Compare commits

..

No commits in common. 'c9-beta' and 'c9' have entirely different histories.
c9-beta ... c9

@ -0,0 +1,19 @@
diff --git a/cupsfilters/ipp.c b/cupsfilters/ipp.c
index 2c3b740..6b2b784 100644
--- a/cupsfilters/ipp.c
+++ b/cupsfilters/ipp.c
@@ -377,6 +377,14 @@ get_printer_attributes5(http_t *http_printer,
total_attrs);
ippDelete(response);
} else {
+
+ // Check if the response is valid
+ if (!ippValidateAttributes(response))
+ {
+ ippDelete(response);
+ response = NULL;
+ }
+
/* Suitable response, we are done */
if (have_http == 0) httpClose(http_printer);
if (uri) free(uri);

@ -0,0 +1,31 @@
diff --git a/utils/cups-browsed.c b/utils/cups-browsed.c
index 6dba2ed..a5e5779 100644
--- a/utils/cups-browsed.c
+++ b/utils/cups-browsed.c
@@ -5641,6 +5641,12 @@ record_printer_options(const char *printer) {
printer);
attr = ippFirstAttribute(response);
while (attr) {
+ if (ippGetValueTag(attr) == IPP_TAG_NOVALUE)
+ {
+ attr = ippNextAttribute(response);
+ continue;
+ }
+
key = ippGetName(attr);
for (ptr = attrs_to_record; *ptr; ptr++)
if (strcasecmp(key, *ptr) == 0 ||
@@ -5657,6 +5663,13 @@ record_printer_options(const char *printer) {
memmove(c, c + 1, strlen(c));
if (*c) c ++;
}
+
+ if (strlen(buf) == 0)
+ {
+ attr = ippNextAttribute(response);
+ continue;
+ }
+
debug_printf(" %s=%s\n", key, buf);
p->num_options = cupsAddOption(key, buf, p->num_options,
&(p->options));

@ -0,0 +1,376 @@
diff --git a/cupsfilters/ppdgenerator.c b/cupsfilters/ppdgenerator.c
index 4e16383..1f3a7d8 100644
--- a/cupsfilters/ppdgenerator.c
+++ b/cupsfilters/ppdgenerator.c
@@ -92,6 +92,7 @@ typedef struct _pwg_finishings_s /**** PWG finishings mapping data ****/
static void pwg_ppdize_name(const char *ipp, char *name, size_t namesize);
static void pwg_ppdize_resolution(ipp_attribute_t *attr, int element,
int *xres, int *yres, char *name, size_t namesize);
+static void ppd_put_string(cups_file_t *fp, cups_lang_t *lang, const char *ppd_option, const char *ppd_choice, const char *pwg_msgid);
/*
* '_cupsSetError()' - Set the last PPD generator status-message.
@@ -1581,9 +1582,10 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
ipp_t *media_col, /* Media collection */
*media_size; /* Media size collection */
char make[256], /* Make and model */
- *model, /* Model name */
+ *mptr, // Pointer into make and model
ppdname[PPD_MAX_NAME];
/* PPD keyword */
+ const char *model; /* Model name */
int i, j, /* Looping vars */
count = 0, /* Number of values */
bottom, /* Largest bottom margin */
@@ -1663,6 +1665,68 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
return (NULL);
}
+ //
+ // Get a sanitized make and model...
+ //
+
+ if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr))
+ {
+ // Sanitize the model name to only contain PPD-safe characters.
+ strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
+
+ for (mptr = make; *mptr; mptr ++)
+ {
+ if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"')
+ {
+ // Truncate the make and model on the first bad character...
+ *mptr = '\0';
+ break;
+ }
+ }
+
+ while (mptr > make)
+ {
+ // Strip trailing whitespace...
+ mptr --;
+ if (*mptr == ' ')
+ *mptr = '\0';
+ }
+
+ if (!make[0])
+ {
+ // Use a default make and model if nothing remains...
+ strlcpy(make, "Unknown", sizeof(make));
+ }
+ }
+ else
+ {
+ // Use a default make and model...
+ strlcpy(make, "Unknown", sizeof(make));
+ }
+
+ if (!strncasecmp(make, "Hewlett Packard ", 16) || !strncasecmp(make, "Hewlett-Packard ", 16))
+ {
+ // Normalize HP printer make and model...
+ model = make + 16;
+ strlcpy(make, "HP", sizeof(make));
+
+ if (!strncasecmp(model, "HP ", 3))
+ model += 3;
+ }
+ else if ((mptr = strchr(make, ' ')) != NULL)
+ {
+ // Separate "MAKE MODEL"...
+ while (*mptr && *mptr == ' ')
+ *mptr++ = '\0';
+
+ model = mptr;
+ }
+ else
+ {
+ // No separate model name...
+ model = "Printer";
+ }
+
/*
* Standard stuff for PPD file...
*/
@@ -1682,24 +1746,6 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
ippContainsString(attr, "faxout"))
is_fax = 1;
- if ((attr = ippFindAttribute(response, "printer-make-and-model",
- IPP_TAG_TEXT)) != NULL)
- strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
- else if (make_model && make_model[0] != '\0')
- strlcpy(make, make_model, sizeof(make));
- else
- strlcpy(make, "Unknown Printer", sizeof(make));
-
- if (!_cups_strncasecmp(make, "Hewlett Packard ", 16) ||
- !_cups_strncasecmp(make, "Hewlett-Packard ", 16)) {
- model = make + 16;
- strlcpy(make, "HP", sizeof(make));
- }
- else if ((model = strchr(make, ' ')) != NULL)
- *model++ = '\0';
- else
- model = make;
-
cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make);
cupsFilePrintf(fp, "*ModelName: \"%s %s\"\n", make, model);
cupsFilePrintf(fp, "*Product: \"(%s %s)\"\n", make, model);
@@ -1796,14 +1842,11 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
cupsFilePuts(fp, "*cupsSNMPSupplies: False\n");
cupsFilePuts(fp, "*cupsLanguages: \"en\"\n");
- if ((attr = ippFindAttribute(response, "printer-more-info", IPP_TAG_URI)) !=
- NULL)
+ if ((attr = ippFindAttribute(response, "printer-more-info", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
cupsFilePrintf(fp, "*APSupplies: \"%s\"\n", ippGetString(attr, 0, NULL));
- if ((attr = ippFindAttribute(response, "printer-charge-info-uri",
- IPP_TAG_URI)) != NULL)
- cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0,
- NULL));
+ if ((attr = ippFindAttribute(response, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+ cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL));
/* Message catalogs for UI strings */
if (opt_strings_catalog == NULL) {
@@ -1811,7 +1854,8 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
load_opt_strings_catalog(NULL, opt_strings_catalog);
}
if ((attr = ippFindAttribute(response, "printer-strings-uri",
- IPP_TAG_URI)) != NULL) {
+ IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+ {
printer_opt_strings_catalog = optArrayNew();
load_opt_strings_catalog(ippGetString(attr, 0, NULL),
printer_opt_strings_catalog);
@@ -2553,13 +2597,15 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
break;
}
if (j >= 0)
- cupsFilePrintf(fp, "*InputSlot %s/%s: \"<</MediaPosition %d>>setpagedevice\"\n",
- ppdname, human_readable, j);
+ {
+ cupsFilePrintf(fp, "*InputSlot %s: \"<</MediaPosition %d>>setpagedevice\"\n", ppdname, j);
+ ppd_put_string(fp, lang, "InputSlot", ppdname, human_readable);
+ }
else
- cupsFilePrintf(fp, "*InputSlot %s%s%s: \"\"\n",
- ppdname,
- (human_readable ? "/" : ""),
- (human_readable ? human_readable : ""));
+ {
+ cupsFilePrintf(fp, "*InputSlot %s%s%s:\"\"\n", ppdname, human_readable ? "/" : "", human_readable ? human_readable : "");
+ ppd_put_string(fp, lang, "InputSlot", ppdname, human_readable);
+ }
}
cupsFilePuts(fp, "*CloseUI: *InputSlot\n");
}
@@ -2743,11 +2789,8 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
human_readable = (char *)_cupsLangString(lang, media_types[j][1]);
break;
}
- cupsFilePrintf(fp, "*MediaType %s%s%s: \"<</MediaType(%s)>>setpagedevice\"\n",
- ppdname,
- (human_readable ? "/" : ""),
- (human_readable ? human_readable : ""),
- ppdname);
+ cupsFilePrintf(fp, "*MediaType %s: \"<</MediaType(%s)>>setpagedevice\"\n", ppdname, ppdname);
+ ppd_put_string(fp, lang, "MediaType", ppdname, human_readable);
}
cupsFilePuts(fp, "*CloseUI: *MediaType\n");
}
@@ -3184,10 +3227,8 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
human_readable = (char *)_cupsLangString(lang, output_bins[j][1]);
break;
}
- cupsFilePrintf(fp, "*OutputBin %s%s%s: \"\"\n",
- ppdname,
- (human_readable ? "/" : ""),
- (human_readable ? human_readable : ""));
+ cupsFilePrintf(fp, "*OutputBin %s: \"\"\n", ppdname);
+ ppd_put_string(fp, lang, "OutputBin", ppdname, human_readable);
outputorderinfofound = 0;
faceupdown = 1;
firsttolast = 1;
@@ -3425,9 +3466,8 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
break;
}
- cupsFilePrintf(fp, "*StapleLocation %s%s%s: \"\"\n", ppd_keyword,
- (human_readable ? "/" : ""),
- (human_readable ? human_readable : ""));
+ cupsFilePrintf(fp, "*StapleLocation %s: \"\"\n", ppd_keyword);
+ ppd_put_string(fp, lang, "StapleLocation", ppd_keyword, human_readable);
cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*StapleLocation %s\"\n",
value, keyword, ppd_keyword);
}
@@ -3518,9 +3558,8 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
break;
}
- cupsFilePrintf(fp, "*FoldType %s%s%s: \"\"\n", ppd_keyword,
- (human_readable ? "/" : ""),
- (human_readable ? human_readable : ""));
+ cupsFilePrintf(fp, "*FoldType %s: \"\"\n", ppd_keyword);
+ ppd_put_string(fp, lang, "FoldType", ppd_keyword, human_readable);
cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*FoldType %s\"\n",
value, keyword, ppd_keyword);
}
@@ -3618,9 +3657,8 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
break;
}
- cupsFilePrintf(fp, "*PunchMedia %s%s%s: \"\"\n", ppd_keyword,
- (human_readable ? "/" : ""),
- (human_readable ? human_readable : ""));
+ cupsFilePrintf(fp, "*PunchMedia %s: \"\"\n", ppd_keyword);
+ ppd_put_string(fp, lang, "PunchMedia", ppd_keyword, human_readable);
cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*PunchMedia %s\"\n",
value, keyword, ppd_keyword);
}
@@ -3711,9 +3749,8 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
break;
}
- cupsFilePrintf(fp, "*CutMedia %s%s%s: \"\"\n", ppd_keyword,
- (human_readable ? "/" : ""),
- (human_readable ? human_readable : ""));
+ cupsFilePrintf(fp, "*CutMedia %s: \"\"\n", ppd_keyword);
+ ppd_put_string(fp, lang, "CutMedia", ppd_keyword, human_readable);
cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*CutMedia %s\"\n",
value, keyword, ppd_keyword);
}
@@ -3759,8 +3796,9 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
printer_opt_strings_catalog);
if (human_readable == NULL)
human_readable = (char *)keyword;
- cupsFilePrintf(fp, "*cupsFinishingTemplate %s/%s: \"\n", keyword,
- human_readable);
+ pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+ cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname);
+ ppd_put_string(fp, lang, "cupsFinishingTemplate", ppdname, human_readable);
for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr;
finishing_attr = ippNextAttribute(finishing_col)) {
if (ippGetValueTag(finishing_attr) == IPP_TAG_BEGIN_COLLECTION) {
@@ -4072,13 +4110,11 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
if (!preset || !preset_name)
continue;
- if ((localized_name = lookup_option((char *)preset_name,
- opt_strings_catalog,
- printer_opt_strings_catalog)) == NULL)
- cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", preset_name);
- else
- cupsFilePrintf(fp, "*APPrinterPreset %s/%s: \"\n", preset_name,
- localized_name);
+ pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
+
+ localized_name = lookup_option((char *)preset_name, opt_strings_catalog, printer_opt_strings_catalog);
+ cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", ppdname);
+ ppd_put_string(fp, lang, "APPrinterPreset", ppdname, localized_name);
for (member = ippFirstAttribute(preset); member;
member = ippNextAttribute(preset)) {
@@ -4119,7 +4155,10 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
ippGetString(ippFindAttribute(fin_col,
"finishing-template",
IPP_TAG_ZERO), 0, NULL)) != NULL)
- cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", keyword);
+ {
+ pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+ cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", ppdname);
+ }
}
} else if (!strcmp(member_name, "media")) {
/*
@@ -4152,14 +4191,14 @@ ppdCreateFromIPP2(char *buffer, /* I - Filename buffer */
IPP_TAG_ZERO), 0,
NULL)) != NULL) {
pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
- cupsFilePrintf(fp, "*InputSlot %s\n", keyword);
+ cupsFilePrintf(fp, "*InputSlot %s\n", ppdname);
}
if ((keyword = ippGetString(ippFindAttribute(media_col, "media-type",
IPP_TAG_ZERO), 0,
NULL)) != NULL) {
pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
- cupsFilePrintf(fp, "*MediaType %s\n", keyword);
+ cupsFilePrintf(fp, "*MediaType %s\n", ppdname);
}
} else if (!strcmp(member_name, "print-quality")) {
/*
@@ -4422,15 +4461,28 @@ pwg_ppdize_name(const char *ipp, /* I - IPP keyword */
*end; /* End of name buffer */
+ if (!ipp || !_cups_isalnum(*ipp))
+ {
+ *name = '\0';
+ return;
+ }
+
*name = (char)toupper(*ipp++);
for (ptr = name + 1, end = name + namesize - 1; *ipp && ptr < end;) {
- if (*ipp == '-') {
+ if (*ipp == '-' && isalnum(ipp[1]))
+ {
ipp ++;
- if (_cups_isalpha(*ipp))
- *ptr++ = (char)toupper(*ipp++ & 255);
- } else
+ *ptr++ = (char)toupper(*ipp++ & 255);
+ }
+ else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || isalnum(*ipp))
+ {
*ptr++ = *ipp++;
+ }
+ else
+ {
+ ipp ++;
+ }
}
*ptr = '\0';
@@ -4467,4 +4519,39 @@ pwg_ppdize_resolution(
snprintf(name, namesize, "%dx%ddpi", *xres, *yres);
}
}
+
+
+/*
+ * 'ppd_put_strings()' - Write localization attributes to a PPD file.
+ */
+
+static void
+ppd_put_string(cups_file_t *fp, /* I - PPD file */
+ cups_lang_t *lang, /* I - Language */
+ const char *ppd_option,/* I - PPD option */
+ const char *ppd_choice,/* I - PPD choice */
+ const char *text) /* I - Localized text */
+{
+ if (!text)
+ return;
+
+ // Add the first line of localized text...
+#if CUPS_VERSION_MAJOR > 2
+ cupsFilePrintf(fp, "*%s.%s %s/", cupsLangGetName(lang), ppd_option, ppd_choice);
+#else
+ cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice);
+#endif // CUPS_VERSION_MAJOR > 2
+
+ while (*text && *text != '\n')
+ {
+ // Escape ":" and "<"...
+ if (*text == ':' || *text == '<')
+ cupsFilePrintf(fp, "<%02X>", *text);
+ else
+ cupsFilePutChar(fp, *text);
+
+ text ++;
+ }
+ cupsFilePuts(fp, ": \"\"\n");
+}
#endif /* HAVE_CUPS_1_6 */

@ -11,7 +11,7 @@
Summary: OpenPrinting CUPS filters and backends
Name: cups-filters
Version: 1.28.7
Release: 15%{?dist}
Release: 18%{?dist}
# For a breakdown of the licensing, see COPYING file
# GPLv2: filters: commandto*, imagetoraster, pdftops, rasterto*,
@ -42,6 +42,12 @@ Patch03: 0001-libcupsfilters-Fix-page-range-like-10-in-pdftopdf-fi.patch
Patch04: beh-cve2023.patch
# RHEL-16026 Cups Browsed does not correctly pull printer location and description information from print server
Patch05: 0001-Use-description-location-from-server-if-available-ot.patch
# RHEL-46785 Cups browsing with 'Autoclustering on' in RHEL 9 cannot find printer clusters for HA
Patch06: browsed-ignore-NULL-attrs.patch
# CVE-2024-47175 cups-filters: remote command injection via attacker controlled data in PPD file
Patch07: cups-filters-CVE-2024-47175.patch
# CVE-2024-47076 cups-filters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes
Patch08: 0001-cfGetPrinterAttributes5-Validate-response-attributes.patch
# autogen.sh
@ -222,6 +228,7 @@ The package provides filters and cups-brf backend needed for braille printing.
%else
--disable-braille \
%endif
--with-browseremoteprotocols=none\
--with-remote-cups-local-queue-naming=RemoteName
%make_build
@ -275,6 +282,14 @@ do
fi
done
# Set BrowseRemoteProtocols to none in light of CVE-2024-47176
if ! grep -Fxq "# added by post scriptlet" %{_sysconfdir}/cups/cups-browsed.conf
then
cp %{_sysconfdir}/cups/cups-browsed.conf %{_sysconfdir}/cups/cups-browsed.conf.rpmsave
sed -i "s/^\s*BrowseRemoteProtocols.*/# added by post scriptlet\nBrowseRemoteProtocols none/" %{_sysconfdir}/cups/cups-browsed.conf
fi
%preun
%systemd_preun cups-browsed.service
@ -283,6 +298,38 @@ done
%ldconfig_scriptlets libs
%posttrans
if ls -lah /var/cache/cups/cups-browsed* &> /dev/null
then
BROWSED_ACTIVE="0"
CUPSD_ACTIVE="0"
if systemctl is-active cups-browsed &> /dev/null
then
BROWSED_ACTIVE="1"
CUPSD_ACTIVE="1"
elif systemctl is-active cups &> /dev/null
then
CUPSD_ACTIVE="1"
fi
if test "x$CUPSD_ACTIVE" = "x1"
then
systemctl stop cups
fi
# RHEL-46785 - clean up recorded options to make the fix work
rm -rf /var/cache/cups/*.data /var/cache/cups/cups-browsed* &> /dev/null
if test "x$BROWSED_ACTIVE" = "x1"
then
systemctl start cups-browsed
elif test "x$CUPSD_ACTIVE" = "x1"
then
systemctl start cups
fi
fi
%files
%{_pkgdocdir}/README
@ -343,7 +390,7 @@ done
%{_mandir}/man1/driverless.1.gz
%{_mandir}/man5/cups-browsed.conf.5.gz
%{_mandir}/man8/cups-browsed.8.gz
%config(noreplace) %{_sysconfdir}/cups/cups-browsed.conf
%config(noreplace) %verify(not size filedigest mtime) %{_sysconfdir}/cups/cups-browsed.conf
%{_unitdir}/cups-browsed.service
%files libs
@ -407,6 +454,17 @@ done
%endif
%changelog
* Tue Oct 01 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.7-18
- CVE-2024-47175 cups-filters: remote command injection via attacker controlled data in PPD file
- CVE-2024-47076 cups-filters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes
- CVE-2024-47176 cups-filters: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source
* Tue Aug 06 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.7-17
- RHEL-46785 - fix errors during installability tests about modified cups-browsed.conf
* Tue Jul 30 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.7-16
- RHEL-46785 Cups browsing with 'Autoclustering on' in RHEL 9 cannot find printer clusters for HA
* Mon Feb 26 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.7-15
- RHEL-19201 redhat-lsb unnecessary pulls in cups and avahi dependencies

Loading…
Cancel
Save