups-%{version}-source.tar.bz2
@@ -66,6 +66,7 @@ Patch37: cups-final-content-type.patch
 Patch38: cups-journal.patch
 Patch39: cups-synconclose.patch
 Patch40: cups-cgi.patch
+Patch41: cups-CVE-2014-5029-5030-5031.patch
 Patch100: cups-lspp.patch
@@ -255,6 +256,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 %patch39 -p1 -b .synconclose
 # Fix CGI handling (STR #4454).
 %patch40 -p1 -b .cgi
+# CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601)
+%patch41 -p1 -b .CVE-2014-5029-5030-5031
 %if %lspp
 # LSPP support.
@@ -643,6 +646,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz
 %changelog
+* Wed Jul 23 2014 Jiri Popelka - 1:1.7.4-3
+- CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601)
+
 * Wed Jul 23 2014 Tim Waugh - 1:1.7.4-2
 - Fix CGI handling (STR #4454).
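Review bot: The new S_ISLNK and S_IROTH rejections in the last client.c hunk sit after the index-file loop, inside the block closed by the `}` that follows them, so from what the hunk shows they apply only to the resolved index file; the first hunk (line 3313) switches the initial lookup to `lstat` but adds no matching test, so unless one exists in the unshown lines 3317–3407, a request that resolves directly to a symlink or a non-world-readable file passes that `lstat` with status 0 and continues. If that is the case, the same two conditions, `if (!status && S_ISLNK(filestats->st_mode))` and `if (!status && !(filestats->st_mode & S_IROTH))`, should also run right after the first `lstat`, ideally via one small static helper so both sites cannot drift apart. Separately, `lstat` reports only the final path component, so a symlink in a parent directory is still followed silently; the comment above the check should state that limit, e.g. `/* Only the last path component is checked; symlinked parent directories are still followed. */`. get_file's body begins and ends outside the hunk.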