From a13d711d601debaad33b98fbd2ff34003fe2d08220c96125ef4fea0a575bb63f Mon Sep 17 00:00:00 2001 From: Martin Wilck Date: Fri, 17 Nov 2023 10:13:06 +0000 Subject: [PATCH 1/2] - hppsfilter: booklet printing: change insecure fixed /tmp file paths (bsc#1214399) * add hppsfilter-booklet-printing-change-insecure-fixed-tm.patch OBS-URL: https://build.opensuse.org/package/show/Printing/hplip?expand=0&rev=243 --- hplip.changes | 7 + hplip.spec | 3 + ...et-printing-change-insecure-fixed-tm.patch | 203 ++++++++++++++++++ 3 files changed, 213 insertions(+) create mode 100644 hppsfilter-booklet-printing-change-insecure-fixed-tm.patch diff --git a/hplip.changes b/hplip.changes index d10acbe..01f76dc 100644 --- a/hplip.changes +++ b/hplip.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Nov 15 20:21:30 UTC 2023 - Martin Wilck + +- hppsfilter: booklet printing: change insecure fixed /tmp file paths + (bsc#1214399) + * add hppsfilter-booklet-printing-change-insecure-fixed-tm.patch + ------------------------------------------------------------------- Mon Oct 9 17:56:07 UTC 2023 - Martin Wilck diff --git a/hplip.spec b/hplip.spec index ceb9e3a..e3c6aee 100644 --- a/hplip.spec +++ b/hplip.spec @@ -88,6 +88,8 @@ Patch404: hplip-3.20.6-python-includes.patch Patch500: hplip-missing-drivers.patch # PATCH-FIX-UPSTREAM boo#1209866 lp#2013185 Patch501: fix-printer-attributes-parsing.patch +# PATCH-FIX-SUSE bsc#1214399 +Patch502: hppsfilter-booklet-printing-change-insecure-fixed-tm.patch BuildRequires: %{pymod devel} BuildRequires: %{pymod qt5-devel} BuildRequires: %{pymod xml} @@ -334,6 +336,7 @@ This sub-package is only required by developers. %patch404 -p1 %patch500 -p1 %patch501 -p1 +%patch502 -p1 # replace "env" shebang and "/usr/bin/python" with real executable find . -name '*.py' -o -name pstotiff | \ xargs -n 1 sed -i '1s,^#!\(%{_bindir}/env python\|%{_bindir}/python\),#!%{pyexe},' diff --git a/hppsfilter-booklet-printing-change-insecure-fixed-tm.patch b/hppsfilter-booklet-printing-change-insecure-fixed-tm.patch new file mode 100644 index 0000000..073dc78 --- /dev/null +++ b/hppsfilter-booklet-printing-change-insecure-fixed-tm.patch @@ -0,0 +1,203 @@ +From d12ed6cd01bef7765cdeee16f8f6e66f22e71fbd Mon Sep 17 00:00:00 2001 +From: Matthias Gerstner +Date: Fri, 8 Sep 2023 10:17:04 +0200 +Subject: [PATCH] hppsfilter: booklet printing: change insecure fixed /tmp file + paths + +Using the fixed /tmp file paths in booklet printing /tmp/booklet.ps, +/tmp/temp.ps and /tmp/NUP.ps is a local security issue and also prevents +potential parallel operation of hplip. + +Use proper `mkstemp()` for these files. Functions like `PS_Booklet()` +and `cupsFileOpen()` don't use the open file descriptor but open the +path by name again. This is safe, since the files have already been +safely created and have safe modes. I wanted to avoid changing a whole +series of function signatures for this. + +The purpose of the `chmod()` in `open_tempbookletfile()` is unclear, the +data should only be processed by our own process. Making the file world +readable is an information leak, though. Thus drop this line. +--- + prnt/hpps/hppsfilter.c | 124 ++++++++++++++++++++++++++++++++--------- + 1 file changed, 98 insertions(+), 26 deletions(-) + +diff --git a/prnt/hpps/hppsfilter.c b/prnt/hpps/hppsfilter.c +index d6721b1..711b8d8 100644 +--- a/prnt/hpps/hppsfilter.c ++++ b/prnt/hpps/hppsfilter.c +@@ -43,7 +43,9 @@ static FILE *g_fp_outdbgps = NULL; + static FILE *ptempbooklet_file = NULL; + static char temp_filename[FILE_NAME_SIZE] = {0}; + static char booklet_filename[FILE_NAME_SIZE] = {0}; ++static int booklet_fd = -1; + static char Nup_filename[FILE_NAME_SIZE] = {0}; ++static int Nup_fd = -1; + extern void PS_Booklet(char *tempfile, char *bookletfile, char *nupfile,int order, int nup, char* pagesize, int bookletMaker); + static const char *GetOptionValue(const char *iOptionValue); + +@@ -99,16 +101,78 @@ static int hpwrite (void *pBuffer, size_t size) + return ndata_written; + } + +-static void open_tempbookletfile(char *mode) ++static int open_tempbookletfile(char *mode) + { +- ptempbooklet_file= fopen(temp_filename, mode); ++ snprintf(temp_filename, FILE_NAME_SIZE, "/tmp/hppsfilter-temp.XXXXXX"); ++ int fd = mkstemp(temp_filename); ++ if (fd < 0) { ++ temp_filename[0] = '\0'; ++ fprintf(stderr, "ERROR: Unable to open temp file %s\n", temp_filename); ++ return 1; ++ } ++ ++ ptempbooklet_file = fdopen(fd, mode); + if(ptempbooklet_file == NULL) + { +- fprintf(stderr, "ERROR: Unable to open temp file %s\n", temp_filename); +- return 1; ++ close(fd); ++ fprintf(stderr, "ERROR: Unable to open temp file %s\n", temp_filename); ++ return 1; + } +- chmod(temp_filename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); ++ return 0; ++} + ++static void clean_tempfiles() ++{ ++ if (booklet_fd != -1) ++ { ++ close(booklet_fd); ++ booklet_fd = -1; ++ } ++ ++ if (Nup_fd != -1) ++ { ++ close(Nup_fd); ++ Nup_fd = -1; ++ } ++ ++ if (ptempbooklet_file != NULL) ++ { ++ fclose(ptempbooklet_file); ++ ptempbooklet_file = NULL; ++ } ++ ++ if( booklet_filename[0] != '\0' ) ++ { ++ if ((unlink(booklet_filename)) == -1) ++ { ++ fprintf(stderr, "ERROR: Unable to remove temporary files in /tmp dir \"%s\" ",booklet_filename); ++ return 1; ++ } ++ ++ booklet_filename[0] = '\0'; ++ } ++ ++ if( temp_filename[0] != '\0' ) ++ { ++ if ((unlink(temp_filename)) == -1) ++ { ++ fprintf(stderr, "ERROR: Unable to remove temporary files in /tmp dir \"%s\" ",temp_filename); ++ return 1; ++ } ++ ++ temp_filename[0] = '\0'; ++ } ++ ++ if( Nup_filename[0] != '\0' ) ++ { ++ if ((unlink(Nup_filename)) == -1) ++ { ++ fprintf(stderr, "ERROR: Unable to remove temporary files in /tmp dir \"%s\" ",Nup_filename); ++ return 1; ++ } ++ ++ Nup_filename[0] = '\0'; ++ } + } + + static int Dump_tempbookletfile (void *pBuffer, size_t size) +@@ -921,6 +985,8 @@ int main (int argc, char **argv) + char buffer[MAX_BUFFER] = {0}; + int LfpSecurePin = 0; + ++ atexit(clean_tempfiles); ++ + get_LogLevel(); + setbuf (stderr, NULL); + +@@ -1024,13 +1090,32 @@ int main (int argc, char **argv) + if(booklet_enabled) + { + /* 1. dump the contents of the input file into temp file */ +- sprintf(booklet_filename, "/tmp/%s.ps","booklet"); +- sprintf(temp_filename, "/tmp/%s.ps","temp"); +- sprintf(Nup_filename, "/tmp/%s.ps","NUP"); +- open_tempbookletfile("w"); +- while( (numBytes = cupsFileGetLine(fp_input, line, sizeof(line))) > 0) ++ snprintf(booklet_filename, FILE_NAME_SIZE, "/tmp/hppsfilter-booklet.XXXXXX"); ++ booklet_fd = mkstemp(booklet_filename); ++ if( booklet_fd < 0 ) ++ { ++ booklet_filename[0] = '\0'; ++ fprintf(stderr, "ERROR: Unable to create booklet temporary file \"%s\"", booklet_filename); ++ return 1; ++ } ++ ++ snprintf(Nup_filename, FILE_NAME_SIZE, "/tmp/hppsfilter-nup.XXXXXX"); ++ Nup_fd = mkstemp(Nup_filename); ++ if( Nup_fd < 0 ) ++ { ++ Nup_filename[0] = '\0'; ++ clean_tempfiles(); ++ fprintf(stderr, "ERROR: Unable to create nup temporary file \"%s\"", Nup_filename); ++ return 1; ++ } ++ ++ if( open_tempbookletfile("w") != 0 ) ++ { ++ clean_tempfiles(); ++ return 1; ++ } ++ while( (numBytes = cupsFileGetLine(fp_input, line, sizeof(line))) > 0) + Dump_tempbookletfile (line, numBytes); +- fclose(ptempbooklet_file); + + /* 2. Perform the booklet operation on the PS file */ + PS_Booklet(temp_filename,booklet_filename,Nup_filename,order,nup,subString,bookletMaker); +@@ -1040,6 +1125,7 @@ int main (int argc, char **argv) + if ((fp_bookletinput = cupsFileOpen(Nup_filename, "r")) == NULL) + { + fprintf(stderr, "ERROR: Unable to open Nup_filename print file \"%s\"", Nup_filename); ++ clean_tempfiles(); + return 1; + } + while ( (numBytes = cupsFileGetLine(fp_bookletinput, line, sizeof(line))) > 0) +@@ -1047,21 +1133,7 @@ int main (int argc, char **argv) + cupsFileClose (fp_bookletinput); + + /* 4. Unlink function to remove the temp temporary files created */ +- if( (unlink(booklet_filename)) == -1) +- { +- fprintf(stderr, "ERROR: Unable to remove temporary files in /tmp dir \"%s\" ",booklet_filename); +- return 1; +- } +- if( (unlink(temp_filename)) == -1) +- { +- fprintf(stderr, "ERROR: Unable to remove temporary files in /tmp dir \"%s\" ",temp_filename); +- return 1; +- } +- if( (unlink(Nup_filename)) == -1) +- { +- fprintf(stderr, "ERROR: Unable to remove temporary files in /tmp dir \"%s\" ",Nup_filename); +- return 1; +- } ++ clean_tempfiles(); + booklet_enabled = 0; + bookletMaker=0; + } +-- +2.42.1 + From 2c19af6ac1f5bc5185f60801e6508c1b10ed91ebc99571543b6b0556a3017ec9 Mon Sep 17 00:00:00 2001 From: Martin Wilck Date: Fri, 17 Nov 2023 10:21:57 +0000 Subject: [PATCH 2/2] - add missing Jira ref jsc#PED-5846 OBS-URL: https://build.opensuse.org/package/show/Printing/hplip?expand=0&rev=244 --- hplip.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hplip.changes b/hplip.changes index 01f76dc..42226f0 100644 --- a/hplip.changes +++ b/hplip.changes @@ -8,7 +8,7 @@ Wed Nov 15 20:21:30 UTC 2023 - Martin Wilck ------------------------------------------------------------------- Mon Oct 9 17:56:07 UTC 2023 - Martin Wilck -- Update to hplip 3.23.8 +- Update to hplip 3.23.8 (jsc#PED-5846) - Support for new printers: * HP Color LaserJet Pro MFP 4301fdne * HP Color LaserJet Pro MFP 4301fdwe