From 86ced0c193ab7864f475d355d50929abb4d97417 Mon Sep 17 00:00:00 2001 From: Pavel Zhukov Date: Mar 28 2018 15:36:13 +0000 Subject: Fix for CVE-2017-18248 (#1561296) --- diff --git a/cups-delete_invalid_attrs.patch b/cups-delete_invalid_attrs.patch new file mode 100644 index 0000000..574537e --- /dev/null +++ b/cups-delete_invalid_attrs.patch @@ -0,0 +1,54 @@ +diff --git a/scheduler/ipp.c b/scheduler/ipp.c +index 02dc392..0fc2d07 100644 +--- a/scheduler/ipp.c ++++ b/scheduler/ipp.c +@@ -1615,15 +1615,30 @@ + _("Bad job-name value: Wrong type or count.")); + if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL) + attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP; ++ ++ if (StrictConformance) + return (NULL); ++ ++ /* Don't use invalid attribute */ ++ ippDeleteAttribute(con->request, attr); ++ ++ ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "job-name", NULL, "Untitled"); + } + else if (!ippValidateAttribute(attr)) + { + send_ipp_status(con, IPP_ATTRIBUTES, _("Bad job-name value: %s"), + cupsLastErrorString()); ++ + if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL) + attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP; ++ ++ if (StrictConformance) + return (NULL); ++ ++ /* Don't use invalid attribute */ ++ ippDeleteAttribute(con->request, attr); ++ ++ ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "job-name", NULL, "Untitled"); + } + + attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME); +@@ -1631,9 +1646,17 @@ add_job(cupsd_client_t *con, /* I - Client connection */ + if (attr && !ippValidateAttribute(attr)) + { + send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString()); ++ + if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL) + attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP; +- return (NULL); ++ ++ if (StrictConformance) ++ return (NULL); ++ ++ /* Don't use invalid attribute */ ++ ippDeleteAttribute(con->request, attr); ++ ++ attr = ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "reqeusting-user-name", NULL, "anonymous"); + } + + #ifdef WITH_LSPP diff --git a/cups.spec b/cups.spec index b700a23..888a61f 100644 --- a/cups.spec +++ b/cups.spec @@ -15,7 +15,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.2.6 -Release: 11%{?dist} +Release: 12%{?dist} License: GPLv2 Url: http://www.cups.org/ Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz @@ -62,6 +62,7 @@ Patch36: cups-web-devices-timeout.patch Patch37: cups-synconclose.patch Patch38: cups-ypbind.patch Patch39: cups-moved-logs.patch +Patch40: cups-delete_invalid_attrs.patch Patch100: cups-lspp.patch @@ -267,6 +268,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results. # Move log files into journal (bug #1519331) %patch39 -p1 -b .moved-logs +%patch40 -p1 -b .dbus_notify + sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in # Log to the system journal by default (bug #1078781, bug #1519331). @@ -657,6 +660,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog +* Wed Mar 28 2018 Pavel Zhukov - 1:2.2.6-12 +- Fix for CVE-2017-18248 + * Wed Feb 28 2018 Zdenek Dohnal - 1:2.2.6-11 - remake of 1499261