From 6929632c2cf322f0d6ba79e06e88df88e3ecdb6e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 13 2022 11:18:32 +0000 Subject: import cups-2.3.3op2-13.el9_0.1 --- diff --git a/SOURCES/0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch b/SOURCES/0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch new file mode 100644 index 0000000..0aa9c99 --- /dev/null +++ b/SOURCES/0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch @@ -0,0 +1,35 @@ +From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Thu, 26 May 2022 06:27:04 +0200 +Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes + CVE-2022-26691) + +The previous algorithm didn't expect the strings can have a different +length, so one string can be a substring of the other and such substring +was reported as equal to the longer string. +--- + CHANGES.md | 1 + + scheduler/cert.c | 9 ++++++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/scheduler/cert.c b/scheduler/cert.c +index b268bf1b2..9b65b96c9 100644 +--- a/scheduler/cert.c ++++ b/scheduler/cert.c +@@ -444,5 +444,12 @@ ctcompare(const char *a, /* I - First string */ + b ++; + } + +- return (result); ++ /* ++ * The while loop finishes when *a == '\0' or *b == '\0' ++ * so after the while loop either both *a and *b == '\0', ++ * or one points inside a string, so when we apply bitwise OR on *a, ++ * *b and result, we get a non-zero return value if the compared strings don't match. ++ */ ++ ++ return (result | *a | *b); + } +-- +2.36.1 + diff --git a/SPECS/cups.spec b/SPECS/cups.spec index 8b0b442..a7acb64 100644 --- a/SPECS/cups.spec +++ b/SPECS/cups.spec @@ -17,7 +17,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.3.3%{OP_VER} -Release: 13%{?dist} +Release: 13%{?dist}.1 License: ASL 2.0 Url: http://www.cups.org/ # Apple stopped uploading the new versions into github, use OpenPrinting fork @@ -97,6 +97,8 @@ Patch25: cups-fips-restrict-md5.patch # Memory leak fixes (bug #1964975) # https://github.com/OpenPrinting/cups/pull/322 Patch26: 0001-cups-http-encode-memleaks-fixes-issue-322.patch +# CVE-2022-26691 cups: authorization bypass when using "local" authorization +Patch27: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch ##### Patches removed because IMHO they aren't no longer needed @@ -325,6 +327,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch25 -p1 -b .restrict-md5 # 1964975 - Memory leak fixes %patch26 -p1 -b .memleak-fixes +# CVE-2022-26691 cups: authorization bypass when using "local" authorization +%patch27 -p1 -b .cve26691 %if %{lspp} @@ -749,6 +753,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Thu May 26 2022 Zdenek Dohnal - 1:2.3.3op2-13.1 +- CVE-2022-26691 cups: authorization bypass when using "local" authorization + * Thu Feb 24 2022 Richard Lescak - 1:2.3.3op2-13 - 1964975 - added fix for uninit jump into the leaks patch