pool/cups
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 24139 from Printing

Browse Source 
Copy from Printing/cups based on submit request 24139 from user jsmeix

OBS-URL: https://build.opensuse.org/request/show/24139
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=65
This commit is contained in:
OBS User autobuild 2009-11-16 09:36:13 +00:00 committed by Git OBS Bridge
parent bb79efc73d
commit d94423f073
4 changed files with 481 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
cups-1.3.11-CVE-2009-2820-regression-fix.patch Normal file
View File

@ -0,0 +1,27 @@
--- cgi-bin/admin.c.after-cups-1.3.11-CVE-2009-2820-patch 2009-11-03 12:33:53.000000000 +0100
+++ cgi-bin/admin.c 2009-11-03 12:37:37.000000000 +0100
@@ -486,6 +486,7 @@ do_am_class(http_t *http, /* I - HTTP c
ipp_attribute_t *attr; /* member-uris attribute */
char uri[HTTP_MAX_URI]; /* Device or printer URI */
const char *name, /* Pointer to class name */
+ *op, /* Operation name */
*ptr; /* Pointer to CGI variable */
const char *title; /* Title of page */
static const char * const pattrs[] = /* Requested printer attributes */
@@ -497,6 +498,7 @@ do_am_class(http_t *http, /* I - HTTP c
title = cgiText(modify ? _("Modify Class") : _("Add Class"));
+ op = cgiGetVariable("OP");
name = cgiGetVariable("PRINTER_NAME");
if (cgiGetVariable("PRINTER_LOCATION") == NULL)
@@ -516,6 +518,8 @@ do_am_class(http_t *http, /* I - HTTP c
*/
cgiClearVariables();
+ if (op)
+ cgiSetVariable("OP", op);
if (name)
cgiSetVariable("PRINTER_NAME", name);

424
cups-1.3.11-CVE-2009-2820.patch Normal file
View File

@ -0,0 +1,424 @@
diff -upr cups-1.3.11.orig/cgi-bin/admin.c cups-1.3.11/cgi-bin/admin.c
--- cups-1.3.11.orig/cgi-bin/admin.c 2009-06-18 23:42:45.000000000 +0200
+++ cups-1.3.11/cgi-bin/admin.c 2009-10-21 11:43:02.000000000 +0200
@@ -104,6 +104,7 @@ main(int argc, /* I - Number of comm
*/
cgiSetVariable("SECTION", "admin");
+ cgiSetVariable("REFRESH_PAGE", "");
/*
* See if we have form data...
@@ -134,16 +135,61 @@ main(int argc, /* I - Number of comm
if (getenv("HTTPS"))
- snprintf(prefix, sizeof(prefix), "https://%s:%s",
- getenv("SERVER_NAME"), getenv("SERVER_PORT"));
+ snprintf(prefix, sizeof(prefix), "https://%s:%s",
+ getenv("SERVER_NAME"), getenv("SERVER_PORT"));
else
- snprintf(prefix, sizeof(prefix), "http://%s:%s",
- getenv("SERVER_NAME"), getenv("SERVER_PORT"));
+ snprintf(prefix, sizeof(prefix), "http://%s:%s",
+ getenv("SERVER_NAME"), getenv("SERVER_PORT"));
+
+ fprintf(stderr, "DEBUG: redirecting with prefix %s!\n", prefix);
if ((url = cgiGetVariable("URL")) != NULL)
- printf("Location: %s%s\n\n", prefix, url);
+ {
+ char encoded[1024], /* Encoded URL string */
+ *ptr; /* Pointer into encoded string */
+
+
+ ptr = encoded;
+ if (*url != '/')
+ *ptr++ = '/';
+
+ for (; *url && ptr < (encoded + sizeof(encoded) - 4); url ++)
+ {
+ if (strchr("%@&+ <>#=", *url) || *url < ' ' || *url & 128)
+ {
+ /*
+ * Percent-encode this character; safe because we have at least 4
+ * bytes left in the array...
+ */
+
+ sprintf(ptr, "%%%02X", *url & 255);
+ ptr += 3;
+ }
+ else
+ *ptr++ = *url;
+ }
+
+ *ptr = '\0';
+
+ if (*url)
+ {
+ /*
+ * URL was too long, just redirect to the admin page...
+ */
+
+ printf("Location: %s/admin\n\n", prefix);
+ }
+ else
+ {
+ /*
+ * URL is OK, redirect there...
+ */
+
+ printf("Location: %s%s\n\n", prefix, encoded);
+ }
+ }
else
- printf("Location: %s/admin\n\n", prefix);
+ printf("Location: %s/admin\n\n", prefix);
}
else if (!strcmp(op, "start-printer"))
do_printer_op(http, IPP_RESUME_PRINTER, cgiText(_("Start Printer")));
@@ -293,6 +339,31 @@ do_add_rss_subscription(http_t *http) /*
* and classes and (re)show the add page...
*/
+ if (cgiGetVariable("EVENT_JOB_CREATED"))
+ cgiSetVariable("EVENT_JOB_CREATED", "CHECKED");
+ if (cgiGetVariable("EVENT_JOB_COMPLETED"))
+ cgiSetVariable("EVENT_JOB_COMPLETED", "CHECKED");
+ if (cgiGetVariable("EVENT_JOB_STOPPED"))
+ cgiSetVariable("EVENT_JOB_STOPPED", "CHECKED");
+ if (cgiGetVariable("EVENT_JOB_CONFIG_CHANGED"))
+ cgiSetVariable("EVENT_JOB_CONFIG_CHANGED", "CHECKED");
+ if (cgiGetVariable("EVENT_PRINTER_STOPPED"))
+ cgiSetVariable("EVENT_PRINTER_STOPPED", "CHECKED");
+ if (cgiGetVariable("EVENT_PRINTER_ADDED"))
+ cgiSetVariable("EVENT_PRINTER_ADDED", "CHECKED");
+ if (cgiGetVariable("EVENT_PRINTER_MODIFIED"))
+ cgiSetVariable("EVENT_PRINTER_MODIFIED", "CHECKED");
+ if (cgiGetVariable("EVENT_PRINTER_DELETED"))
+ cgiSetVariable("EVENT_PRINTER_DELETED", "CHECKED");
+ if (cgiGetVariable("EVENT_SERVER_STARTED"))
+ cgiSetVariable("EVENT_SERVER_STARTED", "CHECKED");
+ if (cgiGetVariable("EVENT_SERVER_STOPPED"))
+ cgiSetVariable("EVENT_SERVER_STOPPED", "CHECKED");
+ if (cgiGetVariable("EVENT_SERVER_RESTARTED"))
+ cgiSetVariable("EVENT_SERVER_RESTARTED", "CHECKED");
+ if (cgiGetVariable("EVENT_SERVER_AUDIT"))
+ cgiSetVariable("EVENT_SERVER_AUDIT", "CHECKED");
+
request = ippNewRequest(CUPS_GET_PRINTERS);
response = cupsDoRequest(http, request, "/");
@@ -450,6 +521,10 @@ do_am_class(http_t *http, /* I - HTTP c
* Do the request and get back a response...
*/
+ cgiClearVariables();
+ if (name)
+ cgiSetVariable("PRINTER_NAME", name);
+
if ((response = cupsDoRequest(http, request, "/")) != NULL)
{
/*
@@ -2336,7 +2411,9 @@ do_menu(http_t *http) /* I - HTTP conn
if ((val = cupsGetOption("DefaultAuthType", num_settings,
settings)) != NULL && !strcasecmp(val, "Negotiate"))
cgiSetVariable("KERBEROS", "CHECKED");
+ else
#endif /* HAVE_GSSAPI */
+ cgiSetVariable("KERBEROS", "");
cupsFreeOptions(num_settings, settings);
diff -upr cups-1.3.11.orig/cgi-bin/cgi.h cups-1.3.11/cgi-bin/cgi.h
--- cups-1.3.11.orig/cgi-bin/cgi.h 2008-07-12 00:48:49.000000000 +0200
+++ cups-1.3.11/cgi-bin/cgi.h 2009-10-21 11:42:42.000000000 +0200
@@ -54,6 +54,7 @@ typedef struct cgi_file_s /**** Uploade
extern void cgiAbort(const char *title, const char *stylesheet,
const char *format, ...);
extern int cgiCheckVariables(const char *names);
+extern void cgiClearVariables(void);
extern void *cgiCompileSearch(const char *query);
extern void cgiCopyTemplateFile(FILE *out, const char *tmpl);
extern void cgiCopyTemplateLang(const char *tmpl);
diff -upr cups-1.3.11.orig/cgi-bin/classes.c cups-1.3.11/cgi-bin/classes.c
--- cups-1.3.11.orig/cgi-bin/classes.c 2008-07-12 00:48:49.000000000 +0200
+++ cups-1.3.11/cgi-bin/classes.c 2009-10-21 11:43:16.000000000 +0200
@@ -69,6 +69,7 @@ main(int argc, /* I - Number of comm
*/
cgiSetVariable("SECTION", "classes");
+ cgiSetVariable("REFRESH_PAGE", "");
/*
* See if we are displaying a printer or all classes...
diff -upr cups-1.3.11.orig/cgi-bin/help.c cups-1.3.11/cgi-bin/help.c
--- cups-1.3.11.orig/cgi-bin/help.c 2008-07-12 00:48:49.000000000 +0200
+++ cups-1.3.11/cgi-bin/help.c 2009-10-21 11:43:06.000000000 +0200
@@ -63,6 +63,7 @@ main(int argc, /* I - Number of comm
*/
cgiSetVariable("SECTION", "help");
+ cgiSetVariable("REFRESH_PAGE", "");
/*
* Load the help index...
@@ -102,7 +103,7 @@ main(int argc, /* I - Number of comm
*/
for (i = 0; i < argc; i ++)
- fprintf(stderr, "argv[%d]=\"%s\"\n", i, argv[i]);
+ fprintf(stderr, "DEBUG: argv[%d]=\"%s\"\n", i, argv[i]);
if ((helpfile = getenv("PATH_INFO")) != NULL)
{
@@ -179,6 +180,12 @@ main(int argc, /* I - Number of comm
topic = cgiGetVariable("TOPIC");
si = helpSearchIndex(hi, query, topic, helpfile);
+ cgiClearVariables();
+ if (query)
+ cgiSetVariable("QUERY", query);
+ if (topic)
+ cgiSetVariable("TOPIC", topic);
+
fprintf(stderr, "DEBUG: query=\"%s\", topic=\"%s\"\n",
query ? query : "(null)", topic ? topic : "(null)");
diff -upr cups-1.3.11.orig/cgi-bin/ipp-var.c cups-1.3.11/cgi-bin/ipp-var.c
--- cups-1.3.11.orig/cgi-bin/ipp-var.c 2009-03-05 19:44:14.000000000 +0100
+++ cups-1.3.11/cgi-bin/ipp-var.c 2009-10-21 11:42:57.000000000 +0200
@@ -1220,7 +1220,9 @@ cgiShowJobs(http_t *http, /* I - Co
int ascending, /* Order of jobs (0 = descending) */
first, /* First job to show */
count; /* Number of jobs */
- const char *var; /* Form variable */
+ const char *var, /* Form variable */
+ *query, /* Query string */
+ *section; /* Section in web interface */
void *search; /* Search data */
char url[1024], /* URL for prev/next/this */
*urlptr, /* Position in URL */
@@ -1265,10 +1267,13 @@ cgiShowJobs(http_t *http, /* I - Co
* Get a list of matching job objects.
*/
- if ((var = cgiGetVariable("QUERY")) != NULL)
- search = cgiCompileSearch(var);
+ if ((query = cgiGetVariable("QUERY")) != NULL)
+ search = cgiCompileSearch(query);
else
+ {
+ query = NULL;
search = NULL;
+ }
jobs = cgiGetIPPObjects(response, search);
count = cupsArrayCount(jobs);
@@ -1293,16 +1298,27 @@ cgiShowJobs(http_t *http, /* I - Co
if (first < 0)
first = 0;
- sprintf(url, "%d", count);
- cgiSetVariable("TOTAL", url);
-
if ((var = cgiGetVariable("ORDER")) != NULL)
ascending = !strcasecmp(var, "asc");
else
- {
ascending = !which_jobs || !strcasecmp(which_jobs, "not-completed");
- cgiSetVariable("ORDER", ascending ? "asc" : "dec");
- }
+
+ section = cgiGetVariable("SECTION");
+
+ cgiClearVariables();
+
+ if (query)
+ cgiSetVariable("QUERY", query);
+
+ cgiSetVariable("ORDER", ascending ? "asc" : "dec");
+
+ cgiSetVariable("SECTION", section);
+
+ sprintf(url, "%d", count);
+ cgiSetVariable("TOTAL", url);
+
+ if (which_jobs)
+ cgiSetVariable("WHICH_JOBS", which_jobs);
if (ascending)
{
@@ -1325,11 +1341,10 @@ cgiShowJobs(http_t *http, /* I - Co
urlend = url + sizeof(url);
- if ((var = cgiGetVariable("QUERY")) != NULL)
+ if (query != NULL)
{
if (dest)
- snprintf(url, sizeof(url), "/%s/%s?QUERY=", cgiGetVariable("SECTION"),
- dest);
+ snprintf(url, sizeof(url), "/%s/%s?QUERY=", section, dest);
else
strlcpy(url, "/jobs/?QUERY=", sizeof(url));
@@ -1344,7 +1359,7 @@ cgiShowJobs(http_t *http, /* I - Co
else
{
if (dest)
- snprintf(url, sizeof(url), "/%s/%s?", cgiGetVariable("SECTION"), dest);
+ snprintf(url, sizeof(url), "/%s/%s?", section, dest);
else
strlcpy(url, "/jobs/?", sizeof(url));
diff -upr cups-1.3.11.orig/cgi-bin/jobs.c cups-1.3.11/cgi-bin/jobs.c
--- cups-1.3.11.orig/cgi-bin/jobs.c 2008-07-12 00:48:49.000000000 +0200
+++ cups-1.3.11/cgi-bin/jobs.c 2009-10-21 11:43:13.000000000 +0200
@@ -57,6 +57,7 @@ main(int argc, /* I - Number of comm
*/
cgiSetVariable("SECTION", "jobs");
+ cgiSetVariable("REFRESH_PAGE", "");
/*
* Connect to the HTTP server...
diff -upr cups-1.3.11.orig/cgi-bin/printers.c cups-1.3.11/cgi-bin/printers.c
--- cups-1.3.11.orig/cgi-bin/printers.c 2008-07-12 00:48:49.000000000 +0200
+++ cups-1.3.11/cgi-bin/printers.c 2009-10-21 11:42:30.000000000 +0200
@@ -72,6 +72,7 @@ main(int argc, /* I - Number of comm
*/
cgiSetVariable("SECTION", "printers");
+ cgiSetVariable("REFRESH_PAGE", "");
/*
* See if we are displaying a printer or all printers...
diff -upr cups-1.3.11.orig/cgi-bin/template.c cups-1.3.11/cgi-bin/template.c
--- cups-1.3.11.orig/cgi-bin/template.c 2008-07-12 00:48:49.000000000 +0200
+++ cups-1.3.11/cgi-bin/template.c 2009-10-21 11:42:50.000000000 +0200
@@ -639,6 +639,8 @@ cgi_puts(const char *s, /* I - String
fputs("&gt;", out);
else if (*s == '\"')
fputs("&quot;", out);
+ else if (*s == '\'')
+ fputs("&#39;", out);
else if (*s == '&')
fputs("&amp;", out);
else
@@ -659,7 +661,7 @@ cgi_puturi(const char *s, /* I - String
{
while (*s)
{
- if (strchr("%&+ <>#=", *s) || *s & 128)
+ if (strchr("%@&+ <>#=", *s) || *s < ' ' || *s & 128)
fprintf(out, "%%%02X", *s & 255);
else
putc(*s, out);
diff -upr cups-1.3.11.orig/cgi-bin/var.c cups-1.3.11/cgi-bin/var.c
--- cups-1.3.11.orig/cgi-bin/var.c 2009-05-08 06:56:54.000000000 +0200
+++ cups-1.3.11/cgi-bin/var.c 2009-10-21 11:43:09.000000000 +0200
@@ -15,6 +15,7 @@
* Contents:
*
* cgiCheckVariables() - Check for the presence of "required" variables.
+ * cgiClearVariables() - Clear all form variables.
* cgiGetArray() - Get an element from a form array...
* cgiGetFile() - Get the file (if any) that was submitted in the form.
* cgiGetSize() - Get the size of a form array value.
@@ -135,6 +136,31 @@ cgiCheckVariables(const char *names) /*
/*
+ * 'cgiClearVariables()' - Clear all form variables.
+ */
+
+void
+cgiClearVariables(void)
+{
+ int i, j; /* Looping vars */
+ _cgi_var_t *v; /* Current variable */
+
+
+ for (v = form_vars, i = form_count; i > 0; v ++, i --)
+ {
+ _cupsStrFree(v->name);
+ for (j = 0; j < v->nvalues; j ++)
+ if (v->values[j])
+ _cupsStrFree(v->values[j]);
+ }
+
+ form_count = 0;
+
+ cgi_unlink_file();
+}
+
+
+/*
* 'cgiGetArray()' - Get an element from a form array...
*/
@@ -154,7 +180,7 @@ cgiGetArray(const char *name, /* I - Na
if (element < 0 || element >= var->nvalues)
return (NULL);
- return (var->values[element]);
+ return (_cupsStrAlloc(var->values[element]));
}
@@ -209,7 +235,7 @@ cgiGetVariable(const char *name) /* I -
var->values[var->nvalues - 1]);
#endif /* DEBUG */
- return ((var == NULL) ? NULL : var->values[var->nvalues - 1]);
+ return ((var == NULL) ? NULL : _cupsStrAlloc(var->values[var->nvalues - 1]));
}
@@ -341,9 +367,9 @@ cgiSetArray(const char *name, /* I - Na
var->nvalues = element + 1;
}
else if (var->values[element])
- free((char *)var->values[element]);
+ _cupsStrFree((char *)var->values[element]);
- var->values[element] = strdup(value);
+ var->values[element] = _cupsStrAlloc(value);
}
}
@@ -388,7 +414,7 @@ cgiSetSize(const char *name, /* I - Nam
{
for (i = size; i < var->nvalues; i ++)
if (var->values[i])
- free((void *)(var->values[i]));
+ _cupsStrFree((void *)(var->values[i]));
}
var->nvalues = size;
@@ -421,9 +447,9 @@ cgiSetVariable(const char *name, /* I -
{
for (i = 0; i < var->nvalues; i ++)
if (var->values[i])
- free((char *)var->values[i]);
+ _cupsStrFree((char *)var->values[i]);
- var->values[0] = strdup(value);
+ var->values[0] = _cupsStrAlloc(value);
var->nvalues = 1;
}
}
@@ -470,10 +496,10 @@ cgi_add_variable(const char *name, /* I
if ((var->values = calloc(element + 1, sizeof(char *))) == NULL)
return;
- var->name = strdup(name);
+ var->name = _cupsStrAlloc(name);
var->nvalues = element + 1;
var->avalues = element + 1;
- var->values[element] = strdup(value);
+ var->values[element] = _cupsStrAlloc(value);
form_count ++;
}

15
cups.changes
View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Wed Nov 11 11:56:12 CET 2009 - jsmeix@suse.de
- cups-1.3.11-CVE-2009-2820-regression-fix.patch
fixes a regression which was introduced by
the previous cups-1.3.11-CVE-2009-2820.patch
which lets adding a class via CUPS Web Interface fail
with an 'Unknown operation "{op}"' error message
(CUPS STR #3401 and
Novell/Suse Bugzilla bnc#548317 starting at comment #24).
- cups-1.3.11-CVE-2009-2820.patch fixes CUPS Web Interface
Cross-Site Scripting (XSS) and CRLF injection in HTTP headers
(CVE-2009-2820 and CUPS STR #3367 and
Novell/Suse Bugzilla bnc#548317).
-------------------------------------------------------------------
Wed Aug 26 21:43:03 CEST 2009 - meissner@suse.de

16
cups.spec
View File

@ -30,7 +30,7 @@ License: GPL v2 or later
Group: Hardware/Printing
Summary: The Common UNIX Printing System
Version: 1.3.11
Release: 3
Release: 4
Requires: cups-libs = %{version}, cups-client = %{version}
Requires: ghostscript_any, ghostscript-fonts-std, foomatic-filters
Requires: util-linux /usr/bin/pdftops
@ -111,6 +111,13 @@ Patch22: cups-1.3.7-additional_policies.patch
# but would be only needed to satisfy 'AC_PATH_PROG(CUPS_PDFTOPS, pdftops)'
# in cups-pdf.m4 if only 'configure --with-pdftops=pdftops' was possible:
Patch29: full_path_to_configure_with-pdftops.patch
# Patch30 fixes CUPS Web Interface Cross-Site Scripting (XSS) and CRLF injection in HTTP headers,
# (CVE-2009-2820 and Novell/Suse Bugzilla bnc#548317):
Patch30: cups-1.3.11-CVE-2009-2820.patch
# Patch31 fixes a regression which was introduced by Patch30
# now adding a class via web interface fails with 'Unknown operation "{op}"'
# (Novell/Suse Bugzilla bnc#548317 starting at comment #24):
Patch31: cups-1.3.11-CVE-2009-2820-regression-fix.patch
# Patch100 cups-1.1.23-testpage.patch is finally removed
# since CUPS 1.3.10 because it was made for CUPS 1.1 and
# it was no longer applied since CUPS 1.2 in Suse Linux 10.3 and
@ -221,6 +228,13 @@ Authors:
# Patch29 full_path_to_configure_with-pdftops.patch adds support
# for 'configure --with-pdftops=/usr/bin/pdftops':
%patch29
# Patch30 fixes CUPS Web Interface Cross-Site Scripting (XSS) and CRLF injection in HTTP headers,
# (CVE-2009-2820 and Novell/Suse Bugzilla bnc#548317):
%patch30 -p1
# Patch31 fixes a regression which was introduced by Patch30
# now adding a class via web interface fails with 'Unknown operation "{op}"'
# (Novell/Suse Bugzilla bnc#548317 starting at comment #24):
%patch31
if [ -f /.buildenv ]; then
. /.buildenv
test -z "$BUILD_DISTRIBUTION_NAME" && BUILD_DISTRIBUTION_NAME="%{?distribution}"