2 files changed, 122 insertions, 0 deletions
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 047ab33898..6d5cf3b588 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -19,6 +19,7 @@ SRC_URI = "https://github.com/OpenPrinting/cups/releases/download/v${PV}/cups-${
           file://CVE-2023-34241.patch \
           file://CVE-2023-32360.patch \
           file://CVE-2023-4504.patch \
+           file://CVE-2024-35235.patch \
           "
 UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2024-35235.patch b/meta/recipes-extended/cups/cups/CVE-2024-35235.patch
new file mode 100644
index 0000000000..d7a2d426af
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2024-35235.patch
@@ -0,0 +1,121 @@
+From a436956f374b0fd7f5da9df482e4f5840fa1c0d2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Mon, 3 Jun 2024 18:53:58 +0200
+Subject: [PATCH] CVE-2024-35235: Fix domain socket handling
+- Check status of unlink and bind system calls.
+- Don't allow extra domain sockets when running from launchd/systemd.
+- Validate length of domain socket path (< sizeof(sun_path))
+Upstream-Status: Backport from https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2, https://github.com/OpenPrinting/cups/commit/e3952d3ecd231588bb382529281a294124db9348#diff-6fc0a5ba57f83c8177d28f44729276fe35fcaaceae8b774481e6973fcbdf733d
+CVE: CVE-2024-35235
+Signed-off-by: Rohini Sangam <rsangam@mvista.com>
+---
+ cups/debug-internal.h |  4 +--
+ cups/http-addr.c      | 36 ++++++++++---------
+ scheduler/conf.c      | 20 +++++++++++
+ 3 files changed, 41 insertions(+), 19 deletions(-)
+diff --git a/cups/debug-internal.h b/cups/debug-internal.h
+index 2b57854..2e1a56a 100644
+--- a/cups/debug-internal.h
+++ b/cups/debug-internal.h
+@@ -59,10 +59,10 @@ extern "C" {
+ 
+ #  ifdef DEBUG
+ #    define DEBUG_puts(x) _cups_debug_puts(x)
+-#    define DEBUG_printf(x) _cups_debug_printf x
+#    define DEBUG_printf(...) _cups_debug_printf(__VA_ARGS__)
+ #  else
+ #    define DEBUG_puts(x)
+-#    define DEBUG_printf(x)
+#    define DEBUG_printf(...)
+ #  endif /* DEBUG */
+ 
+ 
+diff --git a/cups/http-addr.c b/cups/http-addr.c
+index 114a644..610e9db 100644
+--- a/cups/http-addr.c
+++ b/cups/http-addr.c
+@@ -206,27 +206,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
+     * Remove any existing domain socket file...
+     */
+ 
+-    unlink(addr->un.sun_path);
+-
+-   /*
+-    * Save the current umask and set it to 0 so that all users can access
+-    * the domain socket...
+-    */
+-
+-    mask = umask(0);
+    if ((status = unlink(addr->un.sun_path)) < 0)
+    {
+      DEBUG_printf("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno));
+ 
+-   /*
+-    * Bind the domain socket...
+-    */
+      if (errno == ENOENT)
+       status = 0;
+    }
+ 
+-    status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
+    if (!status)
+    {
+      // Save the current umask and set it to 0 so that all users can access
+      // the domain socket...
+      mask = umask(0);
+ 
+-   /*
+-    * Restore the umask and fix permissions...
+-    */
+      // Bind the domain socket...
+      if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
+      {
+       DEBUG_printf("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno));
+      }
+ 
+-    umask(mask);
+-    chmod(addr->un.sun_path, 0140777);
+      // Restore the umask...
+      umask(mask);
+    }
+   }
+   else
+ #endif /* AF_LOCAL */
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index 535d40f..3a2eec2 100644
+--- a/scheduler/conf.c
+++ b/scheduler/conf.c
+@@ -3074,6 +3074,26 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
+       cupsd_listener_t *lis;           /* New listeners array */
+ 
+ 
+      /*
+      * If we are launched on-demand, do not use domain sockets from the config
+      * file.  Also check that the domain socket path is not too long...
+      */
+
+#ifdef HAVE_ONDEMAND
+      if (*value == '/' && OnDemand)
+      {
+        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
+          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
+        continue;
+      }
+#endif // HAVE_ONDEMAND
+
+      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
+      {
+        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
+        continue;
+      }
+
+      /*
+       * Get the address list...
+       */
+-- 
+2.35.7

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 047ab33898..6d5cf3b588 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc
@@ -19,6 +19,7 @@ SRC_URI = "https://github.com/OpenPrinting/cups/releases/download/v${PV}/cups-${
19	file://CVE-2023-34241.patch \	19	file://CVE-2023-34241.patch \
20	file://CVE-2023-32360.patch \	20	file://CVE-2023-32360.patch \
21	file://CVE-2023-4504.patch \	21	file://CVE-2023-4504.patch \
		22	file://CVE-2024-35235.patch \
22	"	23	"
23		24
24	UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases"	25	UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases"


diff --git a/meta/recipes-extended/cups/cups/CVE-2024-35235.patch b/meta/recipes-extended/cups/cups/CVE-2024-35235.patch new file mode 100644 index 0000000000..d7a2d426af --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2024-35235.patch
@@ -0,0 +1,121 @@
		1	From a436956f374b0fd7f5da9df482e4f5840fa1c0d2 Mon Sep 17 00:00:00 2001
		2	From: Zdenek Dohnal <zdohnal@redhat.com>
		3	Date: Mon, 3 Jun 2024 18:53:58 +0200
		4	Subject: [PATCH] CVE-2024-35235: Fix domain socket handling
		5
		6	- Check status of unlink and bind system calls.
		7	- Don't allow extra domain sockets when running from launchd/systemd.
		8	- Validate length of domain socket path (< sizeof(sun_path))
		9
		10	Upstream-Status: Backport from https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2, https://github.com/OpenPrinting/cups/commit/e3952d3ecd231588bb382529281a294124db9348#diff-6fc0a5ba57f83c8177d28f44729276fe35fcaaceae8b774481e6973fcbdf733d
		11	CVE: CVE-2024-35235
		12
		13	Signed-off-by: Rohini Sangam <rsangam@mvista.com>
		14	---
		15	cups/debug-internal.h \| 4 +--
		16	cups/http-addr.c \| 36 ++++++++++---------
		17	scheduler/conf.c \| 20 +++++++++++
		18	3 files changed, 41 insertions(+), 19 deletions(-)
		19
		20	diff --git a/cups/debug-internal.h b/cups/debug-internal.h
		21	index 2b57854..2e1a56a 100644
		22	--- a/cups/debug-internal.h
		23	+++ b/cups/debug-internal.h
		24	@@ -59,10 +59,10 @@ extern "C" {
		25
		26	# ifdef DEBUG
		27	# define DEBUG_puts(x) _cups_debug_puts(x)
		28	-# define DEBUG_printf(x) _cups_debug_printf x
		29	+# define DEBUG_printf(...) _cups_debug_printf(__VA_ARGS__)
		30	# else
		31	# define DEBUG_puts(x)
		32	-# define DEBUG_printf(x)
		33	+# define DEBUG_printf(...)
		34	# endif /* DEBUG */
		35
		36
		37	diff --git a/cups/http-addr.c b/cups/http-addr.c
		38	index 114a644..610e9db 100644
		39	--- a/cups/http-addr.c
		40	+++ b/cups/http-addr.c
		41	@@ -206,27 +206,29 @@ httpAddrListen(http_addr_t addr, / I - Address to bind to */
		42	* Remove any existing domain socket file...
		43	*/
		44
		45	- unlink(addr->un.sun_path);
		46	-
		47	- /*
		48	- * Save the current umask and set it to 0 so that all users can access
		49	- * the domain socket...
		50	- */
		51	-
		52	- mask = umask(0);
		53	+ if ((status = unlink(addr->un.sun_path)) < 0)
		54	+ {
		55	+ DEBUG_printf("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno));
		56
		57	- /*
		58	- * Bind the domain socket...
		59	- */
		60	+ if (errno == ENOENT)
		61	+ status = 0;
		62	+ }
		63
		64	- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
		65	+ if (!status)
		66	+ {
		67	+ // Save the current umask and set it to 0 so that all users can access
		68	+ // the domain socket...
		69	+ mask = umask(0);
		70
		71	- /*
		72	- * Restore the umask and fix permissions...
		73	- */
		74	+ // Bind the domain socket...
		75	+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
		76	+ {
		77	+ DEBUG_printf("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno));
		78	+ }
		79
		80	- umask(mask);
		81	- chmod(addr->un.sun_path, 0140777);
		82	+ // Restore the umask...
		83	+ umask(mask);
		84	+ }
		85	}
		86	else
		87	#endif /* AF_LOCAL */
		88	diff --git a/scheduler/conf.c b/scheduler/conf.c
		89	index 535d40f..3a2eec2 100644
		90	--- a/scheduler/conf.c
		91	+++ b/scheduler/conf.c
		92	@@ -3074,6 +3074,26 @@ read_cupsd_conf(cups_file_t fp) / I - File to read from */
		93	cupsd_listener_t lis; / New listeners array */
		94
		95
		96	+ /*
		97	+ * If we are launched on-demand, do not use domain sockets from the config
		98	+ * file. Also check that the domain socket path is not too long...
		99	+ */
		100	+
		101	+#ifdef HAVE_ONDEMAND
		102	+ if (*value == '/' && OnDemand)
		103	+ {
		104	+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
		105	+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
		106	+ continue;
		107	+ }
		108	+#endif // HAVE_ONDEMAND
		109	+
		110	+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
		111	+ {
		112	+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
		113	+ continue;
		114	+ }
		115	+
		116	/*
		117	* Get the address list...
		118	*/
		119	--
		120	2.35.7
		121