commit:     d8827cf3d0bb159273e683698824d4572882af9e
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Wed May 24 08:00:01 2023 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Wed May 24 08:04:46 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8827cf3

net-print/cups-filters: apply patch for CVE-2023-24805

Bug: https://bugs.gentoo.org/906944
Signed-off-by: Matthias Maier <tamiko <AT> gentoo.org>

 .../cups-filters/cups-filters-1.28.17-r2.ebuild    | 150 ++++++++++++++
 .../cups-filters-1.28.17-CVE-2023-24805.patch      | 225 +++++++++++++++++++++
 2 files changed, 375 insertions(+)

diff --git a/net-print/cups-filters/cups-filters-1.28.17-r2.ebuild 
b/net-print/cups-filters/cups-filters-1.28.17-r2.ebuild
new file mode 100644
index 000000000000..95c9acf0f386
--- /dev/null
+++ b/net-print/cups-filters/cups-filters-1.28.17-r2.ebuild
@@ -0,0 +1,150 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+GENTOO_DEPEND_ON_PERL=no
+inherit perl-module systemd flag-o-matic
+
+DESCRIPTION="Cups filters"
+HOMEPAGE="https://wiki.linuxfoundation.org/openprinting/cups-filters";
+SRC_URI="
+       
https://github.com/OpenPrinting/cups-filters/releases/download/${PV}/${P}.tar.xz
+       https://www.openprinting.org/download/${PN}/${P}.tar.xz
+"
+
+LICENSE="MIT GPL-2"
+SLOT="0"
+IUSE="dbus exif +foomatic jpeg ldap pclm pdf perl png +postscript test tiff 
zeroconf"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 
~riscv ~s390 ~sparc ~x86"
+
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+       >=app-text/poppler-0.32[cxx,jpeg?,lcms,tiff?,utils]
+       >=app-text/qpdf-8.3.0:=
+       dev-libs/glib:2
+       media-libs/fontconfig
+       media-libs/freetype:2
+       media-libs/lcms:2
+       >=net-print/cups-1.7.3
+       !<=net-print/cups-1.5.9999
+       sys-devel/bc
+       sys-libs/zlib
+       exif? ( media-libs/libexif )
+       dbus? ( sys-apps/dbus )
+       foomatic? ( !net-print/foomatic-filters )
+       jpeg? ( media-libs/libjpeg-turbo:= )
+       ldap? ( net-nds/openldap:= )
+       pdf? ( app-text/mupdf:= )
+       perl? ( dev-lang/perl:= )
+       png? ( media-libs/libpng:= )
+       postscript? ( >=app-text/ghostscript-gpl-9.09[cups] )
+       tiff? ( media-libs/tiff:= )
+       zeroconf? ( net-dns/avahi[dbus] )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+       dev-util/gdbus-codegen
+       >=sys-devel/gettext-0.18.3
+       virtual/pkgconfig
+       test? ( media-fonts/dejavu )
+"
+
+PATCHES=(
+       "${FILESDIR}"/${PN}-1.28.17-c++17.patch
+       "${FILESDIR}"/${PN}-1.28.17-CVE-2023-24805.patch
+)
+
+src_configure() {
+       # Bug #898156
+       append-cxxflags -std=c++17
+
+       local myeconfargs=(
+               --enable-imagefilters
+               --localstatedir="${EPREFIX}"/var
+               --with-browseremoteprotocols=DNSSD,CUPS
+               --with-cups-rundir="${EPREFIX}"/run/cups
+               --with-fontdir="fonts/conf.avail"
+               --with-pdftops=pdftops
+               --with-rcdir=no
+               --without-php
+
+               $(use_enable exif)
+               $(use_enable dbus)
+               $(use_enable foomatic)
+               $(use_enable ldap)
+               $(use_enable pclm)
+               $(use_enable pdf mutool)
+               $(use_enable postscript ghostscript)
+               $(use_enable zeroconf avahi)
+               $(use_with jpeg)
+               $(use_with png)
+               $(use_with tiff)
+       )
+
+       econf "${myeconfargs[@]}"
+
+       if use perl; then
+               pushd "${S}"/scripting/perl > /dev/null || die
+               perl-module_src_configure
+               popd > /dev/null || die
+       fi
+}
+
+src_compile() {
+       default
+
+       if use perl; then
+               pushd "${S}"/scripting/perl > /dev/null || die
+               perl-module_src_compile
+               popd > /dev/null || die
+       fi
+}
+
+src_test() {
+       # Avoid perl-module_src_test
+       default
+
+       if use perl; then
+               pushd "${S}/scripting/perl" > /dev/null || die
+               perl-module_src_test
+               popd > /dev/null || die
+       fi
+}
+
+src_install() {
+       default
+
+       if use perl; then
+               pushd "${S}"/scripting/perl > /dev/null || die
+               perl-module_src_install
+               perl_delete_localpod
+               popd > /dev/null || die
+       fi
+
+       if use postscript; then
+               # workaround: some printer drivers still require pstoraster and 
pstopxl, bug #383831
+               dosym gstoraster /usr/libexec/cups/filter/pstoraster
+               dosym gstopxl /usr/libexec/cups/filter/pstopxl
+       fi
+
+       find "${ED}" \( -name "*.a" -o -name "*.la" \) -delete || die
+
+       cp "${FILESDIR}"/cups-browsed.init.d-r2 "${T}"/cups-browsed || die
+
+       if ! use zeroconf ; then
+               sed -i -e 's:need cupsd avahi-daemon:need cupsd:g' 
"${T}"/cups-browsed || die
+               sed -i -e 's:cups\.service 
avahi-daemon\.service:cups.service:g' "${S}"/utils/cups-browsed.service || die
+       fi
+
+       doinitd "${T}"/cups-browsed
+       systemd_dounit "${S}"/utils/cups-browsed.service
+}
+
+pkg_postinst() {
+       if ! use foomatic ; then
+               ewarn "You are disabling the foomatic code in cups-filters. 
Please do that ONLY if absolutely"
+               ewarn "necessary. net-print/foomatic-filters as a replacement 
is deprecated and unmaintained."
+       fi
+}

diff --git 
a/net-print/cups-filters/files/cups-filters-1.28.17-CVE-2023-24805.patch 
b/net-print/cups-filters/files/cups-filters-1.28.17-CVE-2023-24805.patch
new file mode 100644
index 000000000000..58b562504d0d
--- /dev/null
+++ b/net-print/cups-filters/files/cups-filters-1.28.17-CVE-2023-24805.patch
@@ -0,0 +1,225 @@
+Modified version from:
+
+  https://packages.debian.org/de/sid/cups-filters
+
+  From: Thorsten Alteholz <deb...@alteholz.de>
+  Date: Fri, 19 May 2023 10:49:35 +0200
+  Subject: fix CVE-2023-24805
+
+Original patch:
+
+https://github.com/OpenPrinting/cups-filters/commit/8f274035756c04efeb77eb654e9d4c4447287d65
+
+From 8f274035756c04efeb77eb654e9d4c4447287d65 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppe...@gmail.com>
+Date: Wed, 17 May 2023 11:12:37 +0200
+Subject: [PATCH] Merge pull request from GHSA-gpxc-v2m8-fr3x
+
+* beh backend: Use execv() instead of system() - CVE-2023-24805
+
+With execv() command line arguments are passed as separate strings and
+not the full command line in a single string. This prevents arbitrary
+command execution by escaping the quoting of the arguments in a job
+with forged job title.
+
+* beh backend: Extra checks against odd/forged input - CVE-2023-24805
+
+- Do not allow '/' in the scheme of the URI (= backend executable
+  name), to assure that only backends inside /usr/lib/cups/backend/
+  are used.
+
+- Pre-define scheme buffer to empty string, to be defined for case of
+  uri being NULL.
+
+- URI must have ':', to split off scheme, otherwise error.
+
+- Check return value of snprintf() to create call path for backend, to
+  error out on truncation of a too long scheme or on complete failure
+  due to a completely odd scheme.
+
+* beh backend: Further improvements - CVE-2023-24805
+
+- Use strncat() instead of strncpy() for getting scheme from URI, the latter
+  does not require setting terminating zero byte in case of truncation.
+
+- Also exclude "." or ".." as scheme, as directories are not valid CUPS
+  backends.
+
+- Do not use fprintf() in sigterm_handler(), to not interfere with a
+  fprintf() which could be running in the main process when
+  sigterm_handler() is triggered.
+
+- Use "static volatile int" for global variable job_canceled.
+
+---
+ backend/beh.c | 107 +++++++++++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 84 insertions(+), 23 deletions(-)
+
+diff --git a/backend/beh.c b/backend/beh.c
+index 225fd27..8d51235 100644
+--- a/backend/beh.c
++++ b/backend/beh.c
+@@ -22,12 +22,13 @@
+ #include "backend-private.h"
+ #include <cups/array.h>
+ #include <ctype.h>
++#include <sys/wait.h>
+ 
+ /*
+  * Local globals...
+  */
+ 
+-static int            job_canceled = 0; /* Set to 1 on SIGTERM */
++static volatile int   job_canceled = 0; /* Set to 1 on SIGTERM */
+ 
+ /*
+  * Local functions...
+@@ -213,21 +214,40 @@ call_backend(char *uri,                 /* I - URI of 
final destination */
+            char **argv,               /* I - Command-line arguments */
+            char *filename) {          /* I - File name of input data */
+   const char  *cups_serverbin;        /* Location of programs */
++  char          *backend_argv[8];     /* Arguments for backend */
+   char                scheme[1024],           /* Scheme from URI */
+                 *ptr,                 /* Pointer into scheme */
+-              cmdline[65536];         /* Backend command line */
+-  int           retval;
++              backend_path[2048];     /* Backend path */
++  int           pid = 0,              /* Process ID of backend */
++                wait_pid,             /* Process ID from wait() */
++                wait_status,          /* Status from child */
++                retval = 0;
++  int           bytes;
+ 
+  /*
+   * Build the backend command line...
+   */
+ 
+-  strncpy(scheme, uri, sizeof(scheme) - 1);
+-  if (strlen(uri) > 1023)
+-    scheme[1023] = '\0';
++  scheme[0] = '\0';
++  strncat(scheme, uri, sizeof(scheme) - 1);
+   if ((ptr = strchr(scheme, ':')) != NULL)
+     *ptr = '\0';
+-
++  else {
++    fprintf(stderr,
++          "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme 
part.\n");
++    exit (CUPS_BACKEND_FAILED);
++  }
++  if (strchr(scheme, '/')) {
++    fprintf(stderr,
++          "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
++    exit (CUPS_BACKEND_FAILED);
++  }
++  if (!strcmp(scheme, ".") || !strcmp(scheme, "..")) {
++    fprintf(stderr,
++          "ERROR: beh: Invalid URI, scheme (\"%s\") is a directory.\n",
++          scheme);
++    exit (CUPS_BACKEND_FAILED);
++  }
+   if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
+     cups_serverbin = CUPS_SERVERBIN;
+ 
+@@ -235,16 +255,29 @@ call_backend(char *uri,                 /* I - URI of 
final destination */
+     fprintf(stderr,
+           "ERROR: beh: Direct output into a file not supported.\n");
+     exit (CUPS_BACKEND_FAILED);
+-  } else
+-    snprintf(cmdline, sizeof(cmdline),
+-           "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
+-           cups_serverbin, scheme, argv[1], argv[2], argv[3],
+-           /* Apply number of copies only if beh was called with a
+-              file name and not with the print data in stdin, as
+-              backends should handle copies only if they are called
+-              with a file name */
+-           (argc == 6 ? "1" : argv[4]),
+-           argv[5], filename);
++  }
++
++  backend_argv[0] = uri;
++  backend_argv[1] = argv[1];
++  backend_argv[2] = argv[2];
++  backend_argv[3] = argv[3];
++  /* Apply number of copies only if beh was called with a file name
++     and not with the print data in stdin, as backends should handle
++     copies only if they are called with a file name */
++  backend_argv[4] = (argc == 6 ? "1" : argv[4]);
++  backend_argv[5] = argv[5];
++  backend_argv[6] = filename;
++  backend_argv[7] = NULL;
++
++  bytes = snprintf(backend_path, sizeof(backend_path),
++                 "%s/backend/%s", cups_serverbin, scheme);
++  if (bytes < 0 || bytes >= sizeof(backend_path))
++  {
++    fprintf(stderr,
++          "ERROR: beh: Invalid scheme (\"%s\"), could not determing backend 
path.\n",
++          scheme);
++    return (CUPS_BACKEND_FAILED);
++  }
+ 
+  /*
+   * Overwrite the device URI and run the actual backend...
+@@ -253,18 +286,44 @@ call_backend(char *uri,                 /* I - URI of 
final destination */
+   setenv("DEVICE_URI", uri, 1);
+ 
+   fprintf(stderr,
+-        "DEBUG: beh: Executing backend command line \"%s\"...\n",
+-        cmdline);
++        "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s' 
'%s' %s\"...\n",
++        backend_path, backend_argv[1], backend_argv[2], backend_argv[3],
++        backend_argv[4], backend_argv[5], backend_argv[6]);
+   fprintf(stderr,
+         "DEBUG: beh: Using device URI: %s\n",
+         uri);
+ 
+-  retval = system(cmdline) >> 8;
++  if ((pid = fork()) == 0) {
++   /*
++    * Child comes here...
++    */
++
++    /* Run the backend */
++    execv(backend_path, backend_argv);
+ 
+-  if (retval == -1)
+     fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n",
+           strerror(errno));
+ 
++    exit(1);
++  } else if (pid < 0) {
++   /*
++    * Unable to fork!
++    */
++
++    return (CUPS_BACKEND_FAILED);
++  }
++
++  while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR);
++
++  if (wait_pid >= 0 && wait_status) {
++    if (WIFEXITED(wait_status))
++      retval = WEXITSTATUS(wait_status);
++    else if (WTERMSIG(wait_status) != SIGTERM)
++      retval = WTERMSIG(wait_status);
++    else
++      retval = 0;
++  }
++
+   return (retval);
+ }
+ 
+@@ -277,8 +336,10 @@ static void
+ sigterm_handler(int sig) {            /* I - Signal number (unused) */
+   (void)sig;
+ 
+-  fprintf(stderr,
+-        "DEBUG: beh: Job canceled.\n");
++  const char * const msg = "DEBUG: beh: Job canceled.\n";
++  /* The if() is to eliminate the return value and silence the warning
++     about an unused return value. */
++  if (write(2, msg, strlen(msg)));
+ 
+   if (job_canceled)
+     _exit(CUPS_BACKEND_OK);
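Review bot: In the vendored patch's new wait loop in call_backend, a wait() failure with any errno other than EINTR (ECHILD, for instance) leaves wait_pid negative and retval at its initial 0, so the job is reported as successful although the backend's exit status was never collected; a guard such as `if (wait_pid < 0) return (CUPS_BACKEND_FAILED);` placed before the `if (wait_pid >= 0 && wait_status)` check would close that gap. In the child branch, `exit(1)` after a failed execv() runs the inherited atexit handlers and flushes the parent's stdio buffers, which can duplicate already-buffered output; `_exit(CUPS_BACKEND_FAILED);` is the conventional form in a forked child and reuses the constant the function's other failure paths already use. The error string added next to the snprintf() check misspells "determine" as `determing`. These remarks concern the embedded upstream patch as carried here; call_backend's opening lines and parts of its body lie outside the hunks shown, so the unshown portions are not reviewed.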
