cups security update and wiki documentation
Hi all,
Trying to be a good citizen, I want to provide a src:cups security
update for squeeze-lts (debdiff attached), following up on the
DSA-2990-1 upload to wheezy.
So I followed https://wiki.debian.org/LTS/Development and encountered
the following hurdles:
* Claiming the issue in lts-needed.txt : on svn commit I'm apparently
not allowed to push:
svn: E000013: Can't create directory '/svn/secure-
testing/db/transactions/27993-1.txn': Permission denied
* Claiming a DLA ID in DLA/list asks to run bin/gen-DLA, but there's no
bin/ directory in (my?) svn checkout.
What am I doing wrong?
Cheers,
OdyX
diff -u cups-1.4.4/debian/changelog cups-1.4.4/debian/changelog
--- cups-1.4.4/debian/changelog
+++ cups-1.4.4/debian/changelog
@@ -1,3 +1,13 @@
+cups (1.4.4-7+squeeze6) squeeze-lts; urgency=medium
+
+ * Backport upstream patches to fix:
+ - insufficient checking when allowing files download from the webinterface
+ (STR #4455), fixes CVE-2014-5029, CVE-2014-5030 and CVE-2014-5031
+ - privilege escalation through the CUPS webinterface (STR #4450), fixes
+ CVE-2014-3537.
+
+ -- Didier Raboud <odyx@debian.org> Wed, 30 Jul 2014 09:02:13 +0200
+
cups (1.4.4-7+squeeze5) oldstable; urgency=low
* Import upstream patch to fix XSS in the CUPS webinterface (STR #4356),
diff -u cups-1.4.4/debian/patches/00list cups-1.4.4/debian/patches/00list
--- cups-1.4.4/debian/patches/00list
+++ cups-1.4.4/debian/patches/00list
@@ -1,3 +1,7 @@
+# patches backported from upstream SVN trunk for 1.7:
+fix-insufficient-checking-leading-to-privilege-escalation-str4450.dpatch
+fix-insufficient-checking-when-allowing-files-download-from-the-webinterface.dpatch
+
# patches backported from upstream SVN trunk for 1.6:
fix-xss-in-cups-webinterface-str43576.dpatch
only in patch2:
unchanged:
--- cups-1.4.4.orig/debian/patches/fix-insufficient-checking-leading-to-privilege-escalation-str4450.dpatch
+++ cups-1.4.4/debian/patches/fix-insufficient-checking-leading-to-privilege-escalation-str4450.dpatch
@@ -0,0 +1,61 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## fix-insufficient-checking-leading-to-privilege-escalation-str4450.dpatch by Michael Sweet <msweet@apple.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: The web interface incorrectly served symlinked files and files
+## DP: that were not world-readable, potentially leading to a disclosure of
+## DP: information
+## DP: Author: Michael Sweet <msweet@apple.com>
+## DP: Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-3537
+## DP: Bug: http://www.cups.org/str.php?L4450
+## DP: Last-Update: 2014-07-14
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/scheduler/client.c cups/scheduler/client.c
+--- cups~/scheduler/client.c 2014-07-30 08:33:36.000000000 +0200
++++ cups/scheduler/client.c 2014-07-30 09:00:07.000000000 +0200
+@@ -3568,7 +3568,7 @@
+ if ((ptr = strchr(filename, '?')) != NULL)
+ *ptr = '\0';
+
+- if ((status = stat(filename, filestats)) != 0)
++ if ((status = lstat(filename, filestats)) != 0)
+ {
+ /*
+ * Drop the language prefix and try the root directory...
+@@ -3580,12 +3580,33 @@
+ if ((ptr = strchr(filename, '?')) != NULL)
+ *ptr = '\0';
+
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ }
+
+ /*
+- * If we're found a directory, get the index.html file instead...
++ * If we've found a symlink, 404 the sucker to avoid disclosing information.
++ */
++
++ if (!status && S_ISLNK(filestats->st_mode))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
++ return (NULL);
++ }
++
++ /*
++ * Similarly, if the file/directory does not have world read permissions, do
++ * not allow access...
++ */
++
++ if (!status && !(filestats->st_mode & S_IROTH))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
++ return (NULL);
++ }
++
++ /*
++ * If we've found a directory, get the index.html file instead...
+ */
+
+ if (!status && S_ISDIR(filestats->st_mode))
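Review bot: The `lstat()` plus `S_ISLNK` rejection at `if (!status && S_ISLNK(filestats->st_mode))` only refuses a symlink in the final path component; `lstat()` still resolves symlinks in every intermediate directory component, so a symlinked directory under the document root is not caught by this check alone, and the same applies to the identical block added by the second dpatch below. There is also a gap between this `lstat()` and whatever later opens the file, during which the object could change; an `fstat()` on the opened descriptor would close that, but that is a larger change than a security backport should carry and is better raised upstream. On the positive side both rejections log the offending path at `CUPSD_LOG_INFO`, which gives operators a detection signal worth noting in the `## DP: Description` lines. The enclosing function starts and ends outside the hunk.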
only in patch2:
unchanged:
--- cups-1.4.4.orig/debian/patches/fix-insufficient-checking-when-allowing-files-download-from-the-webinterface.dpatch
+++ cups-1.4.4/debian/patches/fix-insufficient-checking-when-allowing-files-download-from-the-webinterface.dpatch
@@ -0,0 +1,101 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## fix-insufficient-checking-when-allowing-files-download-from-the-webinterface.dpatch by Michael Sweet <msweet@apple.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix-unsufficient permission checking when allowing files download
+## DP: from the webinterface
+## DP: Author: Michael Sweet <msweet@apple.com>
+## DP: Bug: http://www.cups.org/str.php?L4455
+## DP: Bug-CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029
+## DP: Bug-CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030
+## DP: Bug-CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/scheduler/client.c cups/scheduler/client.c
+--- cups~/scheduler/client.c 2014-07-30 09:00:40.000000000 +0200
++++ cups/scheduler/client.c 2014-07-30 09:00:40.524819850 +0200
+@@ -3553,7 +3553,7 @@
+ * then fallback to the default one...
+ */
+
+- if ((status = stat(filename, filestats)) != 0 && language[0] &&
++ if ((status = lstat(filename, filestats)) != 0 && language[0] &&
+ strncmp(con->uri, "/ppd/", 5) &&
+ strncmp(con->uri, "/admin/conf/", 12) &&
+ strncmp(con->uri, "/admin/log/", 11))
+@@ -3649,13 +3649,13 @@
+ plen = len - (ptr - filename);
+
+ strlcpy(ptr, "index.html", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+
+ #ifdef HAVE_JAVA
+ if (status)
+ {
+ strlcpy(ptr, "index.class", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ #endif /* HAVE_JAVA */
+
+@@ -3663,7 +3663,7 @@
+ if (status)
+ {
+ strlcpy(ptr, "index.pl", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ #endif /* HAVE_PERL */
+
+@@ -3671,7 +3671,7 @@
+ if (status)
+ {
+ strlcpy(ptr, "index.php", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ #endif /* HAVE_PHP */
+
+@@ -3679,18 +3679,39 @@
+ if (status)
+ {
+ strlcpy(ptr, "index.pyc", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+
+ if (status)
+ {
+ strlcpy(ptr, "index.py", plen);
+- status = stat(filename, filestats);
++ status = lstat(filename, filestats);
+ }
+ #endif /* HAVE_PYTHON */
+
+ }
+ while (status && language[0]);
++
++ /*
++ * If we've found a symlink, 404 the sucker to avoid disclosing information.
++ */
++
++ if (!status && S_ISLNK(filestats->st_mode))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
++ return (NULL);
++ }
++
++ /*
++ * Similarly, if the file/directory does not have world read permissions, do
++ * not allow access...
++ */
++
++ if (!status && !(filestats->st_mode & S_IROTH))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
++ return (NULL);
++ }
+ }
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG2,
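Review bot: The symlink and world-readable block is now duplicated verbatim in the same function (once after the first `lstat()` in the first dpatch, once here after the index-file loop); the second copy appears necessary because the `index.*` file resolved inside the directory must be checked on its own, but a small `static` helper taking `con`, `filename` and `filestats` would keep the two copies from drifting, provided the backport is meant to deviate from upstream at all. The `## DP: Description` header reads `Fix-unsufficient permission checking` and should read `Fix insufficient permission checking`, and the two dpatches cite CVEs with different URL styles (security-tracker vs. cve.mitre.org), which is worth aligning. The enclosing function starts and ends outside the hunk.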