diff --git a/SOURCES/0001-prevent-ppd-generation-based-on-invalid-ipp-response.patch b/SOURCES/0001-prevent-ppd-generation-based-on-invalid-ipp-response.patch new file mode 100644 index 0000000..e0d0025 --- /dev/null +++ b/SOURCES/0001-prevent-ppd-generation-based-on-invalid-ipp-response.patch @@ -0,0 +1,435 @@ +diff --git a/ppd/ppd-cache.c b/ppd/ppd-cache.c +index 95fb553..7e4ac41 100644 +--- a/ppd/ppd-cache.c ++++ b/ppd/ppd-cache.c +@@ -4711,7 +4711,7 @@ ppdPwgPpdizeName(const char *ipp, // I - IPP keyword + *end; // End of name buffer + + +- if (!ipp) ++ if (!ipp || !_ppd_isalnum(*ipp)) + { + *name = '\0'; + return; +@@ -4721,13 +4721,19 @@ ppdPwgPpdizeName(const char *ipp, // I - IPP keyword + + for (ptr = name + 1, end = name + namesize - 1; *ipp && ptr < end;) + { +- if (*ipp == '-' && _ppd_isalnum(ipp[1])) ++ if (*ipp == '-' && isalnum(ipp[1])) + { + ipp ++; + *ptr++ = (char)toupper(*ipp++ & 255); + } +- else ++ else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || isalnum(*ipp)) ++ { + *ptr++ = *ipp++; ++ } ++ else ++ { ++ ipp ++; ++ } + } + + *ptr = '\0'; +diff --git a/ppd/ppd-generator.c b/ppd/ppd-generator.c +index 637e7b5..2a2b53b 100644 +--- a/ppd/ppd-generator.c ++++ b/ppd/ppd-generator.c +@@ -51,6 +51,7 @@ + + static int http_connect(http_t **http, const char *url, char *resource, + size_t ressize); ++static void ppd_put_string(cups_file_t *fp, cups_lang_t *lang, const char *ppd_option, const char *ppd_choice, const char *pwg_msgid); + + + // +@@ -187,6 +188,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + size_t status_msg_size) // I - Size of status + // message buffer + { ++ cups_lang_t *lang; // Localization language + cups_file_t *fp; // PPD file + cups_array_t *printer_sizes; // Media sizes we've added + cups_size_t *size; // Current media size +@@ -199,9 +201,10 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + ipp_t *media_col, // Media collection + *media_size; // Media size collection + char make[256], // Make and model +- *model, // Model name ++ *mptr, // Pointer into make and model + ppdname[PPD_MAX_NAME]; + // PPD keyword ++ const char *model; // Model name + int i, j, // Looping vars + count = 0, // Number of values + bottom, // Largest bottom margin +@@ -283,6 +286,68 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + return (NULL); + } + ++ // ++ // Get a sanitized make and model... ++ // ++ ++ if ((attr = ippFindAttribute(supported, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr)) ++ { ++ // Sanitize the model name to only contain PPD-safe characters. ++ strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make)); ++ ++ for (mptr = make; *mptr; mptr ++) ++ { ++ if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"') ++ { ++ // Truncate the make and model on the first bad character... ++ *mptr = '\0'; ++ break; ++ } ++ } ++ ++ while (mptr > make) ++ { ++ // Strip trailing whitespace... ++ mptr --; ++ if (*mptr == ' ') ++ *mptr = '\0'; ++ } ++ ++ if (!make[0]) ++ { ++ // Use a default make and model if nothing remains... ++ strlcpy(make, "Unknown", sizeof(make)); ++ } ++ } ++ else ++ { ++ // Use a default make and model... ++ strlcpy(make, "Unknown", sizeof(make)); ++ } ++ ++ if (!strncasecmp(make, "Hewlett Packard ", 16) || !strncasecmp(make, "Hewlett-Packard ", 16)) ++ { ++ // Normalize HP printer make and model... ++ model = make + 16; ++ strlcpy(make, "HP", sizeof(make)); ++ ++ if (!strncasecmp(model, "HP ", 3)) ++ model += 3; ++ } ++ else if ((mptr = strchr(make, ' ')) != NULL) ++ { ++ // Separate "MAKE MODEL"... ++ while (*mptr && *mptr == ' ') ++ *mptr++ = '\0'; ++ ++ model = mptr; ++ } ++ else ++ { ++ // No separate model name... ++ model = "Printer"; ++ } ++ + // + // Standard stuff for PPD file... + // +@@ -311,25 +376,6 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + } + } + +- if ((attr = ippFindAttribute(supported, "printer-make-and-model", +- IPP_TAG_TEXT)) != NULL) +- strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make)); +- else if (make_model && make_model[0] != '\0') +- strlcpy(make, make_model, sizeof(make)); +- else +- strlcpy(make, "Unknown Printer", sizeof(make)); +- +- if (!strncasecmp(make, "Hewlett Packard ", 16) || +- !strncasecmp(make, "Hewlett-Packard ", 16)) +- { +- model = make + 16; +- strlcpy(make, "HP", sizeof(make)); +- } +- else if ((model = strchr(make, ' ')) != NULL) +- *model++ = '\0'; +- else +- model = make; +- + cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make); + cupsFilePrintf(fp, "*ModelName: \"%s %s\"\n", make, model); + cupsFilePrintf(fp, "*Product: \"(%s %s)\"\n", make, model); +@@ -425,21 +471,19 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + } + cupsFilePuts(fp, "\"\n"); + +- if ((attr = ippFindAttribute(supported, "printer-more-info", IPP_TAG_URI)) != +- NULL) ++ if ((attr = ippFindAttribute(supported, "printer-more-info", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) + cupsFilePrintf(fp, "*APSupplies: \"%s\"\n", ippGetString(attr, 0, NULL)); + +- if ((attr = ippFindAttribute(supported, "printer-charge-info-uri", +- IPP_TAG_URI)) != NULL) +- cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, +- NULL)); ++ if ((attr = ippFindAttribute(supported, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) ++ cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL)); + + // Message catalogs for UI strings ++ lang = cupsLangDefault(); + opt_strings_catalog = cfCatalogOptionArrayNew(); + cfCatalogLoad(NULL, NULL, opt_strings_catalog); + + if ((attr = ippFindAttribute(supported, "printer-strings-uri", +- IPP_TAG_URI)) != NULL) ++ IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) + { + printer_opt_strings_catalog = cfCatalogOptionArrayNew(); + cfCatalogLoad(ippGetString(attr, 0, NULL), NULL, +@@ -492,7 +536,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + response = cupsDoRequest(http, request, resource); + + if ((attr = ippFindAttribute(response, "printer-strings-uri", +- IPP_TAG_URI)) != NULL) ++ IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) + cupsFilePrintf(fp, "*cupsStringsURI %s: \"%s\"\n", keyword, + ippGetString(attr, 0, NULL)); + +@@ -518,13 +562,10 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + IPP_TAG_BOOLEAN), 0)) + cupsFilePuts(fp, "*cupsJobAccountingUserId: True\n"); + +- if ((attr = ippFindAttribute(supported, "printer-privacy-policy-uri", +- IPP_TAG_URI)) != NULL) +- cupsFilePrintf(fp, "*cupsPrivacyURI: \"%s\"\n", +- ippGetString(attr, 0, NULL)); ++ if ((attr = ippFindAttribute(supported, "printer-privacy-policy-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) ++ cupsFilePrintf(fp, "*cupsPrivacyURI: \"%s\"\n", ippGetString(attr, 0, NULL)); + +- if ((attr = ippFindAttribute(supported, "printer-mandatory-job-attributes", +- IPP_TAG_KEYWORD)) != NULL) ++ if ((attr = ippFindAttribute(supported, "printer-mandatory-job-attributes", IPP_TAG_KEYWORD)) != NULL && ippValidateAttribute(attr)) + { + char prefix = '\"'; // Prefix for string + +@@ -544,8 +585,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + cupsFilePuts(fp, "\"\n"); + } + +- if ((attr = ippFindAttribute(supported, "printer-requested-job-attributes", +- IPP_TAG_KEYWORD)) != NULL) ++ if ((attr = ippFindAttribute(supported, "printer-requested-job-attributes", IPP_TAG_KEYWORD)) != NULL && ippValidateAttribute(attr)) + { + char prefix = '\"'; // Prefix for string + +@@ -1401,15 +1441,15 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + if (!strcmp(sources[j], keyword)) + break; + if (j >= 0) +- cupsFilePrintf(fp, "*InputSlot %s%s%s: \"<>setpagedevice\"\n", +- ppdname, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : ""), j); ++ { ++ cupsFilePrintf(fp, "*InputSlot %s: \"<>setpagedevice\"\n", ppdname, j); ++ ppd_put_string(fp, lang, "InputSlot", ppdname, human_readable); ++ } + else +- cupsFilePrintf(fp, "*InputSlot %s%s%s: \"\"\n", +- ppdname, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : "")); ++ { ++ cupsFilePrintf(fp, "*InputSlot %s%s%s:\"\"\n", ppdname, human_readable ? "/" : "", human_readable ? human_readable : ""); ++ ppd_put_string(fp, lang, "InputSlot", ppdname, human_readable); ++ } + } + cupsFilePuts(fp, "*CloseUI: *InputSlot\n"); + } +@@ -1444,11 +1484,8 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + human_readable = cfCatalogLookUpChoice((char *)keyword, "media-type", + opt_strings_catalog, + printer_opt_strings_catalog); +- cupsFilePrintf(fp, "*MediaType %s%s%s: \"<>setpagedevice\"\n", +- ppdname, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : ""), +- ppdname); ++ cupsFilePrintf(fp, "*MediaType %s: \"<>setpagedevice\"\n", ppdname, ppdname); ++ ppd_put_string(fp, lang, "MediaType", ppdname, human_readable); + } + cupsFilePuts(fp, "*CloseUI: *MediaType\n"); + } +@@ -1771,10 +1808,8 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + human_readable = cfCatalogLookUpChoice((char *)keyword, "output-bin", + opt_strings_catalog, + printer_opt_strings_catalog); +- cupsFilePrintf(fp, "*OutputBin %s%s%s: \"\"\n", +- ppdname, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : "")); ++ cupsFilePrintf(fp, "*OutputBin %s: \"\"\n", ppdname); ++ ppd_put_string(fp, lang, "OutputBin", ppdname, human_readable); + outputorderinfofound = 0; + faceupdown = 1; + firsttolast = 1; +@@ -1953,9 +1988,8 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + human_readable = cfCatalogLookUpChoice(buf, "finishings", + opt_strings_catalog, + printer_opt_strings_catalog); +- cupsFilePrintf(fp, "*StapleLocation %s%s%s: \"\"\n", ppd_keyword, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : "")); ++ cupsFilePrintf(fp, "*StapleLocation %s: \"\"\n", ppd_keyword); ++ ppd_put_string(fp, lang, "StapleLocation", ppd_keyword, human_readable); + cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*StapleLocation %s\"\n", + value, keyword, ppd_keyword); + } +@@ -2045,9 +2079,8 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + human_readable = cfCatalogLookUpChoice(buf, "finishings", + opt_strings_catalog, + printer_opt_strings_catalog); +- cupsFilePrintf(fp, "*FoldType %s%s%s: \"\"\n", ppd_keyword, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : "")); ++ cupsFilePrintf(fp, "*FoldType %s: \"\"\n", ppd_keyword); ++ ppd_put_string(fp, lang, "FoldType", ppd_keyword, human_readable); + cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*FoldType %s\"\n", + value, keyword, ppd_keyword); + } +@@ -2144,9 +2177,8 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + human_readable = cfCatalogLookUpChoice(buf, "finishings", + opt_strings_catalog, + printer_opt_strings_catalog); +- cupsFilePrintf(fp, "*PunchMedia %s%s%s: \"\"\n", ppd_keyword, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : "")); ++ cupsFilePrintf(fp, "*PunchMedia %s: \"\"\n", ppd_keyword); ++ ppd_put_string(fp, lang, "PunchMedia", ppd_keyword, human_readable); + cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*PunchMedia %s\"\n", + value, keyword, ppd_keyword); + } +@@ -2237,9 +2269,8 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + human_readable = cfCatalogLookUpChoice(buf, "finishings", + opt_strings_catalog, + printer_opt_strings_catalog); +- cupsFilePrintf(fp, "*CutMedia %s%s%s: \"\"\n", ppd_keyword, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : "")); ++ cupsFilePrintf(fp, "*CutMedia %s: \"\"\n", ppd_keyword); ++ ppd_put_string(fp, lang, "CutMedia", ppd_keyword, human_readable); + cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*CutMedia %s\"\n", + value, keyword, ppd_keyword); + } +@@ -2263,7 +2294,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + cupsFilePrintf(fp, "*OpenUI *cupsFinishingTemplate/%s: PickOne\n", + (human_readable ? human_readable : "Finishing Template")); + cupsFilePuts(fp, "*OrderDependency: 10 AnySetup *cupsFinishingTemplate\n"); +- cupsFilePuts(fp, "*DefaultcupsFinishingTemplate: none\n"); ++ cupsFilePuts(fp, "*DefaultcupsFinishingTemplate: None\n"); + human_readable = cfCatalogLookUpChoice("3", "finishings", + opt_strings_catalog, + printer_opt_strings_catalog); +@@ -2294,8 +2325,9 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + printer_opt_strings_catalog); + if (human_readable == NULL) + human_readable = (char *)keyword; +- cupsFilePrintf(fp, "*cupsFinishingTemplate %s/%s: \"\n", keyword, +- human_readable); ++ ppdPwgPpdizeName(keyword, ppdname, sizeof(ppdname)); ++ cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname); ++ ppd_put_string(fp, lang, "cupsFinishingTemplate", ppdname, human_readable); + for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr; + finishing_attr = ippNextAttribute(finishing_col)) { + if (ippGetValueTag(finishing_attr) == IPP_TAG_BEGIN_COLLECTION) { +@@ -2559,14 +2591,14 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + if (!preset || !preset_name) + continue; + +- if ((localized_name = ++ ppdPwgPpdizeName(preset_name, ppdname, sizeof(ppdname)); ++ ++ localized_name = + cfCatalogLookUpOption((char *)preset_name, + opt_strings_catalog, +- printer_opt_strings_catalog)) == NULL) +- cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", preset_name); +- else +- cupsFilePrintf(fp, "*APPrinterPreset %s/%s: \"\n", preset_name, +- localized_name); ++ printer_opt_strings_catalog); ++ cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", ppdname); ++ ppd_put_string(fp, lang, "APPrinterPreset", ppdname, localized_name); + + for (member = ippFirstAttribute(preset); member; + member = ippNextAttribute(preset)) +@@ -2615,7 +2647,10 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + ippGetString(ippFindAttribute(fin_col, + "finishing-template", + IPP_TAG_ZERO), 0, NULL)) != NULL) +- cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", keyword); ++ { ++ ppdPwgPpdizeName(keyword, ppdname, sizeof(ppdname)); ++ cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", ppdname); ++ } + } + } + else if (!strcmp(member_name, "media")) +@@ -2654,7 +2689,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + NULL)) != NULL) + { + ppdPwgPpdizeName(keyword, ppdname, sizeof(ppdname)); +- cupsFilePrintf(fp, "*InputSlot %s\n", keyword); ++ cupsFilePrintf(fp, "*InputSlot %s\n", ppdname); + } + + if ((keyword = ippGetString(ippFindAttribute(media_col, "media-type", +@@ -2662,7 +2697,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + NULL)) != NULL) + { + ppdPwgPpdizeName(keyword, ppdname, sizeof(ppdname)); +- cupsFilePrintf(fp, "*MediaType %s\n", keyword); ++ cupsFilePrintf(fp, "*MediaType %s\n", ppdname); + } + } + else if (!strcmp(member_name, "print-quality")) +@@ -2812,3 +2847,38 @@ http_connect(http_t **http, // IO - Current HTTP connection + + return (*http != NULL); + } ++ ++ ++/* ++ * 'ppd_put_strings()' - Write localization attributes to a PPD file. ++ */ ++ ++static void ++ppd_put_string(cups_file_t *fp, /* I - PPD file */ ++ cups_lang_t *lang, /* I - Language */ ++ const char *ppd_option,/* I - PPD option */ ++ const char *ppd_choice,/* I - PPD choice */ ++ const char *text) /* I - Localized text */ ++{ ++ if (!text) ++ return; ++ ++ // Add the first line of localized text... ++#if CUPS_VERSION_MAJOR > 2 ++ cupsFilePrintf(fp, "*%s.%s %s/", cupsLangGetName(lang), ppd_option, ppd_choice); ++#else ++ cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice); ++#endif // CUPS_VERSION_MAJOR > 2 ++ ++ while (*text && *text != '\n') ++ { ++ // Escape ":" and "<"... ++ if (*text == ':' || *text == '<') ++ cupsFilePrintf(fp, "<%02X>", *text); ++ else ++ cupsFilePutChar(fp, *text); ++ ++ text ++; ++ } ++ cupsFilePuts(fp, ": \"\"\n"); ++} diff --git a/SPECS/libppd.spec b/SPECS/libppd.spec index 7d04749..e85b758 100644 --- a/SPECS/libppd.spec +++ b/SPECS/libppd.spec @@ -6,7 +6,7 @@ Name: libppd Epoch: 1 Version: 2.0.0 -Release: 7%{?dist} +Release: 9%{?dist} Summary: Library for retro-fitting legacy printer drivers # the CUPS exception text is the same as LLVM exception, so using that name with @@ -26,6 +26,8 @@ Patch001: libppd-check-required-attrs.patch # https://github.com/OpenPrinting/libppd/commit/d53abd9 # https://github.com/OpenPrinting/libppd/commit/c9f3e8fc0 Patch002: libppd-fix-delta-for-sizes.patch +# RHEL-60335 CVE-2024-47175 libppd: remote command injection via attacker controlled data in PPD file +Patch003: 0001-prevent-ppd-generation-based-on-invalid-ipp-response.patch # for autogen.sh @@ -198,6 +200,9 @@ rm -rf %{buildroot}%{_datadir}/ppdc %endif %changelog +* Thu Nov 21 2024 Zdenek Dohnal - 1:2.0.0-9 +- RHEL-60335 CVE-2024-47175 libppd: remote command injection via attacker controlled data in PPD file + * Tue Oct 29 2024 Troy Dawson - 1:2.0.0-7 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018