Accepting request 247234 from Printing
CUPS additional fix for bnc#892587 a regression of the security fix bnc#887240 (forwarded request 247233 from jsmeix) OBS-URL: https://build.opensuse.org/request/show/247234 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=121
This commit is contained in:
Stephan Kulow
Git OBS Bridge
19
cups.changes
19
cups.changes
@@ -1,3 +1,22 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 2 15:48:23 CEST 2014 - jsmeix@suse.de
|
||||
|
||||
- Let fdupes only create symlinks in /usr/share/cups/templates/ to
|
||||
avoid a symlink /usr/share/cups/webcontent/images/cups-icon.png
|
||||
because the cupsd web server does no longer follow symlinks
|
||||
to avoid the security issues mentioned in the previous entry
|
||||
below (fixes bnc#892587 a regression of bnc#887240).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 2 15:26:36 CEST 2014 - jsmeix@suse.de
|
||||
|
||||
- str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch
|
||||
fixes that the web interface incorrectly served symlinked files
|
||||
and files that were not world-readable, potentially leading to
|
||||
a disclosure of information (CVE-2014-3537 STR #4450 plus the
|
||||
subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455
|
||||
all in bnc#887240).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 22 10:16:17 UTC 2014 - werner@suse.de
|
||||
|
||||
|
||||
20
cups.spec
20
cups.spec
@@ -222,6 +222,11 @@ Patch113: cups-1.5.4-CVE-2012-5519.patch
|
||||
Patch114: str4351.patch
|
||||
# Patch115 fixes STR #4388: no or malformed output from lpstat in charset other than utf-8
|
||||
Patch115: cups-1.5.4-strftime.patch
|
||||
# Patch116 fixes that the web interface incorrectly served symlinked files
|
||||
# and files that were not world-readable, potentially leading to
|
||||
# a disclosure of information (CVE-2014-3537 STR #4450 bnc#887240
|
||||
# plus the subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455):
|
||||
Patch116: str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch
|
||||
# Install into this non-root directory (required when norootforbuild is used):
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
@@ -386,6 +391,11 @@ printer drivers for CUPS.
|
||||
%patch114
|
||||
# Patch115 fixes STR #4388: no or malformed output from lpstat in charset other than utf-8
|
||||
%patch115 -p1
|
||||
# Patch116 fixes that the web interface incorrectly served symlinked files
|
||||
# and files that were not world-readable, potentially leading to
|
||||
# a disclosure of information (CVE-2014-3537 STR #4450 bnc#887240
|
||||
# plus the subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455):
|
||||
%patch116
|
||||
|
||||
%build
|
||||
# Disable SILENT run of make so that make runs verbose as usual:
|
||||
@@ -576,8 +586,14 @@ sed -i -e 's|/var/lock|/run/lock|g' %{buildroot}/etc/init.d/cups
|
||||
# compare https://bugzilla.novell.com/show_bug.cgi?id=784869
|
||||
# so that fdupes can only run for specific directories where linking files is safe.
|
||||
# Using fdupes -s, which will create symlinks that are easier to grasp for rpm and
|
||||
# rpmlint will give a "dangling symlink" error if the file and link ended up in different packages:
|
||||
%fdupes -s %{buildroot}/%{_datadir}/cups
|
||||
# rpmlint will give a "dangling symlink" error if the file and link ended up in different packages.
|
||||
# All symlinks created by fdupes are in /usr/share/cups/templates/
|
||||
# except /usr/share/cups/webcontent/images/cups-icon.png -> /usr/share/cups/webcontent/images/cups.png
|
||||
# but that one must not be a symlink because since CUPS 1.7.4/1.7.5 the cupsd web server does no longer
|
||||
# follow symlink to avoid security issues (see bnc#892587 and bnc#887240 and and the upstream
|
||||
# issues http://www.cups.org/str.php?L4450 and https://www.cups.org/str.php?L4455)
|
||||
# so that fdupes should only create symlinks in /usr/share/cups/templates/:
|
||||
%fdupes -s %{buildroot}/%{_datadir}/cups/templates
|
||||
|
||||
%pre
|
||||
# Use a real bash script with an explicit "exit 0" at the end to be by default fail safe
|
||||
|
||||
@@ -0,0 +1,164 @@
|
||||
--- scheduler/client.c.orig 2014-09-02 11:26:57.000000000 +0200
|
||||
+++ scheduler/client.c 2014-09-02 12:35:05.000000000 +0200
|
||||
@@ -3672,51 +3672,72 @@ get_file(cupsd_client_t *con, /* I - C
|
||||
if ((ptr = strchr(filename, '?')) != NULL)
|
||||
*ptr = '\0';
|
||||
|
||||
/*
|
||||
* Grab the status for this language; if there isn't a language-specific file
|
||||
* then fallback to the default one...
|
||||
*/
|
||||
|
||||
- if ((status = stat(filename, filestats)) != 0 && language[0] &&
|
||||
+ if ((status = lstat(filename, filestats)) != 0 && language[0] &&
|
||||
strncmp(con->uri, "/icons/", 7) &&
|
||||
strncmp(con->uri, "/ppd/", 5) &&
|
||||
strncmp(con->uri, "/rss/", 5) &&
|
||||
strncmp(con->uri, "/admin/conf/", 12) &&
|
||||
strncmp(con->uri, "/admin/log/", 11))
|
||||
{
|
||||
/*
|
||||
* Drop the country code...
|
||||
*/
|
||||
|
||||
language[3] = '\0';
|
||||
snprintf(filename, len, "%s%s%s", DocumentRoot, language, con->uri);
|
||||
|
||||
if ((ptr = strchr(filename, '?')) != NULL)
|
||||
*ptr = '\0';
|
||||
|
||||
- if ((status = stat(filename, filestats)) != 0)
|
||||
+ if ((status = lstat(filename, filestats)) != 0)
|
||||
{
|
||||
/*
|
||||
* Drop the language prefix and try the root directory...
|
||||
*/
|
||||
|
||||
language[0] = '\0';
|
||||
snprintf(filename, len, "%s%s", DocumentRoot, con->uri);
|
||||
|
||||
if ((ptr = strchr(filename, '?')) != NULL)
|
||||
*ptr = '\0';
|
||||
|
||||
- status = stat(filename, filestats);
|
||||
+ status = lstat(filename, filestats);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
- * If we're found a directory, get the index.html file instead...
|
||||
+ * If we've found a symlink, 404 the sucker to avoid disclosing information.
|
||||
+ */
|
||||
+
|
||||
+ if (!status && S_ISLNK(filestats->st_mode))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
|
||||
+ return (NULL);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Similarly, if the file/directory does not have world read permissions, do
|
||||
+ * not allow access...
|
||||
+ */
|
||||
+
|
||||
+ if (!status && !(filestats->st_mode & S_IROTH))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
|
||||
+ return (NULL);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If we've found a directory, get the index.html file instead...
|
||||
*/
|
||||
|
||||
if (!status && S_ISDIR(filestats->st_mode))
|
||||
{
|
||||
/*
|
||||
* Make sure the URI ends with a slash...
|
||||
*/
|
||||
|
||||
@@ -3749,58 +3770,79 @@ get_file(cupsd_client_t *con, /* I - C
|
||||
|
||||
if ((ptr = strchr(filename, '?')) != NULL)
|
||||
*ptr = '\0';
|
||||
|
||||
ptr = filename + strlen(filename);
|
||||
plen = len - (ptr - filename);
|
||||
|
||||
strlcpy(ptr, "index.html", plen);
|
||||
- status = stat(filename, filestats);
|
||||
+ status = lstat(filename, filestats);
|
||||
|
||||
#ifdef HAVE_JAVA
|
||||
if (status)
|
||||
{
|
||||
strlcpy(ptr, "index.class", plen);
|
||||
- status = stat(filename, filestats);
|
||||
+ status = lstat(filename, filestats);
|
||||
}
|
||||
#endif /* HAVE_JAVA */
|
||||
|
||||
#ifdef HAVE_PERL
|
||||
if (status)
|
||||
{
|
||||
strlcpy(ptr, "index.pl", plen);
|
||||
- status = stat(filename, filestats);
|
||||
+ status = lstat(filename, filestats);
|
||||
}
|
||||
#endif /* HAVE_PERL */
|
||||
|
||||
#ifdef HAVE_PHP
|
||||
if (status)
|
||||
{
|
||||
strlcpy(ptr, "index.php", plen);
|
||||
- status = stat(filename, filestats);
|
||||
+ status = lstat(filename, filestats);
|
||||
}
|
||||
#endif /* HAVE_PHP */
|
||||
|
||||
#ifdef HAVE_PYTHON
|
||||
if (status)
|
||||
{
|
||||
strlcpy(ptr, "index.pyc", plen);
|
||||
- status = stat(filename, filestats);
|
||||
+ status = lstat(filename, filestats);
|
||||
}
|
||||
|
||||
if (status)
|
||||
{
|
||||
strlcpy(ptr, "index.py", plen);
|
||||
status = stat(filename, filestats);
|
||||
}
|
||||
#endif /* HAVE_PYTHON */
|
||||
|
||||
}
|
||||
while (status && language[0]);
|
||||
+
|
||||
+ /*
|
||||
+ * If we've found a symlink, 404 the sucker to avoid disclosing information.
|
||||
+ */
|
||||
+
|
||||
+ if (!status && S_ISLNK(filestats->st_mode))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
|
||||
+ return (NULL);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Similarly, if the file/directory does not have world read permissions, do
|
||||
+ * not allow access...
|
||||
+ */
|
||||
+
|
||||
+ if (!status && !(filestats->st_mode & S_IROTH))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
|
||||
+ return (NULL);
|
||||
+ }
|
||||
}
|
||||
|
||||
cupsdLogMessage(CUPSD_LOG_DEBUG2,
|
||||
"get_file(con=%p(%d), filestats=%p, filename=%p, len=%d) = "
|
||||
"%s", con, con->http.fd, filestats, filename, len,
|
||||
status ? "(null)" : filename);
|
||||
|
||||
if (status)
|
||||
Reference in New Issue
Block a user