From e9e894d6cb625436f6f4de988e8adf2bad962515 Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Mon, 1 Dec 2025 22:32:47 +0800
Subject: [PATCH] fix CVE-2025-61915

(cherry picked from commit 598adaf8710e37cdfdbed81eb01cb78315a4ca86)
---
backport-CVE-2025-61915.patch | 483 ++++++++++++++++++++++++++++++++++
cups.spec | 6 +-
2 files changed, 488 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2025-61915.patch

diff --git a/backport-CVE-2025-61915.patch b/backport-CVE-2025-61915.patch
new file mode 100644
index 0000000..b5798da
--- /dev/null
+++ b/backport-CVE-2025-61915.patch
@@ -0,0 +1,483 @@ +From db8d560262c22a21ee1e55dfd62fa98d9359bcb0 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Fri, 21 Nov 2025 07:36:36 +0100 +Subject: [PATCH] Fix various issues in cupsd + +Various issues were found by @SilverPlate3, recognized as CVE-2025-61915: + +- out of bound write when handling IPv6 addresses, +- cupsd crash caused by null dereference when ErrorPolicy value is empty, + +On the top of that, Mike Sweet noticed vulnerability via domain socket, +exploitable locally if attacker has access to domain socket and knows username +of user within a group which is present in CUPS system groups: + +- rewrite of cupsd.conf via PeerCred authorization via domain socket + +The last vulnerability is fixed by introducing PeerCred directive for cups-files.conf, +which controls whether PeerCred is enabled/disabled for user in CUPS system groups. + +Fixes CVE-2025-61915 +--- + conf/cups-files.conf.in | 3 ++ + config-scripts/cups-defaults.m4 | 9 +++++ + config.h.in | 7 ++++ + configure | 22 ++++++++++ + doc/help/man-cups-files.conf.html | 9 ++++- + man/cups-files.conf.5 | 17 ++++++-- + scheduler/auth.c | 8 +++- + scheduler/auth.h | 7 ++++ + scheduler/client.c | 2 +- + scheduler/conf.c | 60 ++++++++++++++++++++++++---- + test/run-stp-tests.sh | 2 +- + vcnet/config.h | 7 ++++ + xcode/CUPS.xcodeproj/project.pbxproj | 2 - + xcode/config.h | 7 ++++ + 14 files changed, 145 insertions(+), 17 deletions(-) + +diff --git a/conf/cups-files.conf.in b/conf/cups-files.conf.in +index 93584a1..a3987d9 100644 +--- a/conf/cups-files.conf.in ++++ b/conf/cups-files.conf.in +@@ -19,6 +19,9 @@ + SystemGroup @CUPS_SYSTEM_GROUPS@ + @CUPS_SYSTEM_AUTHKEY@ + ++# Are Unix domain socket peer credentials used for authorization? ++PeerCred @CUPS_PEER_CRED@ ++ + # User that is substituted for unauthenticated (remote) root accesses... 
+ #RemoteRoot remroot + +diff --git a/config-scripts/cups-defaults.m4 b/config-scripts/cups-defaults.m4 +index 04a9f53..5ceea98 100644 +--- a/config-scripts/cups-defaults.m4 ++++ b/config-scripts/cups-defaults.m4 +@@ -129,6 +129,15 @@ AC_ARG_WITH([log_level], AS_HELP_STRING([--with-log-level], [set default LogLeve + AC_SUBST([CUPS_LOG_LEVEL]) + AC_DEFINE_UNQUOTED([CUPS_DEFAULT_LOG_LEVEL], ["$CUPS_LOG_LEVEL"], [Default LogLevel value.]) + ++dnl Default PeerCred ++AC_ARG_WITH([peer_cred], AS_HELP_STRING([--with-peer-cred], [set default PeerCred value (on/off/root-only), default=on]), [ ++ CUPS_PEER_CRED="$withval" ++], [ ++ CUPS_PEER_CRED="on" ++]) ++AC_SUBST([CUPS_PEER_CRED]) ++AC_DEFINE_UNQUOTED([CUPS_DEFAULT_PEER_CRED], ["$CUPS_PEER_CRED"], [Default PeerCred value.]) ++ + dnl Default AccessLogLevel + AC_ARG_WITH(access_log_level, [ --with-access-log-level set default AccessLogLevel value, default=none], + CUPS_ACCESS_LOG_LEVEL="$withval", +diff --git a/config.h.in b/config.h.in +index 363780a..091d9c0 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -86,6 +86,13 @@ + #define CUPS_DEFAULT_ERROR_POLICY "stop-printer" + + ++/* ++ * Default PeerCred value... ++ */ ++ ++#define CUPS_DEFAULT_PEER_CRED "on" ++ ++ + /* + * Default MaxCopies value... 
+ */ +diff --git a/configure b/configure +index ad8bb61..b3948a8 100644 +--- a/configure ++++ b/configure +@@ -672,6 +672,7 @@ CUPS_BROWSING + CUPS_SYNC_ON_CLOSE + CUPS_PAGE_LOG_FORMAT + CUPS_ACCESS_LOG_LEVEL ++CUPS_PEER_CRED + CUPS_LOG_LEVEL + CUPS_FATAL_ERRORS + CUPS_ERROR_POLICY +@@ -925,6 +926,7 @@ with_max_log_size + with_error_policy + with_fatal_errors + with_log_level ++with_peer_cred + with_access_log_level + enable_page_logging + enable_sync_on_close +@@ -1661,6 +1663,8 @@ Optional Packages: + --with-error-policy set default ErrorPolicy value, default=stop-printer + --with-fatal-errors set default FatalErrors value, default=config + --with-log-level set default LogLevel value, default=warn ++ --with-peer-cred set default PeerCred value (on/off/root-only), ++ default=on + --with-access-log-level set default AccessLogLevel value, default=none + --with-local-protocols set default BrowseLocalProtocols, default="" + --with-cups-user set default user for CUPS +@@ -11708,6 +11712,24 @@ printf "%s\n" "#define CUPS_DEFAULT_LOG_LEVEL \"$CUPS_LOG_LEVEL\"" >>confdefs.h + + + ++# Check whether --with-peer_cred was given. ++if test ${with_peer_cred+y} ++then : ++ withval=$with_peer_cred; ++ CUPS_PEER_CRED="$withval" ++ ++else $as_nop ++ ++ CUPS_PEER_CRED="on" ++ ++fi ++ ++ ++ ++printf "%s\n" "#define CUPS_DEFAULT_PEER_CRED \"$CUPS_PEER_CRED\"" >>confdefs.h ++ ++ ++ + # Check whether --with-access_log_level was given. + if test ${with_access_log_level+y} + then : +diff --git a/doc/help/man-cups-files.conf.html b/doc/help/man-cups-files.conf.html +index 74047d9..e364275 100644 +--- a/doc/help/man-cups-files.conf.html ++++ b/doc/help/man-cups-files.conf.html +@@ -119,6 +119,13 @@ The default is "/var/log/cups/page_log". +
PassEnv variable [ ... variable ] +
Passes the specified environment variable(s) to child processes. + Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive. ++
PeerCred off ++
PeerCred on ++
PeerCred root-only ++
Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket. ++When on, the peer credentials of any user are accepted for authorization. ++The value off disables the use of peer credentials entirely, while the value root-only allows peer credentials only for the root user. ++Note: for security reasons, the on setting is reduced to root-only for authorization of PUT requests. +
RemoteRoot username +
Specifies the username that is associated with unauthenticated accesses by clients claiming to be the root user. + The default is "remroot". +@@ -199,7 +206,7 @@ command is used instead. + subscriptions.conf(5), + CUPS Online Help (http://localhost:631/help) +

Copyright

+-Copyright © 2020-2023 by OpenPrinting. ++Copyright © 2020-2025 by OpenPrinting. + + + +diff --git a/man/cups-files.conf.5 b/man/cups-files.conf.5 +index a4a0184..32909e4 100644 +--- a/man/cups-files.conf.5 ++++ b/man/cups-files.conf.5 +@@ -1,14 +1,14 @@ + .\" + .\" cups-files.conf man page for CUPS. + .\" +-.\" Copyright © 2020-2023 by OpenPrinting. ++.\" Copyright © 2020-2025 by OpenPrinting. + .\" Copyright © 2007-2019 by Apple Inc. + .\" Copyright © 1997-2006 by Easy Software Products. + .\" + .\" Licensed under Apache License v2.0. See the file "LICENSE" for more + .\" information. + .\" +-.TH cups-files.conf 5 "CUPS" "2021-03-06" "OpenPrinting" ++.TH cups-files.conf 5 "CUPS" "2025-10-08" "OpenPrinting" + .SH NAME + cups\-files.conf \- file and directory configuration file for cups + .SH DESCRIPTION +@@ -166,6 +166,17 @@ The default is "/var/log/cups/page_log". + \fBPassEnv \fIvariable \fR[ ... \fIvariable \fR] + Passes the specified environment variable(s) to child processes. + Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive. ++.\"#PeerCred ++.TP 5 ++\fBPeerCred off\fR ++.TP 5 ++\fBPeerCred on\fR ++.TP 5 ++\fBPeerCred root-only\fR ++Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket. ++When \fBon\fR, the peer credentials of any user are accepted for authorization. ++The value \fBoff\fR disables the use of peer credentials entirely, while the value \fBroot-only\fR allows peer credentials only for the root user. ++Note: for security reasons, the \fBon\fR setting is reduced to \fBroot-only\fR for authorization of PUT requests. + .\"#RemoteRoot + .TP 5 + \fBRemoteRoot \fIusername\fR +@@ -278,4 +289,4 @@ command is used instead. + .BR subscriptions.conf (5), + CUPS Online Help (http://localhost:631/help) + .SH COPYRIGHT +-Copyright \[co] 2020-2023 by OpenPrinting. ++Copyright \[co] 2020-2025 by OpenPrinting. 
+diff --git a/scheduler/auth.c b/scheduler/auth.c +index e58549d..efb8adf 100644 +--- a/scheduler/auth.c ++++ b/scheduler/auth.c +@@ -398,7 +398,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + } + #endif /* HAVE_AUTHORIZATION_H */ + #if defined(SO_PEERCRED) && defined(AF_LOCAL) +- else if (!strncmp(authorization, "PeerCred ", 9) && ++ else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) && + con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best) + { + /* +@@ -441,6 +441,12 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + } + #endif /* HAVE_AUTHORIZATION_H */ + ++ if ((PeerCred == CUPSD_PEERCRED_ROOTONLY || httpGetState(con->http) == HTTP_STATE_PUT_RECV) && strcmp(authorization + 9, "root")) ++ { ++ cupsdLogClient(con, CUPSD_LOG_INFO, "User \"%s\" is not allowed to use peer credentials.", authorization + 9); ++ return; ++ } ++ + if ((pwd = getpwnam(authorization + 9)) == NULL) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9); +diff --git a/scheduler/auth.h b/scheduler/auth.h +index 26459d6..c28542d 100644 +--- a/scheduler/auth.h ++++ b/scheduler/auth.h +@@ -50,6 +50,10 @@ + #define CUPSD_AUTH_LIMIT_ALL 127 /* Limit all requests */ + #define CUPSD_AUTH_LIMIT_IPP 128 /* Limit IPP requests */ + ++#define CUPSD_PEERCRED_OFF 0 /* Don't allow PeerCred authorization */ ++#define CUPSD_PEERCRED_ON 1 /* Allow PeerCred authorization for all users */ ++#define CUPSD_PEERCRED_ROOTONLY 2 /* Allow PeerCred authorization for root user */ ++ + #define IPP_ANY_OPERATION (ipp_op_t)0 + /* Any IPP operation */ + #define IPP_BAD_OPERATION (ipp_op_t)-1 +@@ -105,6 +109,9 @@ typedef struct + + VAR cups_array_t *Locations VALUE(NULL); + /* Authorization locations */ ++VAR int PeerCred VALUE(CUPSD_PEERCRED_ON); ++ /* Allow PeerCred authorization? 
*/ ++ + #ifdef HAVE_TLS + VAR http_encryption_t DefaultEncryption VALUE(HTTP_ENCRYPT_REQUIRED); + /* Default encryption for authentication */ +diff --git a/scheduler/client.c b/scheduler/client.c +index ad1adb9..2c9a17d 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -2294,7 +2294,7 @@ cupsdSendHeader( + auth_size = sizeof(auth_str) - (size_t)(auth_key - auth_str); + + #if defined(SO_PEERCRED) && defined(AF_LOCAL) +- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) ++ if (PeerCred != CUPSD_PEERCRED_OFF && httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) + { + strlcpy(auth_key, ", PeerCred", auth_size); + auth_key += 10; +diff --git a/scheduler/conf.c b/scheduler/conf.c +index 1454822..38fa1cf 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -50,6 +50,7 @@ typedef enum + { + CUPSD_VARTYPE_INTEGER, /* Integer option */ + CUPSD_VARTYPE_TIME, /* Time interval option */ ++ CUPSD_VARTYPE_NULLSTRING, /* String option or NULL/empty string */ + CUPSD_VARTYPE_STRING, /* String option */ + CUPSD_VARTYPE_BOOLEAN, /* Boolean option */ + CUPSD_VARTYPE_PATHNAME, /* File/directory name option */ +@@ -72,7 +73,7 @@ static const cupsd_var_t cupsd_vars[] = + { + { "AutoPurgeJobs", &JobAutoPurge, CUPSD_VARTYPE_BOOLEAN }, + #ifdef HAVE_DNSSD +- { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_STRING }, ++ { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_NULLSTRING }, + #endif /* HAVE_DNSSD */ + { "BrowseWebIF", &BrowseWebIF, CUPSD_VARTYPE_BOOLEAN }, + { "Browsing", &Browsing, CUPSD_VARTYPE_BOOLEAN }, +@@ -123,7 +124,7 @@ static const cupsd_var_t cupsd_vars[] = + { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter, CUPSD_VARTYPE_INTEGER }, + { "MaxSubscriptionsPerUser", &MaxSubscriptionsPerUser, CUPSD_VARTYPE_INTEGER }, + { "MultipleOperationTimeout", &MultipleOperationTimeout, CUPSD_VARTYPE_TIME }, +- { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_STRING }, ++ { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_NULLSTRING }, + 
{ "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_TIME }, + { "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_TIME }, + { "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_TIME }, +@@ -787,6 +788,13 @@ cupsdReadConfiguration(void) + IdleExitTimeout = 60; + #endif /* HAVE_ONDEMAND */ + ++ if (!strcmp(CUPS_DEFAULT_PEER_CRED, "off")) ++ PeerCred = CUPSD_PEERCRED_OFF; ++ else if (!strcmp(CUPS_DEFAULT_PEER_CRED, "root-only")) ++ PeerCred = CUPSD_PEERCRED_ROOTONLY; ++ else ++ PeerCred = CUPSD_PEERCRED_ON; ++ + /* + * Setup environment variables... + */ +@@ -1880,7 +1888,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */ + + family = AF_INET6; + +- for (i = 0, ptr = value + 1; *ptr && i < 8; i ++) ++ for (i = 0, ptr = value + 1; *ptr && i >= 0 && i < 8; i ++) + { + if (*ptr == ']') + break; +@@ -2026,7 +2034,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */ + #ifdef AF_INET6 + if (family == AF_INET6) + { +- if (i > 128) ++ if (i < 0 || i > 128) + return (0); + + i = 128 - i; +@@ -2060,7 +2068,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */ + else + #endif /* AF_INET6 */ + { +- if (i > 32) ++ if (i < 0 || i > 32) + return (0); + + mask[0] = 0xffffffff; +@@ -2970,7 +2978,17 @@ parse_variable( + cupsdSetString((char **)var->ptr, temp); + break; + ++ case CUPSD_VARTYPE_NULLSTRING : ++ cupsdSetString((char **)var->ptr, value); ++ break; ++ + case CUPSD_VARTYPE_STRING : ++ if (!value) ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.", line, linenum, filename); ++ return (0); ++ } ++ + cupsdSetString((char **)var->ptr, value); + break; + } +@@ -3495,9 +3513,10 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ + line, value ? " " : "", value ? 
value : "", linenum, + ConfigurationFile, CupsFilesFile); + } +- else +- parse_variable(ConfigurationFile, linenum, line, value, +- sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars); ++ else if (!parse_variable(ConfigurationFile, linenum, line, value, ++ sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars) && ++ (FatalErrors & CUPSD_FATAL_CONFIG)) ++ return (0); + } + + return (1); +@@ -3656,6 +3675,31 @@ read_cups_files_conf(cups_file_t *fp) /* I - File to read from */ + break; + } + } ++ else if (!_cups_strcasecmp(line, "PeerCred") && value) ++ { ++ /* ++ * PeerCred {off,on,root-only} ++ */ ++ ++ if (!_cups_strcasecmp(value, "off")) ++ { ++ PeerCred = CUPSD_PEERCRED_OFF; ++ } ++ else if (!_cups_strcasecmp(value, "on")) ++ { ++ PeerCred = CUPSD_PEERCRED_ON; ++ } ++ else if (!_cups_strcasecmp(value, "root-only")) ++ { ++ PeerCred = CUPSD_PEERCRED_ROOTONLY; ++ } ++ else ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown PeerCred \"%s\" on line %d of %s.", value, linenum, CupsFilesFile); ++ if (FatalErrors & CUPSD_FATAL_CONFIG) ++ return (0); ++ } ++ } + else if (!_cups_strcasecmp(line, "PrintcapFormat") && value) + { + /* +diff --git a/test/run-stp-tests.sh b/test/run-stp-tests.sh +index 39b53c3..2089f79 100644 +--- a/test/run-stp-tests.sh ++++ b/test/run-stp-tests.sh +@@ -512,7 +512,7 @@ fi + + cat >$BASE/cups-files.conf < - 1:2.4.7-9 +- fix CVE-2025-61915 + * Fri Nov 28 2025 weidongkl - 1:2.4.7-8 - fix: CVE-2025-58436 -- Gitee
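Review bot: An unrecognised PeerCred value fails open in the scheduler/conf.c hunks: in cupsdReadConfiguration() the final `else` maps every CUPS_DEFAULT_PEER_CRED string other than "off" and "root-only" to CUPSD_PEERCRED_ON, so a build configured with `--without-peer-cred` (autoconf passes "no") or with a misspelt value silently keeps peer credentials enabled for all users. The same holds at run time in read_cups_files_conf(), where an unknown value is only logged and, unless FatalErrors includes the config class, PeerCred appears to stay at its previous and possibly permissive setting. Since this directive is the mitigation for the domain-socket issue described in the commit message, I would match "on" explicitly and fall back to the restrictive value, e.g. `else if (!strcmp(CUPS_DEFAULT_PEER_CRED, "on")) PeerCred = CUPSD_PEERCRED_ON;` followed by `else PeerCred = CUPSD_PEERCRED_ROOTONLY;`, and set `PeerCred = CUPSD_PEERCRED_ROOTONLY;` in the parser's unknown-value branch; rejecting other values in cups-defaults.m4 would be an alternative. Both functions start and end outside the hunks shown, so the ordering of default and file parsing is inferred rather than visible.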