CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601)

This commit is contained in:
Jiri Popelka 2014-07-23 17:18:39 +02:00
parent 3c29b9339f
commit feafaa334e
2 changed files with 106 additions and 1 deletions

View File

@ -0,0 +1,99 @@
From d40220801eec992804cb728d51228d19496fffd9 Mon Sep 17 00:00:00 2001
From: msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Date: Tue, 22 Jul 2014 14:03:19 +0000
Subject: [PATCH] Mirror changes from trunk.
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/branches/branch-1.7@12057 a1ca3aef-8c08-0410-bb20-df032aa958be
---
diff --git a/scheduler/client.c b/scheduler/client.c
index e5959fa..366b351 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -3310,7 +3310,7 @@ get_file(cupsd_client_t *con, /* I - Client connection */
* then fallback to the default one...
*/
- if ((status = stat(filename, filestats)) != 0 && language[0] &&
+ if ((status = lstat(filename, filestats)) != 0 && language[0] &&
strncmp(con->uri, "/icons/", 7) &&
strncmp(con->uri, "/ppd/", 5) &&
strncmp(con->uri, "/rss/", 5) &&
@@ -3408,13 +3408,13 @@ get_file(cupsd_client_t *con, /* I - Client connection */
plen = len - (ptr - filename);
strlcpy(ptr, "index.html", plen);
- status = stat(filename, filestats);
+ status = lstat(filename, filestats);
#ifdef HAVE_JAVA
if (status)
{
strlcpy(ptr, "index.class", plen);
- status = stat(filename, filestats);
+ status = lstat(filename, filestats);
}
#endif /* HAVE_JAVA */
@@ -3422,7 +3422,7 @@ get_file(cupsd_client_t *con, /* I - Client connection */
if (status)
{
strlcpy(ptr, "index.pl", plen);
- status = stat(filename, filestats);
+ status = lstat(filename, filestats);
}
#endif /* HAVE_PERL */
@@ -3430,7 +3430,7 @@ get_file(cupsd_client_t *con, /* I - Client connection */
if (status)
{
strlcpy(ptr, "index.php", plen);
- status = stat(filename, filestats);
+ status = lstat(filename, filestats);
}
#endif /* HAVE_PHP */
@@ -3438,18 +3438,39 @@ get_file(cupsd_client_t *con, /* I - Client connection */
if (status)
{
strlcpy(ptr, "index.pyc", plen);
- status = stat(filename, filestats);
+ status = lstat(filename, filestats);
}
if (status)
{
strlcpy(ptr, "index.py", plen);
- status = stat(filename, filestats);
+ status = lstat(filename, filestats);
}
#endif /* HAVE_PYTHON */
}
while (status && language[0]);
+
+ /*
+ * If we've found a symlink, 404 the sucker to avoid disclosing information.
+ */
+
+ if (!status && S_ISLNK(filestats->st_mode))
+ {
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
+ return (NULL);
+ }
+
+ /*
+ * Similarly, if the file/directory does not have world read permissions, do
+ * not allow access...
+ */
+
+ if (!status && !(filestats->st_mode & S_IROTH))
+ {
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
+ return (NULL);
+ }
}
cupsdLogMessage(CUPSD_LOG_DEBUG2,
--
1.9.3

View File

@ -11,7 +11,7 @@ Summary: CUPS printing system
Name: cups Name: cups
Epoch: 1 Epoch: 1
Version: 1.7.4 Version: 1.7.4
Release: 2%{?dist} Release: 3%{?dist}
License: GPLv2 License: GPLv2
Url: http://www.cups.org/ Url: http://www.cups.org/
Source: http://www.cups.org/software/%{version}/cups-%{version}-source.tar.bz2 Source: http://www.cups.org/software/%{version}/cups-%{version}-source.tar.bz2
@ -66,6 +66,7 @@ Patch37: cups-final-content-type.patch
Patch38: cups-journal.patch Patch38: cups-journal.patch
Patch39: cups-synconclose.patch Patch39: cups-synconclose.patch
Patch40: cups-cgi.patch Patch40: cups-cgi.patch
Patch41: cups-CVE-2014-5029-5030-5031.patch
Patch100: cups-lspp.patch Patch100: cups-lspp.patch
@ -255,6 +256,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
%patch39 -p1 -b .synconclose %patch39 -p1 -b .synconclose
# Fix CGI handling (STR #4454). # Fix CGI handling (STR #4454).
%patch40 -p1 -b .cgi %patch40 -p1 -b .cgi
# CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601)
%patch41 -p1 -b .CVE-2014-5029-5030-5031
%if %lspp %if %lspp
# LSPP support. # LSPP support.
@ -643,6 +646,9 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man5/ipptoolfile.5.gz %{_mandir}/man5/ipptoolfile.5.gz
%changelog %changelog
* Wed Jul 23 2014 Jiri Popelka <jpopelka@redhat.com> - 1:1.7.4-3
- CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601)
* Wed Jul 23 2014 Tim Waugh <twaugh@redhat.com> - 1:1.7.4-2 * Wed Jul 23 2014 Tim Waugh <twaugh@redhat.com> - 1:1.7.4-2
- Fix CGI handling (STR #4454). - Fix CGI handling (STR #4454).