Accepting request 1180031 from home:jsmeix:branches:Printing
Fix for CVE-2024-35235 bsc#1225365 OBS-URL: https://build.opensuse.org/request/show/1180031 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=411
This commit is contained in:
Johannes Meixner
Git OBS Bridge
parent
6eb4ff1738
commit
9c2057097a
87
cups-2.4.8-CVE-2024-35235.patch
Normal file
87
cups-2.4.8-CVE-2024-35235.patch
Normal file
@ -0,0 +1,87 @@
|
||||
--- cups/http-addr.c.orig 2024-04-26 13:38:21.000000000 +0200
|
||||
+++ cups/http-addr.c 2024-06-11 10:20:21.866920900 +0200
|
||||
@@ -202,31 +202,30 @@ httpAddrListen(http_addr_t *addr, /* I -
|
||||
{
|
||||
mode_t mask; /* Umask setting */
|
||||
|
||||
- /*
|
||||
- * Remove any existing domain socket file...
|
||||
- */
|
||||
-
|
||||
- unlink(addr->un.sun_path);
|
||||
-
|
||||
- /*
|
||||
- * Save the current umask and set it to 0 so that all users can access
|
||||
- * the domain socket...
|
||||
- */
|
||||
-
|
||||
- mask = umask(0);
|
||||
-
|
||||
- /*
|
||||
- * Bind the domain socket...
|
||||
- */
|
||||
-
|
||||
- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
|
||||
-
|
||||
- /*
|
||||
- * Restore the umask and fix permissions...
|
||||
- */
|
||||
-
|
||||
- umask(mask);
|
||||
- chmod(addr->un.sun_path, 0140777);
|
||||
+ // Remove any existing domain socket file...
|
||||
+ if ((status = unlink(addr->un.sun_path)) < 0)
|
||||
+ {
|
||||
+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
|
||||
+
|
||||
+ if (errno == ENOENT)
|
||||
+ status = 0;
|
||||
+ }
|
||||
+
|
||||
+ if (!status)
|
||||
+ {
|
||||
+ // Save the current umask and set it to 0 so that all users can access
|
||||
+ // the domain socket...
|
||||
+ mask = umask(0);
|
||||
+
|
||||
+ // Bind the domain socket...
|
||||
+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
|
||||
+ {
|
||||
+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
|
||||
+ }
|
||||
+
|
||||
+ // Restore the umask...
|
||||
+ umask(mask);
|
||||
+ }
|
||||
}
|
||||
else
|
||||
#endif /* AF_LOCAL */
|
||||
--- scheduler/conf.c.orig 2024-04-26 13:38:21.000000000 +0200
|
||||
+++ scheduler/conf.c 2024-06-11 10:14:06.091882607 +0200
|
||||
@@ -3084,6 +3084,26 @@ read_cupsd_conf(cups_file_t *fp) /* I -
|
||||
|
||||
|
||||
/*
|
||||
+ * If we are launched on-demand, do not use domain sockets from the config
|
||||
+ * file. Also check that the domain socket path is not too long...
|
||||
+ */
|
||||
+
|
||||
+#ifdef HAVE_ONDEMAND
|
||||
+ if (*value == '/' && OnDemand)
|
||||
+ {
|
||||
+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
|
||||
+ continue;
|
||||
+ }
|
||||
+#endif // HAVE_ONDEMAND
|
||||
+
|
||||
+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
* Get the address list...
|
||||
*/
|
||||
|
||||
10
cups.changes
10
cups.changes
@ -1,3 +1,13 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jun 11 08:28:32 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
|
||||
|
||||
- cups-2.4.8-CVE-2024-35235.patch is derived
|
||||
from the upstream patch against master (CUPS 2.5)
|
||||
to apply to CUPS 2.4.8 in openSUSE Factory to fix CVE-2024-35235
|
||||
"cupsd Listen port arbitrary chmod 0140777"
|
||||
https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
|
||||
bsc#1225365
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed May 29 12:29:38 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||
|
||||
|
||||
14
cups.spec
14
cups.spec
@ -103,6 +103,13 @@ Patch108: downgrade-autoconf-requirement.patch
|
||||
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
|
||||
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
|
||||
Patch112: cups-2.4.2-additional_policies.patch
|
||||
# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
|
||||
# to apply to CUPS 2.4.8 in openSUSE Factory
|
||||
# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
|
||||
# https://bugzilla.suse.com/show_bug.cgi?id=1225365
|
||||
Patch113: cups-2.4.8-CVE-2024-35235.patch
|
||||
# Build Requirements:
|
||||
BuildRequires: dbus-1-devel
|
||||
BuildRequires: fdupes
|
||||
@ -330,6 +337,13 @@ printer drivers for CUPS.
|
||||
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
|
||||
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
|
||||
%patch -P 112 -b cups-2.4.2-additional_policies.orig
|
||||
# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
|
||||
# to apply to CUPS 2.4.8 in openSUSE Factory
|
||||
# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
|
||||
# https://bugzilla.suse.com/show_bug.cgi?id=1225365
|
||||
%patch -P 113 -b cups-2.4.8-CVE-2024-35235.orig
|
||||
|
||||
%build
|
||||
# Remove ".SILENT" rule for verbose build output
|
||||
|
||||
Loading…
Reference in New Issue
Block a user