Hello community,

here is the log from the commit of package cups-filters for openSUSE:Factory 
checked in at 2023-05-18 15:18:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cups-filters (Old)
 and      /work/SRC/openSUSE:Factory/.cups-filters.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cups-filters"

Thu May 18 15:18:17 2023 rev:55 rq:1087538 version:1.28.15

Changes:
--------
--- /work/SRC/openSUSE:Factory/cups-filters/cups-filters.changes        
2023-03-03 22:24:17.446483325 +0100
+++ /work/SRC/openSUSE:Factory/.cups-filters.new.1533/cups-filters.changes      
2023-05-18 15:18:22.349563053 +0200
@@ -1,0 +2,15 @@
+Wed May 17 07:54:03 UTC 2023 - Johannes Meixner <jsm...@suse.com>
+
+- 
cups-filters-1.28.15-0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
+  
cups-filters-1.28.15-0002-beh-backend-Extra-checks-against-odd-forged-input-CVE-2023-24805.patch
+  
cups-filters-1.28.15-0003-beh-backend-Further-improvements-CVE-2023-24805.patch
+  are the upstream
+  0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
+  0002-beh-backend-Extra-checks-against-odd-forged-input-CVE-2023-24805.patch
+  0003-beh-backend-Further-improvements-CVE-2023-24805.patch
+  backported to cups-filters-1.28.15
+  to fix CVE-2023-24805: RCE in cups-filters, beh CUPS backend
+  (bsc#1211340) and
+  
https://github.com/OpenPrinting/cups-filters/commit/8f274035756c04efeb77eb654e9d4c4447287d65
+
+-------------------------------------------------------------------

New:
----
  
cups-filters-1.28.15-0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
  
cups-filters-1.28.15-0002-beh-backend-Extra-checks-against-odd-forged-input-CVE-2023-24805.patch
  
cups-filters-1.28.15-0003-beh-backend-Further-improvements-CVE-2023-24805.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cups-filters.spec ++++++
--- /var/tmp/diff_new_pack.kbtqmT/_old  2023-05-18 15:18:23.069566715 +0200
+++ /var/tmp/diff_new_pack.kbtqmT/_new  2023-05-18 15:18:23.073566734 +0200
@@ -58,6 +58,21 @@
 #   zypper vcmp '4.0.17.257' '4.0.17.256.1' -> 4.0.17.257 is newer than 
4.0.17.256.1
 %define foomatic_rip_version 4.0.17.256.1
 Patch1:         require_cxx17.patch
+# Patch2 
cups-filters-1.28.15-0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
+# is the upstream 
0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
+# backported to cups-filters-1.28.15
+# Patch3 
cups-filters-1.28.15-0002-beh-backend-Extra-checks-against-odd-forged-input-CVE-2023-24805.patch
+# is the upstream 
0002-beh-backend-Extra-checks-against-odd-forged-input-CVE-2023-24805.patch
+# backported to cups-filters-1.28.15
+# Patch4 
cups-filters-1.28.15-0003-beh-backend-Further-improvements-CVE-2023-24805.patch
+# is the upstream 0003-beh-backend-Further-improvements-CVE-2023-24805.patch
+# backported to cups-filters-1.28.15
+# Patch2 Patch3 Patch4 fix CVE-2023-24805: RCE in cups-filters, beh CUPS 
backend
+# https://bugzilla.suse.com/show_bug.cgi?id=1211340
+# 
https://github.com/OpenPrinting/cups-filters/commit/8f274035756c04efeb77eb654e9d4c4447287d65
+Patch2:         
cups-filters-1.28.15-0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
+Patch3:         
cups-filters-1.28.15-0002-beh-backend-Extra-checks-against-odd-forged-input-CVE-2023-24805.patch
+Patch4:         
cups-filters-1.28.15-0003-beh-backend-Further-improvements-CVE-2023-24805.patch
 # Support for cups154 in the SLE12 legacy module is abandoned (by default 
SLE12 has CUPS 1.7.5)
 # because newer cups-filters versions use stuff that is provided since CUPS > 
1.5.4 so that it does
 # no longer build with CUPS 1.5.4 so that cups-filters does not work with CUPS 
1.5.4:
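Review bot: Nothing in this hunk applies the three new patches: `Patch2:` to `Patch4:` are only declared here, and `%prep` lies outside the hunk and, as far as this page shows, is not changed by the commit. If `%prep` uses `%autosetup` or `%autopatch` they are picked up automatically. If it lists `%patch` lines one by one, the CVE-2023-24805 fixes would ship as sources without being applied. It is worth confirming in the build log that all three apply to backend/beh.c.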

++++++ 
cups-filters-1.28.15-0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
 ++++++
--- a/backend/beh.c     2019-06-06 15:17:11.000000000 +0200
+++ b/backend/beh.c     2023-05-15 16:06:14.493385265 +0200
@@ -22,6 +22,7 @@
 #include "backend-private.h"
 #include <cups/array.h>
 #include <ctype.h>
+#include <sys/wait.h>
 
 /*
  * Local globals...
@@ -213,10 +214,14 @@ call_backend(char *uri,
             char **argv,               /* I - Command-line arguments */
             char *filename) {          /* I - File name of input data */
   const char   *cups_serverbin;        /* Location of programs */
+  char          *backend_argv[8];       // Arguments for called CUPS backend
   char         scheme[1024],           /* Scheme from URI */
                 *ptr,                  /* Pointer into scheme */
-               cmdline[65536];         /* Backend command line */
-  int           retval;
+                backend_path[2048];    // Backend path
+  int           pid,
+                wait_pid,
+                wait_status,
+                retval = 0;
 
  /*
   * Build the backend command line...
@@ -235,16 +240,19 @@ call_backend(char *uri,
     fprintf(stderr,
            "ERROR: beh: Direct output into a file not supported.\n");
     exit (CUPS_BACKEND_FAILED);
-  } else
-    snprintf(cmdline, sizeof(cmdline),
-            "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
-            cups_serverbin, scheme, argv[1], argv[2], argv[3],
-            /* Apply number of copies only if beh was called with a
-               file name and not with the print data in stdin, as
-               backends should handle copies only if they are called
-               with a file name */
-            (argc == 6 ? "1" : argv[4]),
-            argv[5], filename);
+  }
+ 
+  backend_argv[0] = uri;
+  backend_argv[1] = argv[1];
+  backend_argv[2] = argv[2];
+  backend_argv[3] = argv[3];
+  backend_argv[4] = (argc == 6 ? "1" : argv[4]);
+  backend_argv[5] = argv[5];
+  backend_argv[6] = filename;
+  backend_argv[7] = NULL;
+
+  snprintf(backend_path, sizeof(backend_path),
+          "%s/backend/%s", cups_serverbin, scheme);
 
  /*
   * Overwrite the device URI and run the actual backend...
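Review bot: `backend_argv[6] = filename;` always passes the file name as a seventh argument, whereas the old shell command line dropped it when the string was empty. The debug print in the next hunk still guards against a NULL or empty `backend_argv[6]`, so if that case can occur (the caller is not visible here) the backend would now receive an empty file name instead of reading stdin; `backend_argv[6] = (filename && filename[0]) ? filename : NULL;` keeps the old behaviour. The comment explaining why the copies argument is forced to "1" when `argc == 6` was removed with the snprintf() call and should be kept above the `backend_argv[4]` assignment. call_backend() starts before and ends after this hunk.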
@@ -253,17 +261,41 @@ call_backend(char *uri,
   setenv("DEVICE_URI", uri, 1);
 
   fprintf(stderr,
-         "DEBUG: beh: Executing backend command line \"%s\"...\n",
-         cmdline);
+          "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s' 
'%s'%s%s\"...\n",
+         backend_path, backend_argv[1], backend_argv[2], backend_argv[3],
+         backend_argv[4], backend_argv[5],
+         (backend_argv[6] && backend_argv[6][0] ? " " : ""),
+         (backend_argv[6] && backend_argv[6][0] ? backend_argv[6] : ""));
   fprintf(stderr,
          "DEBUG: beh: Using device URI: %s\n",
          uri);
 
-  retval = system(cmdline) >> 8;
+  if ((pid = fork()) == 0)
+  {
+    retval = execv(backend_path, backend_argv);
 
-  if (retval == -1)
-    fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n",
-           strerror(errno));
+    if (retval == -1)
+      fprintf(stderr, "ERROR: Unable to execute backend: %s\n",
+             strerror(errno));
+    exit (CUPS_BACKEND_FAILED);
+  }
+  else if (pid < 0)
+  {
+    fprintf(stderr, "ERROR: Unable to fork for backend\n");
+    return (CUPS_BACKEND_FAILED);
+  }
+
+  while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR);
+
+  if (wait_pid >= 0 && wait_status)
+  {
+    if (WIFEXITED(wait_status))
+      retval = WEXITSTATUS(wait_status);
+    else if (WTERMSIG(wait_status) != SIGTERM)
+      retval = WTERMSIG(wait_status);
+    else
+      retval = 0;
+  }
 
   return (retval);
 }
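Review bot: `wait(&wait_status)` reaps whichever child exits first rather than the backend that was just forked, and when it fails for a reason other than EINTR `retval` keeps its initial 0, so a lost backend is reported as a successful job. Waiting on the specific child and failing closed fixes both: `while ((wait_pid = waitpid(pid, &wait_status, 0)) < 0 && errno == EINTR);` followed by `if (wait_pid < 0) retval = CUPS_BACKEND_FAILED;`. In the child branch, `exit (CUPS_BACKEND_FAILED)` after a failed execv() runs the parent's atexit handlers and flushes its inherited stdio buffers a second time; `_exit(CUPS_BACKEND_FAILED)` avoids that. Returning `WTERMSIG(wait_status)` also places a signal number in the CUPS backend exit-code space, which deserves a comment or a mapping to `CUPS_BACKEND_FAILED`. call_backend() starts before this hunk.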

++++++ 
cups-filters-1.28.15-0002-beh-backend-Extra-checks-against-odd-forged-input-CVE-2023-24805.patch
 ++++++
--- a/backend/beh.c     2023-05-15 16:06:14.493385265 +0200
+++ b/backend/beh.c     2023-05-15 16:32:17.990249265 +0200
@@ -222,16 +222,30 @@ call_backend(char *uri,
                 wait_pid,
                 wait_status,
                 retval = 0;
+  int           bytes;
 
  /*
   * Build the backend command line...
   */
 
+  scheme[0] = '\0';
   strncpy(scheme, uri, sizeof(scheme) - 1);
-  if (strlen(uri) > 1023)
-    scheme[1023] = '\0';
+  if (strlen(uri) > sizeof(scheme) - 1)
+    scheme[sizeof(scheme) - 1] = '\0';
   if ((ptr = strchr(scheme, ':')) != NULL)
     *ptr = '\0';
+  else
+  {
+    fprintf(stderr,
+           "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme 
part.\n");
+    exit (CUPS_BACKEND_FAILED);
+  }
+  if (strchr(scheme, '/'))
+  {
+    fprintf(stderr,
+           "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
+    exit (CUPS_BACKEND_FAILED);
+  }
 
   if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
     cups_serverbin = CUPS_SERVERBIN;
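Review bot: The scheme is validated with a denylist (a colon must be present, no '/'), so an empty scheme from a URI that starts with ':' passes and the backend path becomes the `backend/` directory itself. Patch 0003's hunk at `@@ -246,7 +244,13 @@` extends the same denylist with "." and ".." but still misses the empty case. The minimal fix is `if (!scheme[0] || strchr(scheme, '/'))`. A stricter option is to accept only the characters a URI scheme may contain (letters, digits, '+', '-', '.') and reject everything else, which makes the separate slash and dot checks unnecessary. call_backend() starts before and ends after this hunk.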
@@ -251,8 +265,15 @@ call_backend(char *uri,
   backend_argv[6] = filename;
   backend_argv[7] = NULL;
 
-  snprintf(backend_path, sizeof(backend_path),
-          "%s/backend/%s", cups_serverbin, scheme);
+  bytes = snprintf(backend_path, sizeof(backend_path),
+                  "%s/backend/%s", cups_serverbin, scheme);
+  if (bytes < 0 || bytes >= sizeof(backend_path))
+  {
+    fprintf(stderr,
+           "ERROR: beh: Invalid scheme (\"%s\"), could not determing backend 
path.\n",
+           scheme);
+    exit (CUPS_BACKEND_FAILED);
+  }
 
  /*
   * Overwrite the device URI and run the actual backend...
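Review bot: The truncation error blames the scheme, but `scheme` is at most 1023 bytes and `backend_path` holds 2048, so the check can only fire when the `CUPS_SERVERBIN` value is overlong. The message should say so, for example `"ERROR: beh: Backend path for scheme \"%s\" is too long.\n"`, which also removes the "determing" typo. `bytes >= sizeof(backend_path)` compares an int with a size_t; it is correct only because `bytes < 0` is tested first, and `(size_t)bytes >= sizeof(backend_path)` makes that explicit and keeps -Wsign-compare quiet.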

++++++ 
cups-filters-1.28.15-0003-beh-backend-Further-improvements-CVE-2023-24805.patch 
++++++
--- a/backend/beh.c     2023-05-15 16:32:17.990249265 +0200
+++ b/backend/beh.c     2023-05-15 16:44:07.347708805 +0200
@@ -28,7 +28,7 @@
  * Local globals...
  */
 
-static int             job_canceled = 0; /* Set to 1 on SIGTERM */
+static volatile int    job_canceled = 0; /* Set to 1 on SIGTERM */
 
 /*
  * Local functions...
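Review bot: `volatile int` is not the type the C standard guarantees for an object written in a signal handler and read in the main flow; that type is `volatile sig_atomic_t`. Suggested declaration: `static volatile sig_atomic_t job_canceled = 0; /* Set to 1 on SIGTERM */`. This needs `<signal.h>`, which is presumably already included since the file installs a SIGTERM handler, but the include block is only partly visible here.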
@@ -229,9 +229,7 @@ call_backend(char *uri,
   */
 
   scheme[0] = '\0';
-  strncpy(scheme, uri, sizeof(scheme) - 1);
-  if (strlen(uri) > sizeof(scheme) - 1)
-    scheme[sizeof(scheme) - 1] = '\0';
+  strncat(scheme, uri, sizeof(scheme) - 1);
   if ((ptr = strchr(scheme, ':')) != NULL)
     *ptr = '\0';
   else
@@ -246,7 +244,13 @@ call_backend(char *uri,
            "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
     exit (CUPS_BACKEND_FAILED);
   }
-
+  if (!strcmp(scheme, ".") || !strcmp(scheme, ".."))
+  {
+    fprintf(stderr,
+           "ERROR: beh: Invalid URI, scheme (\"%s\") is a directory.\n",
+           scheme);
+    exit (CUPS_BACKEND_FAILED);
+  }
   if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
     cups_serverbin = CUPS_SERVERBIN;
 
@@ -330,8 +334,10 @@ static void
 sigterm_handler(int sig) {             /* I - Signal number (unused) */
   (void)sig;
 
-  fprintf(stderr,
-         "DEBUG: beh: Job canceled.\n");
+  const char * const msg = "DEBUG: beh: Job canceled.\n";
+  // The if() is to eliminate the return value and silence the warning
+  // about an unused return value.
+  if (write(2, msg, strlen(msg)));
 
   if (job_canceled)
     _exit(CUPS_BACKEND_OK);
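Review bot: The handler now calls write(), which can overwrite `errno` in code that was interrupted between a failing call and its errno test; call_backend()'s wait loop tests `errno == EINTR` and is one such place. Save and restore it around the body: `int saved_errno = errno;` as the first statement and `errno = saved_errno;` before the handler returns. The empty `if (write(2, msg, strlen(msg)));` is easy to misread; assigning the result to a variable that is then cast to void, and using `STDERR_FILENO` instead of 2, says the same thing more plainly. The handler's body continues past the end of this hunk.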
