CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601)
This commit is contained in:
parent
3c29b9339f
commit
feafaa334e
99
cups-CVE-2014-5029-5030-5031.patch
Normal file
99
cups-CVE-2014-5029-5030-5031.patch
Normal file
@ -0,0 +1,99 @@
|
|||||||
|
From d40220801eec992804cb728d51228d19496fffd9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
|
||||||
|
Date: Tue, 22 Jul 2014 14:03:19 +0000
|
||||||
|
Subject: [PATCH] Mirror changes from trunk.
|
||||||
|
|
||||||
|
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/branches/branch-1.7@12057 a1ca3aef-8c08-0410-bb20-df032aa958be
|
||||||
|
---
|
||||||
|
diff --git a/scheduler/client.c b/scheduler/client.c
|
||||||
|
index e5959fa..366b351 100644
|
||||||
|
--- a/scheduler/client.c
|
||||||
|
+++ b/scheduler/client.c
|
||||||
|
@@ -3310,7 +3310,7 @@ get_file(cupsd_client_t *con, /* I - Client connection */
|
||||||
|
* then fallback to the default one...
|
||||||
|
*/
|
||||||
|
|
||||||
|
- if ((status = stat(filename, filestats)) != 0 && language[0] &&
|
||||||
|
+ if ((status = lstat(filename, filestats)) != 0 && language[0] &&
|
||||||
|
strncmp(con->uri, "/icons/", 7) &&
|
||||||
|
strncmp(con->uri, "/ppd/", 5) &&
|
||||||
|
strncmp(con->uri, "/rss/", 5) &&
|
||||||
|
@@ -3408,13 +3408,13 @@ get_file(cupsd_client_t *con, /* I - Client connection */
|
||||||
|
plen = len - (ptr - filename);
|
||||||
|
|
||||||
|
strlcpy(ptr, "index.html", plen);
|
||||||
|
- status = stat(filename, filestats);
|
||||||
|
+ status = lstat(filename, filestats);
|
||||||
|
|
||||||
|
#ifdef HAVE_JAVA
|
||||||
|
if (status)
|
||||||
|
{
|
||||||
|
strlcpy(ptr, "index.class", plen);
|
||||||
|
- status = stat(filename, filestats);
|
||||||
|
+ status = lstat(filename, filestats);
|
||||||
|
}
|
||||||
|
#endif /* HAVE_JAVA */
|
||||||
|
|
||||||
|
@@ -3422,7 +3422,7 @@ get_file(cupsd_client_t *con, /* I - Client connection */
|
||||||
|
if (status)
|
||||||
|
{
|
||||||
|
strlcpy(ptr, "index.pl", plen);
|
||||||
|
- status = stat(filename, filestats);
|
||||||
|
+ status = lstat(filename, filestats);
|
||||||
|
}
|
||||||
|
#endif /* HAVE_PERL */
|
||||||
|
|
||||||
|
@@ -3430,7 +3430,7 @@ get_file(cupsd_client_t *con, /* I - Client connection */
|
||||||
|
if (status)
|
||||||
|
{
|
||||||
|
strlcpy(ptr, "index.php", plen);
|
||||||
|
- status = stat(filename, filestats);
|
||||||
|
+ status = lstat(filename, filestats);
|
||||||
|
}
|
||||||
|
#endif /* HAVE_PHP */
|
||||||
|
|
||||||
|
@@ -3438,18 +3438,39 @@ get_file(cupsd_client_t *con, /* I - Client connection */
|
||||||
|
if (status)
|
||||||
|
{
|
||||||
|
strlcpy(ptr, "index.pyc", plen);
|
||||||
|
- status = stat(filename, filestats);
|
||||||
|
+ status = lstat(filename, filestats);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (status)
|
||||||
|
{
|
||||||
|
strlcpy(ptr, "index.py", plen);
|
||||||
|
- status = stat(filename, filestats);
|
||||||
|
+ status = lstat(filename, filestats);
|
||||||
|
}
|
||||||
|
#endif /* HAVE_PYTHON */
|
||||||
|
|
||||||
|
}
|
||||||
|
while (status && language[0]);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * If we've found a symlink, 404 the sucker to avoid disclosing information.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ if (!status && S_ISLNK(filestats->st_mode))
|
||||||
|
+ {
|
||||||
|
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
|
||||||
|
+ return (NULL);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Similarly, if the file/directory does not have world read permissions, do
|
||||||
|
+ * not allow access...
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ if (!status && !(filestats->st_mode & S_IROTH))
|
||||||
|
+ {
|
||||||
|
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
|
||||||
|
+ return (NULL);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
cupsdLogMessage(CUPSD_LOG_DEBUG2,
|
||||||
|
--
|
||||||
|
1.9.3
|
||||||
|
|
@ -11,7 +11,7 @@ Summary: CUPS printing system
|
|||||||
Name: cups
|
Name: cups
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 1.7.4
|
Version: 1.7.4
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Url: http://www.cups.org/
|
Url: http://www.cups.org/
|
||||||
Source: http://www.cups.org/software/%{version}/cups-%{version}-source.tar.bz2
|
Source: http://www.cups.org/software/%{version}/cups-%{version}-source.tar.bz2
|
||||||
@ -66,6 +66,7 @@ Patch37: cups-final-content-type.patch
|
|||||||
Patch38: cups-journal.patch
|
Patch38: cups-journal.patch
|
||||||
Patch39: cups-synconclose.patch
|
Patch39: cups-synconclose.patch
|
||||||
Patch40: cups-cgi.patch
|
Patch40: cups-cgi.patch
|
||||||
|
Patch41: cups-CVE-2014-5029-5030-5031.patch
|
||||||
|
|
||||||
Patch100: cups-lspp.patch
|
Patch100: cups-lspp.patch
|
||||||
|
|
||||||
@ -255,6 +256,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
|
|||||||
%patch39 -p1 -b .synconclose
|
%patch39 -p1 -b .synconclose
|
||||||
# Fix CGI handling (STR #4454).
|
# Fix CGI handling (STR #4454).
|
||||||
%patch40 -p1 -b .cgi
|
%patch40 -p1 -b .cgi
|
||||||
|
# CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601)
|
||||||
|
%patch41 -p1 -b .CVE-2014-5029-5030-5031
|
||||||
|
|
||||||
%if %lspp
|
%if %lspp
|
||||||
# LSPP support.
|
# LSPP support.
|
||||||
@ -643,6 +646,9 @@ rm -f %{cups_serverbin}/backend/smb
|
|||||||
%{_mandir}/man5/ipptoolfile.5.gz
|
%{_mandir}/man5/ipptoolfile.5.gz
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 23 2014 Jiri Popelka <jpopelka@redhat.com> - 1:1.7.4-3
|
||||||
|
- CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601)
|
||||||
|
|
||||||
* Wed Jul 23 2014 Tim Waugh <twaugh@redhat.com> - 1:1.7.4-2
|
* Wed Jul 23 2014 Tim Waugh <twaugh@redhat.com> - 1:1.7.4-2
|
||||||
- Fix CGI handling (STR #4454).
|
- Fix CGI handling (STR #4454).
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user