mirror of
https://git.yoctoproject.org/poky
synced 2026-04-21 03:32:12 +02:00
cups: Security fix for CVE-2024-35235
CVE fixed: - CVE-2024-35235: cups: Cupsd Listen arbitrary chmod 0140777 Upstream-Status: Backport froma436956f37,e3952d3ecd (diff-6fc0a5ba57f83c8177d28f44729276fe35fcaaceae8b774481e6973fcbdf733d)(From OE-Core rev: 7fadda8f9605f826744438cefc35658047bbdb01) Signed-off-by: Rohini Sangam <rsangam@mvista.com> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Rohini Sangam
committed by
Steve Sakoman
Steve Sakoman
parent
3e5256df66
commit
ee54170b3f
@@ -19,6 +19,7 @@ SRC_URI = "https://github.com/OpenPrinting/cups/releases/download/v${PV}/cups-${
|
||||
file://CVE-2023-34241.patch \
|
||||
file://CVE-2023-32360.patch \
|
||||
file://CVE-2023-4504.patch \
|
||||
file://CVE-2024-35235.patch \
|
||||
"
|
||||
|
||||
UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases"
|
||||
|
||||
121
meta/recipes-extended/cups/cups/CVE-2024-35235.patch
Normal file
121
meta/recipes-extended/cups/cups/CVE-2024-35235.patch
Normal file
@@ -0,0 +1,121 @@
|
||||
From a436956f374b0fd7f5da9df482e4f5840fa1c0d2 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Dohnal <zdohnal@redhat.com>
|
||||
Date: Mon, 3 Jun 2024 18:53:58 +0200
|
||||
Subject: [PATCH] CVE-2024-35235: Fix domain socket handling
|
||||
|
||||
- Check status of unlink and bind system calls.
|
||||
- Don't allow extra domain sockets when running from launchd/systemd.
|
||||
- Validate length of domain socket path (< sizeof(sun_path))
|
||||
|
||||
Upstream-Status: Backport from https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2, https://github.com/OpenPrinting/cups/commit/e3952d3ecd231588bb382529281a294124db9348#diff-6fc0a5ba57f83c8177d28f44729276fe35fcaaceae8b774481e6973fcbdf733d
|
||||
CVE: CVE-2024-35235
|
||||
|
||||
Signed-off-by: Rohini Sangam <rsangam@mvista.com>
|
||||
---
|
||||
cups/debug-internal.h | 4 +--
|
||||
cups/http-addr.c | 36 ++++++++++---------
|
||||
scheduler/conf.c | 20 +++++++++++
|
||||
3 files changed, 41 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/cups/debug-internal.h b/cups/debug-internal.h
|
||||
index 2b57854..2e1a56a 100644
|
||||
--- a/cups/debug-internal.h
|
||||
+++ b/cups/debug-internal.h
|
||||
@@ -59,10 +59,10 @@ extern "C" {
|
||||
|
||||
# ifdef DEBUG
|
||||
# define DEBUG_puts(x) _cups_debug_puts(x)
|
||||
-# define DEBUG_printf(x) _cups_debug_printf x
|
||||
+# define DEBUG_printf(...) _cups_debug_printf(__VA_ARGS__)
|
||||
# else
|
||||
# define DEBUG_puts(x)
|
||||
-# define DEBUG_printf(x)
|
||||
+# define DEBUG_printf(...)
|
||||
# endif /* DEBUG */
|
||||
|
||||
|
||||
diff --git a/cups/http-addr.c b/cups/http-addr.c
|
||||
index 114a644..610e9db 100644
|
||||
--- a/cups/http-addr.c
|
||||
+++ b/cups/http-addr.c
|
||||
@@ -206,27 +206,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
|
||||
* Remove any existing domain socket file...
|
||||
*/
|
||||
|
||||
- unlink(addr->un.sun_path);
|
||||
-
|
||||
- /*
|
||||
- * Save the current umask and set it to 0 so that all users can access
|
||||
- * the domain socket...
|
||||
- */
|
||||
-
|
||||
- mask = umask(0);
|
||||
+ if ((status = unlink(addr->un.sun_path)) < 0)
|
||||
+ {
|
||||
+ DEBUG_printf("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno));
|
||||
|
||||
- /*
|
||||
- * Bind the domain socket...
|
||||
- */
|
||||
+ if (errno == ENOENT)
|
||||
+ status = 0;
|
||||
+ }
|
||||
|
||||
- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
|
||||
+ if (!status)
|
||||
+ {
|
||||
+ // Save the current umask and set it to 0 so that all users can access
|
||||
+ // the domain socket...
|
||||
+ mask = umask(0);
|
||||
|
||||
- /*
|
||||
- * Restore the umask and fix permissions...
|
||||
- */
|
||||
+ // Bind the domain socket...
|
||||
+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
|
||||
+ {
|
||||
+ DEBUG_printf("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno));
|
||||
+ }
|
||||
|
||||
- umask(mask);
|
||||
- chmod(addr->un.sun_path, 0140777);
|
||||
+ // Restore the umask...
|
||||
+ umask(mask);
|
||||
+ }
|
||||
}
|
||||
else
|
||||
#endif /* AF_LOCAL */
|
||||
diff --git a/scheduler/conf.c b/scheduler/conf.c
|
||||
index 535d40f..3a2eec2 100644
|
||||
--- a/scheduler/conf.c
|
||||
+++ b/scheduler/conf.c
|
||||
@@ -3074,6 +3074,26 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
|
||||
cupsd_listener_t *lis; /* New listeners array */
|
||||
|
||||
|
||||
+ /*
|
||||
+ * If we are launched on-demand, do not use domain sockets from the config
|
||||
+ * file. Also check that the domain socket path is not too long...
|
||||
+ */
|
||||
+
|
||||
+#ifdef HAVE_ONDEMAND
|
||||
+ if (*value == '/' && OnDemand)
|
||||
+ {
|
||||
+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
|
||||
+ continue;
|
||||
+ }
|
||||
+#endif // HAVE_ONDEMAND
|
||||
+
|
||||
+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Get the address list...
|
||||
*/
|
||||
--
|
||||
2.35.7
|
||||
|
||||
Reference in New Issue
Block a user