Incomplete fix for CVE-2014-3537 (CVE-2014-5029/5030/5031) #4455
Comments
|
CUPS.org User: mike Proposed fix attached, with a tentative release date of July 30. |
|
CUPS.org User: mike Updated patch for 2.0 (forgot to include world-readable check) |
|
CUPS.org User: mike And the patch for 1.7 and earlier (which don't have the cupsdLogClient function) |
|
CUPS.org User: mike Now assigned to CVE-2014-5029/5030/5031. |
|
CUPS.org User: twaugh.redhat The world-readability test breaks authenticated 'GET /admin/log/error_log' requests. Is that intentional? |
|
CUPS.org User: jsmeix.suse For me it still works to view the error log I think this is because (at least for my cups-1.7.4) I vaguely remember there was a longer time ago some thread |
|
CUPS.org User: mike Tim, please file a separate bug for the log file regression; the default log file permissions in CUPS are 0644, but we can probably special-case the log files when authentication is enabled. |
|
"str4455.patch": Index: scheduler/client.c--- scheduler/client.c (revision 12054)
@@ -3071,7 +3071,7 @@
@@ -3079,7 +3079,7 @@
@@ -3087,18 +3087,28 @@
cupsdLogClient(con, CUPSD_LOG_DEBUG2, "get_file filestats=%p, filename=%p, len=" CUPS_LLFMT ", returning "%s".", filestats, filename, CUPS_LLCAST len, status ? "(null)" : filename); |
|
"str4455_v2.patch": Index: scheduler/client.c--- scheduler/client.c (revision 12054)
@@ -3071,7 +3071,7 @@
@@ -3079,7 +3079,7 @@
@@ -3087,18 +3087,39 @@
cupsdLogClient(con, CUPSD_LOG_DEBUG2, "get_file filestats=%p, filename=%p, len=" CUPS_LLFMT ", returning "%s".", filestats, filename, CUPS_LLCAST len, status ? "(null)" : filename); |
|
"str4455-1.7.patch": Index: scheduler/client.c--- scheduler/client.c (revision 12054)
@@ -3422,7 +3422,7 @@
@@ -3430,7 +3430,7 @@
@@ -3438,18 +3438,39 @@
cupsdLogMessage(CUPSD_LOG_DEBUG2, |
|
CUPS.org User: jsmeix.suse Lame self-reply because of my own lossy mind: |
|
CUPS.org User: twaugh.redhat Filed as STR #4461. |
|
CUPS.org User: twaugh.redhat Note that STR #4461 also affects cupsd.conf, effectively breaking cupsctl for all situations except the special case of cupsctl being able to read the file directly. |
|
Is there a commit for the issue? |
|
@galaktipus Yes, 6 years ago in the old Subversion repository. Searching the git log output I found commit 9e92ab1 which contained this change. |
Version: 1.7.4
CUPS.org User: carnil
Hi
I noticed the fix for CVE-2014-3537 might be incomplete. From http://www.cups.org/str.php?L4450 the intention was to dissalow symlinks. But the code in 1.7.4 (similarly in current development version) looks like:
3313 if ((status = stat(filename, filestats)) != 0 && language[0] &&
3314 strncmp(con->uri, "/icons/", 7) &&
3315 strncmp(con->uri, "/ppd/", 5) &&
3316 strncmp(con->uri, "/rss/", 5) &&
3317 strncmp(con->uri, "/admin/conf/", 12) &&
3318 strncmp(con->uri, "/admin/log/", 11))
3319 {
3320 /*
3321 * Drop the country code...
3322 /
3323
3324 language[3] = '\0';
3325 snprintf(filename, len, "%s%s%s", DocumentRoot, language, con->uri);
3326
3327 if ((ptr = strchr(filename, '?')) != NULL)
3328 *ptr = '\0';
3329
3330 if ((status = lstat(filename, filestats)) != 0)
3331 {
3332 /
3333 * Drop the language prefix and try the root directory...
3334 */
3335
3336 language[0] = '\0';
3337 snprintf(filename, len, "%s%s", DocumentRoot, con->uri);
3338
3339 if ((ptr = strchr(filename, '?')) != NULL)
3340 *ptr = '\0';
3341
3342 status = lstat(filename, filestats);
3343 }
3344 }
if language[0] is null, we do not reach the lstat calls for filename and afterwards
3346 /*
3347 * If we've found a symlink, 404 the sucker to avoid disclosing information.
3348 */
3349
3350 if (!status && S_ISLNK(filestats->st_mode))
3351 {
3352 cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as "%s" are not allowed.", c on->http.fd, filename);
3353 return (NULL);
3354 }
will not do what was intended.
Additionally (from Michael Sweet):
Regards,
Salvatore
The text was updated successfully, but these errors were encountered: