6 files changed, 218 insertions, 1 deletions
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index f6d54c7cf2..6cfe314f20 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -13,6 +13,11 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
           file://0002-don-t-try-to-run-generated-binaries.patch \
           file://0003-cups_1.4.6.bb-Fix-build-on-ppc64.patch \
           file://0004-cups-fix-multilib-install-file-conflicts.patch\
+           file://CVE-2022-26691.patch \
+           file://CVE-2023-32324.patch \
+           file://CVE-2023-34241.patch \
+           file://CVE-2023-32360.patch \
+           file://CVE-2023-4504.patch \
           "
 UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
@@ -41,7 +46,7 @@ PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'zeroconf', 'avahi',
 PACKAGECONFIG[avahi] = "--enable-avahi,--disable-avahi,avahi"
 PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl"
 PACKAGECONFIG[pam] = "--enable-pam --with-pam-module=unix, --disable-pam, libpam"
-PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--without-systemd,systemd"
+PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--disable-systemd,systemd"
 PACKAGECONFIG[xinetd] = "--with-xinetd=${sysconfdir}/xinetd.d,--without-xinetd,xinetd"
 EXTRA_OECONF = " \
@@ -52,6 +57,9 @@ EXTRA_OECONF = " \
               --enable-debug \
               --disable-relro \
               --enable-libusb \
+               --with-system-groups=lpadmin \
+               --with-cups-group=lp \
+               --with-domainsocket=/run/cups/cups.sock \
               DSOFLAGS='${LDFLAGS}' \
               "
@@ -113,3 +121,7 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
 cups_sysroot_preprocess () {
        sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
 }
+# -25317 concerns /var/log/cups having lp ownership.  Our /var/log/cups is
+# root:root, so this doesn't apply.
+CVE_CHECK_WHITELIST += "CVE-2021-25317"
diff --git a/meta/recipes-extended/cups/cups/CVE-2022-26691.patch b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch
new file mode 100644
index 0000000000..1fa5a54c70
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch
@@ -0,0 +1,33 @@
+From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 May 2022 06:27:04 +0200
+Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
+ CVE-2022-26691)
+The previous algorithm didn't expect the strings can have a different
+length, so one string can be a substring of the other and such substring
+was reported as equal to the longer string.
+CVE: CVE-2022-26691
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444]
+Signed-off-by: Steve Sakoman
+---
+diff --git a/scheduler/cert.c b/scheduler/cert.c
+index b268bf1b2..9b65b96c9 100644
+--- a/scheduler/cert.c
+++ b/scheduler/cert.c
+@@ -434,5 +434,12 @@ ctcompare(const char *a,           /* I - First string */
+     b ++;
+   }
+ 
+-  return (result);
+ /*
+  * The while loop finishes when *a == '\0' or *b == '\0'
+  * so after the while loop either both *a and *b == '\0',
+  * or one points inside a string, so when we apply logical OR on *a,
+  * *b and result, we get a non-zero return value if the compared strings don't match.
+  */
+
+  return (result | *a | *b);
+ }
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32324.patch b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch
new file mode 100644
index 0000000000..40b89c9899
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch
@@ -0,0 +1,36 @@
+From 07cbffd11107eed3aaf1c64e35552aec20f792da Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 1 Jun 2023 12:04:00 +0200
+Subject: [PATCH] cups/string.c: Return if `size` is 0 (fixes CVE-2023-32324)
+CVE: CVE-2023-32324
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/fd8bc2d32589]
+(cherry picked from commit fd8bc2d32589d1fd91fe1c0521be2a7c0462109e)
+Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
+---
+ cups/string.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/cups/string.c b/cups/string.c
+index 93cdad19..6ef58515 100644
+--- a/cups/string.c
+++ b/cups/string.c
+@@ -1,6 +1,7 @@
+ /*
+  * String functions for CUPS.
+  *
+ * Copyright © 2023 by OpenPrinting.
+  * Copyright © 2007-2019 by Apple Inc.
+  * Copyright © 1997-2007 by Easy Software Products.
+  *
+@@ -730,6 +731,9 @@ _cups_strlcpy(char       *dst,              /* O - Destination string */
+   size_t       srclen;                 /* Length of source string */
+ 
+ 
+  if (size == 0)
+    return (0);
+
+  /*
+   * Figure out how much room is needed...
+   */
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32360.patch b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch
new file mode 100644
index 0000000000..4d39e1e57f
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch
@@ -0,0 +1,31 @@
+From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Tue, 6 Dec 2022 09:04:01 -0500
+Subject: [PATCH] Require authentication for CUPS-Get-Document.
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913]
+CVE: CVE-2023-32360
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ conf/cupsd.conf.in | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index b258849078..a07536f3e4 100644
+--- a/conf/cupsd.conf.in
+++ b/conf/cupsd.conf.in
+@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
+     Order deny,allow
+   </Limit>
+ 
+-  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  <Limit CUPS-Get-Document>
+    AuthType Default
+     Require user @OWNER @SYSTEM
+     Order deny,allow
+   </Limit>
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-34241.patch b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch
new file mode 100644
index 0000000000..816efc2946
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch
@@ -0,0 +1,65 @@
+From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
+From: Rose <83477269+AtariDreams@users.noreply.github.com>
+Date: Thu, 1 Jun 2023 11:33:39 -0400
+Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
+httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
+We have to log the hostname first.
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2]
+CVE: CVE-2023-34241
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ scheduler/client.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 91e441188c..327473a4d1 100644
+--- a/scheduler/client.c
+++ b/scheduler/client.c
+@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+    /*
+     * Can't have an unresolved IP address with double-lookups enabled...
+     */
+-
+-    httpClose(con->http);
+-
+     cupsdLogClient(con, CUPSD_LOG_WARN,
+-                    "Name lookup failed - connection from %s closed!",
+                    "Name lookup failed - closing connection from %s!",
+                     httpGetHostname(con->http, NULL, 0));
+ 
+    httpClose(con->http);
+     free(con);
+     return;
+   }
+@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+       * with double-lookups enabled...
+       */
+ 
+-      httpClose(con->http);
+-
+       cupsdLogClient(con, CUPSD_LOG_WARN,
+-                      "IP lookup failed - connection from %s closed!",
+                      "IP lookup failed - closing connection from %s!",
+                       httpGetHostname(con->http, NULL, 0));
+
+      httpClose(con->http);
+       free(con);
+       return;
+     }
+@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ 
+   if (!hosts_access(&wrap_req))
+   {
+-    httpClose(con->http);
+-
+     cupsdLogClient(con, CUPSD_LOG_WARN,
+                     "Connection from %s refused by /etc/hosts.allow and "
+                    "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
+
+    httpClose(con->http);
+     free(con);
+     return;
+   }
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
new file mode 100644
index 0000000000..be0db1fbd4
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
@@ -0,0 +1,40 @@
+From a9a7daa77699bd58001c25df8a61a8029a217ddf Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Fri, 1 Sep 2023 16:47:29 +0200
+Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
+We didn't check for end of buffer if it looks there is an escaped
+character - check for NULL terminator there and if found, return NULL
+as return value and in `ptr`, because a lone backslash is not
+a valid PostScript character.
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31]
+CVE: CVE-2023-4504
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ cups/raster-interpret.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+--- a/cups/raster-interpret.c
+++ b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st,            /* I  - S
+ 
+            cur ++;
+ 
+-            if (*cur == 'b')
+          /*
+           * Return NULL if we reached NULL terminator, a lone backslash
+            * is not a valid character in PostScript.
+           */
+
+           if (!*cur)
+           {
+             *ptr = NULL;
+
+             return (NULL);
+           }
+
+           if (*cur == 'b')
+              *valptr++ = '\b';
+            else if (*cur == 'f')
+              *valptr++ = '\f';

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index f6d54c7cf2..6cfe314f20 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc
@@ -13,6 +13,11 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
13	file://0002-don-t-try-to-run-generated-binaries.patch \	13	file://0002-don-t-try-to-run-generated-binaries.patch \
14	file://0003-cups_1.4.6.bb-Fix-build-on-ppc64.patch \	14	file://0003-cups_1.4.6.bb-Fix-build-on-ppc64.patch \
15	file://0004-cups-fix-multilib-install-file-conflicts.patch\	15	file://0004-cups-fix-multilib-install-file-conflicts.patch\
		16	file://CVE-2022-26691.patch \
		17	file://CVE-2023-32324.patch \
		18	file://CVE-2023-34241.patch \
		19	file://CVE-2023-32360.patch \
		20	file://CVE-2023-4504.patch \
16	"	21	"
17		22
18	UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"	23	UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
@@ -41,7 +46,7 @@ PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'zeroconf', 'avahi',
41	PACKAGECONFIG[avahi] = "--enable-avahi,--disable-avahi,avahi"	46	PACKAGECONFIG[avahi] = "--enable-avahi,--disable-avahi,avahi"
42	PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl"	47	PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl"
43	PACKAGECONFIG[pam] = "--enable-pam --with-pam-module=unix, --disable-pam, libpam"	48	PACKAGECONFIG[pam] = "--enable-pam --with-pam-module=unix, --disable-pam, libpam"
44	PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--without-systemd,systemd"	49	PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--disable-systemd,systemd"
45	PACKAGECONFIG[xinetd] = "--with-xinetd=${sysconfdir}/xinetd.d,--without-xinetd,xinetd"	50	PACKAGECONFIG[xinetd] = "--with-xinetd=${sysconfdir}/xinetd.d,--without-xinetd,xinetd"
46		51
47	EXTRA_OECONF = " \	52	EXTRA_OECONF = " \
@@ -52,6 +57,9 @@ EXTRA_OECONF = " \
52	--enable-debug \	57	--enable-debug \
53	--disable-relro \	58	--disable-relro \
54	--enable-libusb \	59	--enable-libusb \
		60	--with-system-groups=lpadmin \
		61	--with-cups-group=lp \
		62	--with-domainsocket=/run/cups/cups.sock \
55	DSOFLAGS='${LDFLAGS}' \	63	DSOFLAGS='${LDFLAGS}' \
56	"	64	"
57		65
@@ -113,3 +121,7 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
113	cups_sysroot_preprocess () {	121	cups_sysroot_preprocess () {
114	sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.:cups_serverbin=${libexecdir}/cups:'	122	sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.:cups_serverbin=${libexecdir}/cups:'
115	}	123	}
		124
		125	# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is
		126	# root:root, so this doesn't apply.
		127	CVE_CHECK_WHITELIST += "CVE-2021-25317"


diff --git a/meta/recipes-extended/cups/cups/CVE-2022-26691.patch b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch new file mode 100644 index 0000000000..1fa5a54c70 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch
@@ -0,0 +1,33 @@
		1	From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
		2	From: Zdenek Dohnal <zdohnal@redhat.com>
		3	Date: Thu, 26 May 2022 06:27:04 +0200
		4	Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
		5	CVE-2022-26691)
		6
		7	The previous algorithm didn't expect the strings can have a different
		8	length, so one string can be a substring of the other and such substring
		9	was reported as equal to the longer string.
		10
		11	CVE: CVE-2022-26691
		12	Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444]
		13	Signed-off-by: Steve Sakoman
		14
		15	---
		16	diff --git a/scheduler/cert.c b/scheduler/cert.c
		17	index b268bf1b2..9b65b96c9 100644
		18	--- a/scheduler/cert.c
		19	+++ b/scheduler/cert.c
		20	@@ -434,5 +434,12 @@ ctcompare(const char a, / I - First string */
		21	b ++;
		22	}
		23
		24	- return (result);
		25	+ /*
		26	+ * The while loop finishes when a == '\0' or b == '\0'
		27	+ * so after the while loop either both a and b == '\0',
		28	+ * or one points inside a string, so when we apply logical OR on *a,
		29	+ * *b and result, we get a non-zero return value if the compared strings don't match.
		30	+ */
		31	+
		32	+ return (result \| a \| b);
		33	}


diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32324.patch b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch new file mode 100644 index 0000000000..40b89c9899 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch
@@ -0,0 +1,36 @@
		1	From 07cbffd11107eed3aaf1c64e35552aec20f792da Mon Sep 17 00:00:00 2001
		2	From: Zdenek Dohnal <zdohnal@redhat.com>
		3	Date: Thu, 1 Jun 2023 12:04:00 +0200
		4	Subject: [PATCH] cups/string.c: Return if `size` is 0 (fixes CVE-2023-32324)
		5
		6	CVE: CVE-2023-32324
		7	Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/fd8bc2d32589]
		8
		9	(cherry picked from commit fd8bc2d32589d1fd91fe1c0521be2a7c0462109e)
		10	Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
		11	---
		12	cups/string.c \| 4 ++++
		13	1 file changed, 4 insertions(+)
		14
		15	diff --git a/cups/string.c b/cups/string.c
		16	index 93cdad19..6ef58515 100644
		17	--- a/cups/string.c
		18	+++ b/cups/string.c
		19	@@ -1,6 +1,7 @@
		20	/*
		21	* String functions for CUPS.
		22	*
		23	+ * Copyright © 2023 by OpenPrinting.
		24	* Copyright © 2007-2019 by Apple Inc.
		25	* Copyright © 1997-2007 by Easy Software Products.
		26	*
		27	@@ -730,6 +731,9 @@ _cups_strlcpy(char dst, / O - Destination string */
		28	size_t srclen; /* Length of source string */
		29
		30
		31	+ if (size == 0)
		32	+ return (0);
		33	+
		34	/*
		35	* Figure out how much room is needed...
		36	*/


diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32360.patch b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch new file mode 100644 index 0000000000..4d39e1e57f --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch
@@ -0,0 +1,31 @@
		1	From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
		2	From: Michael R Sweet <michael.r.sweet@gmail.com>
		3	Date: Tue, 6 Dec 2022 09:04:01 -0500
		4	Subject: [PATCH] Require authentication for CUPS-Get-Document.
		5
		6	Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913]
		7	CVE: CVE-2023-32360
		8	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		9	---
		10	conf/cupsd.conf.in \| 8 +++++++-
		11	1 file changed, 7 insertions(+), 1 deletion(-)
		12
		13	diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
		14	index b258849078..a07536f3e4 100644
		15	--- a/conf/cupsd.conf.in
		16	+++ b/conf/cupsd.conf.in
		17	@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
		18	Order deny,allow
		19	</Limit>
		20
		21	- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
		22	+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
		23	+ Require user @OWNER @SYSTEM
		24	+ Order deny,allow
		25	+ </Limit>
		26	+
		27	+ <Limit CUPS-Get-Document>
		28	+ AuthType Default
		29	Require user @OWNER @SYSTEM
		30	Order deny,allow
		31	</Limit>


diff --git a/meta/recipes-extended/cups/cups/CVE-2023-34241.patch b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch new file mode 100644 index 0000000000..816efc2946 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch
@@ -0,0 +1,65 @@
		1	From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
		2	From: Rose <83477269+AtariDreams@users.noreply.github.com>
		3	Date: Thu, 1 Jun 2023 11:33:39 -0400
		4	Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
		5
		6	httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
		7
		8	We have to log the hostname first.
		9
		10	Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2]
		11	CVE: CVE-2023-34241
		12	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		13	---
		14	scheduler/client.c \| 16 +++++++---------
		15	1 file changed, 7 insertions(+), 9 deletions(-)
		16
		17	diff --git a/scheduler/client.c b/scheduler/client.c
		18	index 91e441188c..327473a4d1 100644
		19	--- a/scheduler/client.c
		20	+++ b/scheduler/client.c
		21	@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t lis)/ I - Listener socket */
		22	/*
		23	* Can't have an unresolved IP address with double-lookups enabled...
		24	*/
		25	-
		26	- httpClose(con->http);
		27	-
		28	cupsdLogClient(con, CUPSD_LOG_WARN,
		29	- "Name lookup failed - connection from %s closed!",
		30	+ "Name lookup failed - closing connection from %s!",
		31	httpGetHostname(con->http, NULL, 0));
		32
		33	+ httpClose(con->http);
		34	free(con);
		35	return;
		36	}
		37	@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t lis)/ I - Listener socket */
		38	* with double-lookups enabled...
		39	*/
		40
		41	- httpClose(con->http);
		42	-
		43	cupsdLogClient(con, CUPSD_LOG_WARN,
		44	- "IP lookup failed - connection from %s closed!",
		45	+ "IP lookup failed - closing connection from %s!",
		46	httpGetHostname(con->http, NULL, 0));
		47	+
		48	+ httpClose(con->http);
		49	free(con);
		50	return;
		51	}
		52	@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t lis)/ I - Listener socket */
		53
		54	if (!hosts_access(&wrap_req))
		55	{
		56	- httpClose(con->http);
		57	-
		58	cupsdLogClient(con, CUPSD_LOG_WARN,
		59	"Connection from %s refused by /etc/hosts.allow and "
		60	"/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
		61	+
		62	+ httpClose(con->http);
		63	free(con);
		64	return;
		65	}


diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch new file mode 100644 index 0000000000..be0db1fbd4 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
@@ -0,0 +1,40 @@
		1	From a9a7daa77699bd58001c25df8a61a8029a217ddf Mon Sep 17 00:00:00 2001
		2	From: Zdenek Dohnal <zdohnal@redhat.com>
		3	Date: Fri, 1 Sep 2023 16:47:29 +0200
		4	Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
		5
		6	We didn't check for end of buffer if it looks there is an escaped
		7	character - check for NULL terminator there and if found, return NULL
		8	as return value and in `ptr`, because a lone backslash is not
		9	a valid PostScript character.
		10
		11	Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31]
		12	CVE: CVE-2023-4504
		13	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		14	---
		15	cups/raster-interpret.c \| 14 +++++++++++++-
		16	1 file changed, 13 insertions(+), 1 deletion(-)
		17
		18	--- a/cups/raster-interpret.c
		19	+++ b/cups/raster-interpret.c
		20	@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t st, / I - S
		21
		22	cur ++;
		23
		24	- if (*cur == 'b')
		25	+ /*
		26	+ * Return NULL if we reached NULL terminator, a lone backslash
		27	+ * is not a valid character in PostScript.
		28	+ */
		29	+
		30	+ if (!*cur)
		31	+ {
		32	+ *ptr = NULL;
		33	+
		34	+ return (NULL);
		35	+ }
		36	+
		37	+ if (*cur == 'b')
		38	*valptr++ = '\b';
		39	else if (*cur == 'f')
		40	*valptr++ = '\f';