pool/cups
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1180031 from home:jsmeix:branches:Printing

Browse Source 
Fix for CVE-2024-35235 bsc#1225365

OBS-URL: https://build.opensuse.org/request/show/1180031
OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=411
This commit is contained in:
Johannes Meixner 2024-06-11 14:28:04 +00:00 committed by Git OBS Bridge
parent 6eb4ff1738
commit 9c2057097a
3 changed files with 111 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
cups-2.4.8-CVE-2024-35235.patch Normal file
View File

@ -0,0 +1,87 @@
--- cups/http-addr.c.orig 2024-04-26 13:38:21.000000000 +0200
+++ cups/http-addr.c 2024-06-11 10:20:21.866920900 +0200
@@ -202,31 +202,30 @@ httpAddrListen(http_addr_t *addr, /* I -
{
mode_t mask; /* Umask setting */
- /*
- * Remove any existing domain socket file...
- */
-
- unlink(addr->un.sun_path);
-
- /*
- * Save the current umask and set it to 0 so that all users can access
- * the domain socket...
- */
-
- mask = umask(0);
-
- /*
- * Bind the domain socket...
- */
-
- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
-
- /*
- * Restore the umask and fix permissions...
- */
-
- umask(mask);
- chmod(addr->un.sun_path, 0140777);
+ // Remove any existing domain socket file...
+ if ((status = unlink(addr->un.sun_path)) < 0)
+ {
+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
+
+ if (errno == ENOENT)
+ status = 0;
+ }
+
+ if (!status)
+ {
+ // Save the current umask and set it to 0 so that all users can access
+ // the domain socket...
+ mask = umask(0);
+
+ // Bind the domain socket...
+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
+ {
+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
+ }
+
+ // Restore the umask...
+ umask(mask);
+ }
}
else
#endif /* AF_LOCAL */
--- scheduler/conf.c.orig 2024-04-26 13:38:21.000000000 +0200
+++ scheduler/conf.c 2024-06-11 10:14:06.091882607 +0200
@@ -3084,6 +3084,26 @@ read_cupsd_conf(cups_file_t *fp) /* I -
/*
+ * If we are launched on-demand, do not use domain sockets from the config
+ * file. Also check that the domain socket path is not too long...
+ */
+
+#ifdef HAVE_ONDEMAND
+ if (*value == '/' && OnDemand)
+ {
+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
+ continue;
+ }
+#endif // HAVE_ONDEMAND
+
+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
+ {
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
+ continue;
+ }
+
+ /*
* Get the address list...
*/

10
cups.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Tue Jun 11 08:28:32 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
- cups-2.4.8-CVE-2024-35235.patch is derived
from the upstream patch against master (CUPS 2.5)
to apply to CUPS 2.4.8 in openSUSE Factory to fix CVE-2024-35235
"cupsd Listen port arbitrary chmod 0140777"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
bsc#1225365
------------------------------------------------------------------- -------------------------------------------------------------------
Wed May 29 12:29:38 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org> Wed May 29 12:29:38 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>

14
cups.spec
View File

@ -103,6 +103,13 @@ Patch108: downgrade-autoconf-requirement.patch
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309 # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
Patch112: cups-2.4.2-additional_policies.patch Patch112: cups-2.4.2-additional_policies.patch
# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
# to apply to CUPS 2.4.8 in openSUSE Factory
# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
# https://bugzilla.suse.com/show_bug.cgi?id=1225365
Patch113: cups-2.4.8-CVE-2024-35235.patch
# Build Requirements: # Build Requirements:
BuildRequires: dbus-1-devel BuildRequires: dbus-1-devel
BuildRequires: fdupes BuildRequires: fdupes
@ -330,6 +337,13 @@ printer drivers for CUPS.
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309 # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
%patch -P 112 -b cups-2.4.2-additional_policies.orig %patch -P 112 -b cups-2.4.2-additional_policies.orig
# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
# to apply to CUPS 2.4.8 in openSUSE Factory
# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
# https://bugzilla.suse.com/show_bug.cgi?id=1225365
%patch -P 113 -b cups-2.4.8-CVE-2024-35235.orig
%build %build
# Remove ".SILENT" rule for verbose build output # Remove ".SILENT" rule for verbose build output