pool/cups
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 880107 from Printing

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/880107
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=153
This commit is contained in:
Dominique Leuenberger 2021-03-24 15:10:07 +00:00 committed by Git OBS Bridge
commit f45e783ca4
3 changed files with 253 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
cups.changes
View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Fri Mar 19 12:02:38 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- fix-negotiate-authentication-between-CGIs-and-scheduler.patch
fixes web UI Kerberos authentication (bsc#1175960)
-------------------------------------------------------------------
Thu Mar 18 18:18:18 UTC 2021 - olaf@aepfle.de
- Remove code comments from expanded scriptlets to reduce size
-------------------------------------------------------------------
Tue Feb 2 14:22:38 CET 2021 - jsmeix@suse.de

24
cups.spec
View File

@ -78,6 +78,8 @@ Patch104: cups-config-libs.patch
# Patch105 CVE-2020-10001.patch fixes CVE-2020-10001 (bsc#1180520)
# access to uninitialized buffer in ipp.c
Patch105: CVE-2020-10001.patch
# Patch106 Fixes web UI Kerberos authentication (bsc#1175960)
Patch106: fix-negotiate-authentication-between-CGIs-and-scheduler.patch
# Build Requirements:
BuildRequires: dbus-1-devel
BuildRequires: fdupes
@ -189,8 +191,8 @@ printers drivers.
Summary: CUPS library configuration files
Group: Hardware/Printing
%if 0%{?suse_version} >= 1330
Requires(pre): user(lp)
Requires(pre): group(lp)
Requires(pre): user(lp)
Requires(pre): group(lp)
%endif
%description config
@ -302,6 +304,8 @@ printer drivers for CUPS.
# Patch105 CVE-2020-10001.patch fixes CVE-2020-10001 (bsc#1180520)
# access to uninitialized buffer in ipp.c
%patch105 -b CVE-2020-10001.orig
# Patch106 Fixes web UI Kerberos authentication (bsc#1175960)
%patch106 -p1
%build
# Remove ".SILENT" rule for verbose build output
@ -437,9 +441,11 @@ getent group ntadmin >/dev/null || %{_sbindir}/groupadd -g 71 -o -r ntadmin
%service_add_pre cups.service cups-lpd.socket cups.socket
%post -p /bin/bash
%service_add_post cups.service cups-lpd.socket cups.socket
%if 0
# Use %%tmpfiles_create when 13.2 is oldest in support scope
%endif
/usr/bin/systemd-tmpfiles --create %{_tmpfilesdir}/cups.conf || :
%service_add_post cups.service cups-lpd.socket cups.socket
%preun -p /bin/bash
%service_del_preun cups.service cups-lpd.socket cups.socket
@ -448,6 +454,7 @@ getent group ntadmin >/dev/null || %{_sbindir}/groupadd -g 71 -o -r ntadmin
%service_del_postun cups.service cups-lpd.socket cups.socket
%posttrans -p /bin/bash
%if 0
# Use a real bash script with an explicit "exit 0" at the end to be by default fail safe
# an explicit "exit 1" must be use to enforce package install/upgrade/erase failure where needed
# see the "Shared_libraries" section in http://en.opensuse.org/openSUSE:Packaging_scriptlet_snippets
@ -466,17 +473,23 @@ getent group ntadmin >/dev/null || %{_sbindir}/groupadd -g 71 -o -r ntadmin
# and http://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Scriptlet_Ordering
# from the new package only "posttrans of new package" is run after "removal of old package"
# so that the new package must do the clean up as RPM posttrans scriptlet.
%endif
for u in cups.service cups.socket cups.path; do
if systemctl --quiet is-enabled $u 2>/dev/null
then # Refresh still valid enabled systemd units and clean up possibly obsoleted systemd units:
then
%if 0
# Refresh still valid enabled systemd units and clean up possibly obsoleted systemd units:
# Enforce systemd to use the current unit file which is usually the unit file of the new package
# but also in case of custom units (that use other unit files) a "reenable" won't hurt because
# "reenable" does not implicitly stop a running service which is "the right thing" because
# a RPM package installation must not automatically disrupt (restart) a running service.
# Using "--force reenable" is essential to clean up possibly conflicting/broken symlinks.
# (without "|| :" build fails with "Failed to get D-Bus connection: No connection to service manager. posttrans script ... failed"):
%endif
systemctl --quiet --force reenable $u 2>/dev/null || :
else # Refresh still valid disabled systemd units and clean up possibly obsoleted systemd units:
else
%if 0
# Refresh still valid disabled systemd units and clean up possibly obsoleted systemd units:
# First using "--force reenable" is essential to clean up possibly conflicting/broken symlinks
# because there is no "--force disable" that would clean up possibly conflicting/broken symlinks
# see https://bugzilla.opensuse.org/show_bug.cgi?id=904215#c34
@ -484,6 +497,7 @@ for u in cups.service cups.socket cups.path; do
# If a disabled systemd unit has become obsoleted, "systemctl --force reenable" will clean it up
# which means the unit gets removed and the subsequent "systemctl disable" will do nothing.
# (without "|| :" build fails with "Failed to get D-Bus connection: No connection to service manager. posttrans script ... failed"):
%endif
systemctl --quiet --force reenable $u 2>/dev/null || :
systemctl --quiet disable $u 2>/dev/null || :
fi

223
fix-negotiate-authentication-between-CGIs-and-scheduler.patch Normal file
View File

@ -0,0 +1,223 @@
From d4521ed0df7e625ccf2bc079bab6f48c46ef9bf9 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 26 Oct 2020 17:35:22 +0100
Subject: [PATCH 1/4] Avoid infinite loop in admin.cgi when negotiate is used
SetAuthorizationString with NULL argument sets an empty string.
Related: #5596
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
cups/auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cups/auth.c b/cups/auth.c
index db45bbba6..f2409350a 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -295,7 +295,7 @@ cupsDoAuthentication(
}
}
- if (http->authstring)
+ if (http->authstring && http->authstring[0])
{
DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\".", http->authstring));
--
2.30.2
From 61ad7780bc7d0593e3225d088ac6dff31badf801 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 27 Oct 2020 16:11:41 +0100
Subject: [PATCH 2/4] Add cups_is_local_connection() to check if connection is
to localhost
Related: #5596
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
cups/auth.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/cups/auth.c b/cups/auth.c
index f2409350a..d2956438d 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -90,6 +90,7 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status,
# define cups_gss_printf(major, minor, message)
# endif /* DEBUG */
#endif /* HAVE_GSSAPI */
+static int cups_is_local_connection(http_t *http);
static int cups_local_auth(http_t *http);
@@ -916,6 +917,14 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */
# endif /* DEBUG */
#endif /* HAVE_GSSAPI */
+static int /* O - 0 if not a local connection */
+ /* 1 if local connection */
+cups_is_local_connection(http_t *http) /* I - HTTP connection to server */
+{
+ if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
+ return 0;
+ return 1;
+}
/*
* 'cups_local_auth()' - Get the local authorization certificate if
@@ -958,7 +967,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
* See if we are accessing localhost...
*/
- if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
+ if (!cups_is_local_connection(http))
{
DEBUG_puts("8cups_local_auth: Not a local connection!");
return (1);
--
2.30.2
From f629d079750a86b1b605c285f99c0dea3933ca50 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 27 Oct 2020 16:23:30 +0100
Subject: [PATCH 3/4] Try local kerberos ccache credentials only for remote
servers
If connecting to localhost then proceed to ask the client for the
authorization using cupsGetPassword2. The get password callback will
return 401 to the client with WWW-Authenticate: Negotiate.
Fixes: #5596
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
cups/auth.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/cups/auth.c b/cups/auth.c
index d2956438d..9661657fc 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -175,10 +175,10 @@ cupsDoAuthentication(
DEBUG_printf(("2cupsDoAuthentication: Trying scheme \"%s\"...", scheme));
#ifdef HAVE_GSSAPI
- if (!_cups_strcasecmp(scheme, "Negotiate"))
+ if (!_cups_strcasecmp(scheme, "Negotiate") && !cups_is_local_connection(http))
{
/*
- * Kerberos authentication...
+ * Kerberos authentication to remote server...
*/
int gss_status; /* Auth status */
@@ -202,7 +202,9 @@ cupsDoAuthentication(
}
else
#endif /* HAVE_GSSAPI */
- if (_cups_strcasecmp(scheme, "Basic") && _cups_strcasecmp(scheme, "Digest"))
+ if (_cups_strcasecmp(scheme, "Basic") &&
+ _cups_strcasecmp(scheme, "Digest") &&
+ _cups_strcasecmp(scheme, "Negotiate"))
{
/*
* Other schemes not yet supported...
@@ -216,7 +218,7 @@ cupsDoAuthentication(
* See if we should retry the current username:password...
*/
- if ((http->digest_tries > 1 || !http->userpass[0]) && (!_cups_strcasecmp(scheme, "Basic") || (!_cups_strcasecmp(scheme, "Digest"))))
+ if (http->digest_tries > 1 || !http->userpass[0])
{
/*
* Nope - get a new password from the user...
--
2.30.2
From 0563a28b18b21d5574a5e0e38b74246146074bbf Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 27 Oct 2020 16:18:03 +0100
Subject: [PATCH 4/4] Allow Local authentication for Negotiate
PeerCred is also possible if address family is AF_LOCAL. This will allow
the CGI programs to generate the authorization from the local
certificates based on PID also when Negotiate is used for local
connections:
Client CGI
Browser <- Remote conn -> admin.cgi <--- Localhost conn ---> Scheduler
| | |
+ --- HTTP/POST /admin/ --> | |
| + --- CUPS-Get-Devices ------------> |
| | |
| | <-- 401 Unauthorized --------------+
| | WWW-Authenticate: |
| | Negotiate, (PeerCred,) Local |
| | |
| <-- 401 Unauthorized -----+ |
| WWW-Authenticate: | |
| Negotiate | |
| | |
| --- HTTP/POST /admin/ --> | |
| Authorization: + --- IPP CUPS-GetDevices ---------> |
| Negotiate | Authorization: Local <cert> |
| | |
Fixes: #5596
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
cups/auth.c | 5 -----
scheduler/client.c | 9 ++-------
2 files changed, 2 insertions(+), 12 deletions(-)
diff --git a/cups/auth.c b/cups/auth.c
index 9661657fc..b6fec6b98 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -1043,11 +1043,6 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
}
# endif /* HAVE_AUTHORIZATION_H */
-# ifdef HAVE_GSSAPI
- if (cups_auth_find(www_auth, "Negotiate"))
- return (1);
-# endif /* HAVE_GSSAPI */
-
# if defined(SO_PEERCRED) && defined(AF_LOCAL)
/*
* See if we can authenticate using the peer credentials provided over a
diff --git a/scheduler/client.c b/scheduler/client.c
index c2ee8f12a..56797d58d 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -2109,18 +2109,13 @@ cupsdSendHeader(
}
else if (auth_type == CUPSD_AUTH_NEGOTIATE)
{
-#if defined(SO_PEERCRED) && defined(AF_LOCAL)
- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
- strlcpy(auth_str, "PeerCred", sizeof(auth_str));
- else
-#endif /* SO_PEERCRED && AF_LOCAL */
strlcpy(auth_str, "Negotiate", sizeof(auth_str));
}
- if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
+ if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
{
/*
- * Add a "trc" (try root certification) parameter for local non-Kerberos
+ * Add a "trc" (try root certification) parameter for local
* requests when the request requires system group membership - then the
* client knows the root certificate can/should be used.
*
--
2.30.2