From: Rohini Sangam <[email protected]>

CVE fixed:
- CVE-2024-35235: cups: Cupsd Listen arbitrary chmod 0140777
Upstream-Status: Backport from 
https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2,
 
https://github.com/OpenPrinting/cups/commit/e3952d3ecd231588bb382529281a294124db9348#diff-6fc0a5ba57f83c8177d28f44729276fe35fcaaceae8b774481e6973fcbdf733d

Signed-off-by: Rohini Sangam <[email protected]>
Signed-off-by: Siddharth Doshi <[email protected]>
Signed-off-by: Steve Sakoman <[email protected]>
---
 meta/recipes-extended/cups/cups.inc           |   1 +
 .../cups/cups/CVE-2024-35235.patch            | 121 ++++++++++++++++++
 2 files changed, 122 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-35235.patch

diff --git a/meta/recipes-extended/cups/cups.inc 
b/meta/recipes-extended/cups/cups.inc
index 047ab33898..6d5cf3b588 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -19,6 +19,7 @@ SRC_URI = 
"https://github.com/OpenPrinting/cups/releases/download/v${PV}/cups-${
            file://CVE-2023-34241.patch \
           file://CVE-2023-32360.patch \
           file://CVE-2023-4504.patch \
+          file://CVE-2024-35235.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases";
diff --git a/meta/recipes-extended/cups/cups/CVE-2024-35235.patch 
b/meta/recipes-extended/cups/cups/CVE-2024-35235.patch
new file mode 100644
index 0000000000..d7a2d426af
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2024-35235.patch
@@ -0,0 +1,121 @@
+From a436956f374b0fd7f5da9df482e4f5840fa1c0d2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <[email protected]>
+Date: Mon, 3 Jun 2024 18:53:58 +0200
+Subject: [PATCH] CVE-2024-35235: Fix domain socket handling
+
+- Check status of unlink and bind system calls.
+- Don't allow extra domain sockets when running from launchd/systemd.
+- Validate length of domain socket path (< sizeof(sun_path))
+
+Upstream-Status: Backport from 
https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2,
 
https://github.com/OpenPrinting/cups/commit/e3952d3ecd231588bb382529281a294124db9348#diff-6fc0a5ba57f83c8177d28f44729276fe35fcaaceae8b774481e6973fcbdf733d
+CVE: CVE-2024-35235
+
+Signed-off-by: Rohini Sangam <[email protected]>
+---
+ cups/debug-internal.h |  4 +--
+ cups/http-addr.c      | 36 ++++++++++---------
+ scheduler/conf.c      | 20 +++++++++++
+ 3 files changed, 41 insertions(+), 19 deletions(-)
+
+diff --git a/cups/debug-internal.h b/cups/debug-internal.h
+index 2b57854..2e1a56a 100644
+--- a/cups/debug-internal.h
++++ b/cups/debug-internal.h
+@@ -59,10 +59,10 @@ extern "C" {
+ 
+ #  ifdef DEBUG
+ #    define DEBUG_puts(x) _cups_debug_puts(x)
+-#    define DEBUG_printf(x) _cups_debug_printf x
++#    define DEBUG_printf(...) _cups_debug_printf(__VA_ARGS__)
+ #  else
+ #    define DEBUG_puts(x)
+-#    define DEBUG_printf(x)
++#    define DEBUG_printf(...)
+ #  endif /* DEBUG */
+ 
+ 
+diff --git a/cups/http-addr.c b/cups/http-addr.c
+index 114a644..610e9db 100644
+--- a/cups/http-addr.c
++++ b/cups/http-addr.c
+@@ -206,27 +206,29 @@ httpAddrListen(http_addr_t *addr,        /* I - Address 
to bind to */
+     * Remove any existing domain socket file...
+     */
+ 
+-    unlink(addr->un.sun_path);
+-
+-   /*
+-    * Save the current umask and set it to 0 so that all users can access
+-    * the domain socket...
+-    */
+-
+-    mask = umask(0);
++    if ((status = unlink(addr->un.sun_path)) < 0)
++    {
++      DEBUG_printf("1httpAddrListen: Unable to unlink \"%s\": %s", 
addr->un.sun_path, strerror(errno));
+ 
+-   /*
+-    * Bind the domain socket...
+-    */
++      if (errno == ENOENT)
++      status = 0;
++    }
+ 
+-    status = bind(fd, (struct sockaddr *)addr, 
(socklen_t)httpAddrLength(addr));
++    if (!status)
++    {
++      // Save the current umask and set it to 0 so that all users can access
++      // the domain socket...
++      mask = umask(0);
+ 
+-   /*
+-    * Restore the umask and fix permissions...
+-    */
++      // Bind the domain socket...
++      if ((status = bind(fd, (struct sockaddr *)addr, 
(socklen_t)httpAddrLength(addr))) < 0)
++      {
++      DEBUG_printf("1httpAddrListen: Unable to bind domain socket \"%s\": 
%s", addr->un.sun_path, strerror(errno));
++      }
+ 
+-    umask(mask);
+-    chmod(addr->un.sun_path, 0140777);
++      // Restore the umask...
++      umask(mask);
++    }
+   }
+   else
+ #endif /* AF_LOCAL */
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index 535d40f..3a2eec2 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -3074,6 +3074,26 @@ read_cupsd_conf(cups_file_t *fp)        /* I - File to 
read from */
+       cupsd_listener_t        *lis;           /* New listeners array */
+ 
+ 
++      /*
++      * If we are launched on-demand, do not use domain sockets from the 
config
++      * file.  Also check that the domain socket path is not too long...
++      */
++
++#ifdef HAVE_ONDEMAND
++      if (*value == '/' && OnDemand)
++      {
++        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d 
- only using domain socket from launchd/systemd.", line, value, linenum);
++        continue;
++      }
++#endif // HAVE_ONDEMAND
++
++      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 
1))
++      {
++        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - 
too long.", line, value, linenum);
++        continue;
++      }
++
+      /*
+       * Get the address list...
+       */
+-- 
+2.35.7
+
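Review bot: Callers that still use the double-parenthesis form `DEBUG_printf(("fmt", a))` would be miscompiled in DEBUG builds once the `debug-internal.h` hunk makes the macro variadic, because the expansion becomes `_cups_debug_printf(("fmt", a))` and the comma expression passes only its last operand as the format. The removed definition `_cups_debug_printf x` shows that form was the convention, and whether every caller in this CUPS version was converted is not visible here. It is safer to drop the header change and write the two new calls in the existing form, e.g. `DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));`. In the `httpAddrListen` hunk, `errno == ENOENT` is tested after the debug call, which in a DEBUG build may overwrite `errno`; test it before logging, or save it first with `int err = errno;`. The bodies of `httpAddrListen` and `read_cupsd_conf` start and end outside the hunks shown.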
-- 
2.34.1
