From a26f0dde72691592316c52d19b86e7f5f198c4d932ba21f4e282a0bed2f33a06 Mon Sep 17 00:00:00 2001 From: Johannes Meixner Date: Wed, 20 Sep 2023 13:12:23 +0000 Subject: [PATCH] Accepting request 1112569 from home:jsmeix:branches:Printing Security fixes CVE-2023-4504 bsc#1215204 and CVE-2023-32360 bsc#1214254 for CUPS OBS-URL: https://build.opensuse.org/request/show/1112569 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=401 --- cups-2.4.2-CVE-2023-32360.patch | 18 +++++++++++ cups-2.4.2-CVE-2023-4504.patch | 21 ++++++++++++ ...ch => cups-2.4.2-additional_policies.patch | 8 ++--- cups.changes | 22 +++++++++++++ cups.spec | 32 +++++++++++++++---- 5 files changed, 91 insertions(+), 10 deletions(-) create mode 100644 cups-2.4.2-CVE-2023-32360.patch create mode 100644 cups-2.4.2-CVE-2023-4504.patch rename cups-2.0.3-additional_policies.patch => cups-2.4.2-additional_policies.patch (89%)
diff --git a/cups-2.4.2-CVE-2023-32360.patch b/cups-2.4.2-CVE-2023-32360.patch
new file mode 100644
index 0000000..aa267e9
--- /dev/null
+++ b/cups-2.4.2-CVE-2023-32360.patch
@@ -0,0 +1,18 @@
+--- conf/cupsd.conf.in.orig 2022-05-26 08:17:21.000000000 +0200
++++ conf/cupsd.conf.in 2023-09-20 13:39:53.316719260 +0200
+@@ -68,7 +68,14 @@ IdleExitTimeout @EXIT_TIMEOUT@
+ Order deny,allow
+
+
+-
++
++ Require user @OWNER @SYSTEM
++ Order deny,allow
++
++
++ # Require authentication for CUPS-Get-Document otherwise unauthenticated users could access print job documents:
++
++ AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+
diff --git a/cups-2.4.2-CVE-2023-4504.patch b/cups-2.4.2-CVE-2023-4504.patch
new file mode 100644
index 0000000..9f2cbff
--- /dev/null
+++ b/cups-2.4.2-CVE-2023-4504.patch
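Review bot: Only the template `conf/cupsd.conf.in` gets the `AuthType Default` requirement under the new `# Require authentication for CUPS-Get-Document ...` comment, so a system that keeps a locally modified cupsd.conf across the update would presumably remain without it. Neither this hunk nor the cups.changes entry says so. I would add a line to the changelog entry such as `Existing cupsd.conf files are not changed: add "AuthType Default" for CUPS-Get-Document there manually`. The 'allowallforanybody' policy that cups-2.4.2-additional_policies.patch re-adds on top of this patch lies outside the hunk, but judging by its name it presumably still permits the operation without authentication; one comment line in that policy block should state this.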
@@ -0,0 +1,21 @@
+--- cups/raster-interpret.c.orig 2022-05-26 08:17:21.000000000 +0200
++++ cups/raster-interpret.c 2023-09-20 14:56:44.666363324 +0200
+@@ -1113,6 +1113,18 @@ scan_ps(_cups_ps_stack_t *st, /* I - S
+
+ cur ++;
+
++ /*
++ * Return NULL if we reached NULL terminator, a lone backslash
++ * is not a valid character in PostScript.
++ */
++
++ if (!*cur)
++ {
++ *ptr = NULL;
++
++ return (NULL);
++ }
++
+ if (*cur == 'b')
+ *valptr++ = '\b';
+ else if (*cur == 'f')
diff --git a/cups-2.0.3-additional_policies.patch b/cups-2.4.2-additional_policies.patch
similarity index 89%
rename from cups-2.0.3-additional_policies.patch
rename to cups-2.4.2-additional_policies.patch
index a6a06ac..e6fa164 100644
--- a/cups-2.0.3-additional_policies.patch
+++ b/cups-2.4.2-additional_policies.patch
@@ -1,6 +1,6 @@
---- conf/cupsd.conf.in.orig 2014-04-02 18:52:53.000000000 +0200
-+++ conf/cupsd.conf.in 2015-07-01 14:39:58.000000000 +0200
-@@ -127,3 +127,45 @@ WebInterface @CUPS_WEBIF@
+--- conf/cupsd.conf.in.CVE-2023-32360.patched 2023-09-20 13:39:53.316719260 +0200
++++ conf/cupsd.conf.in 2023-09-20 13:46:48.474661749 +0200
+@@ -196,3 +196,45 @@ IdleExitTimeout @EXIT_TIMEOUT@
 Order deny,allow
@@ -15,7 +15,7 @@
 +# print jobs from an internal network to any external destination, see
 +# http://en.opensuse.org/SDB:CUPS_in_a_Nutshell
 +# For documentation regarding 'Managing Operation Policies' see
-+# http://www.cups.org/documentation.php/doc-1.7/policies.html
++# https://openprinting.github.io/cups/doc/policies.html
 +
 + # Allow anybody to access job's private values:
 + JobPrivateAccess all
diff --git a/cups.changes b/cups.changes
index ff215c6..8fffa48 100644
--- a/cups.changes
+++ b/cups.changes
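Review bot: The comment above the added `if (!*cur)` check gives only the PostScript-syntax reason and calls the end of the string a "NULL terminator". It does not say that this check is what presumably keeps the scan from continuing past the end of the input once `cur ++` has stepped onto the terminator. I would word it as `Stop at the NUL terminator: a backslash at the end of the input has nothing to escape, and scanning must not continue past the end of the string.` The rest of scan_ps, including the remainder of the escape decoding, lies outside the hunk, so any other statement in that branch that advances `cur` should be confirmed to test for the terminator in the same way.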
@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Wed Sep 20 13:01:03 UTC 2023 - Johannes Meixner
+
+- cups-2.4.2-CVE-2023-4504.patch fixes CVE-2023-4504
+ "CUPS PostScript Parsing Heap Overflow"
+ https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
+ bsc#1215204
+
+-------------------------------------------------------------------
+Wed Sep 20 11:55:35 UTC 2023 - Johannes Meixner
+
+- cups-2.4.2-CVE-2023-32360.patch fixes CVE-2023-32360
+ "Information leak through Cups-Get-Document operation"
+ by requiring authentication for CUPS-Get-Document in cupsd.conf
+ https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
+ https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
+ bsc#1214254
+- cups-2.4.2-additional_policies.patch is an updated version
+ of cups-2.0.3-additional_policies.patch that replaces it
+ to add the 'allowallforanybody' policy to cupsd.conf
+ after cups-2.4.2-CVE-2023-32360.patch was applied
+
 -------------------------------------------------------------------
 Thu Jun 22 10:50:34 UTC 2023 - Johannes Meixner
diff --git a/cups.spec b/cups.spec
index 41501e7..7c26ff5 100644
--- a/cups.spec
+++ b/cups.spec
@@ -80,9 +80,6 @@ Patch11: cups-2.1.0-default-webcontent-path.patch
 # Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
 # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
 Patch100: cups-pam.diff
-# Patch101 cups-2.0.3-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
-# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
-Patch101: cups-2.0.3-additional_policies.patch
 # Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch
 # reverts the change which was added by Michael Sweet in Jan 2007
 # which strips the word "recommended" from NickName in PPDs because
@@ -112,6 +109,19 @@ Patch109: cups-2.4.2-CVE-2023-32324.patch
 # https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
 # https://bugzilla.suse.com/show_bug.cgi?id=1212230
 Patch110: cups-2.4.2-CVE-2023-34241.patch
+# Patch111 cups-2.4.2-CVE-2023-32360.patch
+# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
+# https://bugzilla.suse.com/show_bug.cgi?id=1214254
+Patch111: cups-2.4.2-CVE-2023-32360.patch
+# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
+# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
+Patch112: cups-2.4.2-additional_policies.patch
+# Patch113 cups-2.4.2-CVE-2023-4504.patch
+# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
+# https://bugzilla.suse.com/show_bug.cgi?id=1215204
+Patch113: cups-2.4.2-CVE-2023-4504.patch
 # Build Requirements:
 BuildRequires: dbus-1-devel
 BuildRequires: fdupes
@@ -317,9 +327,6 @@ printer drivers for CUPS.
 # Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
 # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
 %patch100 -b cups-pam.orig
-# Patch101 cups-2.0.3-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
-# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
-%patch101 -b additional_policies.orig
 # Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch
 # reverts the change which was added by Michael Sweet in Jan 2007
 # which strips the word "recommended" from NickName in PPDs because
@@ -349,6 +356,19 @@ printer drivers for CUPS.
 # https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
 # https://bugzilla.suse.com/show_bug.cgi?id=1212230
 %patch110 -b cups-2.4.2-CVE-2023-34241.orig
+# Patch111 cups-2.4.2-CVE-2023-32360.patch
+# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
+# https://bugzilla.suse.com/show_bug.cgi?id=1214254
+%patch111 -b cups-2.4.2-CVE-2023-32360.orig
+# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
+# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
+%patch112 -b cups-2.4.2-additional_policies.orig
+# Patch113 cups-2.4.2-CVE-2023-4504.patch
+# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
+# https://bugzilla.suse.com/show_bug.cgi?id=1215204
+%patch113 -b cups-2.4.2-CVE-2023-4504.orig
 %build
 # Remove ".SILENT" rule for verbose build output