[cups/f19] CVE-2014-3537 (#1119303)
Jiří Popelka
jpopelka at fedoraproject.org
Mon Jul 14 14:33:41 UTC 2014
commit 3a8cb74448c6b0b540d08ec9c732529d69c06e07
Author: Jiri Popelka <jpopelka at redhat.com>
Date: Mon Jul 14 16:31:06 2014 +0200
CVE-2014-3537 (#1119303)
cups-CVE-2014-3537.patch | 58 ++++++++++++++++++++++++++++++++++++++++++++++
cups.spec | 8 +++++-
2 files changed, 65 insertions(+), 1 deletions(-)
---
diff --git a/cups-CVE-2014-3537.patch b/cups-CVE-2014-3537.patch
new file mode 100644
index 0000000..7bf7b0b
--- /dev/null
+++ b/cups-CVE-2014-3537.patch
@@ -0,0 +1,58 @@
+From 031f71f0a807444f9ca6c4b549090624f57b4cd5 Mon Sep 17 00:00:00 2001
+From: msweet <msweet at a1ca3aef-8c08-0410-bb20-df032aa958be>
+Date: Thu, 3 Jul 2014 14:38:52 +0000
+Subject: [PATCH 2/6] Mirror fix from trunk.
+
+git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/branches/branch-1.7@11995 a1ca3aef-8c08-0410-bb20-df032aa958be
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 6f40585..8037b49 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -3327,7 +3327,7 @@ get_file(cupsd_client_t *con, /* I - Client connection */
+ if ((ptr = strchr(filename, '?')) != NULL)
+ *ptr = '\0';
+
+- if ((status = stat(filename, filestats)) != 0)
++ if ((status = lstat(filename, filestats)) != 0)
+ {
+ /*
+ * Drop the language prefix and try the root directory...
+@@ -3339,12 +3339,33 @@ get_file(cupsd_client_t *con, /* I - Client connection */
+ if ((ptr = strchr(filename, '?')) != NULL)
+ *ptr = '\0';
+
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ }
+
+ /*
+- * If we're found a directory, get the index.html file instead...
++ * If we've found a symlink, 404 the sucker to avoid disclosing information.
++ */
++
++ if (!status && S_ISLNK(filestats->st_mode))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
++ return (NULL);
++ }
++
++ /*
++ * Similarly, if the file/directory does not have world read permissions, do
++ * not allow access...
++ */
++
++ if (!status && !(filestats->st_mode & S_IROTH))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
++ return (NULL);
++ }
++
++ /*
++ * If we've found a directory, get the index.html file instead...
+ */
+
+ if (!status && S_ISDIR(filestats->st_mode))
+--
+1.9.3
+
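Review bot: The symlink and world-read checks added before the `S_ISDIR` test in get_file() cover only the path that `lstat()` was called on, and the directory branch that substitutes index.html begins on the last line of this hunk and continues outside it. If that branch still resolves the index file with `stat()`, a symlinked or non-world-readable index file would not be rejected. It should use `lstat()` and repeat both checks, e.g. `if (!status && (S_ISLNK(filestats->st_mode) || !(filestats->st_mode & S_IROTH))) return (NULL);`. Separately, `lstat()` inspects only the final path component and the file is presumably opened later by name, so the check and the open can disagree. Opening with `O_NOFOLLOW` and calling `fstat()` on the descriptor would tie the check to the object actually served, if the caller's structure allows it.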
diff --git a/cups.spec b/cups.spec
index 8ff2104..3bc0243 100644
--- a/cups.spec
+++ b/cups.spec
@@ -11,7 +11,7 @@ Summary: CUPS printing system
Name: cups
Epoch: 1
Version: 1.6.4
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv2
Group: System Environment/Daemons
Url: http://www.cups.org/
@@ -74,6 +74,7 @@ Patch43: cups-str4380.patch
Patch44: cups-str4366.patch
Patch45: cups-str4332.patch
Patch46: cups-str4356.patch
+Patch47: cups-CVE-2014-3537.patch
Patch100: cups-lspp.patch
@@ -282,6 +283,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
%patch45 -p1 -b .str4332
# Scheduler now blocks URLs containing embedded HTML (bug #1087123, STR #4356)
%patch46 -p1 -b .str4356
+# CVE-2014-3537, STR #4450 (#1119303)
+%patch47 -p1 -b .CVE-2014-3537
%if %lspp
# LSPP support.
@@ -670,6 +673,9 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man5/ipptoolfile.5.gz
%changelog
+* Mon Jul 14 2014 Jiri Popelka <jpopelka at redhat.com> - 1:1.6.4-6
+- CVE-2014-3537 (#1119303)
+
* Mon Apr 14 2014 Jiri Popelka <jpopelka at redhat.com> - 1:1.6.4-5
- Scheduler now blocks URLs containing embedded HTML (bug #1087123, STR #4356).