From b7d926d961ee6e862f5ae55c44d31ff28af18556 Mon Sep 17 00:00:00 2001 From: Pavel Zhukov Date: Mar 29 2018 10:11:30 +0000 Subject: Fix for CVE-2017-18248 (#1561296) --- diff --git a/cups-dbus_crash.patch b/cups-dbus_crash.patch new file mode 100644 index 0000000..02a674f --- /dev/null +++ b/cups-dbus_crash.patch @@ -0,0 +1,38 @@ +commit 49fa4983f25b64ec29d548ffa3b9782426007df3 +Author: Michael Sweet +Date: Mon Oct 23 16:23:43 2017 -0400 + + DBUS notifications could crash the scheduler (Issue #5143) + + - scheduler/ipp.c: Make sure requesting-user-name string is valid UTF-8. + +diff --git a/scheduler/ipp.c b/scheduler/ipp.c +index e6743cdcb..5cf980ab3 100644 +--- a/scheduler/ipp.c ++++ b/scheduler/ipp.c +@@ -1597,6 +1597,16 @@ add_job(cupsd_client_t *con, /* I - Client connection */ + return (NULL); + } + ++ attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME); ++ ++ if (attr && !ippValidateAttribute(attr)) ++ { ++ send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString()); ++ if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL) ++ attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP; ++ return (NULL); ++ } ++ + if ((job = cupsdAddJob(priority, printer->name)) == NULL) + { + send_ipp_status(con, IPP_INTERNAL_ERROR, +@@ -1615,8 +1625,6 @@ add_job(cupsd_client_t *con, /* I - Client connection */ + add_job_uuid(job); + apply_printer_defaults(printer, job); + +- attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME); +- + if (con->username[0]) + { + cupsdSetString(&job->username, con->username); diff --git a/cups.spec b/cups.spec index ce1d493..07b8fb7 100644 --- a/cups.spec +++ b/cups.spec @@ -15,7 +15,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.2.2 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2 Url: http://www.cups.org/ Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz 
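Review bot: In the embedded scheduler/ipp.c patch, the code after `apply_printer_defaults()` now depends on `attr` still pointing at the requesting-user-name attribute found before `cupsdAddJob()`, because the second hunk removes the later lookup on `job->attrs`, and nothing in the new code says so. The lines between the two hunks are not shown, so any reassignment of `attr` there would silently change which value the later username handling sees. A block comment above the new lookup would make the dependency and the reason for the early check explicit, e.g. `/* Reject a requesting-user-name that is not valid UTF-8 before the job is created (invalid strings could crash the scheduler via DBUS notifications); attr is reused further down. */`. The visible `con->username[0]` branch copies `con->username` into `job->username` without an equivalent check; whether that string is validated elsewhere cannot be told from these hunks and is worth confirming. add_job's body starts and ends outside both hunks.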
@@ -63,6 +63,7 @@ Patch35: cups-ipp-multifile.patch Patch36: cups-web-devices-timeout.patch Patch37: cups-synconclose.patch Patch39: cups-ypbind.patch +Patch40: cups-dbus_crash.patch Patch100: cups-lspp.patch @@ -258,12 +259,14 @@ Sends IPP requests to the specified URI and tests and/or displays the results. %patch37 -p1 -b .synconclose # CUPS may fail to start if NIS groups are used (bug #1494558) %patch39 -p1 -b .ypbind - +# https://bugzilla.redhat.com/show_bug.cgi?id=1561298 +%patch40 -p1 -b .dbus_notify %if %{lspp} # LSPP support. %patch100 -p1 -b .lspp %endif + sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in # Log to the system journal by default (bug #1078781). @@ -623,6 +626,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog +* Wed Mar 28 2018 Pavel Zhukov - 1:2.2.2-9 +- Fix for CVE-2017-18248 + * Fri Jan 12 2018 Zdenek Dohnal - 1:2.2.2-8 - 1437345 - Remove cups-resolv_reload.patch
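Review bot: The `%patch40` line in the %prep hunk is hard to trace back to the fix. Its backup suffix is `.dbus_notify` while the patch file is `cups-dbus_crash.patch`, and its comment is a bare URL for bug 1561298 while the commit subject cites #1561296 and the changelog entry names only CVE-2017-18248. Following the neighbouring entries, a descriptive comment and a matching suffix would help, e.g. `# DBUS notifications could crash the scheduler (CVE-2017-18248, bug #<BUG-ID>)` and `%patch40 -p1 -b .dbus_crash`, with the bug id confirmed against the tracker. The same hunk also drops the blank line before the new comment and adds one after `%endif`; that whitespace change is unrelated to the fix and could be left out.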