rpms / cups

Clone
Source Code
GIT

Files

  1.   5e704158657f7e31e3871077034d1393a782dd0b
  2.   SOURCES
  3.   cups-CVE-2014-5029-5030-5031.patch
Blob Blame History Raw 
diff -up cups-1.6.3/scheduler/client.c.CVE-2014-5029-5030-5031 cups-1.6.3/scheduler/client.c
--- cups-1.6.3/scheduler/client.c.CVE-2014-5029-5030-5031	2014-09-02 11:42:02.465900694 +0100
+++ cups-1.6.3/scheduler/client.c	2014-09-02 11:42:44.383119863 +0100
@@ -3180,7 +3180,7 @@ get_file(cupsd_client_t *con,		/* I  - C
   * then fallback to the default one...
   */
 
-  if ((status = stat(filename, filestats)) != 0 && language[0] &&
+  if ((status = lstat(filename, filestats)) != 0 && language[0] &&
       strncmp(con->uri, "/icons/", 7) &&
       strncmp(con->uri, "/ppd/", 5) &&
       strncmp(con->uri, "/rss/", 5) &&
@@ -3278,13 +3278,13 @@ get_file(cupsd_client_t *con,		/* I  - C
       plen = len - (ptr - filename);
 
       strlcpy(ptr, "index.html", plen);
-      status = stat(filename, filestats);
+      status = lstat(filename, filestats);
 
 #ifdef HAVE_JAVA
       if (status)
       {
 	strlcpy(ptr, "index.class", plen);
-	status = stat(filename, filestats);
+	status = lstat(filename, filestats);
       }
 #endif /* HAVE_JAVA */
 
@@ -3292,7 +3292,7 @@ get_file(cupsd_client_t *con,		/* I  - C
       if (status)
       {
 	strlcpy(ptr, "index.pl", plen);
-	status = stat(filename, filestats);
+	status = lstat(filename, filestats);
       }
 #endif /* HAVE_PERL */
 
@@ -3300,7 +3300,7 @@ get_file(cupsd_client_t *con,		/* I  - C
       if (status)
       {
 	strlcpy(ptr, "index.php", plen);
-	status = stat(filename, filestats);
+	status = lstat(filename, filestats);
       }
 #endif /* HAVE_PHP */
 
@@ -3308,18 +3308,39 @@ get_file(cupsd_client_t *con,		/* I  - C
       if (status)
       {
 	strlcpy(ptr, "index.pyc", plen);
-	status = stat(filename, filestats);
+	status = lstat(filename, filestats);
       }
 
       if (status)
       {
 	strlcpy(ptr, "index.py", plen);
-	status = stat(filename, filestats);
+	status = lstat(filename, filestats);
       }
 #endif /* HAVE_PYTHON */
 
     }
     while (status && language[0]);
+
+   /*
+    * If we've found a symlink, 404 the sucker to avoid disclosing information.
+    */
+
+    if (!status && S_ISLNK(filestats->st_mode))
+    {
+      cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
+      return (NULL);
+    }
+
+   /*
+    * Similarly, if the file/directory does not have world read permissions, do
+    * not allow access...
+    */
+
+    if (!status && !(filestats->st_mode & S_IROTH))
+    {
+      cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
+      return (NULL);
+    }
   }
 
   cupsdLogMessage(CUPSD_LOG_DEBUG2,

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation