cups: fix CVE-2023-34241 use-after-free in cupsdAcceptClient() in scheduler/client.c

(From OE-Core rev: 9a6c7442ac2fc2ce668d0c931696d39288ee3d4a) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vivek Kumbhar <vkumbhar@mvista.com> 2023-07-05 20:17:57 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-07-12 05:11:38 -1000
commit: acca9233b2282bbb2bcc0cbaf20fa36076ed2264 (patch)
tree: 27b72f064e0b2fa4664fc73ac1e6f4f4f0218149
parent: c4d91873aff004267b75913572d7f3c2ba104636 (diff)
download: poky-acca9233b2282bbb2bcc0cbaf20fa36076ed2264.tar.gz
2 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 1b87d47a49..87f220590f 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -16,6 +16,7 @@ SRC_URI = "https://github.com/OpenPrinting/cups/releases/download/v${PV}/cups-${
           file://volatiles.99_cups \
           file://cups-volatiles.conf \
           file://CVE-2023-32324.patch \
+           file://CVE-2023-34241.patch \
           "
 UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-34241.patch b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch
new file mode 100644
index 0000000000..95b3925b36
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch
@@ -0,0 +1,68 @@
+From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
+From: Rose <83477269+AtariDreams@users.noreply.github.com>
+Date: Thu, 1 Jun 2023 11:33:39 -0400
+Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
+httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
+We have to log the hostname first.
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2]
+CVE: CVE-2023-34241
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ scheduler/client.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+diff --git a/scheduler/client.c b/scheduler/client.c
+index e7e419f..441c1d7 100644
+--- a/scheduler/client.c
+++ b/scheduler/client.c
+@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+    /*
+     * Can't have an unresolved IP address with double-lookups enabled...
+     */
+-
+-    httpClose(con->http);
+-
+     cupsdLogClient(con, CUPSD_LOG_WARN,
+-                    "Name lookup failed - connection from %s closed!",
+                    "Name lookup failed - closing connection from %s!",
+                     httpGetHostname(con->http, NULL, 0));
+ 
+    httpClose(con->http);
+     free(con);
+     return;
+   }
+@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+       * with double-lookups enabled...
+       */
+ 
+-      httpClose(con->http);
+-
+       cupsdLogClient(con, CUPSD_LOG_WARN,
+-                      "IP lookup failed - connection from %s closed!",
+                      "IP lookup failed - closing connection from %s!",
+                       httpGetHostname(con->http, NULL, 0));
+
+      httpClose(con->http);
+       free(con);
+       return;
+     }
+@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ 
+   if (!hosts_access(&wrap_req))
+   {
+-    httpClose(con->http);
+-
+     cupsdLogClient(con, CUPSD_LOG_WARN,
+                     "Connection from %s refused by /etc/hosts.allow and "
+                    "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
+
+    httpClose(con->http);
+     free(con);
+     return;
+   }
+-- 
+2.25.1
author	Vivek Kumbhar <vkumbhar@mvista.com>	2023-07-05 20:17:57 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-07-12 05:11:38 -1000
commit	acca9233b2282bbb2bcc0cbaf20fa36076ed2264 (patch)
tree	27b72f064e0b2fa4664fc73ac1e6f4f4f0218149
parent	c4d91873aff004267b75913572d7f3c2ba104636 (diff)
download	poky-acca9233b2282bbb2bcc0cbaf20fa36076ed2264.tar.gz

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 1b87d47a49..87f220590f 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc
@@ -16,6 +16,7 @@ SRC_URI = "https://github.com/OpenPrinting/cups/releases/download/v${PV}/cups-${
16	file://volatiles.99_cups \	16	file://volatiles.99_cups \
17	file://cups-volatiles.conf \	17	file://cups-volatiles.conf \
18	file://CVE-2023-32324.patch \	18	file://CVE-2023-32324.patch \
		19	file://CVE-2023-34241.patch \
19	"	20	"
20		21
21	UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases"	22	UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases"


diff --git a/meta/recipes-extended/cups/cups/CVE-2023-34241.patch b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch new file mode 100644 index 0000000000..95b3925b36 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch
@@ -0,0 +1,68 @@
		1	From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
		2	From: Rose <83477269+AtariDreams@users.noreply.github.com>
		3	Date: Thu, 1 Jun 2023 11:33:39 -0400
		4	Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
		5
		6	httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
		7
		8	We have to log the hostname first.
		9
		10	Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2]
		11	CVE: CVE-2023-34241
		12	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		13	---
		14	scheduler/client.c \| 16 +++++++---------
		15	1 file changed, 7 insertions(+), 9 deletions(-)
		16
		17	diff --git a/scheduler/client.c b/scheduler/client.c
		18	index e7e419f..441c1d7 100644
		19	--- a/scheduler/client.c
		20	+++ b/scheduler/client.c
		21	@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t lis)/ I - Listener socket */
		22	/*
		23	* Can't have an unresolved IP address with double-lookups enabled...
		24	*/
		25	-
		26	- httpClose(con->http);
		27	-
		28	cupsdLogClient(con, CUPSD_LOG_WARN,
		29	- "Name lookup failed - connection from %s closed!",
		30	+ "Name lookup failed - closing connection from %s!",
		31	httpGetHostname(con->http, NULL, 0));
		32
		33	+ httpClose(con->http);
		34	free(con);
		35	return;
		36	}
		37	@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t lis)/ I - Listener socket */
		38	* with double-lookups enabled...
		39	*/
		40
		41	- httpClose(con->http);
		42	-
		43	cupsdLogClient(con, CUPSD_LOG_WARN,
		44	- "IP lookup failed - connection from %s closed!",
		45	+ "IP lookup failed - closing connection from %s!",
		46	httpGetHostname(con->http, NULL, 0));
		47	+
		48	+ httpClose(con->http);
		49	free(con);
		50	return;
		51	}
		52	@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t lis)/ I - Listener socket */
		53
		54	if (!hosts_access(&wrap_req))
		55	{
		56	- httpClose(con->http);
		57	-
		58	cupsdLogClient(con, CUPSD_LOG_WARN,
		59	"Connection from %s refused by /etc/hosts.allow and "
		60	"/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
		61	+
		62	+ httpClose(con->http);
		63	free(con);
		64	return;
		65	}
		66	--
		67	2.25.1
		68