Re-sending this in a different way, as my MUA somehow mangled the previous
sending.
Original Message
Subject: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE
[Jessie]
Date: 2016-10-10 10:13
From: Didier 'OdyX' Raboud
To: 839...@bugs.debian.org, debian-release@lists.debian.org
Cc: Frederic Bonnard
Hi again,
(dropping debian-lts from the loop, as this'd be for stable)
Le samedi, 1 octobre 2016, 06.34:28 h CEST Moritz Mühlenhoff a écrit :
> Have we removed protocols' support in {old,}stable before?
We have done that on a case-by-case basis via point updates in the
past;
it seems fine here as well.
Here come:
- patch;
str4476-disable-sslv3-and-rc4-by-default.patch
- git commit series;
0001-Disable-SSLv3-and-RC4-by-default-to-address-POODLE-v.patch
0002-Refresh-patches.patch
0003-cups-1.7.5-11-deb8u2-Debian-release.patch
- and debdiff
cups_1.7.5-11+deb8u2.debdiff
Can I upload to jessie-security ?
--
Cheers,
OdyX
Description: Disable SSLv3 and RC4; implement SSLOptions.
This disables SSLv3 in cups. It also provides two configuration
options to re-enable them by specifying SSLOptions in the cupsd.conf
file: AllowSSL3 turns SSLv3 back on and AllowRC4 turns on just
the RC4 ciphers.
.
---
Origin: vendor, https://bugzilla.redhat.com/show_bug.cgi?id=1161172
Bug: https://www.cups.org/str.php?L4476
Bug-Ubuntu: https://launchpad.net/bugs/1505328
Bug-Debian: https://bugs.debian.org/839226
--- a/cups/http-private.h
+++ b/cups/http-private.h
@@ -147,6 +147,10 @@
#define _HTTP_RESOLVE_FQDN 2 /* Resolve to a FQDN */
#define _HTTP_RESOLVE_FAXOUT 4 /* Resolve FaxOut service? */
+/* care - these should be the same values as the CUPSD_SSL_* equivalents */
+#define _HTTP_TLS_ALLOW_RC4 2
+#define _HTTP_TLS_ALLOW_SSL3 4
+
/*
* Types and functions for SSL support...
@@ -425,6 +429,8 @@
extern int _httpUpdate(http_t *http, http_status_t *status);
extern int _httpWait(http_t *http, int msec, int usessl);
+extern void _httpTLSSetOptions(int options);
+
/*
* C++ magic...
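Review bot: The new `_httpTLSSetOptions` prototype says nothing about what `options` accepts, and this header is the only place a caller of the private API will look. From the http.c hunks, the value is a bitwise OR of the `_HTTP_TLS_ALLOW_*` bits and 0 leaves both SSLv3 and RC4 disabled; a one-line comment on the declaration would carry that: `extern void _httpTLSSetOptions(int options); /* bitwise OR of _HTTP_TLS_ALLOW_*; 0 keeps SSLv3 and RC4 disabled */`.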
--- a/cups/http.c
+++ b/cups/http.c
@@ -87,6 +87,8 @@
* Local globals...
*/
+static int tls_options = 0; /* Options for TLS connections */
+
static const char * const http_fields[] =
{
"Accept-Language",
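Review bot: `tls_options` is a plain file-scope `int` written by `_httpTLSSetOptions()` and read whenever a TLS context is set up, with no synchronization, and libcups can be linked into multi-threaded clients. The workable contract is that it is set once, before the first TLS connection is made, and that should be stated at the definition rather than left implicit: `static int tls_options = 0; /* _HTTP_TLS_ALLOW_* bits; set via _httpTLSSetOptions() before any TLS connection is made (not synchronized) */`.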
@@ -5094,6 +5096,10 @@
context = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
+ if (!(tls_options & _HTTP_TLS_ALLOW_SSL3))
+SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
+ if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
+SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
bio = BIO_new(_httpBIOMethods());
BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http);
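Review bot: The return value of `SSL_CTX_set_cipher_list()` on the last added line is ignored; it returns 0 when none of the requested ciphers could be enabled, in which case the context keeps whatever cipher set it had and the failure goes unnoticed. `-RC4` only removes RC4 from the preceding set and a later clause could add it back, whereas `!RC4` removes it permanently; nothing follows in this literal, so the effect is the same today, but `if (!SSL_CTX_set_cipher_list(context, "DEFAULT:!RC4")) { /* treat as TLS setup failure */ }` is the more defensive form. The context line's comment `/* Only use SSLv3 or TLS */` is now stale since SSLv3 is off unless `_HTTP_TLS_ALLOW_SSL3` is set and could be corrected in the same change. The enclosing function's error path lies outside the hunk.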
@@ -5151,7 +5157,16 @@
gnutls_certificate_allocate_credentials(credentials);
gnutls_init(&http->tls, GNUTLS_CLIENT);
- gnutls_set_default_priority(http->tls);
+ if (!tls_options)
+gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
+ else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) &&
+ (tls_options & _HTTP_TLS_ALLOW_RC4))
+gnutls_priority_set_direct(http->tls, "NORMAL", NULL);
+ else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128", NULL);
+ else
+gnutls_priority_set_direct(http->tls, "NORMAL:-VERS-SSL3.0", NULL);
+
gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname,
strlen(hostname));
gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
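Review bot: The first branch `if (!tls_options)` tests the whole word rather than the two `_HTTP_TLS_ALLOW_*` bits, so any other bit set in `tls_options` skips that branch, fails the two SSL3 tests, and lands in the final `else`, which selects `"NORMAL:-VERS-SSL3.0"` and thereby leaves RC4 enabled without `_HTTP_TLS_ALLOW_RC4` being set. Whether such bits can arrive depends on the SSLOptions parser, which is outside this patch, but the comment in http-private.h implies the value is shared with the scheduler's wider CUPSD_SSL_* set, so testing the bits explicitly closes the gap: `if (!(tls_options & (_HTTP_TLS_ALLOW_SSL3 | _HTTP_TLS_ALLOW_RC4)))`. In addition none of the four `gnutls_priority_set_direct()` calls checks its return value, so a rejected priority string would go unreported; the result should be checked and routed to the enclosing function's error path, which lies outside the hunk.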
@@ -5904,6 +5919,16 @@
}
#endif /* HAVE_SSL */
+/*
+ * '_httpTLSSetOptions()' - Set TLS/SSL options.
+ */
+
+void
+_httpTLSSetOptions(int options)
+{
+ tls_options = options;
+}
+
/*
* End of "$Id: http.c 11761 2014-03-28 13:04:33Z msweet $".
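Review bot: The header comment on `_httpTLSSetOptions()` says only "Set TLS/SSL options" and leaves the meaning of `options` and the timing of its effect undocumented. From the OpenSSL and GnuTLS hunks earlier in this file, the value is a bitwise OR of `_HTTP_TLS_ALLOW_RC4` and `_HTTP_TLS_ALLOW_SSL3` with 0 keeping both disabled, and it is consulted when a connection's TLS context is built, so it appears to affect only connections set up after the call. The comment block should say so, e.g. `* 'options' is a bitwise OR of _HTTP_TLS_ALLOW_*; 0 keeps SSLv3 and RC4 disabled. Takes effect for connections set up after the call.`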
--- a/cups/usersys.c
+++ b/cups/usersys.c
@@ -52,7 +52,8 @@
#endif /* HAVE_GSSAPI */
const char *cups_anyroot,
const char *cups_expiredroot,
- const char *cups_expiredcerts);
+ const char *cups_expiredcerts,
+ int ssl_options);
/*
@@ -237,6 +238,9 @@
_cups_globals_t *cg = _cupsGlobals(); /* Pointer to library globals */
+ if (cg->encryption == (http_encryption_t)-1)
+_cupsSetDefaults();
+
cg->encryption = e;
if (cg->http)
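Review bot: The added `_cupsSetDefaults()` call before `cg->encryption = e` has no comment explaining why defaults are loaded only to have the encryption value overwritten on the next line, and a reader will take it for a redundant call. Presumably the intent is that `_cupsSetDefaults()` reads client.conf, including the new SSLOptions, so that a caller who sets the encryption mode explicitly still gets the SSLOptions applied; a comment such as `/* Load client.conf (incl. SSLOptions) first; the caller's encryption choice then overrides the default */` would capture that. This should be confirmed against `_cupsSetDefaults()`, whose body is outside this hunk.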
@@ -861,6 +865,29 @@
if (cg->encryption == (http_encryption_t)-1 || !cg->server[0] ||
!cg->user[0] || !cg->ipp_port)
{
+ /*
+* Look for CUPS_SERVERROOT/client.conf...
+*/
+
+snprintf(filename, sizeof(filename), "%s/client.conf",
+ cg->cups_serverroot);
+fp = cupsFileOpen(filename, "r");
+ /*
+* Read the configuration file and apply any environment variables; both
+* functions handle NULL cups_file_t pointers...
+*/
+
+cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
+#ifdef HAVE_GSSAPI
+ cups_gssservicename,
+#endif /* HAVE_GSSAPI */
+ cups_anyroot, cups_expiredroot,
+