From f813aa745770b4505bc57670cc8a17cfe196f5a9 Mon Sep 17 00:00:00 2001 From: Jiri Popelka Date: Apr 02 2014 08:03:19 +0000 Subject: Remote command injection in cups-browsed (bug #1083327). --- diff --git a/cups-filters-bug1083327.patch b/cups-filters-bug1083327.patch new file mode 100644 index 0000000..62e3b4a --- /dev/null +++ b/cups-filters-bug1083327.patch @@ -0,0 +1,79 @@ +From 1e2b77cd1661f2fb2565e21a558295e631763baa Mon Sep 17 00:00:00 2001 +From: Jiri Popelka +Date: Wed, 2 Apr 2014 09:57:32 +0200 +Subject: [PATCH] cups-browsed: SECURITY FIX to prevent arbitrary code + injection (RHBZ#1083327) + +into the System V interface scripts generated for +queues for discovered native IPP printers by a malicious IPP +print service with forged make/model and/or PDL string. +--- + utils/cups-browsed.c | 31 +++++++++++++++++++++++++++---- + 1 file changed, 27 insertions(+), 4 deletions(-) + +diff --git a/utils/cups-browsed.c b/utils/cups-browsed.c +index c312804..ec64a4d 100644 +--- a/utils/cups-browsed.c ++++ b/utils/cups-browsed.c +@@ -563,7 +563,28 @@ create_local_queue (const char *name, + return NULL; + } + +-char *generate_queue_name(const char *str_orig) ++/* ++ * Remove all illegal characters and replace each group of such characters ++ * by a single dash ++ * ++ * mode = 0: Only allow letters, numbers, and dashes, for turning make/model ++ * info into a valid print queue name or inro a string which can ++ * be supplied as option value in a filter command line without ++ * need of quoting ++ * mode = 1: Allow also '/', '.', ',', '_', for cleaning up MIME type ++ * strings (here available Page Description Languages, PDLs) to ++ * supply them on a filter command line without quoting ++ * ++ * Especially this prevents from arbitrary code execution by interface scripts ++ * generated for print queues to native IPP printers when a malicious IPP ++ * print service with forged PDL and/or make/model info gets broadcasted into ++ * the local network. ++ */ ++ ++char * /* O - Cleaned string */ ++remove_bad_chars(const char *str_orig, /* I - Original string */ ++ int mode) /* I - 0: Make/Model, queue name */ ++ /* 1: MIME types/PDLs */ + { + int i, j; + int havedash = 0; +@@ -576,7 +597,9 @@ char *generate_queue_name(const char *str_orig) + for (i = 0, j = 0; i < strlen(str); i++, j++) { + if (((str[i] >= 'A') && (str[i] <= 'Z')) || + ((str[i] >= 'a') && (str[i] <= 'z')) || +- ((str[i] >= '0') && (str[i] <= '9'))) { ++ ((str[i] >= '0') && (str[i] <= '9')) || ++ (mode == 1 && (str[i] == '/' || str[i] == '_' || ++ str[i] == '.' || str[i] == ','))) { + /* Letter or number, keep it */ + havedash = 0; + } else { +@@ -950,7 +973,7 @@ void generate_local_queue(const char *host, + if (entry) { + avahi_string_list_get_pair(entry, &key, &value, NULL); + if (key && value && !strcmp(key, *f) && strlen(value) >= 3) { +- remote_queue = generate_queue_name(value); ++ remote_queue = remove_bad_chars(value, 0); + break; + } + } +@@ -959,7 +982,7 @@ void generate_local_queue(const char *host, + if (entry) { + avahi_string_list_get_pair(entry, &key, &value, NULL); + if (key && value && !strcmp(key, "pdl") && strlen(value) >= 3) { +- pdl = strdup(value); ++ pdl = remove_bad_chars(value, 1); + } + } + } +-- +1.9.0 + diff --git a/cups-filters.spec b/cups-filters.spec index b552d16..998e862 100644 --- a/cups-filters.spec +++ b/cups-filters.spec @@ -4,7 +4,7 @@ Summary: OpenPrinting CUPS filters and backends Name: cups-filters Version: 1.0.41 -Release: 5%{?dist} +Release: 6%{?dist} # For a breakdown of the licensing, see COPYING file # GPLv2: filters: commandto*, imagetoraster, pdftops, rasterto*, @@ -27,6 +27,7 @@ Patch3: cups-filters-memory-leaks.patch Patch4: cups-filters-filter-costs.patch Patch5: cups-filters-urftopdf.patch Patch6: cups-filters-pdftoopvp.patch +Patch7: cups-filters-bug1083327.patch Requires: cups-filters-libs%{?_isa} = %{version}-%{release} @@ -129,6 +130,9 @@ This is the development package for OpenPrinting CUPS filters and backends. # Don't ship pdftoopvp for now (bug #1027557). %patch6 -p1 -b .pdftoopvp +# Remote command injection in cups-browsed (bug #1083327). +%patch7 -p1 -b .bug1083327 + %build # work-around Rpath ./autogen.sh @@ -242,6 +246,9 @@ fi %{_libdir}/libfontembed.so %changelog +* Wed Apr 02 2014 Jiri Popelka - 1.0.41-6 +- Remote command injection in cups-browsed (bug #1083327). + * Tue Mar 11 2014 Jiri Popelka - 1.0.41-5 - Don't ship pdftoopvp (#1027557) and urftopdf (#1002947).