diff --git a/SOURCES/0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch b/SOURCES/0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch new file mode 100644 index 0000000..d9e7dcf --- /dev/null +++ b/SOURCES/0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch @@ -0,0 +1,26 @@ +From 5cc470c8d95df40f32e8a401b2946886c91b03d1 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Fri, 15 Nov 2024 11:55:07 -0500 +Subject: [PATCH] Fix make-and-model whitespace trimming (Issue #1096) + +--- + CHANGES.md | 1 + + cups/ppd-cache.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c +index a6163a0e1..a3198a795 100644 +--- a/cups/ppd-cache.c ++++ b/cups/ppd-cache.c +@@ -3293,6 +3293,8 @@ _ppdCreateFromIPP2( + mptr --; + if (*mptr == ' ') + *mptr = '\0'; ++ else ++ break; + } + + if (!make[0]) +-- +2.47.0 + diff --git a/SOURCES/0001-mirror-ipp-everywhere-printer-changes-from-master.patch b/SOURCES/0001-mirror-ipp-everywhere-printer-changes-from-master.patch new file mode 100644 index 0000000..20b090e --- /dev/null +++ b/SOURCES/0001-mirror-ipp-everywhere-printer-changes-from-master.patch @@ -0,0 +1,40 @@ +diff --git a/scheduler/ipp.c b/scheduler/ipp.c +index 728d164..5089172 100644 +--- a/scheduler/ipp.c ++++ b/scheduler/ipp.c +@@ -5773,6 +5773,18 @@ create_local_bg_thread( + cupsdLogMessage(CUPSD_LOG_DEBUG, "%s: IPP/1.1 Get-Printer-Attributes returned %s (%s)", printer->name, ippErrorString(cupsLastError()), cupsLastErrorString()); + } + ++ // Validate response from printer... ++ if (!ippValidateAttributes(response)) ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, "%s: The printer contains invalid attributes.", printer->name); ++ ++ if (response) ++ ippDelete(response); ++ ++ httpClose(http); ++ return (NULL); ++ } ++ + // TODO: Grab printer icon file... + httpClose(http); + +diff --git a/systemv/lpadmin.c b/systemv/lpadmin.c +index daf24d5..eba7551 100644 +--- a/systemv/lpadmin.c ++++ b/systemv/lpadmin.c +@@ -1226,6 +1226,12 @@ get_printer_ppd( + ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD, "requested-attributes", sizeof(pattrs) / sizeof(pattrs[0]), NULL, pattrs); + response = cupsDoRequest(http, request, resource); + ++ if (response && !ippValidateAttributes(response)) ++ { ++ _cupsLangPrintf(stderr, _("%s: The printer \"%s\" contains invalid IPP attributes."), "lpadmin", uri); ++ return (NULL); ++ } ++ + if (cupsLastError() >= IPP_STATUS_REDIRECTION_OTHER_SITE) + { + _cupsLangPrintf(stderr, _("%s: Unable to query printer: %s"), "lpadmin", cupsLastErrorString()); diff --git a/SOURCES/0001-ppdize-preset-and-template-names.patch b/SOURCES/0001-ppdize-preset-and-template-names.patch new file mode 100644 index 0000000..cf327ba --- /dev/null +++ b/SOURCES/0001-ppdize-preset-and-template-names.patch @@ -0,0 +1,41 @@ +From e0630cd18f76340d302000f2bf6516e99602b844 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Mon, 9 Sep 2024 15:59:57 -0400 +Subject: [PATCH] PPDize preset and template names. + +--- + cups/ppd-cache.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c +index 986c64f73..18c38d0ee 100644 +--- a/cups/ppd-cache.c ++++ b/cups/ppd-cache.c +@@ -5543,7 +5552,7 @@ pwg_ppdize_name(const char *ipp, /* I - IPP keyword */ + *end; /* End of name buffer */ + + +- if (!ipp) ++ if (!ipp || !_cups_isalnum(*ipp)) + { + *name = '\0'; + return; +@@ -5558,8 +5567,14 @@ pwg_ppdize_name(const char *ipp, /* I - IPP keyword */ + ipp ++; + *ptr++ = (char)toupper(*ipp++ & 255); + } +- else ++ else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || _cups_isalnum(*ipp)) ++ { + *ptr++ = *ipp++; ++ } ++ else ++ { ++ ipp ++; ++ } + } + + *ptr = '\0'; +-- +2.46.1 + diff --git a/SOURCES/0001-refactor-make-and-model-code.patch b/SOURCES/0001-refactor-make-and-model-code.patch new file mode 100644 index 0000000..d1667b3 --- /dev/null +++ b/SOURCES/0001-refactor-make-and-model-code.patch @@ -0,0 +1,136 @@ +diff -up cups-2.2.6/cups/ppd-cache.c.make-model-refact cups-2.2.6/cups/ppd-cache.c +--- cups-2.2.6/cups/ppd-cache.c.make-model-refact 2024-10-25 09:50:04.894056025 +0200 ++++ cups-2.2.6/cups/ppd-cache.c 2024-10-25 09:51:15.832552712 +0200 +@@ -2937,9 +2937,10 @@ _ppdCreateFromIPP(char *buffer, /* I - + *x_dim, *y_dim; /* Media dimensions */ + ipp_t *media_size; /* Media size collection */ + char make[256], /* Make and model */ +- *model, /* Model name */ ++ *mptr, /* Pointer into make and model */ + ppdname[PPD_MAX_NAME]; + /* PPD keyword */ ++ const char *model; /* Model name */ + int i, j, /* Looping vars */ + count, /* Number of values */ + bottom, /* Largest bottom margin */ +@@ -3057,35 +3058,105 @@ _ppdCreateFromIPP(char *buffer, /* I - + } + + /* +- * Standard stuff for PPD file... ++ * Get a sanitized make and model... + */ + +- cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n"); +- cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n"); +- cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR); +- cupsFilePuts(fp, "*LanguageVersion: English\n"); +- cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n"); +- cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n"); +- cupsFilePuts(fp, "*LanguageLevel: \"3\"\n"); +- cupsFilePuts(fp, "*FileSystem: False\n"); +- cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n"); ++ if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr)) ++ { ++ /* ++ * Sanitize the model name to only contain PPD-safe characters. ++ */ + +- if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL) + strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make)); ++ ++ for (mptr = make; *mptr; mptr ++) ++ { ++ if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"') ++ { ++ /* ++ * Truncate the make and model on the first bad character... ++ */ ++ ++ *mptr = '\0'; ++ break; ++ } ++ } ++ ++ while (mptr > make) ++ { ++ /* ++ * Strip trailing whitespace... ++ */ ++ ++ mptr --; ++ if (*mptr == ' ') ++ *mptr = '\0'; ++ } ++ ++ if (!make[0]) ++ { ++ /* ++ * Use a default make and model if nothing remains... ++ */ ++ ++ strlcpy(make, "Unknown", sizeof(make)); ++ } ++ } + else +- strlcpy(make, "Unknown Printer", sizeof(make)); ++ { ++ /* ++ * Use a default make and model... ++ */ ++ ++ strlcpy(make, "Unknown", sizeof(make)); ++ } + + if (!_cups_strncasecmp(make, "Hewlett Packard ", 16) || + !_cups_strncasecmp(make, "Hewlett-Packard ", 16)) + { ++ /* ++ * Normalize HP printer make and model... ++ */ ++ + model = make + 16; + strlcpy(make, "HP", sizeof(make)); ++ ++ if (!_cups_strncasecmp(model, "HP ", 3)) ++ model += 3; ++ } ++ else if ((mptr = strchr(make, ' ')) != NULL) ++ { ++ /* ++ * Separate "MAKE MODEL"... ++ */ ++ ++ while (*mptr && *mptr == ' ') ++ *mptr++ = '\0'; ++ ++ model = mptr; + } +- else if ((model = strchr(make, ' ')) != NULL) +- *model++ = '\0'; + else +- model = make; ++ { ++ /* ++ * No separate model name... ++ */ ++ ++ model = "Printer"; ++ } ++ ++ /* ++ * Standard stuff for PPD file... ++ */ + ++ cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n"); ++ cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n"); ++ cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR); ++ cupsFilePuts(fp, "*LanguageVersion: English\n"); ++ cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n"); ++ cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n"); ++ cupsFilePuts(fp, "*LanguageLevel: \"3\"\n"); ++ cupsFilePuts(fp, "*FileSystem: False\n"); ++ cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n"); + cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make); + cupsFilePrintf(fp, "*ModelName: \"%s\"\n", model); + cupsFilePrintf(fp, "*Product: \"(%s)\"\n", model); diff --git a/SPECS/cups.spec b/SPECS/cups.spec index 568452e..cc759fa 100644 --- a/SPECS/cups.spec +++ b/SPECS/cups.spec @@ -22,7 +22,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.2.6 -Release: 61%{?dist} +Release: 62%{?dist} License: GPLv2+ and LGPLv2 with exceptions and AML Url: http://www.cups.org/ Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz @@ -186,6 +186,11 @@ Patch91: cups-socket-remove-on-stop.patch # https://github.com/OpenPrinting/cups/commit/74f437b # https://github.com/OpenPrinting/cups/commit/fb0c914 Patch92: cups-check-for-listeners.patch +# RHEL-60338 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file +Patch93: 0001-mirror-ipp-everywhere-printer-changes-from-master.patch +Patch94: 0001-refactor-make-and-model-code.patch +Patch95: 0001-ppdize-preset-and-template-names.patch +Patch96: 0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch Patch1000: cups-lspp.patch @@ -509,6 +514,12 @@ Sends IPP requests to the specified URI and tests and/or displays the results. # https://github.com/OpenPrinting/cups/commit/74f437b # https://github.com/OpenPrinting/cups/commit/fb0c914 %patch92 -p1 -b .cups-check-for-listeners +# RHEL-60338 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file +%patch93 -p1 -b .ippeve-validate +%patch94 -p1 -b .make-model-refact +%patch95 -p1 -b .ppdize-presets +%patch96 -p1 -b .make-model-trim + sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in @@ -935,6 +946,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog +* Fri Oct 25 2024 Zdenek Dohnal - 1:2.2.6-62 +- RHEL-60338 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file + * Thu Aug 15 2024 Zdenek Dohnal - 1:2.2.6-61 - RHEL-54038 cups source rpm doesn't actually build lspp support - fix memory leaks caused by lspp