Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu


The attached debdiff for cups fixes CVE-2024-35235 in Bullseye. The CVE has been marked as no-dsa by the security team. The same patch has already been uploaded to unstable.

  Thorsten
diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog      2023-10-05 16:35:27.000000000 +0200
+++ cups-2.3.3op2/debian/changelog      2024-06-11 19:33:32.000000000 +0200
@@ -1,3 +1,10 @@
+cups (2.3.3op2-3+deb11u7) bullseye; urgency=medium
+
+  * CVE-2024-35235 (Closes: #1073002)
+    fix domain socket handling
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Tue, 11 Jun 2024 22:16:49 +0200
+
 cups (2.3.3op2-3+deb11u6) bullseye; urgency=medium
 
   * remove debian/NEWS again to avoid too much information when only
diff -Nru cups-2.3.3op2/debian/patches/0021-CVE-2024-35235.patch 
cups-2.3.3op2/debian/patches/0021-CVE-2024-35235.patch
--- cups-2.3.3op2/debian/patches/0021-CVE-2024-35235.patch      1970-01-01 
01:00:00.000000000 +0100
+++ cups-2.3.3op2/debian/patches/0021-CVE-2024-35235.patch      2024-06-11 
13:16:28.000000000 +0200
@@ -0,0 +1,108 @@
+commit 2f87c46b719e6edf0b6900e5eb307b7154e183e8
+Author: Zdenek Dohnal <zdoh...@redhat.com>
+Date:   Mon Jun 3 18:53:58 2024 +0200
+
+    Fix domain socket handling
+    
+    - Check status of unlink and bind system calls.
+    - Don't allow extra domain sockets when running from launchd/systemd.
+    - Validate length of domain socket path (< sizeof(sun_path))
+    
+    Fixes CVE-2024-35235, written by Mike Sweet
+
+Index: cups-2.3.3op2/cups/http-addr.c
+===================================================================
+--- cups-2.3.3op2.orig/cups/http-addr.c        2024-06-11 13:15:45.109860935 
+0200
++++ cups-2.3.3op2/cups/http-addr.c     2024-06-11 13:16:25.961881895 +0200
+@@ -1,6 +1,7 @@
+ /*
+  * HTTP address routines for CUPS.
+  *
++ * Copyright 2024 by OpenPrinting
+  * Copyright 2007-2019 by Apple Inc.
+  * Copyright 1997-2006 by Easy Software Products, all rights reserved.
+  *
+@@ -200,27 +201,31 @@
+     * Remove any existing domain socket file...
+     */
+ 
+-    unlink(addr->un.sun_path);
+-
+-   /*
+-    * Save the current umask and set it to 0 so that all users can access
+-    * the domain socket...
+-    */
+-
+-    mask = umask(0);
+-
+-   /*
+-    * Bind the domain socket...
+-    */
+-
+-    status = bind(fd, (struct sockaddr *)addr, 
(socklen_t)httpAddrLength(addr));
+-
+-   /*
+-    * Restore the umask and fix permissions...
+-    */
+-
+-    umask(mask);
+-    chmod(addr->un.sun_path, 0140777);
++    if ((status = unlink(addr->un.sun_path)) < 0)
++    {
++      DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", 
addr->un.sun_path, strerror(errno)));
++
++      if (errno == ENOENT)
++       status = 0;
++    }
++
++
++    if (!status)
++    {
++      // Save the current umask and set it to 0 so that all users can access
++      // the domain socket...
++      mask = umask(0);
++
++
++      // Bind the domain socket...
++      if ((status = bind(fd, (struct sockaddr *)addr, 
(socklen_t)httpAddrLength(addr))) < 0)
++      {
++       DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": 
%s", addr->un.sun_path, strerror(errno)));
++      }
++
++      // Restore the umask...
++      umask(mask);
++    }
+   }
+   else
+ #endif /* AF_LOCAL */
+Index: cups-2.3.3op2/scheduler/conf.c
+===================================================================
+--- cups-2.3.3op2.orig/scheduler/conf.c        2024-06-11 13:15:45.109860935 
+0200
++++ cups-2.3.3op2/scheduler/conf.c     2024-06-11 13:15:45.109860935 +0200
+@@ -3074,6 +3074,26 @@
+ 
+ 
+      /*
++      * If we are launched on-demand, do not use domain sockets from the 
config
++      * file.  Also check that the domain socket path is not too long...
++      */
++
++#ifdef HAVE_ONDEMAND
++      if (*value == '/' && OnDemand)
++      {
++        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d 
- only using domain socket from launchd/systemd.", line, value, linenum);
++        continue;
++      }
++#endif // HAVE_ONDEMAND
++
++      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 
1))
++      {
++        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - 
too long.", line, value, linenum);
++        continue;
++      }
++
++     /*
+       * Get the address list...
+       */
+ 
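Review bot: Nothing in the new http-addr.c code records why `chmod(addr->un.sun_path, 0140777)` was dropped, although that removal is the security-relevant part of the hunk; the commit message lists only the unlink/bind status checks, the on-demand restriction and the length check. chmod() resolves symbolic links, so calling it on a path that can come from the configuration file (see the conf.c hunk) may change the mode of whatever that path points to; with this patch the socket's permissions come solely from the `umask(0)` in effect during bind(). I would add a comment beside the umask restore so the call is not reintroduced later, e.g. `// Do not chmod() the socket path here: chmod() follows symlinks; the mode is set by the umask at bind() time.` The enclosing function (httpAddrListen, going by the debug strings) starts and ends outside the hunk.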
diff -Nru cups-2.3.3op2/debian/patches/series 
cups-2.3.3op2/debian/patches/series
--- cups-2.3.3op2/debian/patches/series 2023-10-05 16:35:27.000000000 +0200
+++ cups-2.3.3op2/debian/patches/series 2024-06-11 13:15:04.000000000 +0200
@@ -18,3 +18,4 @@
 0018-CVE-2023-34241.patch
 0019-CVE-2023-32360.patch
 0020-CVE-2023-4504.patch
+0021-CVE-2024-35235.patch
