diff --git a/cups-2.4.8-CVE-2024-35235.patch b/cups-2.4.8-CVE-2024-35235.patch
new file mode 100644
index 0000000..5529ad0
--- /dev/null
+++ b/cups-2.4.8-CVE-2024-35235.patch
@@ -0,0 +1,87 @@
+--- cups/http-addr.c.orig 2024-04-26 13:38:21.000000000 +0200
++++ cups/http-addr.c 2024-06-11 10:20:21.866920900 +0200
+@@ -202,31 +202,30 @@ httpAddrListen(http_addr_t *addr, /* I -
+ {
+ mode_t mask; /* Umask setting */
+
+- /*
+- * Remove any existing domain socket file...
+- */
+-
+- unlink(addr->un.sun_path);
+-
+- /*
+- * Save the current umask and set it to 0 so that all users can access
+- * the domain socket...
+- */
+-
+- mask = umask(0);
+-
+- /*
+- * Bind the domain socket...
+- */
+-
+- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
+-
+- /*
+- * Restore the umask and fix permissions...
+- */
+-
+- umask(mask);
+- chmod(addr->un.sun_path, 0140777);
++ // Remove any existing domain socket file...
++ if ((status = unlink(addr->un.sun_path)) < 0)
++ {
++ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
++
++ if (errno == ENOENT)
++ status = 0;
++ }
++
++ if (!status)
++ {
++ // Save the current umask and set it to 0 so that all users can access
++ // the domain socket...
++ mask = umask(0);
++
++ // Bind the domain socket...
++ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
++ {
++ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
++ }
++
++ // Restore the umask...
++ umask(mask);
++ }
+ }
+ else
+ #endif /* AF_LOCAL */
+--- scheduler/conf.c.orig 2024-04-26 13:38:21.000000000 +0200
++++ scheduler/conf.c 2024-06-11 10:14:06.091882607 +0200
+@@ -3084,6 +3084,26 @@ read_cupsd_conf(cups_file_t *fp) /* I -
+
+
+ /*
++ * If we are launched on-demand, do not use domain sockets from the config
++ * file. Also check that the domain socket path is not too long...
++ */
++
++#ifdef HAVE_ONDEMAND
++ if (*value == '/' && OnDemand)
++ {
++ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
++ continue;
++ }
++#endif // HAVE_ONDEMAND
++
++ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
++ continue;
++ }
++
++ /*
+ * Get the address list...
+ */
+
diff --git a/cups.changes b/cups.changes
index 25639e7..ba077a2 100644
--- a/cups.changes
+++ b/cups.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Jun 11 08:28:32 UTC 2024 - Johannes Meixner
+
+- cups-2.4.8-CVE-2024-35235.patch is derived
+ from the upstream patch against master (CUPS 2.5)
+ to apply to CUPS 2.4.8 in openSUSE Factory to fix CVE-2024-35235
+ "cupsd Listen port arbitrary chmod 0140777"
+ https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
+ bsc#1225365
+
 -------------------------------------------------------------------
 Wed May 29 12:29:38 UTC 2024 - Dominique Leuenberger
diff --git a/cups.spec b/cups.spec
index 400fc66..c0784f8 100644
--- a/cups.spec
+++ b/cups.spec
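Review bot: In the cups/http-addr.c hunk carried by cups-2.4.8-CVE-2024-35235.patch, `errno == ENOENT` is tested only after `DEBUG_printf((... strerror(errno)))`, so in a debug build the logging call could change errno before the test and a missing socket file would then be treated as a hard failure. Testing errno first, e.g. `if (errno == ENOENT) status = 0; else DEBUG_printf((...));`, also keeps the normal "no stale socket" case from being logged as an unlink error. Separately, the new code still unlinks whatever exists at the configured path without confirming it is a socket; the scheduler/conf.c hunk only filters on-demand launches and over-long paths, so an `lstat()`/`S_ISSOCK` check before the unlink may be worth considering as further hardening. The body of httpAddrListen starts and ends outside the inner hunk, so how `status` is consumed afterwards is not visible here.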
@@ -103,6 +103,13 @@ Patch108: downgrade-autoconf-requirement.patch
 # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
 # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
 Patch112: cups-2.4.2-additional_policies.patch
+# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
+# to apply to CUPS 2.4.8 in openSUSE Factory
+# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
+# https://bugzilla.suse.com/show_bug.cgi?id=1225365
+Patch113: cups-2.4.8-CVE-2024-35235.patch
 # Build Requirements:
 BuildRequires: dbus-1-devel
 BuildRequires: fdupes
@@ -330,6 +337,13 @@ printer drivers for CUPS.
 # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
 # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
 %patch -P 112 -b cups-2.4.2-additional_policies.orig
+# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
+# to apply to CUPS 2.4.8 in openSUSE Factory
+# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
+# https://bugzilla.suse.com/show_bug.cgi?id=1225365
+%patch -P 113 -b cups-2.4.8-CVE-2024-35235.orig
 %build
 # Remove ".SILENT" rule for verbose build output