Accepting request 247228 from home:jsmeix:branches:Printing

CUPS security fix for CVE-2014-3537 STR#4450 plus the subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR#4455 all in bnc#887240. All those CVEs are actually only one single issue. Regarding multiple CVEs for one single issue see in particular comment#25 in bnc#887240 OBS-URL: https://build.opensuse.org/request/show/247228 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=285
2014-09-02 13:39:36 +00:00 · 2014-09-02 13:39:36 +00:00 · dd0e9ee7fb
commit dd0e9ee7fb
parent 6d9ce19146
3 changed files with 184 additions and 0 deletions
--- a/cups.changes
+++ b/cups.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Sep  2 15:26:36 CEST 2014 - jsmeix@suse.de
+
+- str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch
+  fixes that the web interface incorrectly served symlinked files
+  and files that were not world-readable, potentially leading to
+  a disclosure of information (CVE-2014-3537 STR #4450 plus the
+  subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455
+  all in bnc#887240).
+
 -------------------------------------------------------------------
 Thu May 22 10:16:17 UTC 2014 - werner@suse.de

--- a/cups.spec
+++ b/cups.spec
@ -222,6 +222,11 @@ Patch113:       cups-1.5.4-CVE-2012-5519.patch
 Patch114:       str4351.patch
 # Patch115 fixes STR #4388: no or malformed output from lpstat in charset other than utf-8
 Patch115:       cups-1.5.4-strftime.patch
+# Patch116 fixes that the web interface incorrectly served symlinked files
+# and files that were not world-readable, potentially leading to
+# a disclosure of information (CVE-2014-3537 STR #4450 bnc#887240
+# plus the subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455):
+Patch116:       str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch
 # Install into this non-root directory (required when norootforbuild is used):
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

@ -386,6 +391,11 @@ printer drivers for CUPS.
 %patch114
 # Patch115 fixes STR #4388: no or malformed output from lpstat in charset other than utf-8
 %patch115 -p1
+# Patch116 fixes that the web interface incorrectly served symlinked files
+# and files that were not world-readable, potentially leading to
+# a disclosure of information (CVE-2014-3537 STR #4450 bnc#887240
+# plus the subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455):
+%patch116

 %build
 # Disable SILENT run of make so that make runs verbose as usual:
--- a/str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch
+++ b/str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch
@ -0,0 +1,164 @@
+--- scheduler/client.c.orig	2014-09-02 11:26:57.000000000 +0200
+++ scheduler/client.c	2014-09-02 12:35:05.000000000 +0200
+@@ -3672,51 +3672,72 @@ get_file(cupsd_client_t *con,		/* I  - C
+   if ((ptr = strchr(filename, '?')) != NULL)
+     *ptr = '\0';
+ 
+  /*
+   * Grab the status for this language; if there isn't a language-specific file
+   * then fallback to the default one...
+   */
+ 
+-  if ((status = stat(filename, filestats)) != 0 && language[0] &&
+  if ((status = lstat(filename, filestats)) != 0 && language[0] &&
+       strncmp(con->uri, "/icons/", 7) &&
+       strncmp(con->uri, "/ppd/", 5) &&
+       strncmp(con->uri, "/rss/", 5) &&
+       strncmp(con->uri, "/admin/conf/", 12) &&
+       strncmp(con->uri, "/admin/log/", 11))
+   {
+    /*
+     * Drop the country code...
+     */
+ 
+     language[3] = '\0';
+     snprintf(filename, len, "%s%s%s", DocumentRoot, language, con->uri);
+ 
+     if ((ptr = strchr(filename, '?')) != NULL)
+       *ptr = '\0';
+ 
+-    if ((status = stat(filename, filestats)) != 0)
+    if ((status = lstat(filename, filestats)) != 0)
+     {
+      /*
+       * Drop the language prefix and try the root directory...
+       */
+ 
+       language[0] = '\0';
+       snprintf(filename, len, "%s%s", DocumentRoot, con->uri);
+ 
+       if ((ptr = strchr(filename, '?')) != NULL)
+ 	*ptr = '\0';
+ 
+-      status = stat(filename, filestats);
+      status = lstat(filename, filestats);
+     }
+   }
+ 
+  /*
+-  * If we're found a directory, get the index.html file instead...
+  * If we've found a symlink, 404 the sucker to avoid disclosing information.
+  */
+
+  if (!status && S_ISLNK(filestats->st_mode))
+  {
+    cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
+    return (NULL);
+  }
+
+ /*
+  * Similarly, if the file/directory does not have world read permissions, do
+  * not allow access...
+  */
+
+  if (!status && !(filestats->st_mode & S_IROTH))
+  {
+    cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
+    return (NULL);
+  }
+
+ /*
+  * If we've found a directory, get the index.html file instead...
+   */
+ 
+   if (!status && S_ISDIR(filestats->st_mode))
+   {
+    /*
+     * Make sure the URI ends with a slash...
+     */
+ 
+@@ -3749,58 +3770,79 @@ get_file(cupsd_client_t *con,		/* I  - C
+ 
+       if ((ptr = strchr(filename, '?')) != NULL)
+ 	*ptr = '\0';
+ 
+       ptr  = filename + strlen(filename);
+       plen = len - (ptr - filename);
+ 
+       strlcpy(ptr, "index.html", plen);
+-      status = stat(filename, filestats);
+      status = lstat(filename, filestats);
+ 
+ #ifdef HAVE_JAVA
+       if (status)
+       {
+ 	strlcpy(ptr, "index.class", plen);
+-	status = stat(filename, filestats);
+	status = lstat(filename, filestats);
+       }
+ #endif /* HAVE_JAVA */
+ 
+ #ifdef HAVE_PERL
+       if (status)
+       {
+ 	strlcpy(ptr, "index.pl", plen);
+-	status = stat(filename, filestats);
+	status = lstat(filename, filestats);
+       }
+ #endif /* HAVE_PERL */
+ 
+ #ifdef HAVE_PHP
+       if (status)
+       {
+ 	strlcpy(ptr, "index.php", plen);
+-	status = stat(filename, filestats);
+	status = lstat(filename, filestats);
+       }
+ #endif /* HAVE_PHP */
+ 
+ #ifdef HAVE_PYTHON
+       if (status)
+       {
+ 	strlcpy(ptr, "index.pyc", plen);
+-	status = stat(filename, filestats);
+	status = lstat(filename, filestats);
+       }
+ 
+       if (status)
+       {
+ 	strlcpy(ptr, "index.py", plen);
+ 	status = stat(filename, filestats);
+       }
+ #endif /* HAVE_PYTHON */
+ 
+     }
+     while (status && language[0]);
+
+   /*
+    * If we've found a symlink, 404 the sucker to avoid disclosing information.
+    */
+
+    if (!status && S_ISLNK(filestats->st_mode))
+    {
+      cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
+      return (NULL);
+    }
+
+   /*
+    * Similarly, if the file/directory does not have world read permissions, do
+    * not allow access...
+    */
+
+    if (!status && !(filestats->st_mode & S_IROTH))
+    {
+      cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
+      return (NULL);
+    }
+   }
+ 
+   cupsdLogMessage(CUPSD_LOG_DEBUG2,
+                   "get_file(con=%p(%d), filestats=%p, filename=%p, len=%d) = "
+ 		  "%s", con, con->http.fd, filestats, filename, len,
+ 		  status ? "(null)" : filename);
+ 
+   if (status)