From d0ef3d9e0a4857b3a6aaa3eb5d733431da966b48 Mon Sep 17 00:00:00 2001
From: baiguo
Date: Thu, 20 Jun 2024 17:39:47 +0800
Subject: [PATCH] fix CVE-2024-35235
---
 backport-Fix-CVE-2024-35235.patch | 99 +++++++++++++++++++++++++++++++
 cups.spec | 6 +-
 2 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fix-CVE-2024-35235.patch
diff --git a/backport-Fix-CVE-2024-35235.patch b/backport-Fix-CVE-2024-35235.patch
new file mode 100644
index 0000000..f6d3786
--- /dev/null
+++ b/backport-Fix-CVE-2024-35235.patch
@@ -0,0 +1,99 @@
+From a436956f374b0fd7f5da9df482e4f5840fa1c0d2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal
+Date: Mon, 3 Jun 2024 18:53:58 +020
+Subject: [PATCH] Fix domain socket handling
+Reference: https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2
+---
+ cups/http-addr.c | 44 ++++++++++++++++++++------------------------
+ scheduler/conf.c | 18 ++++++++++++++++++
+ 2 files changed, 38 insertions(+), 24 deletions(-)
+
+diff --git a/cups/http-addr.c b/cups/http-addr.c
+index 71e61f5..4ff072b 100644
+--- a/cups/http-addr.c
++++ b/cups/http-addr.c
+@@ -202,31 +202,27 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
+ {
+ mode_t mask; /* Umask setting */
+
+- /*
+- * Remove any existing domain socket file...
+- */
+-
+- unlink(addr->un.sun_path);
+-
+- /*
+- * Save the current umask and set it to 0 so that all users can access
+- * the domain socket...
+- */
+-
+- mask = umask(0);
+-
+- /*
+- * Bind the domain socket...
+- */
+-
+- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
+-
+- /*
+- * Restore the umask and fix permissions...
+- */
++ if ((status = unlink(addr->un.sun_path)) < 0)
++ {
++ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
++ if (errno == ENOENT)
++ status = 0;
++ }
++
++ if (!status)
++ {
++ // Save the current umask and set it to 0 so that all users can access
++ // the domain socket...
++ mask = umask(0);
+
+- umask(mask);
+- chmod(addr->un.sun_path, 0140777);
++ // Bind the domain socket...
++ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
++ {
++ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
++ }
++ // Restore the umask...
++ umask(mask);
++ }
+ }
+ else
+ #endif /* AF_LOCAL */
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index 4200b57..4643d70 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -3103,7 +3103,25 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
+
+ cupsd_listener_t *lis; /* New listeners array */
+
++ /*
++ * If we are launched on-demand, do not use domain sockets from the config
++ * file. Also check that the domain socket path is not too long...
++ */
++
++#ifdef HAVE_ONDEMAND
++ if (*value == '/' && OnDemand)
++ {
++ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
++ continue;
++ }
++#endif // HAVE_ONDEMAND
+
++ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
++ continue;
++ }
+ /*
+ * Get the address list...
+ */
+--
+2.27.0
+
diff --git a/cups.spec b/cups.spec
index d6f53bb..4db4c50 100644
--- a/cups.spec
+++ b/cups.spec
@@ -1,7 +1,7 @@
 Name: cups
 Epoch: 1
 Version: 2.2.13
-Release: 18
+Release: 19
 Summary: CUPS is the standards-based, open source printing system for linux operating systems.
 License: GPLv2+ and LGPLv2+ with exceptions and AML
 Url: http://www.cups.org/
@@ -43,6 +43,7 @@ Patch6005: fix-httpAddrGetList-test-case-fail.patch
 Patch6006: fix-verifying-that-history-still-exists-test-case-fail.patch
 Patch6007: backport-CVE-2023-34241.patch
 Patch6008: backport-CVE-2023-4504.patch
+Patch6009: backport-Fix-CVE-2024-35235.patch
 Provides: cupsddk cupsddk-drivers cups-filesystem cups-client cups-ipptool cups-lpd
 Provides: lpd lpr /usr/bin/lpq /usr/bin/lpr /usr/bin/lp /usr/bin/cancel /usr/bin/lprm /usr/bin/lpstat
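Review bot: In the cups/http-addr.c part of the backported patch, `errno == ENOENT` is tested only after the `DEBUG_printf` call, so in a build where DEBUG_printf expands to real logging (its definition is not visible here) errno may already be overwritten, and a merely absent socket file would then be treated as a failed unlink and the bind skipped. Testing errno first avoids that, e.g. `if ((status = unlink(addr->un.sun_path)) < 0 && errno == ENOENT) status = 0;`, with the debug message emitted only when status is still negative. In the scheduler/conf.c part, a Listen path that is ignored or too long is reported at `CUPSD_LOG_INFO`; because a configured listener is dropped, `CUPSD_LOG_WARN` would make the rejection visible at default log levels. httpAddrListen and read_cupsd_conf both continue outside these hunks, so how a negative status is handled afterwards (for example closing fd) cannot be confirmed from this page.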
@@ -337,6 +338,9 @@ rm -f %{_exec_prefix}/lib/cups/backend/smb
 %doc %{_datadir}/%{name}/www/apple-touch-icon.png
 %changelog
+* Thu Jun 20 2024 baiguo - 1:2.2.13-19
+- fix CVE-2024-35235
+
 * Fri Sep 22 2023 zhouwenpei - 1:2.2.13-18
 - fix CVE-2023-4504
-- Gitee