From 62673a16e4fbd4e2b8aa70567c4dac17ae32945103ee37f51a93dcc93c46be22 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Mon, 16 Nov 2009 09:36:12 +0000 Subject: [PATCH] checked in OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=175 --- ...-1.3.11-CVE-2009-2820-regression-fix.patch | 27 -- cups-1.3.11-CVE-2009-2820.patch | 424 ------------------ cups.changes | 15 - cups.spec | 14 - 4 files changed, 480 deletions(-) delete mode 100644 cups-1.3.11-CVE-2009-2820-regression-fix.patch delete mode 100644 cups-1.3.11-CVE-2009-2820.patch diff --git a/cups-1.3.11-CVE-2009-2820-regression-fix.patch b/cups-1.3.11-CVE-2009-2820-regression-fix.patch deleted file mode 100644 index 2b48048..0000000 --- a/cups-1.3.11-CVE-2009-2820-regression-fix.patch +++ /dev/null @@ -1,27 +0,0 @@ ---- cgi-bin/admin.c.after-cups-1.3.11-CVE-2009-2820-patch 2009-11-03 12:33:53.000000000 +0100 -+++ cgi-bin/admin.c 2009-11-03 12:37:37.000000000 +0100 -@@ -486,6 +486,7 @@ do_am_class(http_t *http, /* I - HTTP c - ipp_attribute_t *attr; /* member-uris attribute */ - char uri[HTTP_MAX_URI]; /* Device or printer URI */ - const char *name, /* Pointer to class name */ -+ *op, /* Operation name */ - *ptr; /* Pointer to CGI variable */ - const char *title; /* Title of page */ - static const char * const pattrs[] = /* Requested printer attributes */ -@@ -497,6 +498,7 @@ do_am_class(http_t *http, /* I - HTTP c - - - title = cgiText(modify ? _("Modify Class") : _("Add Class")); -+ op = cgiGetVariable("OP"); - name = cgiGetVariable("PRINTER_NAME"); - - if (cgiGetVariable("PRINTER_LOCATION") == NULL) -@@ -516,6 +518,8 @@ do_am_class(http_t *http, /* I - HTTP c - */ - - cgiClearVariables(); -+ if (op) -+ cgiSetVariable("OP", op); - if (name) - cgiSetVariable("PRINTER_NAME", name); - diff --git a/cups-1.3.11-CVE-2009-2820.patch b/cups-1.3.11-CVE-2009-2820.patch deleted file mode 100644 index ca92046..0000000 --- a/cups-1.3.11-CVE-2009-2820.patch +++ /dev/null @@ -1,424 +0,0 @@ -diff -upr cups-1.3.11.orig/cgi-bin/admin.c cups-1.3.11/cgi-bin/admin.c ---- cups-1.3.11.orig/cgi-bin/admin.c 2009-06-18 23:42:45.000000000 +0200 -+++ cups-1.3.11/cgi-bin/admin.c 2009-10-21 11:43:02.000000000 +0200 -@@ -104,6 +104,7 @@ main(int argc, /* I - Number of comm - */ - - cgiSetVariable("SECTION", "admin"); -+ cgiSetVariable("REFRESH_PAGE", ""); - - /* - * See if we have form data... -@@ -134,16 +135,61 @@ main(int argc, /* I - Number of comm - - - if (getenv("HTTPS")) -- snprintf(prefix, sizeof(prefix), "https://%s:%s", -- getenv("SERVER_NAME"), getenv("SERVER_PORT")); -+ snprintf(prefix, sizeof(prefix), "https://%s:%s", -+ getenv("SERVER_NAME"), getenv("SERVER_PORT")); - else -- snprintf(prefix, sizeof(prefix), "http://%s:%s", -- getenv("SERVER_NAME"), getenv("SERVER_PORT")); -+ snprintf(prefix, sizeof(prefix), "http://%s:%s", -+ getenv("SERVER_NAME"), getenv("SERVER_PORT")); -+ -+ fprintf(stderr, "DEBUG: redirecting with prefix %s!\n", prefix); - - if ((url = cgiGetVariable("URL")) != NULL) -- printf("Location: %s%s\n\n", prefix, url); -+ { -+ char encoded[1024], /* Encoded URL string */ -+ *ptr; /* Pointer into encoded string */ -+ -+ -+ ptr = encoded; -+ if (*url != '/') -+ *ptr++ = '/'; -+ -+ for (; *url && ptr < (encoded + sizeof(encoded) - 4); url ++) -+ { -+ if (strchr("%@&+ <>#=", *url) || *url < ' ' || *url & 128) -+ { -+ /* -+ * Percent-encode this character; safe because we have at least 4 -+ * bytes left in the array... -+ */ -+ -+ sprintf(ptr, "%%%02X", *url & 255); -+ ptr += 3; -+ } -+ else -+ *ptr++ = *url; -+ } -+ -+ *ptr = '\0'; -+ -+ if (*url) -+ { -+ /* -+ * URL was too long, just redirect to the admin page... -+ */ -+ -+ printf("Location: %s/admin\n\n", prefix); -+ } -+ else -+ { -+ /* -+ * URL is OK, redirect there... -+ */ -+ -+ printf("Location: %s%s\n\n", prefix, encoded); -+ } -+ } - else -- printf("Location: %s/admin\n\n", prefix); -+ printf("Location: %s/admin\n\n", prefix); - } - else if (!strcmp(op, "start-printer")) - do_printer_op(http, IPP_RESUME_PRINTER, cgiText(_("Start Printer"))); -@@ -293,6 +339,31 @@ do_add_rss_subscription(http_t *http) /* - * and classes and (re)show the add page... - */ - -+ if (cgiGetVariable("EVENT_JOB_CREATED")) -+ cgiSetVariable("EVENT_JOB_CREATED", "CHECKED"); -+ if (cgiGetVariable("EVENT_JOB_COMPLETED")) -+ cgiSetVariable("EVENT_JOB_COMPLETED", "CHECKED"); -+ if (cgiGetVariable("EVENT_JOB_STOPPED")) -+ cgiSetVariable("EVENT_JOB_STOPPED", "CHECKED"); -+ if (cgiGetVariable("EVENT_JOB_CONFIG_CHANGED")) -+ cgiSetVariable("EVENT_JOB_CONFIG_CHANGED", "CHECKED"); -+ if (cgiGetVariable("EVENT_PRINTER_STOPPED")) -+ cgiSetVariable("EVENT_PRINTER_STOPPED", "CHECKED"); -+ if (cgiGetVariable("EVENT_PRINTER_ADDED")) -+ cgiSetVariable("EVENT_PRINTER_ADDED", "CHECKED"); -+ if (cgiGetVariable("EVENT_PRINTER_MODIFIED")) -+ cgiSetVariable("EVENT_PRINTER_MODIFIED", "CHECKED"); -+ if (cgiGetVariable("EVENT_PRINTER_DELETED")) -+ cgiSetVariable("EVENT_PRINTER_DELETED", "CHECKED"); -+ if (cgiGetVariable("EVENT_SERVER_STARTED")) -+ cgiSetVariable("EVENT_SERVER_STARTED", "CHECKED"); -+ if (cgiGetVariable("EVENT_SERVER_STOPPED")) -+ cgiSetVariable("EVENT_SERVER_STOPPED", "CHECKED"); -+ if (cgiGetVariable("EVENT_SERVER_RESTARTED")) -+ cgiSetVariable("EVENT_SERVER_RESTARTED", "CHECKED"); -+ if (cgiGetVariable("EVENT_SERVER_AUDIT")) -+ cgiSetVariable("EVENT_SERVER_AUDIT", "CHECKED"); -+ - request = ippNewRequest(CUPS_GET_PRINTERS); - response = cupsDoRequest(http, request, "/"); - -@@ -450,6 +521,10 @@ do_am_class(http_t *http, /* I - HTTP c - * Do the request and get back a response... - */ - -+ cgiClearVariables(); -+ if (name) -+ cgiSetVariable("PRINTER_NAME", name); -+ - if ((response = cupsDoRequest(http, request, "/")) != NULL) - { - /* -@@ -2336,7 +2411,9 @@ do_menu(http_t *http) /* I - HTTP conn - if ((val = cupsGetOption("DefaultAuthType", num_settings, - settings)) != NULL && !strcasecmp(val, "Negotiate")) - cgiSetVariable("KERBEROS", "CHECKED"); -+ else - #endif /* HAVE_GSSAPI */ -+ cgiSetVariable("KERBEROS", ""); - - cupsFreeOptions(num_settings, settings); - -diff -upr cups-1.3.11.orig/cgi-bin/cgi.h cups-1.3.11/cgi-bin/cgi.h ---- cups-1.3.11.orig/cgi-bin/cgi.h 2008-07-12 00:48:49.000000000 +0200 -+++ cups-1.3.11/cgi-bin/cgi.h 2009-10-21 11:42:42.000000000 +0200 -@@ -54,6 +54,7 @@ typedef struct cgi_file_s /**** Uploade - extern void cgiAbort(const char *title, const char *stylesheet, - const char *format, ...); - extern int cgiCheckVariables(const char *names); -+extern void cgiClearVariables(void); - extern void *cgiCompileSearch(const char *query); - extern void cgiCopyTemplateFile(FILE *out, const char *tmpl); - extern void cgiCopyTemplateLang(const char *tmpl); -diff -upr cups-1.3.11.orig/cgi-bin/classes.c cups-1.3.11/cgi-bin/classes.c ---- cups-1.3.11.orig/cgi-bin/classes.c 2008-07-12 00:48:49.000000000 +0200 -+++ cups-1.3.11/cgi-bin/classes.c 2009-10-21 11:43:16.000000000 +0200 -@@ -69,6 +69,7 @@ main(int argc, /* I - Number of comm - */ - - cgiSetVariable("SECTION", "classes"); -+ cgiSetVariable("REFRESH_PAGE", ""); - - /* - * See if we are displaying a printer or all classes... -diff -upr cups-1.3.11.orig/cgi-bin/help.c cups-1.3.11/cgi-bin/help.c ---- cups-1.3.11.orig/cgi-bin/help.c 2008-07-12 00:48:49.000000000 +0200 -+++ cups-1.3.11/cgi-bin/help.c 2009-10-21 11:43:06.000000000 +0200 -@@ -63,6 +63,7 @@ main(int argc, /* I - Number of comm - */ - - cgiSetVariable("SECTION", "help"); -+ cgiSetVariable("REFRESH_PAGE", ""); - - /* - * Load the help index... -@@ -102,7 +103,7 @@ main(int argc, /* I - Number of comm - */ - - for (i = 0; i < argc; i ++) -- fprintf(stderr, "argv[%d]=\"%s\"\n", i, argv[i]); -+ fprintf(stderr, "DEBUG: argv[%d]=\"%s\"\n", i, argv[i]); - - if ((helpfile = getenv("PATH_INFO")) != NULL) - { -@@ -179,6 +180,12 @@ main(int argc, /* I - Number of comm - topic = cgiGetVariable("TOPIC"); - si = helpSearchIndex(hi, query, topic, helpfile); - -+ cgiClearVariables(); -+ if (query) -+ cgiSetVariable("QUERY", query); -+ if (topic) -+ cgiSetVariable("TOPIC", topic); -+ - fprintf(stderr, "DEBUG: query=\"%s\", topic=\"%s\"\n", - query ? query : "(null)", topic ? topic : "(null)"); - -diff -upr cups-1.3.11.orig/cgi-bin/ipp-var.c cups-1.3.11/cgi-bin/ipp-var.c ---- cups-1.3.11.orig/cgi-bin/ipp-var.c 2009-03-05 19:44:14.000000000 +0100 -+++ cups-1.3.11/cgi-bin/ipp-var.c 2009-10-21 11:42:57.000000000 +0200 -@@ -1220,7 +1220,9 @@ cgiShowJobs(http_t *http, /* I - Co - int ascending, /* Order of jobs (0 = descending) */ - first, /* First job to show */ - count; /* Number of jobs */ -- const char *var; /* Form variable */ -+ const char *var, /* Form variable */ -+ *query, /* Query string */ -+ *section; /* Section in web interface */ - void *search; /* Search data */ - char url[1024], /* URL for prev/next/this */ - *urlptr, /* Position in URL */ -@@ -1265,10 +1267,13 @@ cgiShowJobs(http_t *http, /* I - Co - * Get a list of matching job objects. - */ - -- if ((var = cgiGetVariable("QUERY")) != NULL) -- search = cgiCompileSearch(var); -+ if ((query = cgiGetVariable("QUERY")) != NULL) -+ search = cgiCompileSearch(query); - else -+ { -+ query = NULL; - search = NULL; -+ } - - jobs = cgiGetIPPObjects(response, search); - count = cupsArrayCount(jobs); -@@ -1293,16 +1298,27 @@ cgiShowJobs(http_t *http, /* I - Co - if (first < 0) - first = 0; - -- sprintf(url, "%d", count); -- cgiSetVariable("TOTAL", url); -- - if ((var = cgiGetVariable("ORDER")) != NULL) - ascending = !strcasecmp(var, "asc"); - else -- { - ascending = !which_jobs || !strcasecmp(which_jobs, "not-completed"); -- cgiSetVariable("ORDER", ascending ? "asc" : "dec"); -- } -+ -+ section = cgiGetVariable("SECTION"); -+ -+ cgiClearVariables(); -+ -+ if (query) -+ cgiSetVariable("QUERY", query); -+ -+ cgiSetVariable("ORDER", ascending ? "asc" : "dec"); -+ -+ cgiSetVariable("SECTION", section); -+ -+ sprintf(url, "%d", count); -+ cgiSetVariable("TOTAL", url); -+ -+ if (which_jobs) -+ cgiSetVariable("WHICH_JOBS", which_jobs); - - if (ascending) - { -@@ -1325,11 +1341,10 @@ cgiShowJobs(http_t *http, /* I - Co - - urlend = url + sizeof(url); - -- if ((var = cgiGetVariable("QUERY")) != NULL) -+ if (query != NULL) - { - if (dest) -- snprintf(url, sizeof(url), "/%s/%s?QUERY=", cgiGetVariable("SECTION"), -- dest); -+ snprintf(url, sizeof(url), "/%s/%s?QUERY=", section, dest); - else - strlcpy(url, "/jobs/?QUERY=", sizeof(url)); - -@@ -1344,7 +1359,7 @@ cgiShowJobs(http_t *http, /* I - Co - else - { - if (dest) -- snprintf(url, sizeof(url), "/%s/%s?", cgiGetVariable("SECTION"), dest); -+ snprintf(url, sizeof(url), "/%s/%s?", section, dest); - else - strlcpy(url, "/jobs/?", sizeof(url)); - -diff -upr cups-1.3.11.orig/cgi-bin/jobs.c cups-1.3.11/cgi-bin/jobs.c ---- cups-1.3.11.orig/cgi-bin/jobs.c 2008-07-12 00:48:49.000000000 +0200 -+++ cups-1.3.11/cgi-bin/jobs.c 2009-10-21 11:43:13.000000000 +0200 -@@ -57,6 +57,7 @@ main(int argc, /* I - Number of comm - */ - - cgiSetVariable("SECTION", "jobs"); -+ cgiSetVariable("REFRESH_PAGE", ""); - - /* - * Connect to the HTTP server... -diff -upr cups-1.3.11.orig/cgi-bin/printers.c cups-1.3.11/cgi-bin/printers.c ---- cups-1.3.11.orig/cgi-bin/printers.c 2008-07-12 00:48:49.000000000 +0200 -+++ cups-1.3.11/cgi-bin/printers.c 2009-10-21 11:42:30.000000000 +0200 -@@ -72,6 +72,7 @@ main(int argc, /* I - Number of comm - */ - - cgiSetVariable("SECTION", "printers"); -+ cgiSetVariable("REFRESH_PAGE", ""); - - /* - * See if we are displaying a printer or all printers... -diff -upr cups-1.3.11.orig/cgi-bin/template.c cups-1.3.11/cgi-bin/template.c ---- cups-1.3.11.orig/cgi-bin/template.c 2008-07-12 00:48:49.000000000 +0200 -+++ cups-1.3.11/cgi-bin/template.c 2009-10-21 11:42:50.000000000 +0200 -@@ -639,6 +639,8 @@ cgi_puts(const char *s, /* I - String - fputs(">", out); - else if (*s == '\"') - fputs(""", out); -+ else if (*s == '\'') -+ fputs("'", out); - else if (*s == '&') - fputs("&", out); - else -@@ -659,7 +661,7 @@ cgi_puturi(const char *s, /* I - String - { - while (*s) - { -- if (strchr("%&+ <>#=", *s) || *s & 128) -+ if (strchr("%@&+ <>#=", *s) || *s < ' ' || *s & 128) - fprintf(out, "%%%02X", *s & 255); - else - putc(*s, out); -diff -upr cups-1.3.11.orig/cgi-bin/var.c cups-1.3.11/cgi-bin/var.c ---- cups-1.3.11.orig/cgi-bin/var.c 2009-05-08 06:56:54.000000000 +0200 -+++ cups-1.3.11/cgi-bin/var.c 2009-10-21 11:43:09.000000000 +0200 -@@ -15,6 +15,7 @@ - * Contents: - * - * cgiCheckVariables() - Check for the presence of "required" variables. -+ * cgiClearVariables() - Clear all form variables. - * cgiGetArray() - Get an element from a form array... - * cgiGetFile() - Get the file (if any) that was submitted in the form. - * cgiGetSize() - Get the size of a form array value. -@@ -135,6 +136,31 @@ cgiCheckVariables(const char *names) /* - - - /* -+ * 'cgiClearVariables()' - Clear all form variables. -+ */ -+ -+void -+cgiClearVariables(void) -+{ -+ int i, j; /* Looping vars */ -+ _cgi_var_t *v; /* Current variable */ -+ -+ -+ for (v = form_vars, i = form_count; i > 0; v ++, i --) -+ { -+ _cupsStrFree(v->name); -+ for (j = 0; j < v->nvalues; j ++) -+ if (v->values[j]) -+ _cupsStrFree(v->values[j]); -+ } -+ -+ form_count = 0; -+ -+ cgi_unlink_file(); -+} -+ -+ -+/* - * 'cgiGetArray()' - Get an element from a form array... - */ - -@@ -154,7 +180,7 @@ cgiGetArray(const char *name, /* I - Na - if (element < 0 || element >= var->nvalues) - return (NULL); - -- return (var->values[element]); -+ return (_cupsStrAlloc(var->values[element])); - } - - -@@ -209,7 +235,7 @@ cgiGetVariable(const char *name) /* I - - var->values[var->nvalues - 1]); - #endif /* DEBUG */ - -- return ((var == NULL) ? NULL : var->values[var->nvalues - 1]); -+ return ((var == NULL) ? NULL : _cupsStrAlloc(var->values[var->nvalues - 1])); - } - - -@@ -341,9 +367,9 @@ cgiSetArray(const char *name, /* I - Na - var->nvalues = element + 1; - } - else if (var->values[element]) -- free((char *)var->values[element]); -+ _cupsStrFree((char *)var->values[element]); - -- var->values[element] = strdup(value); -+ var->values[element] = _cupsStrAlloc(value); - } - } - -@@ -388,7 +414,7 @@ cgiSetSize(const char *name, /* I - Nam - { - for (i = size; i < var->nvalues; i ++) - if (var->values[i]) -- free((void *)(var->values[i])); -+ _cupsStrFree((void *)(var->values[i])); - } - - var->nvalues = size; -@@ -421,9 +447,9 @@ cgiSetVariable(const char *name, /* I - - { - for (i = 0; i < var->nvalues; i ++) - if (var->values[i]) -- free((char *)var->values[i]); -+ _cupsStrFree((char *)var->values[i]); - -- var->values[0] = strdup(value); -+ var->values[0] = _cupsStrAlloc(value); - var->nvalues = 1; - } - } -@@ -470,10 +496,10 @@ cgi_add_variable(const char *name, /* I - if ((var->values = calloc(element + 1, sizeof(char *))) == NULL) - return; - -- var->name = strdup(name); -+ var->name = _cupsStrAlloc(name); - var->nvalues = element + 1; - var->avalues = element + 1; -- var->values[element] = strdup(value); -+ var->values[element] = _cupsStrAlloc(value); - - form_count ++; - } diff --git a/cups.changes b/cups.changes index 4587e43..cb3e29e 100644 --- a/cups.changes +++ b/cups.changes @@ -1,18 +1,3 @@ -------------------------------------------------------------------- -Wed Nov 11 11:56:12 CET 2009 - jsmeix@suse.de - -- cups-1.3.11-CVE-2009-2820-regression-fix.patch - fixes a regression which was introduced by - the previous cups-1.3.11-CVE-2009-2820.patch - which lets adding a class via CUPS Web Interface fail - with an 'Unknown operation "{op}"' error message - (CUPS STR #3401 and - Novell/Suse Bugzilla bnc#548317 starting at comment #24). -- cups-1.3.11-CVE-2009-2820.patch fixes CUPS Web Interface - Cross-Site Scripting (XSS) and CRLF injection in HTTP headers - (CVE-2009-2820 and CUPS STR #3367 and - Novell/Suse Bugzilla bnc#548317). - ------------------------------------------------------------------- Wed Aug 26 21:43:03 CEST 2009 - meissner@suse.de diff --git a/cups.spec b/cups.spec index d53d040..459436f 100644 --- a/cups.spec +++ b/cups.spec @@ -111,13 +111,6 @@ Patch22: cups-1.3.7-additional_policies.patch # but would be only needed to satisfy 'AC_PATH_PROG(CUPS_PDFTOPS, pdftops)' # in cups-pdf.m4 if only 'configure --with-pdftops=pdftops' was possible: Patch29: full_path_to_configure_with-pdftops.patch -# Patch30 fixes CUPS Web Interface Cross-Site Scripting (XSS) and CRLF injection in HTTP headers, -# (CVE-2009-2820 and Novell/Suse Bugzilla bnc#548317): -Patch30: cups-1.3.11-CVE-2009-2820.patch -# Patch31 fixes a regression which was introduced by Patch30 -# now adding a class via web interface fails with 'Unknown operation "{op}"' -# (Novell/Suse Bugzilla bnc#548317 starting at comment #24): -Patch31: cups-1.3.11-CVE-2009-2820-regression-fix.patch # Patch100 cups-1.1.23-testpage.patch is finally removed # since CUPS 1.3.10 because it was made for CUPS 1.1 and # it was no longer applied since CUPS 1.2 in Suse Linux 10.3 and @@ -228,13 +221,6 @@ Authors: # Patch29 full_path_to_configure_with-pdftops.patch adds support # for 'configure --with-pdftops=/usr/bin/pdftops': %patch29 -# Patch30 fixes CUPS Web Interface Cross-Site Scripting (XSS) and CRLF injection in HTTP headers, -# (CVE-2009-2820 and Novell/Suse Bugzilla bnc#548317): -%patch30 -p1 -# Patch31 fixes a regression which was introduced by Patch30 -# now adding a class via web interface fails with 'Unknown operation "{op}"' -# (Novell/Suse Bugzilla bnc#548317 starting at comment #24): -%patch31 if [ -f /.buildenv ]; then . /.buildenv test -z "$BUILD_DISTRIBUTION_NAME" && BUILD_DISTRIBUTION_NAME="%{?distribution}"