!32 [sync] PR-28: fix CVE-2024-47175 CVE-2024-47076 CVE-2024-47176

From: @openeuler-sync-bot Reviewed-by: @compile_success Signed-off-by: @compile_success
2024-09-30 06:35:11 +00:00 · 2024-09-30 06:35:11 +00:00 · f892ed27d5
commit f892ed27d5
parent f7084b4431 ba946da0c0
4 changed files with 466 additions and 1 deletions
--- a/backport-CVE-2024-47076.patch
+++ b/backport-CVE-2024-47076.patch
@ -0,0 +1,36 @@
+From 95576ec3d20c109332d14672a807353cdc551018 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 Sep 2024 23:09:29 +0200
+Subject: [PATCH] cfGetPrinterAttributes5(): Validate response attributes
+ before return
+
+The destination can be corrupted or forged, so validate the response
+to strenghten security measures.
+
+Fixes CVE-2024-47076
+---
+ cupsfilters/ipp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/cupsfilters/ipp.c b/cupsfilters/ipp.c
+index d703327..88f66b5 100644
+--- a/cupsfilters/ipp.c
+++ b/cupsfilters/ipp.c
+@@ -402,6 +402,14 @@ get_printer_attributes5(http_t *http_printer,
+ 		     total_attrs);
+ 	ippDelete(response);
+       } else {
+
+	// Check if the response is valid
+	if (!ippValidateAttributes(response))
+	{
+	  ippDelete(response);
+	  response = NULL;
+	}
+
+ 	/* Suitable response, we are done */
+ 	if (have_http == 0) httpClose(http_printer);
+ 	if (uri) free(uri);
+-- 
+2.43.0
+
--- a/backport-CVE-2024-47175.patch
+++ b/backport-CVE-2024-47175.patch
@ -0,0 +1,392 @@
+From d681747ebf12602cb426725eb8ce2753211e2477 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 Sep 2024 23:12:14 +0200
+Subject: [PATCH] Prevent PPD generation based on invalid IPP response
+
+Author: Mike Sweet
+Minor fixes: Zdenek Dohnal
+
+Fixes CVE-2024-47175
+---
+ cupsfilters/ppdgenerator.c | 225 +++++++++++++++++++++++++------------
+ 1 file changed, 156 insertions(+), 69 deletions(-)
+
+diff --git a/cupsfilters/ppdgenerator.c b/cupsfilters/ppdgenerator.c
+index 23d519d..1bfcc8a 100644
+--- a/cupsfilters/ppdgenerator.c
+++ b/cupsfilters/ppdgenerator.c
+@@ -92,6 +92,7 @@ typedef struct _pwg_finishings_s	/**** PWG finishings mapping data ****/
+ static void	pwg_ppdize_name(const char *ipp, char *name, size_t namesize);
+ static void	pwg_ppdize_resolution(ipp_attribute_t *attr, int element,
+                                  int *xres, int *yres, char *name, size_t namesize);
+static void	ppd_put_string(cups_file_t *fp, cups_lang_t *lang, const char *ppd_option, const char *ppd_choice, const char *pwg_msgid);
+ 
+ /*
+  * '_cupsSetError()' - Set the last PPD generator status-message.
+@@ -1581,9 +1582,10 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+   ipp_t			*media_col,	/* Media collection */
+ 			*media_size;	/* Media size collection */
+   char			make[256],	/* Make and model */
+-			*model,		/* Model name */
+			*mptr,		// Pointer into make and model
+ 			ppdname[PPD_MAX_NAME];
+ 		    			/* PPD keyword */
+  const char            *model;         /* Model name */
+   int			i, j,		/* Looping vars */
+ 			count = 0,	/* Number of values */
+ 			bottom,		/* Largest bottom margin */
+@@ -1663,6 +1665,68 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+     return (NULL);
+   }
+ 
+  //
+  // Get a sanitized make and model...
+  //
+
+  if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr))
+  {
+    // Sanitize the model name to only contain PPD-safe characters.
+    strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
+
+    for (mptr = make; *mptr; mptr ++)
+    {
+      if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"')
+      {
+        // Truncate the make and model on the first bad character...
+	*mptr = '\0';
+	break;
+      }
+    }
+
+    while (mptr > make)
+    {
+      // Strip trailing whitespace...
+      mptr --;
+      if (*mptr == ' ')
+	*mptr = '\0';
+    }
+
+    if (!make[0])
+    {
+      // Use a default make and model if nothing remains...
+      strlcpy(make, "Unknown", sizeof(make));
+    }
+  }
+  else
+  {
+    // Use a default make and model...
+    strlcpy(make, "Unknown", sizeof(make));
+  }
+
+  if (!strncasecmp(make, "Hewlett Packard ", 16) || !strncasecmp(make, "Hewlett-Packard ", 16))
+  {
+    // Normalize HP printer make and model...
+    model = make + 16;
+    strlcpy(make, "HP", sizeof(make));
+
+    if (!strncasecmp(model, "HP ", 3))
+      model += 3;
+  }
+  else if ((mptr = strchr(make, ' ')) != NULL)
+  {
+    // Separate "MAKE MODEL"...
+    while (*mptr && *mptr == ' ')
+      *mptr++ = '\0';
+
+    model = mptr;
+  }
+  else
+  {
+    // No separate model name...
+    model = "Printer";
+  }
+
+  /*
+   * Standard stuff for PPD file...
+   */
+@@ -1691,24 +1755,6 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+     }
+   }
+ 
+-  if ((attr = ippFindAttribute(response, "printer-make-and-model",
+-			       IPP_TAG_TEXT)) != NULL)
+-    strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
+-  else if (make_model && make_model[0] != '\0')
+-    strlcpy(make, make_model, sizeof(make));
+-  else
+-    strlcpy(make, "Unknown Printer", sizeof(make));
+-
+-  if (!_cups_strncasecmp(make, "Hewlett Packard ", 16) ||
+-      !_cups_strncasecmp(make, "Hewlett-Packard ", 16)) {
+-    model = make + 16;
+-    strlcpy(make, "HP", sizeof(make));
+-  }
+-  else if ((model = strchr(make, ' ')) != NULL)
+-    *model++ = '\0';
+-  else
+-    model = make;
+-
+   cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make);
+   cupsFilePrintf(fp, "*ModelName: \"%s %s\"\n", make, model);
+   cupsFilePrintf(fp, "*Product: \"(%s %s)\"\n", make, model);
+@@ -1805,14 +1851,11 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+   cupsFilePuts(fp, "*cupsSNMPSupplies: False\n");
+   cupsFilePuts(fp, "*cupsLanguages: \"en\"\n");
+ 
+-  if ((attr = ippFindAttribute(response, "printer-more-info", IPP_TAG_URI)) !=
+-      NULL)
+  if ((attr = ippFindAttribute(response, "printer-more-info", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+     cupsFilePrintf(fp, "*APSupplies: \"%s\"\n", ippGetString(attr, 0, NULL));
+ 
+-  if ((attr = ippFindAttribute(response, "printer-charge-info-uri",
+-			       IPP_TAG_URI)) != NULL)
+-    cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0,
+-								    NULL));
+  if ((attr = ippFindAttribute(response, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+    cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL));
+ 
+   /* Message catalogs for UI strings */
+   if (opt_strings_catalog == NULL) {
+@@ -1820,7 +1863,8 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+     load_opt_strings_catalog(NULL, opt_strings_catalog);
+   }
+   if ((attr = ippFindAttribute(response, "printer-strings-uri",
+-			       IPP_TAG_URI)) != NULL) {
+			       IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+  {
+     printer_opt_strings_catalog = optArrayNew();
+     load_opt_strings_catalog(ippGetString(attr, 0, NULL),
+ 			     printer_opt_strings_catalog);
+@@ -2565,13 +2609,15 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 	  break;
+ 	}
+       if (j >= 0)
+-	cupsFilePrintf(fp, "*InputSlot %s/%s: \"<</MediaPosition %d>>setpagedevice\"\n",
+-		       ppdname, human_readable, j);
+      {
+	cupsFilePrintf(fp, "*InputSlot %s: \"<</MediaPosition %d>>setpagedevice\"\n", ppdname, j);
+	ppd_put_string(fp, lang, "InputSlot", ppdname, human_readable);
+      }
+       else
+-	cupsFilePrintf(fp, "*InputSlot %s%s%s: \"\"\n",
+-		       ppdname,
+-		       (human_readable ? "/" : ""),
+-		       (human_readable ? human_readable : ""));
+      {
+	cupsFilePrintf(fp, "*InputSlot %s%s%s:\"\"\n", ppdname, human_readable ? "/" : "", human_readable ? human_readable : "");
+	ppd_put_string(fp, lang, "InputSlot", ppdname, human_readable);
+      }
+     }
+     cupsFilePuts(fp, "*CloseUI: *InputSlot\n");
+   }
+@@ -2755,11 +2801,8 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 	    human_readable = (char *)_cupsLangString(lang, media_types[j][1]);
+ 	    break;
+ 	  }
+-      cupsFilePrintf(fp, "*MediaType %s%s%s: \"<</MediaType(%s)>>setpagedevice\"\n",
+-		     ppdname,
+-		     (human_readable ? "/" : ""),
+-		     (human_readable ? human_readable : ""),
+-		     ppdname);
+      cupsFilePrintf(fp, "*MediaType %s: \"<</MediaType(%s)>>setpagedevice\"\n", ppdname, ppdname);
+      ppd_put_string(fp, lang, "MediaType", ppdname, human_readable);
+     }
+     cupsFilePuts(fp, "*CloseUI: *MediaType\n");
+   }
+@@ -3213,10 +3256,8 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 	    human_readable = (char *)_cupsLangString(lang, output_bins[j][1]);
+ 	    break;
+ 	  }
+-      cupsFilePrintf(fp, "*OutputBin %s%s%s: \"\"\n",
+-		     ppdname,
+-		     (human_readable ? "/" : ""),
+-		     (human_readable ? human_readable : ""));
+      cupsFilePrintf(fp, "*OutputBin %s: \"\"\n", ppdname);
+      ppd_put_string(fp, lang, "OutputBin", ppdname, human_readable);
+       outputorderinfofound = 0;
+       faceupdown = 1;
+       firsttolast = 1;
+@@ -3454,9 +3495,8 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 	      human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
+ 	      break;
+ 	    }
+-	cupsFilePrintf(fp, "*StapleLocation %s%s%s: \"\"\n", ppd_keyword,
+-		       (human_readable ? "/" : ""),
+-		       (human_readable ? human_readable : ""));
+	cupsFilePrintf(fp, "*StapleLocation %s: \"\"\n", ppd_keyword);
+	ppd_put_string(fp, lang, "StapleLocation", ppd_keyword, human_readable);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*StapleLocation %s\"\n",
+ 		       value, keyword, ppd_keyword);
+       }
+@@ -3547,9 +3587,8 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 	      human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
+ 	      break;
+ 	    }
+-	cupsFilePrintf(fp, "*FoldType %s%s%s: \"\"\n", ppd_keyword,
+-		       (human_readable ? "/" : ""),
+-		       (human_readable ? human_readable : ""));
+	cupsFilePrintf(fp, "*FoldType %s: \"\"\n", ppd_keyword);
+	ppd_put_string(fp, lang, "FoldType", ppd_keyword, human_readable);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*FoldType %s\"\n",
+ 		       value, keyword, ppd_keyword);
+       }
+@@ -3647,9 +3686,8 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 	      human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
+ 	      break;
+ 	    }
+-	cupsFilePrintf(fp, "*PunchMedia %s%s%s: \"\"\n", ppd_keyword,
+-		       (human_readable ? "/" : ""),
+-		       (human_readable ? human_readable : ""));
+	cupsFilePrintf(fp, "*PunchMedia %s: \"\"\n", ppd_keyword);
+	ppd_put_string(fp, lang, "PunchMedia", ppd_keyword, human_readable);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*PunchMedia %s\"\n",
+ 		       value, keyword, ppd_keyword);
+       }
+@@ -3740,9 +3778,8 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 	      human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
+ 	      break;
+ 	    }
+-	cupsFilePrintf(fp, "*CutMedia %s%s%s: \"\"\n", ppd_keyword,
+-		       (human_readable ? "/" : ""),
+-		       (human_readable ? human_readable : ""));
+	cupsFilePrintf(fp, "*CutMedia %s: \"\"\n", ppd_keyword);
+	ppd_put_string(fp, lang, "CutMedia", ppd_keyword, human_readable);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*CutMedia %s\"\n",
+ 		       value, keyword, ppd_keyword);
+       }
+@@ -3788,8 +3825,9 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 				     printer_opt_strings_catalog);
+       if (human_readable == NULL)
+ 	human_readable = (char *)keyword;
+-      cupsFilePrintf(fp, "*cupsFinishingTemplate %s/%s: \"\n", keyword,
+-		     human_readable);
+      pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+      cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname);
+      ppd_put_string(fp, lang, "cupsFinishingTemplate", ppdname, human_readable);
+       for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr;
+ 	   finishing_attr = ippNextAttribute(finishing_col)) {
+         if (ippGetValueTag(finishing_attr) == IPP_TAG_BEGIN_COLLECTION) {
+@@ -4101,13 +4139,11 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+       if (!preset || !preset_name)
+         continue;
+ 
+-      if ((localized_name = lookup_option((char *)preset_name,
+-					  opt_strings_catalog,
+-					  printer_opt_strings_catalog)) == NULL)
+-        cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", preset_name);
+-      else
+-        cupsFilePrintf(fp, "*APPrinterPreset %s/%s: \"\n", preset_name,
+-		       localized_name);
+      pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
+
+      localized_name = lookup_option((char *)preset_name, opt_strings_catalog, printer_opt_strings_catalog);
+      cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", ppdname);
+      ppd_put_string(fp, lang, "APPrinterPreset", ppdname, localized_name);
+ 
+       for (member = ippFirstAttribute(preset); member;
+ 	   member = ippNextAttribute(preset)) {
+@@ -4148,7 +4184,10 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 		 ippGetString(ippFindAttribute(fin_col,
+ 					       "finishing-template",
+ 					       IPP_TAG_ZERO), 0, NULL)) != NULL)
+-              cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", keyword);
+            {
+	      pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+              cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", ppdname);
+            }
+           }
+         } else if (!strcmp(member_name, "media")) {
+          /*
+@@ -4181,14 +4220,14 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 						       IPP_TAG_ZERO), 0,
+ 				      NULL)) != NULL) {
+             pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+-            cupsFilePrintf(fp, "*InputSlot %s\n", keyword);
+            cupsFilePrintf(fp, "*InputSlot %s\n", ppdname);
+ 	  }
+ 
+           if ((keyword = ippGetString(ippFindAttribute(media_col, "media-type",
+ 						       IPP_TAG_ZERO), 0,
+ 				      NULL)) != NULL) {
+             pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+-            cupsFilePrintf(fp, "*MediaType %s\n", keyword);
+            cupsFilePrintf(fp, "*MediaType %s\n", ppdname);
+ 	  }
+         } else if (!strcmp(member_name, "print-quality")) {
+ 	 /*
+@@ -4452,15 +4491,28 @@ pwg_ppdize_name(const char *ipp,	/* I - IPP keyword */
+ 	*end;				/* End of name buffer */
+ 
+ 
+  if (!ipp || !_cups_isalnum(*ipp))
+  {
+    *name = '\0';
+    return;
+  }
+
+   *name = (char)toupper(*ipp++);
+ 
+   for (ptr = name + 1, end = name + namesize - 1; *ipp && ptr < end;) {
+-    if (*ipp == '-') {
+    if (*ipp == '-' && isalnum(ipp[1]))
+    {
+       ipp ++;
+-      if (_cups_isalpha(*ipp))
+-	*ptr++ = (char)toupper(*ipp++ & 255);
+-    } else
+      *ptr++ = (char)toupper(*ipp++ & 255);
+    }
+    else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || isalnum(*ipp))
+    {
+       *ptr++ = *ipp++;
+    }
+    else
+    {
+      ipp ++;
+    }
+   }
+ 
+   *ptr = '\0';
+@@ -4497,4 +4549,39 @@ pwg_ppdize_resolution(
+       snprintf(name, namesize, "%dx%ddpi", *xres, *yres);
+   }
+ }
+
+
+/*
+ * 'ppd_put_strings()' - Write localization attributes to a PPD file.
+ */
+
+static void
+ppd_put_string(cups_file_t  *fp,	/* I - PPD file */
+               cups_lang_t  *lang,	/* I - Language */
+	       const char   *ppd_option,/* I - PPD option */
+	       const char   *ppd_choice,/* I - PPD choice */
+	       const char   *text)	/* I - Localized text */
+{
+  if (!text)
+    return;
+
+  // Add the first line of localized text...
+#if CUPS_VERSION_MAJOR > 2
+  cupsFilePrintf(fp, "*%s.%s %s/", cupsLangGetName(lang), ppd_option, ppd_choice);
+#else
+  cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice);
+#endif // CUPS_VERSION_MAJOR > 2
+
+  while (*text && *text != '\n')
+  {
+    // Escape ":" and "<"...
+    if (*text == ':' || *text == '<')
+      cupsFilePrintf(fp, "<%02X>", *text);
+    else
+      cupsFilePutChar(fp, *text);
+
+    text ++;
+  }
+  cupsFilePuts(fp, ": \"\"\n");
+}
+ #endif /* HAVE_CUPS_1_6 */
+-- 
+2.43.0
+
--- a/backport-CVE-2024-47176.patch
+++ b/backport-CVE-2024-47176.patch
@ -0,0 +1,31 @@
+From 1debe6b140c37e0aa928559add4abcc95ce54aa2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 Sep 2024 23:03:32 +0200
+Subject: [PATCH] Default BrowseRemoteProtocols should not include "cups"
+ protocol
+
+Works around CVE-2024-47176, the fix will be complete removal of CUPS
+Browsing functionality
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 32f9a4e..65c0d01 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -402,9 +402,9 @@ AC_SUBST(GIO_UNIX_CFLAGS)
+ AC_SUBST(GIO_UNIX_LIBS)
+ 
+ AC_ARG_WITH([browseremoteprotocols],
+-	[AS_HELP_STRING([--with-browseremoteprotocols=value], [Set which protocols to listen for in cups-browsed (default: dnssd cups)])],
+	[AS_HELP_STRING([--with-browseremoteprotocols=value], [Set which protocols to listen for in cups-browsed (default: dnssd)])],
+ 	[with_browseremoteprotocols="$withval"],
+-	[with_browseremoteprotocols="dnssd cups"]
+	[with_browseremoteprotocols="dnssd"]
+ )
+ BROWSEREMOTEPROTOCOLS="$with_browseremoteprotocols"
+ AC_SUBST(BROWSEREMOTEPROTOCOLS)
+-- 
+2.43.0
+
--- a/cups-filters.spec
+++ b/cups-filters.spec
@ -2,12 +2,15 @@
 Summary: OpenPrinting CUPS filters, backends, and cups-browsed
 Name:    cups-filters
 Version: 1.28.15
-Release: 2
+Release: 3
 License: GPLv2 and GPLv2+ and GPLv3 and GPLv3+ and LGPLv2+ and MIT and BSD with advertising
 Url:     http://www.linuxfoundation.org/collaborate/workgroups/openprinting/cups-filters
 Source0: http://www.openprinting.org/download/cups-filters/cups-filters-%{version}.tar.xz

 Patch6000: backport-CVE-2023-24805.patch
+Patch6001: backport-CVE-2024-47175.patch
+Patch6002: backport-CVE-2024-47076.patch
+Patch6003: backport-CVE-2024-47176.patch

 BuildRequires: pkgconf-pkg-config pkgconfig(libqpdf) pkgconfig(libpng) pkgconfig(dbus-1)
 BuildRequires: poppler-cpp-devel libtiff-devel avahi-devel libjpeg-turbo-devel pkgconfig(zlib)
@ -160,6 +163,9 @@ fi
 %{_mandir}/man8/cups-browsed.8.gz

 %changelog
+* Sun Sep 29 2024 zhangxianting <zhangxianting@uniontech.com> - 1.28.15-3
+- fix CVE-2024-47175 CVE-2024-47076 CVE-2024-47176
+
 * Fri May 26 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 1.28.15-2
 - fix CVE-2023-24805