Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
The attached debdiff for cups fixes CVE-2024-35235 in Bookworm. The
security team has marked the CVE as no-dsa. The same patch has already
been uploaded to unstable.
Thorsten
diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-12-01 20:35:27.000000000 +0100
+++ cups-2.4.2/debian/changelog 2024-06-11 19:32:57.000000000 +0200
@@ -1,3 +1,10 @@
+cups (2.4.2-3+deb12u6) bookworm; urgency=medium
+
+ * CVE-2024-35235 (Closes: #1073002)
+ fix domain socket handling
+
+ -- Thorsten Alteholz <deb...@alteholz.de> Tue, 11 Jun 2024 22:16:49 +0200
+
cups (2.4.2-3+deb12u5) bookworm; urgency=medium
* 0017-check-colormodel-also-for-CMYK.patch
diff -Nru cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch
cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch
--- cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch 1970-01-01
01:00:00.000000000 +0100
+++ cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch 2024-06-11
13:11:25.000000000 +0200
@@ -0,0 +1,108 @@
+commit 2f87c46b719e6edf0b6900e5eb307b7154e183e8
+Author: Zdenek Dohnal <zdoh...@redhat.com>
+Date: Mon Jun 3 18:53:58 2024 +0200
+
+ Fix domain socket handling
+
+ - Check status of unlink and bind system calls.
+ - Don't allow extra domain sockets when running from launchd/systemd.
+ - Validate length of domain socket path (< sizeof(sun_path))
+
+ Fixes CVE-2024-35235, written by Mike Sweet
+
+Index: cups-2.4.2/cups/http-addr.c
+===================================================================
+--- cups-2.4.2.orig/cups/http-addr.c 2024-06-11 13:11:20.465733904 +0200
++++ cups-2.4.2/cups/http-addr.c 2024-06-11 13:11:20.465733904 +0200
+@@ -1,6 +1,7 @@
+ /*
+ * HTTP address routines for CUPS.
+ *
++ * Copyright © 2023-2024 by OpenPrinting
+ * Copyright © 2007-2021 by Apple Inc.
+ * Copyright © 1997-2006 by Easy Software Products, all rights reserved.
+ *
+@@ -206,27 +207,31 @@
+ * Remove any existing domain socket file...
+ */
+
+- unlink(addr->un.sun_path);
+-
+- /*
+- * Save the current umask and set it to 0 so that all users can access
+- * the domain socket...
+- */
+-
+- mask = umask(0);
+-
+- /*
+- * Bind the domain socket...
+- */
+-
+- status = bind(fd, (struct sockaddr *)addr,
(socklen_t)httpAddrLength(addr));
+-
+- /*
+- * Restore the umask and fix permissions...
+- */
+-
+- umask(mask);
+- chmod(addr->un.sun_path, 0140777);
++ if ((status = unlink(addr->un.sun_path)) < 0)
++ {
++ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s",
addr->un.sun_path, strerror(errno)));
++
++ if (errno == ENOENT)
++ status = 0;
++ }
++
++
++ if (!status)
++ {
++ // Save the current umask and set it to 0 so that all users can access
++ // the domain socket...
++ mask = umask(0);
++
++
++ // Bind the domain socket...
++ if ((status = bind(fd, (struct sockaddr *)addr,
(socklen_t)httpAddrLength(addr))) < 0)
++ {
++ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\":
%s", addr->un.sun_path, strerror(errno)));
++ }
++
++ // Restore the umask...
++ umask(mask);
++ }
+ }
+ else
+ #endif /* AF_LOCAL */
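Review bot: In the unlink failure branch, `errno` is tested for `ENOENT` only after the `DEBUG_printf` call, so in a build where that macro expands to a real logging call the value may already be overwritten and a merely absent socket file would be treated as a hard failure. Save it first, e.g. `int unlink_errno = errno;` ahead of the debug line and `if (unlink_errno == ENOENT) status = 0;` after it. Separately, the hunk drops `chmod(addr->un.sun_path, 0140777)`, which the commit message does not list among its three items. Because `chmod()` resolves symlinks at the path, a short comment such as `// No chmod() on the path here - the mode comes from the umask at bind() time` would help keep a later change from reintroducing a path-based permission fix-up. The enclosing function starts and ends outside the hunk.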
+Index: cups-2.4.2/scheduler/conf.c
+===================================================================
+--- cups-2.4.2.orig/scheduler/conf.c 2024-06-11 13:11:20.465733904 +0200
++++ cups-2.4.2/scheduler/conf.c 2024-06-11 13:11:20.465733904 +0200
+@@ -3077,6 +3077,26 @@
+
+
+ /*
++ * If we are launched on-demand, do not use domain sockets from the
config
++ * file. Also check that the domain socket path is not too long...
++ */
++
++#ifdef HAVE_ONDEMAND
++ if (*value == '/' && OnDemand)
++ {
++ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d
- only using domain socket from launchd/systemd.", line, value, linenum);
++ continue;
++ }
++#endif // HAVE_ONDEMAND
++
++ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) -
1))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d -
too long.", line, value, linenum);
++ continue;
++ }
++
++ /*
+ * Get the address list...
+ */
+
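Review bot: Both new `cupsdLogMessage` calls report a discarded address directive at `CUPSD_LOG_INFO`, so an administrator whose configured domain socket is being ignored may see nothing when the daemon runs at a less verbose log level; `CUPSD_LOG_WARN` would suit a configuration line that is dropped. In the `HAVE_ONDEMAND` block the `continue` skips every domain socket path while the `strcmp` test guards only the message, which is easy to misread without braces; `if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET)) { cupsdLogMessage(...); }` makes the scope explicit. The loop these `continue` statements belong to starts and ends outside the hunk.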
diff -Nru cups-2.4.2/debian/patches/series cups-2.4.2/debian/patches/series
--- cups-2.4.2/debian/patches/series 2023-12-01 20:35:27.000000000 +0100
+++ cups-2.4.2/debian/patches/series 2024-06-11 13:11:18.000000000 +0200
@@ -16,3 +16,4 @@
0016-CVE-2023-32360.patch
0017-check-colormodel-also-for-CMYK.patch
0018-dont-override-color-settings-from-print-dialoag.patch
+0019-CVE-2024-35235.patch