
[kirkstone] cups: Security fix for CVE-2024-35235

Message ID 20240920125155.97743-1-rsangam@mvista.com
State Under Review
Delegated to: Steve Sakoman

Commit Message

Rohini Sangam Sept. 20, 2024, 12:51 p.m. UTC
CVE fixed:
- CVE-2024-35235: cups: Cupsd Listen arbitrary chmod 0140777
Upstream-Status: Backport from https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2, https://github.com/OpenPrinting/cups/commit/e3952d3ecd231588bb382529281a294124db9348#diff-6fc0a5ba57f83c8177d28f44729276fe35fcaaceae8b774481e6973fcbdf733d

Signed-off-by: Rohini Sangam <rsangam@mvista.com>
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
 meta/recipes-extended/cups/cups.inc           |   1 +
 .../cups/cups/CVE-2024-35235.patch            | 121 ++++++++++++++++++
 2 files changed, 122 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-35235.patch

Patch

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 047ab33898..6d5cf3b588 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -19,6 +19,7 @@  SRC_URI = "https://github.com/OpenPrinting/cups/releases/download/v${PV}/cups-${
            file://CVE-2023-34241.patch \
 	   file://CVE-2023-32360.patch \
 	   file://CVE-2023-4504.patch \
+	   file://CVE-2024-35235.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2024-35235.patch b/meta/recipes-extended/cups/cups/CVE-2024-35235.patch
new file mode 100644
index 0000000000..d7a2d426af
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2024-35235.patch
@@ -0,0 +1,121 @@ 
+From a436956f374b0fd7f5da9df482e4f5840fa1c0d2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Mon, 3 Jun 2024 18:53:58 +0200
+Subject: [PATCH] CVE-2024-35235: Fix domain socket handling
+
+- Check status of unlink and bind system calls.
+- Don't allow extra domain sockets when running from launchd/systemd.
+- Validate length of domain socket path (< sizeof(sun_path))
+
+Upstream-Status: Backport from https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2, https://github.com/OpenPrinting/cups/commit/e3952d3ecd231588bb382529281a294124db9348#diff-6fc0a5ba57f83c8177d28f44729276fe35fcaaceae8b774481e6973fcbdf733d
+CVE: CVE-2024-35235
+
+Signed-off-by: Rohini Sangam <rsangam@mvista.com>
+---
+ cups/debug-internal.h |  4 +--
+ cups/http-addr.c      | 36 ++++++++++---------
+ scheduler/conf.c      | 20 +++++++++++
+ 3 files changed, 41 insertions(+), 19 deletions(-)
+
+diff --git a/cups/debug-internal.h b/cups/debug-internal.h
+index 2b57854..2e1a56a 100644
+--- a/cups/debug-internal.h
++++ b/cups/debug-internal.h
+@@ -59,10 +59,10 @@ extern "C" {
+ 
+ #  ifdef DEBUG
+ #    define DEBUG_puts(x) _cups_debug_puts(x)
+-#    define DEBUG_printf(x) _cups_debug_printf x
++#    define DEBUG_printf(...) _cups_debug_printf(__VA_ARGS__)
+ #  else
+ #    define DEBUG_puts(x)
+-#    define DEBUG_printf(x)
++#    define DEBUG_printf(...)
+ #  endif /* DEBUG */
+ 
+ 
+diff --git a/cups/http-addr.c b/cups/http-addr.c
+index 114a644..610e9db 100644
+--- a/cups/http-addr.c
++++ b/cups/http-addr.c
+@@ -206,27 +206,29 @@ httpAddrListen(http_addr_t *addr,	/* I - Address to bind to */
+     * Remove any existing domain socket file...
+     */
+ 
+-    unlink(addr->un.sun_path);
+-
+-   /*
+-    * Save the current umask and set it to 0 so that all users can access
+-    * the domain socket...
+-    */
+-
+-    mask = umask(0);
++    if ((status = unlink(addr->un.sun_path)) < 0)
++    {
++      DEBUG_printf("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno));
+ 
+-   /*
+-    * Bind the domain socket...
+-    */
++      if (errno == ENOENT)
++	status = 0;
++    }
+ 
+-    status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
++    if (!status)
++    {
++      // Save the current umask and set it to 0 so that all users can access
++      // the domain socket...
++      mask = umask(0);
+ 
+-   /*
+-    * Restore the umask and fix permissions...
+-    */
++      // Bind the domain socket...
++      if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
++      {
++	DEBUG_printf("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno));
++      }
+ 
+-    umask(mask);
+-    chmod(addr->un.sun_path, 0140777);
++      // Restore the umask...
++      umask(mask);
++    }
+   }
+   else
+ #endif /* AF_LOCAL */
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index 535d40f..3a2eec2 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -3074,6 +3074,26 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+       cupsd_listener_t	*lis;		/* New listeners array */
+ 
+ 
++      /*
++      * If we are launched on-demand, do not use domain sockets from the config
++      * file.  Also check that the domain socket path is not too long...
++      */
++
++#ifdef HAVE_ONDEMAND
++      if (*value == '/' && OnDemand)
++      {
++        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
++        continue;
++      }
++#endif // HAVE_ONDEMAND
++
++      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
++      {
++        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
++        continue;
++      }
++
+      /*
+       * Get the address list...
+       */
+-- 
+2.35.7
+
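Review bot: In the cups/http-addr.c section, `errno` is tested for `ENOENT` only after `DEBUG_printf(...)` has already run, so in a DEBUG build the logging call could overwrite it; a missing socket file would then be treated as an unlink failure and the bind skipped. Capturing the value first keeps the decision independent of logging: add `int unlink_errno = errno;` immediately after the failed `unlink()` and use `unlink_errno` in both the message and the `ENOENT` test. Separately, the cups/debug-internal.h section makes `DEBUG_printf` variadic; if the kirkstone sources still contain callers in the older `DEBUG_printf(("fmt", args))` form (not visible here), a DEBUG build would pass `_cups_debug_printf` a parenthesised comma expression rather than a format string. It is worth confirming those callers were converted, or else keeping the old macro and writing the two new calls in the double-parenthesis form. The body of httpAddrListen starts and ends outside the embedded hunk.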