From 85f0cfd44f2d8cd91ac4b555f6197d268e35476f Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Wed, 20 Nov 2024 00:47:32 +0300
Subject: [PATCH] import pappl-1.4.6-5.el10
---
 ...-password-hash-comparisons-Issue-373.patch | 151 ++++++++++++++++++
 SPECS/pappl.spec | 8 +-
 2 files changed, 158 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0001-Fix-password-hash-comparisons-Issue-373.patch
diff --git a/SOURCES/0001-Fix-password-hash-comparisons-Issue-373.patch b/SOURCES/0001-Fix-password-hash-comparisons-Issue-373.patch
new file mode 100644
index 0000000..7e13453
--- /dev/null
+++ b/SOURCES/0001-Fix-password-hash-comparisons-Issue-373.patch
@@ -0,0 +1,151 @@ +From f4d0039a1f5c62a3b998dc26f90a8f5568749a16 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Wed, 13 Nov 2024 14:29:24 -0500 +Subject: [PATCH] Fix password hash comparisons (Issue #373) + +--- + CHANGES.md | 1 + + pappl/client-webif.c | 33 ++++++++++++++++++++++++++++++--- + pappl/system-accessors.c | 2 +- + 3 files changed, 32 insertions(+), 4 deletions(-) + +diff --git a/pappl/client-webif.c b/pappl/client-webif.c +index 8ae7d25..48714be 100644 +--- a/pappl/client-webif.c ++++ b/pappl/client-webif.c +@@ -1,7 +1,7 @@ + // + // Core client web interface functions for the Printer Application Framework + // +-// Copyright © 2019-2023 by Michael R Sweet. ++// Copyright © 2019-2024 by Michael R Sweet. + // Copyright © 2010-2019 by Apple Inc. + // + // Licensed under Apache License v2.0. See the file "LICENSE" for more +@@ -451,34 +451,49 @@ papplClientHTMLAuthorize( + + // Don't authorize if we have no auth service or we don't have a password set. + if (!client || (!client->system->auth_service && !client->system->auth_cb && !client->system->password_hash[0])) ++ { ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: auth_service='%s', auth_cb=%s, password_hash=%s\n", client->system->auth_service, client->system->auth_cb != NULL ? "set" : "unset", client->system->password_hash[0] ? "set" : "unset"); ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: Returning true."); + return (true); ++ } + + // When using an auth service, use HTTP Basic authentication... 
+ if (client->system->auth_service || client->system->auth_cb) + { + http_status_t code = papplClientIsAuthorized(client); ++ // Authorization status code ++ ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: code=%d.\n", code); + + if (code != HTTP_STATUS_CONTINUE) + { ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: Returning false.\n"); + papplClientRespond(client, code, NULL, NULL, 0, 0); + return (false); + } + else ++ { ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: Returning true.\n"); + return (true); ++ } + } + + // Otherwise look for the authorization cookie... + if (papplClientGetCookie(client, "auth", auth_cookie, sizeof(auth_cookie))) + { ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: Got auth cookie '%s'.\n", auth_cookie); + snprintf(auth_text, sizeof(auth_text), "%s:%s", papplSystemGetSessionKey(client->system, session_key, sizeof(session_key)), papplSystemGetPassword(client->system, password_hash, sizeof(password_hash))); + cupsHashData("sha2-256", (unsigned char *)auth_text, strlen(auth_text), auth_hash, sizeof(auth_hash)); + cupsHashString(auth_hash, sizeof(auth_hash), auth_text, sizeof(auth_text)); + ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: Expect auth cookie '%s'.\n", auth_text); ++ + if (_papplIsEqual(auth_cookie, auth_text)) + { + // Hashes match so we are authorized. Use "web-admin" as the username. 
+ papplCopyString(client->username, "web-admin", sizeof(client->username)); + ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: Returning true.\n"); + return (true); + } + } +@@ -491,6 +506,8 @@ papplClientHTMLAuthorize( + cups_option_t *form = NULL; // Form variables + const char *password; // Password from user + ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: POST.\n"); ++ + if ((num_form = (cups_len_t)papplClientGetForm(client, &form)) == 0) + { + status = "Invalid form data."; +@@ -509,7 +526,10 @@ papplClientHTMLAuthorize( + papplSystemGetPassword(client->system, password_hash, sizeof(password_hash)); + papplSystemHashPassword(client->system, password_hash, password, auth_text, sizeof(auth_text)); + +- if (!strncmp(password_hash, auth_text, strlen(password_hash))) ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: Saved password_hash is '%s'.\n", password_hash); ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: Hashed form password is '%s'.\n", auth_text); ++ ++ if (_papplIsEqual(password_hash, auth_text)) + { + // Password hashes match, generate the cookie from the session key and + // password hash... +@@ -518,7 +538,8 @@ papplClientHTMLAuthorize( + cupsHashData("sha2-256", (unsigned char *)auth_text, strlen(auth_text), auth_hash, sizeof(auth_hash)); + cupsHashString(auth_hash, sizeof(auth_hash), auth_text, sizeof(auth_text)); + +- papplClientSetCookie(client, "auth", auth_text, 3600); ++ papplClientSetCookie(client, "auth", auth_text, 3600); ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: Setting 'auth' cookie to '%s'.\n", auth_text); + } + else + { +@@ -531,16 +552,21 @@ papplClientHTMLAuthorize( + // Make the caller think this is a GET request... + client->operation = HTTP_STATE_GET; + ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: Status message is '%s'.\n", status); ++ + if (!status) + { + // Hashes match so we are authorized. Use "web-admin" as the username. 
+ papplCopyString(client->username, "web-admin", sizeof(client->username)); + ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: Returning true.\n"); + return (true); + } + } + + // If we get this far, show the standard login form... ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: Showing login form.\n"); ++ + papplClientRespond(client, HTTP_STATUS_OK, NULL, "text/html", 0, 0); + papplClientHTMLHeader(client, "Login", 0); + papplClientHTMLPuts(client, +@@ -560,6 +586,7 @@ papplClientHTMLAuthorize( + " \n"); + papplClientHTMLFooter(client); + ++ _PAPPL_DEBUG("papplClientHTMLAuthorize: Returning false.\n"); + return (false); + } + +diff --git a/pappl/system-accessors.c b/pappl/system-accessors.c +index ed52aa6..bcde6aa 100644 +--- a/pappl/system-accessors.c ++++ b/pappl/system-accessors.c +@@ -1289,7 +1289,7 @@ papplSystemHashPassword( + { + // Copy existing nonce from the salt string... + papplCopyString(nonce, salt, sizeof(nonce)); +- if ((ptr = strchr(nonce, ':')) != NULL) ++ if ((ptr = strchr(nonce, '~')) != NULL) + *ptr = '\0'; + } + else +-- +2.47.0 + diff --git a/SPECS/pappl.spec b/SPECS/pappl.spec index 0266187..a4eb984 100644 --- a/SPECS/pappl.spec +++ b/SPECS/pappl.spec @@ -10,7 +10,7 @@ Summary: Printer Application Framework (PAPPL) Name: pappl Version: 1.4.6 -Release: 4%{?dist} +Release: 5%{?dist} License: Apache-2.0 WITH LLVM-exception Source: https://github.com/michaelrsweet/pappl/releases/download/v%{version}/pappl-%{version}.tar.gz Url: https://www.msweet.org/pappl 
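Review bot: The new `_PAPPL_DEBUG` in the first guard of `papplClientHTMLAuthorize` (the `if (!client || ...)` block in the `@@ -451,34 +451,49 @@` hunk of the backported patch) dereferences `client->system` inside a branch that is entered when `client` is NULL, and passes `client->system->auth_service` — which that same condition shows can be NULL — to a `%s` specifier; whether this is reachable depends on how `_PAPPL_DEBUG` expands in a given build, but as written it is a NULL dereference in any build where it expands to a printf-style call. Splitting the guard avoids both problems: `if (!client) return (true);` ahead of the existing condition, and `client->system->auth_service ? client->system->auth_service : "(null)"` in the format arguments. Separately, the added debug lines print the stored password hash, the hashed form password and both the received and expected `auth` cookie values, i.e. credential material written to whatever sink `_PAPPL_DEBUG` uses, so logging only the match/mismatch outcome rather than the values would be safer, or the patch description should at least state that debug builds expose them. The replacement of `strncmp(password_hash, auth_text, strlen(password_hash))` with `_papplIsEqual(password_hash, auth_text)` is the actual fix — the old form matched any `auth_text` that merely started with the stored hash, and matched everything when the stored hash was empty — and reads correctly, while the `':'` to `'~'` separator change in `papplSystemHashPassword` cannot be checked from this hunk because the salt format is not visible. `papplClientHTMLAuthorize` begins and ends outside the nested hunks, and the first debug message in the guard also lacks the trailing `\n` the other messages carry.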
@@ -23,6 +23,9 @@ Patch002: 0001-Fix-port-number-user-input-when-adding-a-printer-Iss.patch # raise MAX_VENDOR https://sourceforge.net/p/gimp-print/mailman/gimp-print-devel/thread/e24b2385-6576-a949-a40d-3786c8067520%40gmail.com/#msg37353830 # downstream only, Mike does not want to merge the change Patch003: pappl-max-vendors.patch +# RHEL-67571 password is ignored when set in web ui +# https://github.com/michaelrsweet/pappl/commit/f4d0039a +Patch007: 0001-Fix-password-hash-comparisons-Issue-373.patch BuildRequires: avahi-devel @@ -112,6 +115,9 @@ make test %{_mandir}/man3/pappl-system.3.gz %changelog +* Thu Nov 14 2024 Zdenek Dohnal - 1.4.6-5 +- RHEL-67571 password is ignored when set in web ui + * Tue Oct 29 2024 Troy Dawson - 1.4.6-4 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018