Accepting request 247228 from home:jsmeix:branches:Printing
CUPS security fix for CVE-2014-3537 STR#4450 plus the subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR#4455 all in bnc#887240. All those CVEs are actually only one single issue. Regarding multiple CVEs for one single issue see in particular comment#25 in bnc#887240 OBS-URL: https://build.opensuse.org/request/show/247228 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=285
This commit is contained in:
parent
6d9ce19146
commit
dd0e9ee7fb
10
cups.changes
10
cups.changes
@ -1,3 +1,13 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 2 15:26:36 CEST 2014 - jsmeix@suse.de
|
||||
|
||||
- str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch
|
||||
fixes that the web interface incorrectly served symlinked files
|
||||
and files that were not world-readable, potentially leading to
|
||||
a disclosure of information (CVE-2014-3537 STR #4450 plus the
|
||||
subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455
|
||||
all in bnc#887240).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 22 10:16:17 UTC 2014 - werner@suse.de
|
||||
|
||||
|
10
cups.spec
10
cups.spec
@ -222,6 +222,11 @@ Patch113: cups-1.5.4-CVE-2012-5519.patch
|
||||
Patch114: str4351.patch
|
||||
# Patch115 fixes STR #4388: no or malformed output from lpstat in charset other than utf-8
|
||||
Patch115: cups-1.5.4-strftime.patch
|
||||
# Patch116 fixes that the web interface incorrectly served symlinked files
|
||||
# and files that were not world-readable, potentially leading to
|
||||
# a disclosure of information (CVE-2014-3537 STR #4450 bnc#887240
|
||||
# plus the subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455):
|
||||
Patch116: str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch
|
||||
# Install into this non-root directory (required when norootforbuild is used):
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
@ -386,6 +391,11 @@ printer drivers for CUPS.
|
||||
%patch114
|
||||
# Patch115 fixes STR #4388: no or malformed output from lpstat in charset other than utf-8
|
||||
%patch115 -p1
|
||||
# Patch116 fixes that the web interface incorrectly served symlinked files
|
||||
# and files that were not world-readable, potentially leading to
|
||||
# a disclosure of information (CVE-2014-3537 STR #4450 bnc#887240
|
||||
# plus the subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455):
|
||||
%patch116
|
||||
|
||||
%build
|
||||
# Disable SILENT run of make so that make runs verbose as usual:
|
||||
|
@ -0,0 +1,164 @@
|
||||
--- scheduler/client.c.orig 2014-09-02 11:26:57.000000000 +0200
|
||||
+++ scheduler/client.c 2014-09-02 12:35:05.000000000 +0200
|
||||
@@ -3672,51 +3672,72 @@ get_file(cupsd_client_t *con, /* I - C
|
||||
if ((ptr = strchr(filename, '?')) != NULL)
|
||||
*ptr = '\0';
|
||||
|
||||
/*
|
||||
* Grab the status for this language; if there isn't a language-specific file
|
||||
* then fallback to the default one...
|
||||
*/
|
||||
|
||||
- if ((status = stat(filename, filestats)) != 0 && language[0] &&
|
||||
+ if ((status = lstat(filename, filestats)) != 0 && language[0] &&
|
||||
strncmp(con->uri, "/icons/", 7) &&
|
||||
strncmp(con->uri, "/ppd/", 5) &&
|
||||
strncmp(con->uri, "/rss/", 5) &&
|
||||
strncmp(con->uri, "/admin/conf/", 12) &&
|
||||
strncmp(con->uri, "/admin/log/", 11))
|
||||
{
|
||||
/*
|
||||
* Drop the country code...
|
||||
*/
|
||||
|
||||
language[3] = '\0';
|
||||
snprintf(filename, len, "%s%s%s", DocumentRoot, language, con->uri);
|
||||
|
||||
if ((ptr = strchr(filename, '?')) != NULL)
|
||||
*ptr = '\0';
|
||||
|
||||
- if ((status = stat(filename, filestats)) != 0)
|
||||
+ if ((status = lstat(filename, filestats)) != 0)
|
||||
{
|
||||
/*
|
||||
* Drop the language prefix and try the root directory...
|
||||
*/
|
||||
|
||||
language[0] = '\0';
|
||||
snprintf(filename, len, "%s%s", DocumentRoot, con->uri);
|
||||
|
||||
if ((ptr = strchr(filename, '?')) != NULL)
|
||||
*ptr = '\0';
|
||||
|
||||
- status = stat(filename, filestats);
|
||||
+ status = lstat(filename, filestats);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
- * If we're found a directory, get the index.html file instead...
|
||||
+ * If we've found a symlink, 404 the sucker to avoid disclosing information.
|
||||
+ */
|
||||
+
|
||||
+ if (!status && S_ISLNK(filestats->st_mode))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
|
||||
+ return (NULL);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Similarly, if the file/directory does not have world read permissions, do
|
||||
+ * not allow access...
|
||||
+ */
|
||||
+
|
||||
+ if (!status && !(filestats->st_mode & S_IROTH))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
|
||||
+ return (NULL);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If we've found a directory, get the index.html file instead...
|
||||
*/
|
||||
|
||||
if (!status && S_ISDIR(filestats->st_mode))
|
||||
{
|
||||
/*
|
||||
* Make sure the URI ends with a slash...
|
||||
*/
|
||||
|
||||
@@ -3749,58 +3770,79 @@ get_file(cupsd_client_t *con, /* I - C
|
||||
|
||||
if ((ptr = strchr(filename, '?')) != NULL)
|
||||
*ptr = '\0';
|
||||
|
||||
ptr = filename + strlen(filename);
|
||||
plen = len - (ptr - filename);
|
||||
|
||||
strlcpy(ptr, "index.html", plen);
|
||||
- status = stat(filename, filestats);
|
||||
+ status = lstat(filename, filestats);
|
||||
|
||||
#ifdef HAVE_JAVA
|
||||
if (status)
|
||||
{
|
||||
strlcpy(ptr, "index.class", plen);
|
||||
- status = stat(filename, filestats);
|
||||
+ status = lstat(filename, filestats);
|
||||
}
|
||||
#endif /* HAVE_JAVA */
|
||||
|
||||
#ifdef HAVE_PERL
|
||||
if (status)
|
||||
{
|
||||
strlcpy(ptr, "index.pl", plen);
|
||||
- status = stat(filename, filestats);
|
||||
+ status = lstat(filename, filestats);
|
||||
}
|
||||
#endif /* HAVE_PERL */
|
||||
|
||||
#ifdef HAVE_PHP
|
||||
if (status)
|
||||
{
|
||||
strlcpy(ptr, "index.php", plen);
|
||||
- status = stat(filename, filestats);
|
||||
+ status = lstat(filename, filestats);
|
||||
}
|
||||
#endif /* HAVE_PHP */
|
||||
|
||||
#ifdef HAVE_PYTHON
|
||||
if (status)
|
||||
{
|
||||
strlcpy(ptr, "index.pyc", plen);
|
||||
- status = stat(filename, filestats);
|
||||
+ status = lstat(filename, filestats);
|
||||
}
|
||||
|
||||
if (status)
|
||||
{
|
||||
strlcpy(ptr, "index.py", plen);
|
||||
status = stat(filename, filestats);
|
||||
}
|
||||
#endif /* HAVE_PYTHON */
|
||||
|
||||
}
|
||||
while (status && language[0]);
|
||||
+
|
||||
+ /*
|
||||
+ * If we've found a symlink, 404 the sucker to avoid disclosing information.
|
||||
+ */
|
||||
+
|
||||
+ if (!status && S_ISLNK(filestats->st_mode))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
|
||||
+ return (NULL);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Similarly, if the file/directory does not have world read permissions, do
|
||||
+ * not allow access...
|
||||
+ */
|
||||
+
|
||||
+ if (!status && !(filestats->st_mode & S_IROTH))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
|
||||
+ return (NULL);
|
||||
+ }
|
||||
}
|
||||
|
||||
cupsdLogMessage(CUPSD_LOG_DEBUG2,
|
||||
"get_file(con=%p(%d), filestats=%p, filename=%p, len=%d) = "
|
||||
"%s", con, con->http.fd, filestats, filename, len,
|
||||
status ? "(null)" : filename);
|
||||
|
||||
if (status)
|
Loading…
Reference in New Issue
Block a user