@@ -12,6 +12,7 @@ DEPENDS:class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-nat
SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \
file://CVE-2025-57812.patch \
file://CVE-2025-64524.patch \
+ file://CVE-2023-24805.patch \
"
inherit autotools-brokensep gettext pkgconfig
new file mode 100644
@@ -0,0 +1,213 @@
+From c90dcbd2887c1221a1c298c7a194b1d93ed0e501 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Wed, 17 May 2023 11:12:37 +0200
+Subject: [PATCH] Merge pull request from GHSA-gpxc-v2m8-fr3x
+
+* beh backend: Use execv() instead of system() - CVE-2023-24805
+
+With execv() command line arguments are passed as separate strings and
+not the full command line in a single string. This prevents arbitrary
+command execution by escaping the quoting of the arguments in a job
+with forged job title.
+
+* beh backend: Extra checks against odd/forged input - CVE-2023-24805
+
+- Do not allow '/' in the scheme of the URI (= backend executable
+ name), to assure that only backends inside /usr/lib/cups/backend/
+ are used.
+
+- Pre-define scheme buffer to empty string, to be defined for case of
+ uri being NULL.
+
+- URI must have ':', to split off scheme, otherwise error.
+
+- Check return value of snprintf() to create call path for backend, to
+ error out on truncation of a too long scheme or on complete failure
+ due to a completely odd scheme.
+
+* beh backend: Further improvements - CVE-2023-24805
+
+- Use strncat() instead of strncpy() for getting scheme from URI, the latter
+ does not require setting terminating zero byte in case of truncation.
+
+- Also exclude "." or ".." as scheme, as directories are not valid CUPS
+ backends.
+
+- Do not use fprintf() in sigterm_handler(), to not interfere with a
+ fprintf() which could be running in the main process when
+ sigterm_handler() is triggered.
+
+- Use "static volatile int" for global variable job_canceled.
+
+CVE: CVE-2023-24805
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/8f274035756c04efeb77eb654e9d4c4447287d65]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ backend/beh.c | 107 +++++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 83 insertions(+), 24 deletions(-)
+
+diff --git a/backend/beh.c b/backend/beh.c
+index 225fd27..e864c22 100644
+--- a/backend/beh.c
++++ b/backend/beh.c
+@@ -22,12 +22,13 @@
+ #include "backend-private.h"
+ #include <cups/array.h>
+ #include <ctype.h>
++#include <sys/wait.h>
+
+ /*
+ * Local globals...
+ */
+
+-static int job_canceled = 0; /* Set to 1 on SIGTERM */
++static volatile int job_canceled = 0; /* Set to 1 on SIGTERM */
+
+ /*
+ * Local functions...
+@@ -213,20 +214,43 @@ call_backend(char *uri, /* I - URI of final destination */
+ char **argv, /* I - Command-line arguments */
+ char *filename) { /* I - File name of input data */
+ const char *cups_serverbin; /* Location of programs */
++ char *backend_argv[8]; /* Arguments for called CUPS backend */
+ char scheme[1024], /* Scheme from URI */
+ *ptr, /* Pointer into scheme */
+- cmdline[65536]; /* Backend command line */
+- int retval;
++ backend_path[2048]; /* Backend path */
++ int pid,
++ wait_pid,
++ wait_status,
++ retval = 0;
++ int bytes;
+
+ /*
+ * Build the backend command line...
+ */
+
+- strncpy(scheme, uri, sizeof(scheme) - 1);
+- if (strlen(uri) > 1023)
+- scheme[1023] = '\0';
++ scheme[0] = '\0';
++ strncat(scheme, uri, sizeof(scheme) - 1);
+ if ((ptr = strchr(scheme, ':')) != NULL)
+ *ptr = '\0';
++ else
++ {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme part.\n");
++ exit (CUPS_BACKEND_FAILED);
++ }
++ if (strchr(scheme, '/'))
++ {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
++ exit (CUPS_BACKEND_FAILED);
++ }
++ if (!strcmp(scheme, ".") || !strcmp(scheme, ".."))
++ {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, scheme (\"%s\") is a directory.\n",
++ scheme);
++ exit (CUPS_BACKEND_FAILED);
++ }
+
+ if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
+ cups_serverbin = CUPS_SERVERBIN;
+@@ -235,16 +259,26 @@ call_backend(char *uri, /* I - URI of final destination */
+ fprintf(stderr,
+ "ERROR: beh: Direct output into a file not supported.\n");
+ exit (CUPS_BACKEND_FAILED);
+- } else
+- snprintf(cmdline, sizeof(cmdline),
+- "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
+- cups_serverbin, scheme, argv[1], argv[2], argv[3],
+- /* Apply number of copies only if beh was called with a
+- file name and not with the print data in stdin, as
+- backends should handle copies only if they are called
+- with a file name */
+- (argc == 6 ? "1" : argv[4]),
+- argv[5], filename);
++ }
++
++ backend_argv[0] = uri;
++ backend_argv[1] = argv[1];
++ backend_argv[2] = argv[2];
++ backend_argv[3] = argv[3];
++ backend_argv[4] = (argc == 6 ? "1" : argv[4]);
++ backend_argv[5] = argv[5];
++ backend_argv[6] = filename;
++ backend_argv[7] = NULL;
++
++ bytes = snprintf(backend_path, sizeof(backend_path),
++ "%s/backend/%s", cups_serverbin, scheme);
++ if (bytes < 0 || bytes >= sizeof(backend_path))
++ {
++ fprintf(stderr,
++ "ERROR: beh: Invalid scheme (\"%s\"), could not determing backend path.\n",
++ scheme);
++ exit (CUPS_BACKEND_FAILED);
++ }
+
+ /*
+ * Overwrite the device URI and run the actual backend...
+@@ -253,17 +287,40 @@ call_backend(char *uri, /* I - URI of final destination */
+ setenv("DEVICE_URI", uri, 1);
+
+ fprintf(stderr,
+- "DEBUG: beh: Executing backend command line \"%s\"...\n",
+- cmdline);
++ "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s' '%s'%s%s\"...\n",
++ backend_path, backend_argv[1], backend_argv[2], backend_argv[3],
++ backend_argv[4], backend_argv[5],
++ (backend_argv[6] && backend_argv[6][0] ? " " : ""),
++ (backend_argv[6] && backend_argv[6][0] ? backend_argv[6] : ""));
+ fprintf(stderr,
+ "DEBUG: beh: Using device URI: %s\n",
+ uri);
+
+- retval = system(cmdline) >> 8;
++ if ((pid = fork()) == 0)
++ {
++ retval = execv(backend_path, backend_argv);
++ if (retval == -1)
++ fprintf(stderr, "ERROR: Unable to execute backend: %s\n",
++ strerror(errno));
++ exit (CUPS_BACKEND_FAILED);
++ }
++ else if (pid < 0)
++ {
++ fprintf(stderr, "ERROR: Unable to fork for backend\n");
++ return (CUPS_BACKEND_FAILED);
++ }
++
++ while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR);
+
+- if (retval == -1)
+- fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n",
+- strerror(errno));
++ if (wait_pid >= 0 && wait_status)
++ {
++ if (WIFEXITED(wait_status))
++ retval = WEXITSTATUS(wait_status);
++ else if (WTERMSIG(wait_status) != SIGTERM)
++ retval = WTERMSIG(wait_status);
++ else
++ retval = 0;
++ }
+
+ return (retval);
+ }
+@@ -277,8 +334,10 @@ static void
+ sigterm_handler(int sig) { /* I - Signal number (unused) */
+ (void)sig;
+
+- fprintf(stderr,
+- "DEBUG: beh: Job canceled.\n");
++ const char * const msg = "DEBUG: beh: Job canceled.\n";
++ // The if() is to eliminate the return value and silence the warning
++ // about an unused return value.
++ if (write(2, msg, strlen(msg)));
+
+ if (job_canceled)
+ _exit(CUPS_BACKEND_OK);
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-24805 Pick the patch referenced by the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../recipes-printing/cups/cups-filters.inc | 1 + .../cups/cups-filters/CVE-2023-24805.patch | 213 ++++++++++++++++++ 2 files changed, 214 insertions(+) create mode 100644 meta-oe/recipes-printing/cups/cups-filters/CVE-2023-24805.patch