diff --git a/SOURCES/beh-cve2023.patch b/SOURCES/beh-cve2023.patch new file mode 100644 index 0000000..6655f11 --- /dev/null +++ b/SOURCES/beh-cve2023.patch @@ -0,0 +1,107 @@ +diff --git a/backend/beh.c b/backend/beh.c +index 225fd27..5e9cee0 100644 +--- a/backend/beh.c ++++ b/backend/beh.c +@@ -22,6 +22,7 @@ + #include "backend-private.h" + #include + #include ++#include + + /* + * Local globals... +@@ -213,10 +214,14 @@ call_backend(char *uri, /* I - URI of final destination */ + char **argv, /* I - Command-line arguments */ + char *filename) { /* I - File name of input data */ + const char *cups_serverbin; /* Location of programs */ ++ char *backend_argv[8]; // Arguments for called CUPS backend + char scheme[1024], /* Scheme from URI */ + *ptr, /* Pointer into scheme */ +- cmdline[65536]; /* Backend command line */ +- int retval; ++ backend_path[2048]; // Backend path ++ int pid, ++ wait_pid, ++ wait_status, ++ retval = 0; + + /* + * Build the backend command line... +@@ -235,16 +240,19 @@ call_backend(char *uri, /* I - URI of final destination */ + fprintf(stderr, + "ERROR: beh: Direct output into a file not supported.\n"); + exit (CUPS_BACKEND_FAILED); +- } else +- snprintf(cmdline, sizeof(cmdline), +- "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s", +- cups_serverbin, scheme, argv[1], argv[2], argv[3], +- /* Apply number of copies only if beh was called with a +- file name and not with the print data in stdin, as +- backends should handle copies only if they are called +- with a file name */ +- (argc == 6 ? "1" : argv[4]), +- argv[5], filename); ++ } ++ ++ backend_argv[0] = uri; ++ backend_argv[1] = argv[1]; ++ backend_argv[2] = argv[2]; ++ backend_argv[3] = argv[3]; ++ backend_argv[4] = (argc == 6 ? "1" : argv[4]); ++ backend_argv[5] = argv[5]; ++ backend_argv[6] = filename; ++ backend_argv[7] = NULL; ++ ++ snprintf(backend_path, sizeof(backend_path), ++ "%s/backend/%s", cups_serverbin, scheme); + + /* + * Overwrite the device URI and run the actual backend... +@@ -253,17 +261,41 @@ call_backend(char *uri, /* I - URI of final destination */ + setenv("DEVICE_URI", uri, 1); + + fprintf(stderr, +- "DEBUG: beh: Executing backend command line \"%s\"...\n", +- cmdline); ++ "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s' '%s'%s%s\"...\n", ++ backend_path, backend_argv[1], backend_argv[2], backend_argv[3], ++ backend_argv[4], backend_argv[5], ++ (backend_argv[6] && backend_argv[6][0] ? " " : ""), ++ (backend_argv[6] && backend_argv[6][0] ? backend_argv[6] : "")); + fprintf(stderr, + "DEBUG: beh: Using device URI: %s\n", + uri); + +- retval = system(cmdline) >> 8; ++ if ((pid = fork()) == 0) ++ { ++ retval = execv(backend_path, backend_argv); ++ ++ if (retval == -1) ++ fprintf(stderr, "ERROR: Unable to execute backend: %s\n", ++ strerror(errno)); ++ exit (CUPS_BACKEND_FAILED); ++ } ++ else if (pid < 0) ++ { ++ fprintf(stderr, "ERROR: Unable to fork for backend\n"); ++ return (CUPS_BACKEND_FAILED); ++ } ++ ++ while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR); + +- if (retval == -1) +- fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n", +- strerror(errno)); ++ if (wait_pid >= 0 && wait_status) ++ { ++ if (WIFEXITED(wait_status)) ++ retval = WEXITSTATUS(wait_status); ++ else if (WTERMSIG(wait_status) != SIGTERM) ++ retval = WTERMSIG(wait_status); ++ else ++ retval = 0; ++ } + + return (retval); + } diff --git a/SPECS/cups-filters.spec b/SPECS/cups-filters.spec index 0ef7fff..42f1c41 100644 --- a/SPECS/cups-filters.spec +++ b/SPECS/cups-filters.spec @@ -11,7 +11,7 @@ Summary: OpenPrinting CUPS filters and backends Name: cups-filters Version: 1.28.7 -Release: 11%{?dist} +Release: 11%{?dist}.1 # For a breakdown of the licensing, see COPYING file # GPLv2: filters: commandto*, imagetoraster, pdftops, rasterto*, @@ -36,6 +36,8 @@ Patch01: 0001-cups-browsed-Always-save-.-default-option-entries-fr.patch Patch02: 0001-cups-browsed.c-Make-NotifLeaseDuration-configurable-.patch # 1982118 - [RHEL 9] pdftopdf doesn't handle "page-range=10-2147483647" correctly Patch03: 0001-libcupsfilters-Fix-page-range-like-10-in-pdftopdf-fi.patch +# CVE-2023-24805 cups-filters: remote code execution in cups-filters, beh CUPS backend +Patch04: beh-cve2023.patch # autogen.sh @@ -398,6 +400,9 @@ done %endif %changelog +* Mon May 15 2023 Zdenek Dohnal - 1.28.7-11.1 +- CVE-2023-24805 cups-filters: remote code execution in cups-filters, beh CUPS backend + * Thu Sep 22 2022 Zdenek Dohnal - 1.28.7-11 - 2129054 - build braille subpackage only on Fedora and CentOS Stream > 9