Accepting request 880085 from home:scabrero:branches:Printing
- fix-negotiate-authentication-between-CGIs-and-scheduler.patch fixes web UI Kerberos authentication (bsc#1175960) OBS-URL: https://build.opensuse.org/request/show/880085 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=368
This commit is contained in:
parent
8bc3e5eae8
commit
349342e05e
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 19 12:02:38 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||||
|
||||
- fix-negotiate-authentication-between-CGIs-and-scheduler.patch
|
||||
fixes web UI Kerberos authentication (bsc#1175960)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 18 18:18:18 UTC 2021 - olaf@aepfle.de
|
||||
|
||||
|
@ -78,6 +78,8 @@ Patch104: cups-config-libs.patch
|
||||
# Patch105 CVE-2020-10001.patch fixes CVE-2020-10001 (bsc#1180520)
|
||||
# access to uninitialized buffer in ipp.c
|
||||
Patch105: CVE-2020-10001.patch
|
||||
# Patch106 Fixes web UI Kerberos authentication (bsc#1175960)
|
||||
Patch106: fix-negotiate-authentication-between-CGIs-and-scheduler.patch
|
||||
# Build Requirements:
|
||||
BuildRequires: dbus-1-devel
|
||||
BuildRequires: fdupes
|
||||
@ -189,8 +191,8 @@ printers drivers.
|
||||
Summary: CUPS library configuration files
|
||||
Group: Hardware/Printing
|
||||
%if 0%{?suse_version} >= 1330
|
||||
Requires(pre): user(lp)
|
||||
Requires(pre): group(lp)
|
||||
Requires(pre): user(lp)
|
||||
Requires(pre): group(lp)
|
||||
%endif
|
||||
|
||||
%description config
|
||||
@ -302,6 +304,8 @@ printer drivers for CUPS.
|
||||
# Patch105 CVE-2020-10001.patch fixes CVE-2020-10001 (bsc#1180520)
|
||||
# access to uninitialized buffer in ipp.c
|
||||
%patch105 -b CVE-2020-10001.orig
|
||||
# Patch106 Fixes web UI Kerberos authentication (bsc#1175960)
|
||||
%patch106 -p1
|
||||
|
||||
%build
|
||||
# Remove ".SILENT" rule for verbose build output
|
||||
|
223
fix-negotiate-authentication-between-CGIs-and-scheduler.patch
Normal file
223
fix-negotiate-authentication-between-CGIs-and-scheduler.patch
Normal file
@ -0,0 +1,223 @@
|
||||
From d4521ed0df7e625ccf2bc079bab6f48c46ef9bf9 Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Mon, 26 Oct 2020 17:35:22 +0100
|
||||
Subject: [PATCH 1/4] Avoid infinite loop in admin.cgi when negotiate is used
|
||||
|
||||
SetAuthorizationString with NULL argument sets an empty string.
|
||||
|
||||
Related: #5596
|
||||
|
||||
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
|
||||
---
|
||||
cups/auth.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/cups/auth.c b/cups/auth.c
|
||||
index db45bbba6..f2409350a 100644
|
||||
--- a/cups/auth.c
|
||||
+++ b/cups/auth.c
|
||||
@@ -295,7 +295,7 @@ cupsDoAuthentication(
|
||||
}
|
||||
}
|
||||
|
||||
- if (http->authstring)
|
||||
+ if (http->authstring && http->authstring[0])
|
||||
{
|
||||
DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\".", http->authstring));
|
||||
|
||||
--
|
||||
2.30.2
|
||||
|
||||
|
||||
From 61ad7780bc7d0593e3225d088ac6dff31badf801 Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Tue, 27 Oct 2020 16:11:41 +0100
|
||||
Subject: [PATCH 2/4] Add cups_is_local_connection() to check if connection is
|
||||
to localhost
|
||||
|
||||
Related: #5596
|
||||
|
||||
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
|
||||
---
|
||||
cups/auth.c | 11 ++++++++++-
|
||||
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/cups/auth.c b/cups/auth.c
|
||||
index f2409350a..d2956438d 100644
|
||||
--- a/cups/auth.c
|
||||
+++ b/cups/auth.c
|
||||
@@ -90,6 +90,7 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status,
|
||||
# define cups_gss_printf(major, minor, message)
|
||||
# endif /* DEBUG */
|
||||
#endif /* HAVE_GSSAPI */
|
||||
+static int cups_is_local_connection(http_t *http);
|
||||
static int cups_local_auth(http_t *http);
|
||||
|
||||
|
||||
@@ -916,6 +917,14 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */
|
||||
# endif /* DEBUG */
|
||||
#endif /* HAVE_GSSAPI */
|
||||
|
||||
+static int /* O - 0 if not a local connection */
|
||||
+ /* 1 if local connection */
|
||||
+cups_is_local_connection(http_t *http) /* I - HTTP connection to server */
|
||||
+{
|
||||
+ if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
|
||||
+ return 0;
|
||||
+ return 1;
|
||||
+}
|
||||
|
||||
/*
|
||||
* 'cups_local_auth()' - Get the local authorization certificate if
|
||||
@@ -958,7 +967,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
|
||||
* See if we are accessing localhost...
|
||||
*/
|
||||
|
||||
- if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
|
||||
+ if (!cups_is_local_connection(http))
|
||||
{
|
||||
DEBUG_puts("8cups_local_auth: Not a local connection!");
|
||||
return (1);
|
||||
--
|
||||
2.30.2
|
||||
|
||||
|
||||
From f629d079750a86b1b605c285f99c0dea3933ca50 Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Tue, 27 Oct 2020 16:23:30 +0100
|
||||
Subject: [PATCH 3/4] Try local kerberos ccache credentials only for remote
|
||||
servers
|
||||
|
||||
If connecting to localhost then proceed to ask the client for the
|
||||
authorization using cupsGetPassword2. The get password callback will
|
||||
return 401 to the client with WWW-Authenticate: Negotiate.
|
||||
|
||||
Fixes: #5596
|
||||
|
||||
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
|
||||
---
|
||||
cups/auth.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/cups/auth.c b/cups/auth.c
|
||||
index d2956438d..9661657fc 100644
|
||||
--- a/cups/auth.c
|
||||
+++ b/cups/auth.c
|
||||
@@ -175,10 +175,10 @@ cupsDoAuthentication(
|
||||
DEBUG_printf(("2cupsDoAuthentication: Trying scheme \"%s\"...", scheme));
|
||||
|
||||
#ifdef HAVE_GSSAPI
|
||||
- if (!_cups_strcasecmp(scheme, "Negotiate"))
|
||||
+ if (!_cups_strcasecmp(scheme, "Negotiate") && !cups_is_local_connection(http))
|
||||
{
|
||||
/*
|
||||
- * Kerberos authentication...
|
||||
+ * Kerberos authentication to remote server...
|
||||
*/
|
||||
|
||||
int gss_status; /* Auth status */
|
||||
@@ -202,7 +202,9 @@ cupsDoAuthentication(
|
||||
}
|
||||
else
|
||||
#endif /* HAVE_GSSAPI */
|
||||
- if (_cups_strcasecmp(scheme, "Basic") && _cups_strcasecmp(scheme, "Digest"))
|
||||
+ if (_cups_strcasecmp(scheme, "Basic") &&
|
||||
+ _cups_strcasecmp(scheme, "Digest") &&
|
||||
+ _cups_strcasecmp(scheme, "Negotiate"))
|
||||
{
|
||||
/*
|
||||
* Other schemes not yet supported...
|
||||
@@ -216,7 +218,7 @@ cupsDoAuthentication(
|
||||
* See if we should retry the current username:password...
|
||||
*/
|
||||
|
||||
- if ((http->digest_tries > 1 || !http->userpass[0]) && (!_cups_strcasecmp(scheme, "Basic") || (!_cups_strcasecmp(scheme, "Digest"))))
|
||||
+ if (http->digest_tries > 1 || !http->userpass[0])
|
||||
{
|
||||
/*
|
||||
* Nope - get a new password from the user...
|
||||
--
|
||||
2.30.2
|
||||
|
||||
|
||||
From 0563a28b18b21d5574a5e0e38b74246146074bbf Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Tue, 27 Oct 2020 16:18:03 +0100
|
||||
Subject: [PATCH 4/4] Allow Local authentication for Negotiate
|
||||
|
||||
PeerCred is also possible if address family is AF_LOCAL. This will allow
|
||||
the CGI programs to generate the authorization from the local
|
||||
certificates based on PID also when Negotiate is used for local
|
||||
connections:
|
||||
|
||||
Client CGI
|
||||
Browser <- Remote conn -> admin.cgi <--- Localhost conn ---> Scheduler
|
||||
| | |
|
||||
+ --- HTTP/POST /admin/ --> | |
|
||||
| + --- CUPS-Get-Devices ------------> |
|
||||
| | |
|
||||
| | <-- 401 Unauthorized --------------+
|
||||
| | WWW-Authenticate: |
|
||||
| | Negotiate, (PeerCred,) Local |
|
||||
| | |
|
||||
| <-- 401 Unauthorized -----+ |
|
||||
| WWW-Authenticate: | |
|
||||
| Negotiate | |
|
||||
| | |
|
||||
| --- HTTP/POST /admin/ --> | |
|
||||
| Authorization: + --- IPP CUPS-GetDevices ---------> |
|
||||
| Negotiate | Authorization: Local <cert> |
|
||||
| | |
|
||||
|
||||
Fixes: #5596
|
||||
|
||||
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
|
||||
---
|
||||
cups/auth.c | 5 -----
|
||||
scheduler/client.c | 9 ++-------
|
||||
2 files changed, 2 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/cups/auth.c b/cups/auth.c
|
||||
index 9661657fc..b6fec6b98 100644
|
||||
--- a/cups/auth.c
|
||||
+++ b/cups/auth.c
|
||||
@@ -1043,11 +1043,6 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
|
||||
}
|
||||
# endif /* HAVE_AUTHORIZATION_H */
|
||||
|
||||
-# ifdef HAVE_GSSAPI
|
||||
- if (cups_auth_find(www_auth, "Negotiate"))
|
||||
- return (1);
|
||||
-# endif /* HAVE_GSSAPI */
|
||||
-
|
||||
# if defined(SO_PEERCRED) && defined(AF_LOCAL)
|
||||
/*
|
||||
* See if we can authenticate using the peer credentials provided over a
|
||||
diff --git a/scheduler/client.c b/scheduler/client.c
|
||||
index c2ee8f12a..56797d58d 100644
|
||||
--- a/scheduler/client.c
|
||||
+++ b/scheduler/client.c
|
||||
@@ -2109,18 +2109,13 @@ cupsdSendHeader(
|
||||
}
|
||||
else if (auth_type == CUPSD_AUTH_NEGOTIATE)
|
||||
{
|
||||
-#if defined(SO_PEERCRED) && defined(AF_LOCAL)
|
||||
- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
|
||||
- strlcpy(auth_str, "PeerCred", sizeof(auth_str));
|
||||
- else
|
||||
-#endif /* SO_PEERCRED && AF_LOCAL */
|
||||
strlcpy(auth_str, "Negotiate", sizeof(auth_str));
|
||||
}
|
||||
|
||||
- if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
|
||||
+ if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
|
||||
{
|
||||
/*
|
||||
- * Add a "trc" (try root certification) parameter for local non-Kerberos
|
||||
+ * Add a "trc" (try root certification) parameter for local
|
||||
* requests when the request requires system group membership - then the
|
||||
* client knows the root certificate can/should be used.
|
||||
*
|
||||
--
|
||||
2.30.2
|
||||
|
Loading…
Reference in New Issue
Block a user