diff --git a/0001-Fix-various-issues-in-cupsd.patch b/0001-Fix-various-issues-in-cupsd.patch new file mode 100644 index 0000000000000000000000000000000000000000..92c5878baefb4deb180a57900f9471642376f440 --- /dev/null +++ b/0001-Fix-various-issues-in-cupsd.patch @@ -0,0 +1,460 @@ +From db8d560262c22a21ee1e55dfd62fa98d9359bcb0 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Fri, 21 Nov 2025 07:36:36 +0100 +Subject: [PATCH] Fix various issues in cupsd + +Various issues were found by @SilverPlate3, recognized as CVE-2025-61915: + +- out of bound write when handling IPv6 addresses, +- cupsd crash caused by null dereference when ErrorPolicy value is empty, + +On the top of that, Mike Sweet noticed vulnerability via domain socket, +exploitable locally if attacker has access to domain socket and knows username +of user within a group which is present in CUPS system groups: + +- rewrite of cupsd.conf via PeerCred authorization via domain socket + +The last vulnerability is fixed by introducing PeerCred directive for cups-files.conf, +which controls whether PeerCred is enabled/disabled for user in CUPS system groups. + +Fixes CVE-2025-61915 +--- + conf/cups-files.conf.in | 3 ++ + config-scripts/cups-defaults.m4 | 9 +++++ + config.h.in | 7 ++++ + configure | 22 ++++++++++ + doc/help/man-cups-files.conf.html | 9 ++++- + man/cups-files.conf.5 | 17 ++++++-- + scheduler/auth.c | 8 +++- + scheduler/auth.h | 7 ++++ + scheduler/client.c | 2 +- + scheduler/conf.c | 60 ++++++++++++++++++++++++---- + test/run-stp-tests.sh | 2 +- + vcnet/config.h | 7 ++++ + xcode/CUPS.xcodeproj/project.pbxproj | 2 - + xcode/config.h | 7 ++++ + 14 files changed, 145 insertions(+), 17 deletions(-) + +diff --git a/conf/cups-files.conf.in b/conf/cups-files.conf.in +index f96f745ae..6db139297 100644 +--- a/conf/cups-files.conf.in ++++ b/conf/cups-files.conf.in +@@ -22,6 +22,9 @@ + SystemGroup @CUPS_SYSTEM_GROUPS@ + @CUPS_SYSTEM_AUTHKEY@ + ++# Are Unix domain socket peer credentials used for authorization? ++PeerCred @CUPS_PEER_CRED@ ++ + # User that is substituted for unauthenticated (remote) root accesses... + #RemoteRoot remroot + +diff --git a/config-scripts/cups-defaults.m4 b/config-scripts/cups-defaults.m4 +index 999a8849d..fc9ba4a02 100644 +--- a/config-scripts/cups-defaults.m4 ++++ b/config-scripts/cups-defaults.m4 +@@ -95,6 +95,15 @@ AC_ARG_WITH([log_level], AS_HELP_STRING([--with-log-level], [set default LogLeve + AC_SUBST([CUPS_LOG_LEVEL]) + AC_DEFINE_UNQUOTED([CUPS_DEFAULT_LOG_LEVEL], ["$CUPS_LOG_LEVEL"], [Default LogLevel value.]) + ++dnl Default PeerCred ++AC_ARG_WITH([peer_cred], AS_HELP_STRING([--with-peer-cred], [set default PeerCred value (on/off/root-only), default=on]), [ ++ CUPS_PEER_CRED="$withval" ++], [ ++ CUPS_PEER_CRED="on" ++]) ++AC_SUBST([CUPS_PEER_CRED]) ++AC_DEFINE_UNQUOTED([CUPS_DEFAULT_PEER_CRED], ["$CUPS_PEER_CRED"], [Default PeerCred value.]) ++ + dnl Default AccessLogLevel + AC_ARG_WITH(access_log_level, [ --with-access-log-level set default AccessLogLevel value, default=none], + CUPS_ACCESS_LOG_LEVEL="$withval", +diff --git a/config.h.in b/config.h.in +index 207df66a7..37c279088 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -86,6 +86,13 @@ + #define CUPS_DEFAULT_ERROR_POLICY "stop-printer" + + ++/* ++ * Default PeerCred value... ++ */ ++ ++#define CUPS_DEFAULT_PEER_CRED "on" ++ ++ + /* + * Default MaxCopies value... + */ +diff --git a/configure b/configure +index a38ebded9..1721634ba 100755 +--- a/configure ++++ b/configure +@@ -670,6 +670,7 @@ CUPS_BROWSING + CUPS_SYNC_ON_CLOSE + CUPS_PAGE_LOG_FORMAT + CUPS_ACCESS_LOG_LEVEL ++CUPS_PEER_CRED + CUPS_LOG_LEVEL + CUPS_FATAL_ERRORS + CUPS_ERROR_POLICY +@@ -919,6 +920,7 @@ with_max_log_size + with_error_policy + with_fatal_errors + with_log_level ++with_peer_cred + with_access_log_level + enable_page_logging + enable_sync_on_close +@@ -1652,6 +1654,8 @@ Optional Packages: + --with-error-policy set default ErrorPolicy value, default=stop-printer + --with-fatal-errors set default FatalErrors value, default=config + --with-log-level set default LogLevel value, default=warn ++ --with-peer-cred set default PeerCred value (on/off/root-only), ++ default=on + --with-access-log-level set default AccessLogLevel value, default=none + --with-local-protocols set default BrowseLocalProtocols, default="" + --with-cups-user set default user for CUPS +@@ -11651,6 +11655,24 @@ printf "%s\n" "#define CUPS_DEFAULT_LOG_LEVEL \"$CUPS_LOG_LEVEL\"" >>confdefs.h + + + ++# Check whether --with-peer_cred was given. ++if test ${with_peer_cred+y} ++then : ++ withval=$with_peer_cred; ++ CUPS_PEER_CRED="$withval" ++ ++else $as_nop ++ ++ CUPS_PEER_CRED="on" ++ ++fi ++ ++ ++ ++printf "%s\n" "#define CUPS_DEFAULT_PEER_CRED \"$CUPS_PEER_CRED\"" >>confdefs.h ++ ++ ++ + # Check whether --with-access_log_level was given. + if test ${with_access_log_level+y} + then : +diff --git a/doc/help/man-cups-files.conf.html b/doc/help/man-cups-files.conf.html +index 440f033d5..5a9ddefeb 100644 +--- a/doc/help/man-cups-files.conf.html ++++ b/doc/help/man-cups-files.conf.html +@@ -119,6 +119,13 @@ The default is "/var/log/cups/page_log". +
PassEnv variable [ ... variable ] +
Passes the specified environment variable(s) to child processes. + Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive. ++
PeerCred off ++
PeerCred on ++
PeerCred root-only ++
Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket. ++When on, the peer credentials of any user are accepted for authorization. ++The value off disables the use of peer credentials entirely, while the value root-only allows peer credentials only for the root user. ++Note: for security reasons, the on setting is reduced to root-only for authorization of PUT requests. +
RemoteRoot username +
Specifies the username that is associated with unauthenticated accesses by clients claiming to be the root user. + The default is "remroot". +diff --git a/man/cups-files.conf.5 b/man/cups-files.conf.5 +index ec16c9e13..18ce2be00 100644 +--- a/man/cups-files.conf.5 ++++ b/man/cups-files.conf.5 +@@ -166,6 +166,17 @@ The default is "/var/log/cups/page_log". + \fBPassEnv \fIvariable \fR[ ... \fIvariable \fR] + Passes the specified environment variable(s) to child processes. + Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive. ++.\"#PeerCred ++.TP 5 ++\fBPeerCred off\fR ++.TP 5 ++\fBPeerCred on\fR ++.TP 5 ++\fBPeerCred root-only\fR ++Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket. ++When \fBon\fR, the peer credentials of any user are accepted for authorization. ++The value \fBoff\fR disables the use of peer credentials entirely, while the value \fBroot-only\fR allows peer credentials only for the root user. ++Note: for security reasons, the \fBon\fR setting is reduced to \fBroot-only\fR for authorization of PUT requests. + .\"#RemoteRoot + .TP 5 + \fBRemoteRoot \fIusername\fR +@@ -289,4 +300,4 @@ command is used instead. + .BR subscriptions.conf (5), + CUPS Online Help (http://localhost:631/help) + .SH COPYRIGHT +-Copyright \[co] 2020-2024 by OpenPrinting. ++Copyright \[co] 2020-2025 by OpenPrinting. +diff --git a/scheduler/auth.c b/scheduler/auth.c +index 3c9aa72aa..bd0d28a0e 100644 +--- a/scheduler/auth.c ++++ b/scheduler/auth.c +@@ -398,7 +398,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + } + #endif /* HAVE_AUTHORIZATION_H */ + #if defined(SO_PEERCRED) && defined(AF_LOCAL) +- else if (!strncmp(authorization, "PeerCred ", 9) && ++ else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) && + con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best) + { + /* +@@ -441,6 +441,12 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + } + #endif /* HAVE_AUTHORIZATION_H */ + ++ if ((PeerCred == CUPSD_PEERCRED_ROOTONLY || httpGetState(con->http) == HTTP_STATE_PUT_RECV) && strcmp(authorization + 9, "root")) ++ { ++ cupsdLogClient(con, CUPSD_LOG_INFO, "User \"%s\" is not allowed to use peer credentials.", authorization + 9); ++ return; ++ } ++ + if ((pwd = getpwnam(authorization + 9)) == NULL) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9); +diff --git a/scheduler/auth.h b/scheduler/auth.h +index ee98e92c7..fdf71213f 100644 +--- a/scheduler/auth.h ++++ b/scheduler/auth.h +@@ -50,6 +50,10 @@ + #define CUPSD_AUTH_LIMIT_ALL 127 /* Limit all requests */ + #define CUPSD_AUTH_LIMIT_IPP 128 /* Limit IPP requests */ + ++#define CUPSD_PEERCRED_OFF 0 /* Don't allow PeerCred authorization */ ++#define CUPSD_PEERCRED_ON 1 /* Allow PeerCred authorization for all users */ ++#define CUPSD_PEERCRED_ROOTONLY 2 /* Allow PeerCred authorization for root user */ ++ + #define IPP_ANY_OPERATION (ipp_op_t)0 + /* Any IPP operation */ + #define IPP_BAD_OPERATION (ipp_op_t)-1 +@@ -105,6 +109,9 @@ typedef struct + + VAR cups_array_t *Locations VALUE(NULL); + /* Authorization locations */ ++VAR int PeerCred VALUE(CUPSD_PEERCRED_ON); ++ /* Allow PeerCred authorization? */ ++ + #ifdef HAVE_TLS + VAR http_encryption_t DefaultEncryption VALUE(HTTP_ENCRYPT_REQUIRED); + /* Default encryption for authentication */ +diff --git a/scheduler/client.c b/scheduler/client.c +index 9593c9138..d961c15db 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -2208,7 +2208,7 @@ cupsdSendHeader( + auth_size = sizeof(auth_str) - (size_t)(auth_key - auth_str); + + #if defined(SO_PEERCRED) && defined(AF_LOCAL) +- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) ++ if (PeerCred != CUPSD_PEERCRED_OFF && httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) + { + strlcpy(auth_key, ", PeerCred", auth_size); + auth_key += 10; +diff --git a/scheduler/conf.c b/scheduler/conf.c +index db4104ec5..7d6da0252 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -47,6 +47,7 @@ typedef enum + { + CUPSD_VARTYPE_INTEGER, /* Integer option */ + CUPSD_VARTYPE_TIME, /* Time interval option */ ++ CUPSD_VARTYPE_NULLSTRING, /* String option or NULL/empty string */ + CUPSD_VARTYPE_STRING, /* String option */ + CUPSD_VARTYPE_BOOLEAN, /* Boolean option */ + CUPSD_VARTYPE_PATHNAME, /* File/directory name option */ +@@ -69,7 +70,7 @@ static const cupsd_var_t cupsd_vars[] = + { + { "AutoPurgeJobs", &JobAutoPurge, CUPSD_VARTYPE_BOOLEAN }, + #ifdef HAVE_DNSSD +- { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_STRING }, ++ { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_NULLSTRING }, + #endif /* HAVE_DNSSD */ + { "BrowseWebIF", &BrowseWebIF, CUPSD_VARTYPE_BOOLEAN }, + { "Browsing", &Browsing, CUPSD_VARTYPE_BOOLEAN }, +@@ -120,7 +121,7 @@ static const cupsd_var_t cupsd_vars[] = + { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter, CUPSD_VARTYPE_INTEGER }, + { "MaxSubscriptionsPerUser", &MaxSubscriptionsPerUser, CUPSD_VARTYPE_INTEGER }, + { "MultipleOperationTimeout", &MultipleOperationTimeout, CUPSD_VARTYPE_TIME }, +- { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_STRING }, ++ { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_NULLSTRING }, + { "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_TIME }, + { "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_TIME }, + { "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_TIME }, +@@ -791,6 +792,13 @@ cupsdReadConfiguration(void) + IdleExitTimeout = 60; + #endif /* HAVE_ONDEMAND */ + ++ if (!strcmp(CUPS_DEFAULT_PEER_CRED, "off")) ++ PeerCred = CUPSD_PEERCRED_OFF; ++ else if (!strcmp(CUPS_DEFAULT_PEER_CRED, "root-only")) ++ PeerCred = CUPSD_PEERCRED_ROOTONLY; ++ else ++ PeerCred = CUPSD_PEERCRED_ON; ++ + /* + * Setup environment variables... + */ +@@ -1842,7 +1850,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */ + + family = AF_INET6; + +- for (i = 0, ptr = value + 1; *ptr && i < 8; i ++) ++ for (i = 0, ptr = value + 1; *ptr && i >= 0 && i < 8; i ++) + { + if (*ptr == ']') + break; +@@ -1988,7 +1996,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */ + #ifdef AF_INET6 + if (family == AF_INET6) + { +- if (i > 128) ++ if (i < 0 || i > 128) + return (0); + + i = 128 - i; +@@ -2022,7 +2030,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */ + else + #endif /* AF_INET6 */ + { +- if (i > 32) ++ if (i < 0 || i > 32) + return (0); + + mask[0] = 0xffffffff; +@@ -2932,7 +2940,17 @@ parse_variable( + cupsdSetString((char **)var->ptr, temp); + break; + ++ case CUPSD_VARTYPE_NULLSTRING : ++ cupsdSetString((char **)var->ptr, value); ++ break; ++ + case CUPSD_VARTYPE_STRING : ++ if (!value) ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.", line, linenum, filename); ++ return (0); ++ } ++ + cupsdSetString((char **)var->ptr, value); + break; + } +@@ -3449,9 +3467,10 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ + line, value ? " " : "", value ? value : "", linenum, + ConfigurationFile, CupsFilesFile); + } +- else +- parse_variable(ConfigurationFile, linenum, line, value, +- sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars); ++ else if (!parse_variable(ConfigurationFile, linenum, line, value, ++ sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars) && ++ (FatalErrors & CUPSD_FATAL_CONFIG)) ++ return (0); + } + + return (1); +@@ -3610,6 +3629,31 @@ read_cups_files_conf(cups_file_t *fp) /* I - File to read from */ + break; + } + } ++ else if (!_cups_strcasecmp(line, "PeerCred") && value) ++ { ++ /* ++ * PeerCred {off,on,root-only} ++ */ ++ ++ if (!_cups_strcasecmp(value, "off")) ++ { ++ PeerCred = CUPSD_PEERCRED_OFF; ++ } ++ else if (!_cups_strcasecmp(value, "on")) ++ { ++ PeerCred = CUPSD_PEERCRED_ON; ++ } ++ else if (!_cups_strcasecmp(value, "root-only")) ++ { ++ PeerCred = CUPSD_PEERCRED_ROOTONLY; ++ } ++ else ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown PeerCred \"%s\" on line %d of %s.", value, linenum, CupsFilesFile); ++ if (FatalErrors & CUPSD_FATAL_CONFIG) ++ return (0); ++ } ++ } + else if (!_cups_strcasecmp(line, "PrintcapFormat") && value) + { + /* +diff --git a/test/run-stp-tests.sh b/test/run-stp-tests.sh +index 1c447edd7..8d677db71 100755 +--- a/test/run-stp-tests.sh ++++ b/test/run-stp-tests.sh +@@ -512,7 +512,7 @@ fi + + cat >$BASE/cups-files.conf < +Date: Thu, 4 Dec 2025 09:04:37 +0100 +Subject: [PATCH] conf.c: Fix stopping scheduler on unknown directive + +Change the return value to do not trigger stopping the scheduler in case +of unknown directive, because stopping the scheduler on config errors +should only happen in case of syntax errors. +--- + scheduler/conf.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/scheduler/conf.c b/scheduler/conf.c +index 7d6da0252..0e7be0ef4 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -2708,16 +2708,16 @@ parse_variable( + { + /* + * Unknown directive! Output an error message and continue... ++ * ++ * Return value 1 is on purpose - we ignore unknown directives to log ++ * error, but do not stop the scheduler in case error in configuration ++ * is set to be fatal. + */ + +- if (!value) +- cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.", +- line, linenum, filename); +- else +- cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.", +- line, linenum, filename); ++ cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.", ++ line, linenum, filename); + +- return (0); ++ return (1); + } + + switch (var->type) +-- +2.52.0 + diff --git a/cups-upstream-dfe48aa4.patch b/cups-upstream-dfe48aa4.patch new file mode 100644 index 0000000000000000000000000000000000000000..294dacafc013643991c514728bb0feb6252f6b3a --- /dev/null +++ b/cups-upstream-dfe48aa4.patch @@ -0,0 +1,544 @@ +--- a/0001-Fix-various-issues-in-cupsd.patch ++++ b/0001-Fix-various-issues-in-cupsd.patch +@@ -0,0 +1,460 @@ ++From db8d560262c22a21ee1e55dfd62fa98d9359bcb0 Mon Sep 17 00:00:00 2001 ++From: Zdenek Dohnal ++Date: Fri, 21 Nov 2025 07:36:36 +0100 ++Subject: [PATCH] Fix various issues in cupsd ++ ++Various issues were found by @SilverPlate3, recognized as CVE-2025-61915: ++ ++- out of bound write when handling IPv6 addresses, ++- cupsd crash caused by null dereference when ErrorPolicy value is empty, ++ ++On the top of that, Mike Sweet noticed vulnerability via domain socket, ++exploitable locally if attacker has access to domain socket and knows username ++of user within a group which is present in CUPS system groups: ++ ++- rewrite of cupsd.conf via PeerCred authorization via domain socket ++ ++The last vulnerability is fixed by introducing PeerCred directive for cups-files.conf, ++which controls whether PeerCred is enabled/disabled for user in CUPS system groups. ++ ++Fixes CVE-2025-61915 ++--- ++ conf/cups-files.conf.in | 3 ++ ++ config-scripts/cups-defaults.m4 | 9 +++++ ++ config.h.in | 7 ++++ ++ configure | 22 ++++++++++ ++ doc/help/man-cups-files.conf.html | 9 ++++- ++ man/cups-files.conf.5 | 17 ++++++-- ++ scheduler/auth.c | 8 +++- ++ scheduler/auth.h | 7 ++++ ++ scheduler/client.c | 2 +- ++ scheduler/conf.c | 60 ++++++++++++++++++++++++---- ++ test/run-stp-tests.sh | 2 +- ++ vcnet/config.h | 7 ++++ ++ xcode/CUPS.xcodeproj/project.pbxproj | 2 - ++ xcode/config.h | 7 ++++ ++ 14 files changed, 145 insertions(+), 17 deletions(-) ++ ++diff --git a/conf/cups-files.conf.in b/conf/cups-files.conf.in ++index f96f745ae..6db139297 100644 ++--- a/conf/cups-files.conf.in +++++ b/conf/cups-files.conf.in ++@@ -22,6 +22,9 @@ ++ SystemGroup @CUPS_SYSTEM_GROUPS@ ++ @CUPS_SYSTEM_AUTHKEY@ ++ +++# Are Unix domain socket peer credentials used for authorization? +++PeerCred @CUPS_PEER_CRED@ +++ ++ # User that is substituted for unauthenticated (remote) root accesses... ++ #RemoteRoot remroot ++ ++diff --git a/config-scripts/cups-defaults.m4 b/config-scripts/cups-defaults.m4 ++index 999a8849d..fc9ba4a02 100644 ++--- a/config-scripts/cups-defaults.m4 +++++ b/config-scripts/cups-defaults.m4 ++@@ -95,6 +95,15 @@ AC_ARG_WITH([log_level], AS_HELP_STRING([--with-log-level], [set default LogLeve ++ AC_SUBST([CUPS_LOG_LEVEL]) ++ AC_DEFINE_UNQUOTED([CUPS_DEFAULT_LOG_LEVEL], ["$CUPS_LOG_LEVEL"], [Default LogLevel value.]) ++ +++dnl Default PeerCred +++AC_ARG_WITH([peer_cred], AS_HELP_STRING([--with-peer-cred], [set default PeerCred value (on/off/root-only), default=on]), [ +++ CUPS_PEER_CRED="$withval" +++], [ +++ CUPS_PEER_CRED="on" +++]) +++AC_SUBST([CUPS_PEER_CRED]) +++AC_DEFINE_UNQUOTED([CUPS_DEFAULT_PEER_CRED], ["$CUPS_PEER_CRED"], [Default PeerCred value.]) +++ ++ dnl Default AccessLogLevel ++ AC_ARG_WITH(access_log_level, [ --with-access-log-level set default AccessLogLevel value, default=none], ++ CUPS_ACCESS_LOG_LEVEL="$withval", ++diff --git a/config.h.in b/config.h.in ++index 207df66a7..37c279088 100644 ++--- a/config.h.in +++++ b/config.h.in ++@@ -86,6 +86,13 @@ ++ #define CUPS_DEFAULT_ERROR_POLICY "stop-printer" ++ ++ +++/* +++ * Default PeerCred value... +++ */ +++ +++#define CUPS_DEFAULT_PEER_CRED "on" +++ +++ ++ /* ++ * Default MaxCopies value... ++ */ ++diff --git a/configure b/configure ++index a38ebded9..1721634ba 100755 ++--- a/configure +++++ b/configure ++@@ -670,6 +670,7 @@ CUPS_BROWSING ++ CUPS_SYNC_ON_CLOSE ++ CUPS_PAGE_LOG_FORMAT ++ CUPS_ACCESS_LOG_LEVEL +++CUPS_PEER_CRED ++ CUPS_LOG_LEVEL ++ CUPS_FATAL_ERRORS ++ CUPS_ERROR_POLICY ++@@ -919,6 +920,7 @@ with_max_log_size ++ with_error_policy ++ with_fatal_errors ++ with_log_level +++with_peer_cred ++ with_access_log_level ++ enable_page_logging ++ enable_sync_on_close ++@@ -1652,6 +1654,8 @@ Optional Packages: ++ --with-error-policy set default ErrorPolicy value, default=stop-printer ++ --with-fatal-errors set default FatalErrors value, default=config ++ --with-log-level set default LogLevel value, default=warn +++ --with-peer-cred set default PeerCred value (on/off/root-only), +++ default=on ++ --with-access-log-level set default AccessLogLevel value, default=none ++ --with-local-protocols set default BrowseLocalProtocols, default="" ++ --with-cups-user set default user for CUPS ++@@ -11651,6 +11655,24 @@ printf "%s\n" "#define CUPS_DEFAULT_LOG_LEVEL \"$CUPS_LOG_LEVEL\"" >>confdefs.h ++ ++ ++ +++# Check whether --with-peer_cred was given. +++if test ${with_peer_cred+y} +++then : +++ withval=$with_peer_cred; +++ CUPS_PEER_CRED="$withval" +++ +++else $as_nop +++ +++ CUPS_PEER_CRED="on" +++ +++fi +++ +++ +++ +++printf "%s\n" "#define CUPS_DEFAULT_PEER_CRED \"$CUPS_PEER_CRED\"" >>confdefs.h +++ +++ +++ ++ # Check whether --with-access_log_level was given. ++ if test ${with_access_log_level+y} ++ then : ++diff --git a/doc/help/man-cups-files.conf.html b/doc/help/man-cups-files.conf.html ++index 440f033d5..5a9ddefeb 100644 ++--- a/doc/help/man-cups-files.conf.html +++++ b/doc/help/man-cups-files.conf.html ++@@ -119,6 +119,13 @@ The default is "/var/log/cups/page_log". ++
PassEnv variable [ ... variable ] ++
Passes the specified environment variable(s) to child processes. ++ Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive. +++
PeerCred off +++
PeerCred on +++
PeerCred root-only +++
Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket. +++When on, the peer credentials of any user are accepted for authorization. +++The value off disables the use of peer credentials entirely, while the value root-only allows peer credentials only for the root user. +++Note: for security reasons, the on setting is reduced to root-only for authorization of PUT requests. ++
RemoteRoot username ++
Specifies the username that is associated with unauthenticated accesses by clients claiming to be the root user. ++ The default is "remroot". ++diff --git a/man/cups-files.conf.5 b/man/cups-files.conf.5 ++index ec16c9e13..18ce2be00 100644 ++--- a/man/cups-files.conf.5 +++++ b/man/cups-files.conf.5 ++@@ -166,6 +166,17 @@ The default is "/var/log/cups/page_log". ++ \fBPassEnv \fIvariable \fR[ ... \fIvariable \fR] ++ Passes the specified environment variable(s) to child processes. ++ Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive. +++.\"#PeerCred +++.TP 5 +++\fBPeerCred off\fR +++.TP 5 +++\fBPeerCred on\fR +++.TP 5 +++\fBPeerCred root-only\fR +++Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket. +++When \fBon\fR, the peer credentials of any user are accepted for authorization. +++The value \fBoff\fR disables the use of peer credentials entirely, while the value \fBroot-only\fR allows peer credentials only for the root user. +++Note: for security reasons, the \fBon\fR setting is reduced to \fBroot-only\fR for authorization of PUT requests. ++ .\"#RemoteRoot ++ .TP 5 ++ \fBRemoteRoot \fIusername\fR ++@@ -289,4 +300,4 @@ command is used instead. ++ .BR subscriptions.conf (5), ++ CUPS Online Help (http://localhost:631/help) ++ .SH COPYRIGHT ++-Copyright \[co] 2020-2024 by OpenPrinting. +++Copyright \[co] 2020-2025 by OpenPrinting. ++diff --git a/scheduler/auth.c b/scheduler/auth.c ++index 3c9aa72aa..bd0d28a0e 100644 ++--- a/scheduler/auth.c +++++ b/scheduler/auth.c ++@@ -398,7 +398,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ ++ } ++ #endif /* HAVE_AUTHORIZATION_H */ ++ #if defined(SO_PEERCRED) && defined(AF_LOCAL) ++- else if (!strncmp(authorization, "PeerCred ", 9) && +++ else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) && ++ con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best) ++ { ++ /* ++@@ -441,6 +441,12 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ ++ } ++ #endif /* HAVE_AUTHORIZATION_H */ ++ +++ if ((PeerCred == CUPSD_PEERCRED_ROOTONLY || httpGetState(con->http) == HTTP_STATE_PUT_RECV) && strcmp(authorization + 9, "root")) +++ { +++ cupsdLogClient(con, CUPSD_LOG_INFO, "User \"%s\" is not allowed to use peer credentials.", authorization + 9); +++ return; +++ } +++ ++ if ((pwd = getpwnam(authorization + 9)) == NULL) ++ { ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9); ++diff --git a/scheduler/auth.h b/scheduler/auth.h ++index ee98e92c7..fdf71213f 100644 ++--- a/scheduler/auth.h +++++ b/scheduler/auth.h ++@@ -50,6 +50,10 @@ ++ #define CUPSD_AUTH_LIMIT_ALL 127 /* Limit all requests */ ++ #define CUPSD_AUTH_LIMIT_IPP 128 /* Limit IPP requests */ ++ +++#define CUPSD_PEERCRED_OFF 0 /* Don't allow PeerCred authorization */ +++#define CUPSD_PEERCRED_ON 1 /* Allow PeerCred authorization for all users */ +++#define CUPSD_PEERCRED_ROOTONLY 2 /* Allow PeerCred authorization for root user */ +++ ++ #define IPP_ANY_OPERATION (ipp_op_t)0 ++ /* Any IPP operation */ ++ #define IPP_BAD_OPERATION (ipp_op_t)-1 ++@@ -105,6 +109,9 @@ typedef struct ++ ++ VAR cups_array_t *Locations VALUE(NULL); ++ /* Authorization locations */ +++VAR int PeerCred VALUE(CUPSD_PEERCRED_ON); +++ /* Allow PeerCred authorization? */ +++ ++ #ifdef HAVE_TLS ++ VAR http_encryption_t DefaultEncryption VALUE(HTTP_ENCRYPT_REQUIRED); ++ /* Default encryption for authentication */ ++diff --git a/scheduler/client.c b/scheduler/client.c ++index 9593c9138..d961c15db 100644 ++--- a/scheduler/client.c +++++ b/scheduler/client.c ++@@ -2208,7 +2208,7 @@ cupsdSendHeader( ++ auth_size = sizeof(auth_str) - (size_t)(auth_key - auth_str); ++ ++ #if defined(SO_PEERCRED) && defined(AF_LOCAL) ++- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) +++ if (PeerCred != CUPSD_PEERCRED_OFF && httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) ++ { ++ strlcpy(auth_key, ", PeerCred", auth_size); ++ auth_key += 10; ++diff --git a/scheduler/conf.c b/scheduler/conf.c ++index db4104ec5..7d6da0252 100644 ++--- a/scheduler/conf.c +++++ b/scheduler/conf.c ++@@ -47,6 +47,7 @@ typedef enum ++ { ++ CUPSD_VARTYPE_INTEGER, /* Integer option */ ++ CUPSD_VARTYPE_TIME, /* Time interval option */ +++ CUPSD_VARTYPE_NULLSTRING, /* String option or NULL/empty string */ ++ CUPSD_VARTYPE_STRING, /* String option */ ++ CUPSD_VARTYPE_BOOLEAN, /* Boolean option */ ++ CUPSD_VARTYPE_PATHNAME, /* File/directory name option */ ++@@ -69,7 +70,7 @@ static const cupsd_var_t cupsd_vars[] = ++ { ++ { "AutoPurgeJobs", &JobAutoPurge, CUPSD_VARTYPE_BOOLEAN }, ++ #ifdef HAVE_DNSSD ++- { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_STRING }, +++ { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_NULLSTRING }, ++ #endif /* HAVE_DNSSD */ ++ { "BrowseWebIF", &BrowseWebIF, CUPSD_VARTYPE_BOOLEAN }, ++ { "Browsing", &Browsing, CUPSD_VARTYPE_BOOLEAN }, ++@@ -120,7 +121,7 @@ static const cupsd_var_t cupsd_vars[] = ++ { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter, CUPSD_VARTYPE_INTEGER }, ++ { "MaxSubscriptionsPerUser", &MaxSubscriptionsPerUser, CUPSD_VARTYPE_INTEGER }, ++ { "MultipleOperationTimeout", &MultipleOperationTimeout, CUPSD_VARTYPE_TIME }, ++- { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_STRING }, +++ { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_NULLSTRING }, ++ { "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_TIME }, ++ { "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_TIME }, ++ { "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_TIME }, ++@@ -791,6 +792,13 @@ cupsdReadConfiguration(void) ++ IdleExitTimeout = 60; ++ #endif /* HAVE_ONDEMAND */ ++ +++ if (!strcmp(CUPS_DEFAULT_PEER_CRED, "off")) +++ PeerCred = CUPSD_PEERCRED_OFF; +++ else if (!strcmp(CUPS_DEFAULT_PEER_CRED, "root-only")) +++ PeerCred = CUPSD_PEERCRED_ROOTONLY; +++ else +++ PeerCred = CUPSD_PEERCRED_ON; +++ ++ /* ++ * Setup environment variables... ++ */ ++@@ -1842,7 +1850,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */ ++ ++ family = AF_INET6; ++ ++- for (i = 0, ptr = value + 1; *ptr && i < 8; i ++) +++ for (i = 0, ptr = value + 1; *ptr && i >= 0 && i < 8; i ++) ++ { ++ if (*ptr == ']') ++ break; ++@@ -1988,7 +1996,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */ ++ #ifdef AF_INET6 ++ if (family == AF_INET6) ++ { ++- if (i > 128) +++ if (i < 0 || i > 128) ++ return (0); ++ ++ i = 128 - i; ++@@ -2022,7 +2030,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */ ++ else ++ #endif /* AF_INET6 */ ++ { ++- if (i > 32) +++ if (i < 0 || i > 32) ++ return (0); ++ ++ mask[0] = 0xffffffff; ++@@ -2932,7 +2940,17 @@ parse_variable( ++ cupsdSetString((char **)var->ptr, temp); ++ break; ++ +++ case CUPSD_VARTYPE_NULLSTRING : +++ cupsdSetString((char **)var->ptr, value); +++ break; +++ ++ case CUPSD_VARTYPE_STRING : +++ if (!value) +++ { +++ cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.", line, linenum, filename); +++ return (0); +++ } +++ ++ cupsdSetString((char **)var->ptr, value); ++ break; ++ } ++@@ -3449,9 +3467,10 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ ++ line, value ? " " : "", value ? value : "", linenum, ++ ConfigurationFile, CupsFilesFile); ++ } ++- else ++- parse_variable(ConfigurationFile, linenum, line, value, ++- sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars); +++ else if (!parse_variable(ConfigurationFile, linenum, line, value, +++ sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars) && +++ (FatalErrors & CUPSD_FATAL_CONFIG)) +++ return (0); ++ } ++ ++ return (1); ++@@ -3610,6 +3629,31 @@ read_cups_files_conf(cups_file_t *fp) /* I - File to read from */ ++ break; ++ } ++ } +++ else if (!_cups_strcasecmp(line, "PeerCred") && value) +++ { +++ /* +++ * PeerCred {off,on,root-only} +++ */ +++ +++ if (!_cups_strcasecmp(value, "off")) +++ { +++ PeerCred = CUPSD_PEERCRED_OFF; +++ } +++ else if (!_cups_strcasecmp(value, "on")) +++ { +++ PeerCred = CUPSD_PEERCRED_ON; +++ } +++ else if (!_cups_strcasecmp(value, "root-only")) +++ { +++ PeerCred = CUPSD_PEERCRED_ROOTONLY; +++ } +++ else +++ { +++ cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown PeerCred \"%s\" on line %d of %s.", value, linenum, CupsFilesFile); +++ if (FatalErrors & CUPSD_FATAL_CONFIG) +++ return (0); +++ } +++ } ++ else if (!_cups_strcasecmp(line, "PrintcapFormat") && value) ++ { ++ /* ++diff --git a/test/run-stp-tests.sh b/test/run-stp-tests.sh ++index 1c447edd7..8d677db71 100755 ++--- a/test/run-stp-tests.sh +++++ b/test/run-stp-tests.sh ++@@ -512,7 +512,7 @@ fi ++ ++ cat >$BASE/cups-files.conf < ++Date: Thu, 4 Dec 2025 09:04:37 +0100 ++Subject: [PATCH] conf.c: Fix stopping scheduler on unknown directive ++ ++Change the return value to do not trigger stopping the scheduler in case ++of unknown directive, because stopping the scheduler on config errors ++should only happen in case of syntax errors. ++--- ++ scheduler/conf.c | 14 +++++++------- ++ 1 file changed, 7 insertions(+), 7 deletions(-) ++ ++diff --git a/scheduler/conf.c b/scheduler/conf.c ++index 7d6da0252..0e7be0ef4 100644 ++--- a/scheduler/conf.c +++++ b/scheduler/conf.c ++@@ -2708,16 +2708,16 @@ parse_variable( ++ { ++ /* ++ * Unknown directive! Output an error message and continue... +++ * +++ * Return value 1 is on purpose - we ignore unknown directives to log +++ * error, but do not stop the scheduler in case error in configuration +++ * is set to be fatal. ++ */ ++ ++- if (!value) ++- cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.", ++- line, linenum, filename); ++- else ++- cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.", ++- line, linenum, filename); +++ cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.", +++ line, linenum, filename); ++ ++- return (0); +++ return (1); ++ } ++ ++ switch (var->type) ++-- ++2.52.0 ++ + +--- a/cups.spec ++++ b/cups.spec +@@ -119,6 +119,11 @@ Patch1016: 0001-Drop-non-keyword-characters-from-PPD-names-Issue-111.patch + Patch1017: 0001-_httpWait-s-usessl-parameter-wasn-t-being-used.patch + Patch1018: cups-CVE-2025-58436.patch + Patch1019: 0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch ++# RHEL-129716 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues ++# 0001-Fix-various-issues-in-cupsd.patch ++# 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch ++Patch1020: 0001-Fix-various-issues-in-cupsd.patch ++Patch1021: 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch + + + ##### Patches removed because IMHO they aren't no longer needed +@@ -388,6 +393,9 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in + %patch -P 1017 -p1 -b .use-usessl + %patch -P 1018 -p1 -b .slow-client + %patch -P 1019 -p1 -b .gtk-infinite-loop ++# RHEL-129716 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues ++%patch -P 1020 -p1 -b .config-issues ++%patch -P 1021 -p1 -b .ignore-unknown + + + # Log to the system journal by default (bug #1078781, bug #1519331). +@@ -861,6 +869,7 @@ rm -f %{cups_serverbin}/backend/smb + %changelog + * Thu Nov 27 2025 Zdenek Dohnal - 1:2.4.10-15 + - RHEL-129723 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack ++- RHEL-129716 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues + + * Tue Nov 18 2025 Zdenek Dohnal - 1:2.4.10-14 + - RHEL-122293 [image-mode] Missing /var/log/cups + diff --git a/cups.spec b/cups.spec index 2eb6f4ba2f098471fc0e0cdc1633a2e727700f30..74db477c4fcf7ff812feb94dde0b4411de130584 100644 --- a/cups.spec +++ b/cups.spec @@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 3 %global use_alternatives 1 %global lspp 1 @@ -90,6 +90,11 @@ Patch25: Fix-CVE-2025-58060.patch # https://github.com/OpenPrinting/cups/commit/e58cba9d6fceed4242980e51dbd1302cf638ab1d Patch26: Fix-CVE-2025-58364.patch +# Fix CVE-2025-61915 - Various issues in cupsd +# RHEL-129716 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues +Patch27: 0001-Fix-various-issues-in-cupsd.patch +Patch28: 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch + %if %{lspp} # selinux and audit enablement for CUPS - needs work and CUPS upstream wants # to have these features implemented their way in the future @@ -353,6 +358,9 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch -P 25 -p1 -b .cve-2025-58060 # CVE-2025-58364 %patch -P 26 -p1 -b .cve-2025-58364 +# CVE-2025-61915 - Various issues in cupsd +%patch -P 27 -p1 -b .fix-various-issues-cupsd +%patch -P 28 -p1 -b .fix-stopping-scheduler # Log to the system journal by default (bug #1078781, bug #1519331). sed -i -e 's,^ErrorLog .*$,ErrorLog syslog,' conf/cups-files.conf.in @@ -833,11 +841,17 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.* %changelog +* Thu Jan 29 2026 wenjie2025 - 1:2.4.10-3 +- Add patch for CVE-2025-61915 - Fix various issues in cupsd + - Fix out of bound write when handling IPv6 addresses + - Fix cupsd crash caused by null dereference when ErrorPolicy value is empty + - Fix rewrite of cupsd.conf via PeerCred authorization via domain socket + * Thu Sep 18 2025 zhoujiajia111 - 1:2.4.10-2 - add patches to fix CVE-2024-47175,CVE-2025-58060,CVE-2025-58364 - add patches to fix some bugs [Patches cherry-picked from c10s. Original changelog: - - RHEL-113073 CVE-2025-58364 cups: Null Pointer Dereference in CUPS + - RHEL-113073 CVE-2025-58364 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS (1:2.4.10-12)] * Thu Jul 04 2024 mgb01105731 - 1:2.4.10-1