From fcd8771b7855d85b07ec31383dd2048ff81df10d Mon Sep 17 00:00:00 2001
From: xiusailong
Date: Fri, 10 Jun 2022 16:56:36 +0800
Subject: [PATCH] fix CVE-2022-26691
---
 backport-CVE-2022-26691.patch | 34 ++++++++++++++++++++++++++++++++++
 cups.spec | 11 ++++++++---
 2 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 backport-CVE-2022-26691.patch
diff --git a/backport-CVE-2022-26691.patch b/backport-CVE-2022-26691.patch
new file mode 100644
index 0000000..1152b2d
--- /dev/null
+++ b/backport-CVE-2022-26691.patch
@@ -0,0 +1,34 @@
+From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal
+Date: Thu, 26 May 2022 06:27:04 +0200
+Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
+ CVE-2022-26691)
+
+The previous algorithm didn't expect the strings can have a different
+length, so one string can be a substring of the other and such substring
+was reported as equal to the longer string.
+
+Reference:https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444
+
+---
+ scheduler/cert.c | 9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/scheduler/cert.c b/scheduler/cert.c
+index b268bf1b2..9b65b96c9 100644
+--- a/scheduler/cert.c
++++ b/scheduler/cert.c
+@@ -444,5 +444,12 @@ ctcompare(const char *a, /* I - First string */
+ b ++;
+ }
+
+- return (result);
++ /*
++ * The while loop finishes when *a == '\0' or *b == '\0'
++ * so after the while loop either both *a and *b == '\0',
++ * or one points inside a string, so when we apply logical OR on *a,
++ * *b and result, we get a non-zero return value if the compared strings don't match.
++ */
++
++ return (result | *a | *b);
+ }
diff --git a/cups.spec b/cups.spec
index f1cce6f..2ca0e6e 100644
--- a/cups.spec
+++ b/cups.spec
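Review bot: The comment added above the new return in ctcompare() calls the operation a "logical OR", but `result | *a | *b` is a bitwise OR, and the difference matters here: a logical `||` would short-circuit, while the bitwise form always evaluates all three operands. I would word that line as `* or one points inside a string, so when we apply bitwise OR on *a,` so that nobody later changes the code to match the comment. The loop feeding this return starts above the hunk; going by the comment it stops at the first terminator, so the iteration count presumably still follows the shorter input, which deserves a sentence if the function is meant to be timing-independent (the name suggests it, the page does not say). Because this file is a verbatim upstream backport, the wording fix is better proposed upstream than edited into the patch here.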
@@ -3,7 +3,7 @@ Name: cups Epoch: 1 Version: 2.4.0 -Release: 2 +Release: 3 Summary: CUPS is the standards-based, open source printing system for linux operating systems. License: GPLv2+ and LGPLv2+ with exceptions and AML Url: https://openprinting.github.io/cups/ @@ -24,6 +24,8 @@ Patch8: cups-freebind.patch Patch9: cups-ipp-multifile.patch Patch10: cups-web-devices-timeout.patch +Patch6000: backport-CVE-2022-26691.patch + BuildRequires: pam-devel pkgconf-pkg-config pkgconfig(gnutls) libacl-devel openldap-devel pkgconfig(libusb-1.0) BuildRequires: krb5-devel pkgconfig(avahi-client) systemd pkgconfig(libsystemd) pkgconfig(dbus-1) python3-cups BuildRequires: automake zlib-devel gcc gcc-c++ libselinux-devel audit-libs-devel make @@ -444,8 +446,11 @@ rm -f %{_exec_prefix}/lib/cups/backend/smb %doc %{_datadir}/%{name}/www/apple-touch-icon.png %changelog -* Thu May 6 2022 licihua - 2.4.0-2 -- DESC:fix Official website address +* Thu Jun 9 2022 hanhui - 2.4.0-3 +- fix CVE-2022-26691 + +* Thu May 12 2022 zhanzhimin - 2.4.0-2 +- fix official website address * Thu Dec 9 2021 hanhui - 2.4.0-1 - DESC:update to cups-2.4.0 -- Gitee
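Review bot: The second cups.spec hunk only declares `Patch6000: backport-CVE-2022-26691.patch`; the %prep section is not part of this diff, so it is not visible whether the patch is actually applied at build time. If the spec uses `%autosetup` or `%autopatch` this happens automatically, but if patches are listed one by one a matching `%patch6000 -p1` line is needed. Without it, release 2.4.0-3 would carry a changelog entry claiming the CVE-2022-26691 fix while scheduler/cert.c is built unchanged. It is worth confirming in the build log that the patch is applied to scheduler/cert.c.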