Hello community, here is the log from the commit of package cups for openSUSE:Factory checked in at 2014-09-04 07:55:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cups (Old) and /work/SRC/openSUSE:Factory/.cups.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cups" Changes: -------- --- /work/SRC/openSUSE:Factory/cups/cups.changes 2014-05-27 07:09:12.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.cups.new/cups.changes 2014-09-04 07:55:53.000000000 +0200 @@ -1,0 +2,19 @@ +Tue Sep 2 15:48:23 CEST 2014 - [email protected] + +- Let fdupes only create symlinks in /usr/share/cups/templates/ to + avoid a symlink /usr/share/cups/webcontent/images/cups-icon.png + because the cupsd web server does no longer follow symlinks + to avoid the security issues mentioned in the previous entry + below (fixes bnc#892587 a regression of bnc#887240). + +------------------------------------------------------------------- +Tue Sep 2 15:26:36 CEST 2014 - [email protected] + +- str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch + fixes that the web interface incorrectly served symlinked files + and files that were not world-readable, potentially leading to + a disclosure of information (CVE-2014-3537 STR #4450 plus the + subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455 + all in bnc#887240). + +------------------------------------------------------------------- New: ---- str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cups.spec ++++++ --- /var/tmp/diff_new_pack.75vzNd/_old 2014-09-04 07:55:54.000000000 +0200 +++ /var/tmp/diff_new_pack.75vzNd/_new 2014-09-04 07:55:54.000000000 +0200 @@ -222,6 +222,11 @@ Patch114: str4351.patch # Patch115 fixes STR #4388: no or malformed output from lpstat in charset other than utf-8 Patch115: cups-1.5.4-strftime.patch +# Patch116 fixes that the web interface incorrectly served symlinked files +# and files that were not world-readable, potentially leading to +# a disclosure of information (CVE-2014-3537 STR #4450 bnc#887240 +# plus the subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455): +Patch116: str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch # Install into this non-root directory (required when norootforbuild is used): BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -386,6 +391,11 @@ %patch114 # Patch115 fixes STR #4388: no or malformed output from lpstat in charset other than utf-8 %patch115 -p1 +# Patch116 fixes that the web interface incorrectly served symlinked files +# and files that were not world-readable, potentially leading to +# a disclosure of information (CVE-2014-3537 STR #4450 bnc#887240 +# plus the subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455): +%patch116 %build # Disable SILENT run of make so that make runs verbose as usual: @@ -576,8 +586,14 @@ # compare https://bugzilla.novell.com/show_bug.cgi?id=784869 # so that fdupes can only run for specific directories where linking files is safe. # Using fdupes -s, which will create symlinks that are easier to grasp for rpm and -# rpmlint will give a "dangling symlink" error if the file and link ended up in different packages: -%fdupes -s %{buildroot}/%{_datadir}/cups +# rpmlint will give a "dangling symlink" error if the file and link ended up in different packages. +# All symlinks created by fdupes are in /usr/share/cups/templates/ +# except /usr/share/cups/webcontent/images/cups-icon.png -> /usr/share/cups/webcontent/images/cups.png +# but that one must not be a symlink because since CUPS 1.7.4/1.7.5 the cupsd web server does no longer +# follow symlink to avoid security issues (see bnc#892587 and bnc#887240 and and the upstream +# issues http://www.cups.org/str.php?L4450 and https://www.cups.org/str.php?L4455) +# so that fdupes should only create symlinks in /usr/share/cups/templates/: +%fdupes -s %{buildroot}/%{_datadir}/cups/templates %pre # Use a real bash script with an explicit "exit 0" at the end to be by default fail safe ++++++ str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch ++++++ --- scheduler/client.c.orig 2014-09-02 11:26:57.000000000 +0200 +++ scheduler/client.c 2014-09-02 12:35:05.000000000 +0200 @@ -3672,51 +3672,72 @@ get_file(cupsd_client_t *con, /* I - C if ((ptr = strchr(filename, '?')) != NULL) *ptr = '\0'; /* * Grab the status for this language; if there isn't a language-specific file * then fallback to the default one... */ - if ((status = stat(filename, filestats)) != 0 && language[0] && + if ((status = lstat(filename, filestats)) != 0 && language[0] && strncmp(con->uri, "/icons/", 7) && strncmp(con->uri, "/ppd/", 5) && strncmp(con->uri, "/rss/", 5) && strncmp(con->uri, "/admin/conf/", 12) && strncmp(con->uri, "/admin/log/", 11)) { /* * Drop the country code... */ language[3] = '\0'; snprintf(filename, len, "%s%s%s", DocumentRoot, language, con->uri); if ((ptr = strchr(filename, '?')) != NULL) *ptr = '\0'; - if ((status = stat(filename, filestats)) != 0) + if ((status = lstat(filename, filestats)) != 0) { /* * Drop the language prefix and try the root directory... */ language[0] = '\0'; snprintf(filename, len, "%s%s", DocumentRoot, con->uri); if ((ptr = strchr(filename, '?')) != NULL) *ptr = '\0'; - status = stat(filename, filestats); + status = lstat(filename, filestats); } } /* - * If we're found a directory, get the index.html file instead... + * If we've found a symlink, 404 the sucker to avoid disclosing information. + */ + + if (!status && S_ISLNK(filestats->st_mode)) + { + cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename); + return (NULL); + } + + /* + * Similarly, if the file/directory does not have world read permissions, do + * not allow access... + */ + + if (!status && !(filestats->st_mode & S_IROTH)) + { + cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename); + return (NULL); + } + + /* + * If we've found a directory, get the index.html file instead... */ if (!status && S_ISDIR(filestats->st_mode)) { /* * Make sure the URI ends with a slash... */ @@ -3749,58 +3770,79 @@ get_file(cupsd_client_t *con, /* I - C if ((ptr = strchr(filename, '?')) != NULL) *ptr = '\0'; ptr = filename + strlen(filename); plen = len - (ptr - filename); strlcpy(ptr, "index.html", plen); - status = stat(filename, filestats); + status = lstat(filename, filestats); #ifdef HAVE_JAVA if (status) { strlcpy(ptr, "index.class", plen); - status = stat(filename, filestats); + status = lstat(filename, filestats); } #endif /* HAVE_JAVA */ #ifdef HAVE_PERL if (status) { strlcpy(ptr, "index.pl", plen); - status = stat(filename, filestats); + status = lstat(filename, filestats); } #endif /* HAVE_PERL */ #ifdef HAVE_PHP if (status) { strlcpy(ptr, "index.php", plen); - status = stat(filename, filestats); + status = lstat(filename, filestats); } #endif /* HAVE_PHP */ #ifdef HAVE_PYTHON if (status) { strlcpy(ptr, "index.pyc", plen); - status = stat(filename, filestats); + status = lstat(filename, filestats); } if (status) { strlcpy(ptr, "index.py", plen); status = stat(filename, filestats); } #endif /* HAVE_PYTHON */ } while (status && language[0]); + + /* + * If we've found a symlink, 404 the sucker to avoid disclosing information. + */ + + if (!status && S_ISLNK(filestats->st_mode)) + { + cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename); + return (NULL); + } + + /* + * Similarly, if the file/directory does not have world read permissions, do + * not allow access... + */ + + if (!status && !(filestats->st_mode & S_IROTH)) + { + cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename); + return (NULL); + } } cupsdLogMessage(CUPSD_LOG_DEBUG2, "get_file(con=%p(%d), filestats=%p, filename=%p, len=%d) = " "%s", con, con->http.fd, filestats, filename, len, status ? "(null)" : filename); if (status) -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
