diff --git a/cups-CVE-2014-3537.patch b/cups-CVE-2014-3537.patch
new file mode 100644
index 0000000..7bf7b0b
--- /dev/null
+++ b/cups-CVE-2014-3537.patch
@@ -0,0 +1,58 @@
+From 031f71f0a807444f9ca6c4b549090624f57b4cd5 Mon Sep 17 00:00:00 2001
+From: msweet
+Date: Thu, 3 Jul 2014 14:38:52 +0000
+Subject: [PATCH 2/6] Mirror fix from trunk.
+
+git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/branches/branch-1.7@11995 a1ca3aef-8c08-0410-bb20-df032aa958be
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 6f40585..8037b49 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -3327,7 +3327,7 @@ get_file(cupsd_client_t *con, /* I - Client connection */
+ if ((ptr = strchr(filename, '?')) != NULL)
+ *ptr = '\0';
+
+- if ((status = stat(filename, filestats)) != 0)
++ if ((status = lstat(filename, filestats)) != 0)
+ {
+ /*
+ * Drop the language prefix and try the root directory...
+@@ -3339,12 +3339,33 @@ get_file(cupsd_client_t *con, /* I - Client connection */
+ if ((ptr = strchr(filename, '?')) != NULL)
+ *ptr = '\0';
+
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ }
+
+ /*
+- * If we're found a directory, get the index.html file instead...
++ * If we've found a symlink, 404 the sucker to avoid disclosing information.
++ */
++
++ if (!status && S_ISLNK(filestats->st_mode))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
++ return (NULL);
++ }
++
++ /*
++ * Similarly, if the file/directory does not have world read permissions, do
++ * not allow access...
++ */
++
++ if (!status && !(filestats->st_mode & S_IROTH))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
++ return (NULL);
++ }
++
++ /*
++ * If we've found a directory, get the index.html file instead...
+ */
+
+ if (!status && S_ISDIR(filestats->st_mode))
+--
+1.9.3
+
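Review bot: The new `S_ISLNK` and `S_IROTH` checks in `get_file()` run only on the path that was just `lstat()`ed, and they sit before the `S_ISDIR` branch that resolves an index file; that branch's body is outside the hunk. If it still calls `stat()` on the index candidates, a symlinked or non-world-readable `index.html` would be served without passing either check, so the lookup there should use `lstat()` and repeat `if (!status && (S_ISLNK(filestats->st_mode) || !(filestats->st_mode & S_IROTH))) return (NULL);`. The validation is also path-based, so there is presumably a window between this `lstat()` and the later open of `filename`; opening with `O_NOFOLLOW` and validating with `fstat()` on the descriptor would close it. Note too that `lstat()` inspects only the final path component, so a symlinked parent directory under the document root is not caught by this check.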
diff --git a/cups.spec b/cups.spec index 8ff2104..3bc0243 100644 --- a/cups.spec +++ b/cups.spec @@ -11,7 +11,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 1.6.4 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Group: System Environment/Daemons Url: http://www.cups.org/ @@ -74,6 +74,7 @@ Patch43: cups-str4380.patch Patch44: cups-str4366.patch Patch45: cups-str4332.patch Patch46: cups-str4356.patch +Patch47: cups-CVE-2014-3537.patch Patch100: cups-lspp.patch @@ -282,6 +283,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results. %patch45 -p1 -b .str4332 # Scheduler now blocks URLs containing embedded HTML (bug #1087123, STR #4356) %patch46 -p1 -b .str4356 +# CVE-2014-3537, STR #4450 (#1119303) +%patch47 -p1 -b .CVE-2014-3537 %if %lspp # LSPP support. @@ -670,6 +673,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog +* Mon Jul 14 2014 Jiri Popelka - 1:1.6.4-6 +- CVE-2014-3537 (#1119303) + * Mon Apr 14 2014 Jiri Popelka - 1:1.6.4-5 - Scheduler now blocks URLs containing embedded HTML (bug #1087123, STR #4356).