[cups/f19] CVE-2014-3537 (#1119303)

Jiří Popelka jpopelka at fedoraproject.org
Mon Jul 14 14:33:41 UTC 2014


commit 3a8cb74448c6b0b540d08ec9c732529d69c06e07
Author: Jiri Popelka <jpopelka at redhat.com>
Date:   Mon Jul 14 16:31:06 2014 +0200

    CVE-2014-3537 (#1119303)

 cups-CVE-2014-3537.patch |   58 ++++++++++++++++++++++++++++++++++++++++++++++
 cups.spec                |    8 +++++-
 2 files changed, 65 insertions(+), 1 deletions(-)
---
diff --git a/cups-CVE-2014-3537.patch b/cups-CVE-2014-3537.patch
new file mode 100644
index 0000000..7bf7b0b
--- /dev/null
+++ b/cups-CVE-2014-3537.patch
@@ -0,0 +1,58 @@
+From 031f71f0a807444f9ca6c4b549090624f57b4cd5 Mon Sep 17 00:00:00 2001
+From: msweet <msweet at a1ca3aef-8c08-0410-bb20-df032aa958be>
+Date: Thu, 3 Jul 2014 14:38:52 +0000
+Subject: [PATCH 2/6] Mirror fix from trunk.
+
+git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/branches/branch-1.7@11995 a1ca3aef-8c08-0410-bb20-df032aa958be
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 6f40585..8037b49 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -3327,7 +3327,7 @@ get_file(cupsd_client_t *con,		/* I  - Client connection */
+     if ((ptr = strchr(filename, '?')) != NULL)
+       *ptr = '\0';
+ 
+-    if ((status = stat(filename, filestats)) != 0)
++    if ((status = lstat(filename, filestats)) != 0)
+     {
+      /*
+       * Drop the language prefix and try the root directory...
+@@ -3339,12 +3339,33 @@ get_file(cupsd_client_t *con,		/* I  - Client connection */
+       if ((ptr = strchr(filename, '?')) != NULL)
+ 	*ptr = '\0';
+ 
+-      status = stat(filename, filestats);
++      status = lstat(filename, filestats);
+     }
+   }
+ 
+  /*
+-  * If we're found a directory, get the index.html file instead...
++  * If we've found a symlink, 404 the sucker to avoid disclosing information.
++  */
++
++  if (!status && S_ISLNK(filestats->st_mode))
++  {
++    cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
++    return (NULL);
++  }
++
++ /*
++  * Similarly, if the file/directory does not have world read permissions, do
++  * not allow access...
++  */
++
++  if (!status && !(filestats->st_mode & S_IROTH))
++  {
++    cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
++    return (NULL);
++  }
++
++ /*
++  * If we've found a directory, get the index.html file instead...
+   */
+ 
+   if (!status && S_ISDIR(filestats->st_mode))
+-- 
+1.9.3
+
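Review bot: The symlink and world-readable checks added in the second scheduler/client.c hunk run before the `S_ISDIR` branch that substitutes the index file, so whatever that branch resolves is not covered by them. The branch body is outside the hunk, so this is inferred from the ordering; if it still calls `stat()`, an index file that is a symlink or not world-readable would be served anyway. The index lookup should use `lstat()` as well, and the checks should be repeated on its result, e.g. `if (!status && (S_ISLNK(filestats->st_mode) || !(filestats->st_mode & S_IROTH))) return (NULL);`. Separately, `lstat()` inspects only the final path component and the file is presumably opened later by name, so a symlinked parent directory or a swap between check and open is not caught; opening with `O_NOFOLLOW` and validating the descriptor with `fstat()` would close that gap. get_file() begins and ends outside these hunks.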
diff --git a/cups.spec b/cups.spec
index 8ff2104..3bc0243 100644
--- a/cups.spec
+++ b/cups.spec
@@ -11,7 +11,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 1.6.4
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
 Url: http://www.cups.org/
@@ -74,6 +74,7 @@ Patch43: cups-str4380.patch
 Patch44: cups-str4366.patch
 Patch45: cups-str4332.patch
 Patch46: cups-str4356.patch
+Patch47: cups-CVE-2014-3537.patch
 
 Patch100: cups-lspp.patch
 
@@ -282,6 +283,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 %patch45 -p1 -b .str4332
 # Scheduler now blocks URLs containing embedded HTML (bug #1087123, STR #4356)
 %patch46 -p1 -b .str4356
+# CVE-2014-3537, STR #4450 (#1119303)
+%patch47 -p1 -b .CVE-2014-3537
 
 %if %lspp
 # LSPP support.
@@ -670,6 +673,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz
 
 %changelog
+* Mon Jul 14 2014 Jiri Popelka <jpopelka at redhat.com> - 1:1.6.4-6
+- CVE-2014-3537 (#1119303)
+
 * Mon Apr 14 2014 Jiri Popelka <jpopelka at redhat.com> - 1:1.6.4-5
 - Scheduler now blocks URLs containing embedded HTML (bug #1087123, STR #4356).
 

