Incomplete fix for CVE-2014-3537 (CVE-2014-5029/5030/5031) #4455
Comments
CUPS.org User: mike Proposed fix attached, with a tentative release date of July 30.
CUPS.org User: mike Updated patch for 2.0 (forgot to include world-readable check)
CUPS.org User: mike And the patch for 1.7 and earlier (which don't have the cupsdLogClient function)
CUPS.org User: mike Now assigned to CVE-2014-5029/5030/5031.
CUPS.org User: twaugh.redhat The world-readability test breaks authenticated 'GET /admin/log/error_log' requests. Is that intentional?
CUPS.org User: jsmeix.suse For me it still works to view the error log. I think this is because (at least for my cups-1.7.4) I vaguely remember there was a longer time ago some thread
CUPS.org User: mike Tim, please file a separate bug for the log file regression; the default log file permissions in CUPS are 0644, but we can probably special-case the log files when authentication is enabled.
"str4455.patch": Index: scheduler/client.c--- scheduler/client.c (revision 12054)
@@ -3071,7 +3071,7 @@
@@ -3079,7 +3079,7 @@
@@ -3087,18 +3087,28 @@
cupsdLogClient(con, CUPSD_LOG_DEBUG2, "get_file filestats=%p, filename=%p, len=" CUPS_LLFMT ", returning "%s".", filestats, filename, CUPS_LLCAST len, status ? "(null)" : filename); |
"str4455_v2.patch": Index: scheduler/client.c--- scheduler/client.c (revision 12054)
@@ -3071,7 +3071,7 @@
@@ -3079,7 +3079,7 @@
@@ -3087,18 +3087,39 @@
cupsdLogClient(con, CUPSD_LOG_DEBUG2, "get_file filestats=%p, filename=%p, len=" CUPS_LLFMT ", returning "%s".", filestats, filename, CUPS_LLCAST len, status ? "(null)" : filename); |
"str4455-1.7.patch": Index: scheduler/client.c--- scheduler/client.c (revision 12054)
@@ -3422,7 +3422,7 @@
@@ -3430,7 +3430,7 @@
@@ -3438,18 +3438,39 @@
cupsdLogMessage(CUPSD_LOG_DEBUG2, |
CUPS.org User: jsmeix.suse Lame self-reply because of my own lossy mind:
CUPS.org User: twaugh.redhat Filed as STR #4461.
CUPS.org User: twaugh.redhat Note that STR #4461 also affects cupsd.conf, effectively breaking cupsctl for all situations except the special case of cupsctl being able to read the file directly.
Is there a commit for the issue? |
@galaktipus Yes, 6 years ago in the old Subversion repository. Searching the git log output I found commit 9e92ab1 which contained this change. |
Version: 1.7.4
CUPS.org User: carnil
Hi
I noticed the fix for CVE-2014-3537 might be incomplete. From http://www.cups.org/str.php?L4450 the intention was to disallow symlinks. But the code in 1.7.4 (similarly in current development version) looks like:

```c
  if ((status = stat(filename, filestats)) != 0 && language[0] &&
      strncmp(con->uri, "/icons/", 7) &&
      strncmp(con->uri, "/ppd/", 5) &&
      strncmp(con->uri, "/rss/", 5) &&
      strncmp(con->uri, "/admin/conf/", 12) &&
      strncmp(con->uri, "/admin/log/", 11))
  {
   /*
    * Drop the country code...
    */

    language[3] = '\0';
    snprintf(filename, len, "%s%s%s", DocumentRoot, language, con->uri);

    if ((ptr = strchr(filename, '?')) != NULL)
      *ptr = '\0';

    if ((status = lstat(filename, filestats)) != 0)
    {
     /*
      * Drop the language prefix and try the root directory...
      */

      language[0] = '\0';
      snprintf(filename, len, "%s%s", DocumentRoot, con->uri);

      if ((ptr = strchr(filename, '?')) != NULL)
        *ptr = '\0';

      status = lstat(filename, filestats);
    }
  }
```

if language[0] is null, we do not reach the lstat calls for filename and afterwards

```c
 /*
  * If we've found a symlink, 404 the sucker to avoid disclosing information.
  */

  if (!status && S_ISLNK(filestats->st_mode))
  {
    cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
    return (NULL);
  }
```

will not do what was intended.
Additionally (from Michael Sweet):
Regards,
Salvatore
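The following C program is an added illustration of the two points raised in this issue and is not CUPS code: the symlink check described in the report above, and the world-readable check that the comments say the v2 patch adds. The names lookup_flawed(), lookup_hardened(), make_fixture() and remove_fixture() are invented, the language fallback is simplified (the country-code step is dropped), and the exact shape of the world-readable rule in the real patch is an assumption. The flawed variant reproduces the quoted 1.7.4 flow; because its first probe is stat(), which follows symlinks, an existing symlink under DocumentRoot passes the S_ISLNK() test whenever that first probe succeeds, not only when the language prefix is empty. The fixture files and symlink are constructed by the program itself in a temporary directory.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for the get_file() lookup discussed in this issue,
 * not CUPS code.  A lookup takes a DocumentRoot, a request URI and a language
 * prefix ("" or e.g. "/en") and returns 1 if the file would be served, 0 if
 * it is refused.  The country-code step of the real fallback is omitted. */

/* Mirrors the quoted 1.7.4 flow: the first probe is stat(), which follows
 * symlinks, so when it succeeds on a symlink st_mode describes the target and
 * the S_ISLNK() test cannot fire.  The lstat() probe only runs when stat()
 * failed and a language prefix was given. */
static int lookup_flawed(const char *docroot, const char *uri, const char *language)
{
  char        filename[1024];
  struct stat st;
  int         status;

  snprintf(filename, sizeof(filename), "%s%s%s", docroot, language, uri);
  status = stat(filename, &st);
  if (status != 0 && language[0])
  {
    snprintf(filename, sizeof(filename), "%s%s", docroot, uri);
    status = lstat(filename, &st);
  }
  if (!status && S_ISLNK(st.st_mode))
    return (0);                         /* the intended 404 for symlinks */
  return (status == 0);
}

/* Hardened variant: every probe uses lstat(), the symlink test runs on the
 * path actually chosen, and only world-readable (S_IROTH) regular files are
 * served.  The S_IROTH rule is modelled on the world-readable check the v2
 * patch is said to add; its exact form there is an assumption. */
static int lookup_hardened(const char *docroot, const char *uri, const char *language)
{
  char        filename[1024];
  struct stat st;
  int         status;

  snprintf(filename, sizeof(filename), "%s%s%s", docroot, language, uri);
  status = lstat(filename, &st);
  if (status != 0 && language[0])
  {
    snprintf(filename, sizeof(filename), "%s%s", docroot, uri);
    status = lstat(filename, &st);
  }
  if (status != 0 || S_ISLNK(st.st_mode))
    return (0);
  return (S_ISREG(st.st_mode) && (st.st_mode & S_IROTH) ? 1 : 0);
}

/* Builds a throwaway DocumentRoot (constructed test data): real.txt (0644),
 * secret.txt (0600) and link.txt -> real.txt.  Stores the path in docroot. */
static int make_fixture(char *docroot, size_t len)
{
  char  tmpl[] = "/tmp/symlink-demo-XXXXXX";
  char  path[1024];
  FILE *fp;

  if (mkdtemp(tmpl) == NULL || strlen(tmpl) + 1 > len)
    return (-1);
  strcpy(docroot, tmpl);
  snprintf(path, sizeof(path), "%s/real.txt", docroot);
  if ((fp = fopen(path, "w")) == NULL || fclose(fp) || chmod(path, 0644))
    return (-1);
  snprintf(path, sizeof(path), "%s/secret.txt", docroot);
  if ((fp = fopen(path, "w")) == NULL || fclose(fp) || chmod(path, 0600))
    return (-1);
  snprintf(path, sizeof(path), "%s/link.txt", docroot);
  return (symlink("real.txt", path));
}

/* Removes what make_fixture() created; returns 0 on success. */
static int remove_fixture(const char *docroot)
{
  const char *names[] = { "real.txt", "secret.txt", "link.txt" };
  char        path[1024];

  for (size_t i = 0; i < 3; i++)
  {
    snprintf(path, sizeof(path), "%s/%s", docroot, names[i]);
    if (unlink(path))
      return (-1);
  }
  return (rmdir(docroot));
}

int main(void)
{
  char        docroot[256];
  const char *uris[] = { "/real.txt", "/link.txt", "/secret.txt" };

  if (make_fixture(docroot, sizeof(docroot)))
    return (1);
  for (size_t i = 0; i < 3; i++)
    printf("%-12s flawed=%d hardened=%d\n", uris[i],
           lookup_flawed(docroot, uris[i], ""), lookup_hardened(docroot, uris[i], ""));
  return (remove_fixture(docroot));
}
```

With an empty language prefix the flawed lookup serves link.txt, while the same request with a "/en" prefix is refused, which is the inconsistency the report describes; the hardened lookup refuses the symlink in both cases and additionally refuses the 0600 file. Tim's comment about authenticated /admin/log requests is the flip side of that last rule: a mode-bit check applied before authentication is considered will also refuse files the authenticated client is entitled to read.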