From e97153e71876503cdd0d817d104933a62188b821 Mon Sep 17 00:00:00 2001
From: Jiri Popelka
Date: Jul 23 2014 15:27:07 +0000
Subject: Merge branch 'f20' into f21
---
diff --git a/cups-CVE-2014-5029-5030-5031.patch b/cups-CVE-2014-5029-5030-5031.patch
new file mode 100644
index 0000000..44c11b7
--- /dev/null
+++ b/cups-CVE-2014-5029-5030-5031.patch
@@ -0,0 +1,99 @@
+From d40220801eec992804cb728d51228d19496fffd9 Mon Sep 17 00:00:00 2001
+From: msweet
+Date: Tue, 22 Jul 2014 14:03:19 +0000
+Subject: [PATCH] Mirror changes from trunk.
+
+git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/branches/branch-1.7@12057 a1ca3aef-8c08-0410-bb20-df032aa958be
+---
+diff --git a/scheduler/client.c b/scheduler/client.c
+index e5959fa..366b351 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -3310,7 +3310,7 @@ get_file(cupsd_client_t *con, /* I - Client connection */
+ * then fallback to the default one...
+ */
+
+- if ((status = stat(filename, filestats)) != 0 && language[0] &&
++ if ((status = lstat(filename, filestats)) != 0 && language[0] &&
+ strncmp(con->uri, "/icons/", 7) &&
+ strncmp(con->uri, "/ppd/", 5) &&
+ strncmp(con->uri, "/rss/", 5) &&
+@@ -3408,13 +3408,13 @@ get_file(cupsd_client_t *con, /* I - Client connection */
+ plen = len - (ptr - filename);
+
+ strlcpy(ptr, "index.html", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+
+ #ifdef HAVE_JAVA
+ if (status)
+ {
+ strlcpy(ptr, "index.class", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ #endif /* HAVE_JAVA */
+
+@@ -3422,7 +3422,7 @@ get_file(cupsd_client_t *con, /* I - Client connection */
+ if (status)
+ {
+ strlcpy(ptr, "index.pl", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ #endif /* HAVE_PERL */
+
+@@ -3430,7 +3430,7 @@ get_file(cupsd_client_t *con, /* I - Client connection */
+ if (status)
+ {
+ strlcpy(ptr, "index.php", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ #endif /* HAVE_PHP */
+
+@@ -3438,18 +3438,39 @@ get_file(cupsd_client_t *con, /* I - Client connection */
+ if (status)
+ {
+ strlcpy(ptr, "index.pyc", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+
+ if (status)
+ {
+ strlcpy(ptr, "index.py", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ #endif /* HAVE_PYTHON */
+
+ }
+ while (status && language[0]);
++
++ /*
++ * If we've found a symlink, 404 the sucker to avoid disclosing information.
++ */
++
++ if (!status && S_ISLNK(filestats->st_mode))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
++ return (NULL);
++ }
++
++ /*
++ * Similarly, if the file/directory does not have world read permissions, do
++ * not allow access...
++ */
++
++ if (!status && !(filestats->st_mode & S_IROTH))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
++ return (NULL);
++ }
+ }
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG2,
+--
+1.9.3
+
diff --git a/cups-cgi.patch b/cups-cgi.patch
new file mode 100644
index 0000000..3e92757
--- /dev/null
+++ b/cups-cgi.patch
@@ -0,0 +1,17 @@
+diff -up cups-1.7.4/scheduler/client.c~ cups-1.7.4/scheduler/client.c
+--- cups-1.7.4/scheduler/client.c~ 2014-07-18 13:34:25.243248601 +0100
++++ cups-1.7.4/scheduler/client.c 2014-07-18 14:50:55.356614243 +0100
+@@ -3980,12 +3980,7 @@ pipe_command(cupsd_client_t *con, /* I -
+ argv[0] = command;
+
+ if (options)
+- {
+- commptr = options;
+- if (*commptr == ' ')
+- commptr ++;
+- strlcpy(argbuf, commptr, sizeof(argbuf));
+- }
++ strlcpy(argbuf, options, sizeof(argbuf));
+ else
+ argbuf[0] = '\0';
+
diff --git a/cups.spec b/cups.spec
index 076b03c..6b4761b 100644
--- a/cups.spec
+++ b/cups.spec
@@ -11,7 +11,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 1.7.4
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Url: http://www.cups.org/
 Source: http://www.cups.org/software/%{version}/cups-%{version}-source.tar.bz2
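Review bot: The symlink and `S_IROTH` tests added after the index lookup loop in the `@@ -3438` hunk judge the path as `lstat()` reported it, so they hold only if the file is later opened without resolving that name again; the open is not in this patch, and `get_file()` starts and ends outside the hunk. `lstat()` also looks only at the final path component, so a symlinked parent directory would presumably still pass both tests. I would add a comment on the two checks such as `/* lstat() sees only the last path component; re-check with fstat() after an O_NOFOLLOW open */` and confirm the caller that opens `filename` does exactly that. It is also worth confirming that the path returned when the first `lstat()` (the `@@ -3310` hunk) finds a plain file gets the same two tests, since only the placement after the index loop is visible here.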
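Review bot: The new `strlcpy(argbuf, options, sizeof(argbuf));` in `pipe_command()` discards its return value, so an `options` string longer than `argbuf` is handed to the CGI program silently truncated. I would test the result, `if (strlcpy(argbuf, options, sizeof(argbuf)) >= sizeof(argbuf))`, and log and refuse the request in that branch rather than run the command with a cut-off argument string. The hunk also removes the visible uses of `commptr`; its declaration and the rest of `pipe_command()` are outside the hunk, so check that the variable is still used elsewhere and drop it if not.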
@@ -65,6 +65,8 @@ Patch36: cups-web-devices-timeout.patch Patch37: cups-final-content-type.patch Patch38: cups-journal.patch Patch39: cups-synconclose.patch +Patch40: cups-cgi.patch +Patch41: cups-CVE-2014-5029-5030-5031.patch Patch100: cups-lspp.patch @@ -264,6 +266,10 @@ Sends IPP requests to the specified URI and tests and/or displays the results. %patch38 -p1 -b .journal # Set the default for SyncOnClose to Yes. %patch39 -p1 -b .synconclose +# Fix CGI handling (STR #4454). +%patch40 -p1 -b .cgi +# CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601) +%patch41 -p1 -b .CVE-2014-5029-5030-5031 %if %lspp # LSPP support. @@ -671,6 +677,12 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog +* Wed Jul 23 2014 Jiri Popelka - 1:1.7.4-3 +- CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601) + +* Wed Jul 23 2014 Tim Waugh - 1:1.7.4-2 +- Fix CGI handling (STR #4454). + * Mon Jul 14 2014 Jiri Popelka - 1:1.7.4-1 - 1.7.4: CVE-2014-3537