Accepting request 1112570 from Printing

Security fixes CVE-2023-4504 bsc#1215204 and CVE-2023-32360 bsc#1214254 for CUPS (forwarded request 1112569 from jsmeix) OBS-URL: https://build.opensuse.org/request/show/1112570 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=169
2023-09-22 19:47:09 +00:00 · 2023-09-22 19:47:09 +00:00 · 2ab354e9f1
commit 2ab354e9f1
parent def6dd861f a26f0dde72
5 changed files with 91 additions and 10 deletions
--- a/cups-2.4.2-CVE-2023-32360.patch
+++ b/cups-2.4.2-CVE-2023-32360.patch
@ -0,0 +1,18 @@
+--- conf/cupsd.conf.in.orig	2022-05-26 08:17:21.000000000 +0200
+++ conf/cupsd.conf.in	2023-09-20 13:39:53.316719260 +0200
+@@ -68,7 +68,14 @@ IdleExitTimeout @EXIT_TIMEOUT@
+     Order deny,allow
+   </Limit>
+ 
+-  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # Require authentication for CUPS-Get-Document otherwise unauthenticated users could access print job documents:
+  <Limit CUPS-Get-Document>
+    AuthType Default
+     Require user @OWNER @SYSTEM
+     Order deny,allow
+   </Limit>
--- a/cups-2.4.2-CVE-2023-4504.patch
+++ b/cups-2.4.2-CVE-2023-4504.patch
@ -0,0 +1,21 @@
+--- cups/raster-interpret.c.orig	2022-05-26 08:17:21.000000000 +0200
+++ cups/raster-interpret.c	2023-09-20 14:56:44.666363324 +0200
+@@ -1113,6 +1113,18 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - S
+ 
+ 	    cur ++;
+ 
+          /*
+           * Return NULL if we reached NULL terminator, a lone backslash
+           * is not a valid character in PostScript.
+           */
+
+           if (!*cur)
+           {
+             *ptr = NULL;
+
+             return (NULL);
+           }
+
+             if (*cur == 'b')
+ 	      *valptr++ = '\b';
+ 	    else if (*cur == 'f')
--- a/cups-2.4.2-additional_policies.patch
+++ b/cups-2.4.2-additional_policies.patch
@ -1,6 +1,6 @@
--- conf/cupsd.conf.in.orig	2014-04-02 18:52:53.000000000 +0200
-+++ conf/cupsd.conf.in	2015-07-01 14:39:58.000000000 +0200
-@@ -127,3 +127,45 @@ WebInterface @CUPS_WEBIF@
+--- conf/cupsd.conf.in.CVE-2023-32360.patched	2023-09-20 13:39:53.316719260 +0200
+++ conf/cupsd.conf.in	2023-09-20 13:46:48.474661749 +0200
+@@ -196,3 +196,45 @@ IdleExitTimeout @EXIT_TIMEOUT@
     Order deny,allow
   </Limit>
 </Policy>
@ -15,7 +15,7 @@
 +# print jobs from an internal network to any external destination, see
 +# http://en.opensuse.org/SDB:CUPS_in_a_Nutshell
 +# For documentation regarding 'Managing Operation Policies' see
-+# http://www.cups.org/documentation.php/doc-1.7/policies.html
+# https://openprinting.github.io/cups/doc/policies.html
 +<Policy allowallforanybody>
 +  # Allow anybody to access job's private values:
 +  JobPrivateAccess all
--- a/cups.changes
+++ b/cups.changes
@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Wed Sep 20 13:01:03 UTC 2023 - Johannes Meixner <jsmeix@suse.com>
+
+- cups-2.4.2-CVE-2023-4504.patch fixes CVE-2023-4504
+  "CUPS PostScript Parsing Heap Overflow"
+  https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
+  bsc#1215204
+
+-------------------------------------------------------------------
+Wed Sep 20 11:55:35 UTC 2023 - Johannes Meixner <jsmeix@suse.com>
+
+- cups-2.4.2-CVE-2023-32360.patch fixes CVE-2023-32360
+  "Information leak through Cups-Get-Document operation"
+  by requiring authentication for CUPS-Get-Document in cupsd.conf
+  https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
+  https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
+  bsc#1214254
+- cups-2.4.2-additional_policies.patch is an updated version
+  of cups-2.0.3-additional_policies.patch that replaces it
+  to add the 'allowallforanybody' policy to cupsd.conf
+  after cups-2.4.2-CVE-2023-32360.patch was applied
+
 -------------------------------------------------------------------
 Thu Jun 22 10:50:34 UTC 2023 - Johannes Meixner <jsmeix@suse.com>

--- a/cups.spec
+++ b/cups.spec
@ -80,9 +80,6 @@ Patch11:        cups-2.1.0-default-webcontent-path.patch
 # Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
 # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
 Patch100:       cups-pam.diff
-# Patch101 cups-2.0.3-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
-# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
-Patch101:       cups-2.0.3-additional_policies.patch
 # Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch
 # reverts the change which was added by Michael Sweet in Jan 2007
 # which strips the word "recommended" from NickName in PPDs because
@ -112,6 +109,19 @@ Patch109:       cups-2.4.2-CVE-2023-32324.patch
 # https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
 # https://bugzilla.suse.com/show_bug.cgi?id=1212230
 Patch110:       cups-2.4.2-CVE-2023-34241.patch
+# Patch111 cups-2.4.2-CVE-2023-32360.patch
+# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
+# https://bugzilla.suse.com/show_bug.cgi?id=1214254
+Patch111:       cups-2.4.2-CVE-2023-32360.patch
+# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
+# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
+Patch112:       cups-2.4.2-additional_policies.patch
+# Patch113 cups-2.4.2-CVE-2023-4504.patch
+# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
+# https://bugzilla.suse.com/show_bug.cgi?id=1215204
+Patch113:       cups-2.4.2-CVE-2023-4504.patch
 # Build Requirements:
 BuildRequires:  dbus-1-devel
 BuildRequires:  fdupes
@ -317,9 +327,6 @@ printer drivers for CUPS.
 # Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
 # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
 %patch100 -b cups-pam.orig
-# Patch101 cups-2.0.3-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
-# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
-%patch101 -b additional_policies.orig
 # Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch
 # reverts the change which was added by Michael Sweet in Jan 2007
 # which strips the word "recommended" from NickName in PPDs because
@ -349,6 +356,19 @@ printer drivers for CUPS.
 # https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
 # https://bugzilla.suse.com/show_bug.cgi?id=1212230
 %patch110 -b cups-2.4.2-CVE-2023-34241.orig
+# Patch111 cups-2.4.2-CVE-2023-32360.patch
+# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
+# https://bugzilla.suse.com/show_bug.cgi?id=1214254
+%patch111 -b cups-2.4.2-CVE-2023-32360.orig
+# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
+# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
+%patch112 -b cups-2.4.2-additional_policies.orig
+# Patch113 cups-2.4.2-CVE-2023-4504.patch
+# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
+# https://bugzilla.suse.com/show_bug.cgi?id=1215204
+%patch113 -b cups-2.4.2-CVE-2023-4504.orig

 %build
 # Remove ".SILENT" rule for verbose build output