Accepting request 889939 from Printing
Fixed CVE-2021-25317 (bsc#1184161) (forwarded request 889938 from jsmeix) OBS-URL: https://build.opensuse.org/request/show/889939 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=156
This commit is contained in:
Dominique Leuenberger
Git OBS Bridge
commit
d28270ff6c
14
cups.changes
14
cups.changes
@ -1,3 +1,17 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon May 3 09:57:33 CEST 2021 - jsmeix@suse.de
|
||||
|
||||
- When cupsd creates directories with specific owner group
|
||||
and permissions (usually owner is 'root' and group matches
|
||||
"configure --with-cups-group=lp") specify same owner group and
|
||||
permissions in the RPM spec file to ensure those directories
|
||||
are installed by RPM with the right settings because if those
|
||||
directories were installed by RPM with different settings then
|
||||
cupsd would use them as is and not adjust its specific owner
|
||||
group and permissions which could lead to privilege escalation
|
||||
from 'lp' user to 'root' via symlink attacks e.g. if owner is
|
||||
falsely 'lp' instead of 'root' CVE-2021-25317 (bsc#1184161)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 20 10:57:45 CEST 2021 - jsmeix@suse.de
|
||||
|
||||
|
||||
36
cups.spec
36
cups.spec
@ -528,6 +528,21 @@ exit 0
|
||||
# not build and install an executable when whatever condition
|
||||
# for configure's automated tests is not fulfilled in the build system.
|
||||
# See https://bugzilla.novell.com/show_bug.cgi?id=526847#c9
|
||||
# Regarding specific owner group and permission settings for directories
|
||||
# see https://bugzilla.suse.com/show_bug.cgi?id=1184161
|
||||
# When cupsd creates directories with specific owner group and permissions
|
||||
# (usually owner is 'root' and group matches "configure --with-cups-group=lp")
|
||||
# we must specify same owner group and permission settings here
|
||||
# to ensure those directories are installed by RPM with the right settings
|
||||
# because if those directories were installed by RPM with different settings then
|
||||
# cupsd would use them as is and not adjust its specific owner group and permissions.
|
||||
# How cupsd creates those directories:
|
||||
# drwxr-xr-x ... root lp ... /etc/cups/ppd
|
||||
# see https://bugzilla.suse.com/show_bug.cgi?id=1184161#c7
|
||||
# The /etc/cups/ssl directory is not created by cupsd (but needed by it)
|
||||
# and when needed (e.g. during the first run of "# lpstat -E -p")
|
||||
# cupsd creates files in /etc/cups/ssl like localhost.crt and localhost.key
|
||||
# so we specify secure owner group and permissions for /etc/cups/ssl
|
||||
%config(noreplace) %attr(640,root,lp) %{_sysconfdir}/cups/cups-files.conf
|
||||
%config(noreplace) %attr(640,root,lp) %{_sysconfdir}/cups/cupsd.conf
|
||||
%config(noreplace) %attr(640,root,lp) %{_sysconfdir}/cups/snmp.conf
|
||||
@ -537,7 +552,7 @@ exit 0
|
||||
%config %{_sysconfdir}/cups/cups-files.conf.default
|
||||
%config %{_sysconfdir}/cups/snmp.conf.default
|
||||
%dir %attr(755,root,lp) %{_sysconfdir}/cups/ppd
|
||||
%dir %attr(700,root,lp) %{_sysconfdir}/cups/ssl
|
||||
%dir %attr(700,root,root) %{_sysconfdir}/cups/ssl
|
||||
%{_unitdir}/cups.service
|
||||
%{_unitdir}/cups.socket
|
||||
%{_unitdir}/cups.path
|
||||
@ -693,6 +708,21 @@ exit 0
|
||||
%{_libdir}/libcupsimage.so.2
|
||||
|
||||
%files config
|
||||
# Regarding specific owner group and permission settings for directories
|
||||
# see the above comment in the files section of the main package.
|
||||
# How cupsd creates those directories:
|
||||
# drwx--x--- ... root lp ... /var/spool/cups
|
||||
# drwxrwx--T ... root lp ... /var/spool/cups/tmp
|
||||
# drwxr-xr-x ... root lp ... /var/log/cups
|
||||
# drwxrwx--- ... root lp ... /var/cache/cups
|
||||
# see https://bugzilla.suse.com/show_bug.cgi?id=1184161#c7
|
||||
# The 'lp' user does not need write permissions in /var/log/cups
|
||||
# regardless that filters and backends are usually run as user 'lp' because
|
||||
# filters and backends write log messages to the inherited stderr file descriptor
|
||||
# and do not append them directly to /var/log/cups/error_log (via fopen on their own).
|
||||
# The /etc/cups directory is not created by cupsd but needed by it
|
||||
# because cupsd cannot start if there is no /etc/cups/cupsd.conf file
|
||||
# (otherwise cupsd aborts with: "Unable to open /etc/cups/cupsd.conf").
|
||||
%defattr(-,root,root)
|
||||
%if 0%{?suse_version} >= 1330
|
||||
%dir %attr(0755,root,lp) /etc/cups
|
||||
@ -700,8 +730,8 @@ exit 0
|
||||
%config(noreplace) %{_sysconfdir}/cups/client.conf
|
||||
%dir %attr(0710,root,lp) %{_var}/spool/cups
|
||||
%dir %attr(1770,root,lp) %{_var}/spool/cups/tmp
|
||||
%dir %attr(0755,lp,lp) %{_var}/log/cups/
|
||||
%dir %attr(0775,lp,lp) %{_var}/cache/cups
|
||||
%dir %attr(0755,root,lp) %{_var}/log/cups
|
||||
%dir %attr(0770,root,lp) %{_var}/cache/cups
|
||||
%{_bindir}/cups-config
|
||||
%{_datadir}/locale/*/cups_*
|
||||
%doc %{_mandir}/man1/cups-config.1.gz
|
||||
|
||||
Loading…
Reference in New Issue
Block a user