main/cups: security fix (CVE-2014-3537,CVE-2014-5029,5030,5031)

fixes #3251

3 files changed, 147 insertions, 3 deletions

diff --git a/main/cups/APKBUILD b/main/cups/APKBUILD
index 20a723615e8..86b1869335b 100644
--- a/main/cups/APKBUILD
+++ b/main/cups/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=cups
-pkgver=1.6.1
+pkgver=1.6.2
 pkgrel=1
 pkgdesc="The CUPS Printing System"
 url="http://www.cups.org/"
@@ -19,6 +19,8 @@ source="http://www.cups.org/software/$pkgver/$pkgname-$pkgver-source.tar.bz2
 	$pkgname.logrotate
 	cupsd.initd
 	CVE-2014-2856.patch
+	CVE-2014-3537.patch
+	CVE-2014-5029_5030_5031.patch
 	"
 
 
@@ -112,7 +114,9 @@ client() {
 		usr/sbin/reject
 }
 
-md5sums="87ade07e3d1efd03c9c3add949cf9c00  cups-1.6.1-source.tar.bz2
+md5sums="13c8b2b2336d42001abe4899766b62dc  cups-1.6.2-source.tar.bz2
 f861b18f4446c43918c8643dcbbd7f6d  cups.logrotate
 1154ed66fdcfa0523f929a369079f43c  cupsd.initd
-09c0def850cf68d5f0bd4adcb39192ba  CVE-2014-2856.patch"
+09c0def850cf68d5f0bd4adcb39192ba  CVE-2014-2856.patch
+e7b557c8515d17bda174caf39dc774ad  CVE-2014-3537.patch
+749673017347dacc336a60555e6c7a58  CVE-2014-5029_5030_5031.patch"
diff --git a/main/cups/CVE-2014-3537.patch b/main/cups/CVE-2014-3537.patch
new file mode 100644
index 00000000000..f947c9b9c27
--- /dev/null
+++ b/main/cups/CVE-2014-3537.patch
@@ -0,0 +1,51 @@
+Index: scheduler/client.c
+===================================================================
+--- ./scheduler/client.c	(revision 11982)
++++ ./scheduler/client.c	(working copy)
+@@ -2961,7 +2961,7 @@
+     if ((ptr = strchr(filename, '?')) != NULL)
+       *ptr = '\0';
+ 
+-    if ((status = stat(filename, filestats)) != 0)
++    if ((status = lstat(filename, filestats)) != 0)
+     {
+      /*
+       * Drop the language prefix and try the root directory...
+@@ -2973,14 +2973,35 @@
+       if ((ptr = strchr(filename, '?')) != NULL)
+ 	*ptr = '\0';
+ 
+-      status = stat(filename, filestats);
++      status = lstat(filename, filestats);
+     }
+   }
+ 
+  /*
+-  * If we're found a directory, get the index.html file instead...
++  * If we've found a symlink, 404 the sucker to avoid disclosing information.
+   */
+ 
++  if (!status && S_ISLNK(filestats->st_mode))
++  {
++    cupsdLogMessage(CUPSD_LOG_WARN, "Symlinks such as \"%s\" are not allowed.", filename);
++    return (NULL);
++  }
++
++ /*
++  * Similarly, if the file/directory does not have world read permissions, do
++  * not allow access...
++  */
++
++  if (!status && !(filestats->st_mode & S_IROTH))
++  {
++    cupsdLogMessage(CUPSD_LOG_WARN, "Files/directories such as \"%s\" must be world-readable.", filename);
++    return (NULL);
++  }
++
++ /*
++  * If we've found a directory, get the index.html file instead...
++  */
++
+   if (!status && S_ISDIR(filestats->st_mode))
+   {
+    /*
diff --git a/main/cups/CVE-2014-5029_5030_5031.patch b/main/cups/CVE-2014-5029_5030_5031.patch
new file mode 100644
index 00000000000..d80768a92a9
--- /dev/null
+++ b/main/cups/CVE-2014-5029_5030_5031.patch
@@ -0,0 +1,89 @@
+Index: scheduler/client.c
+===================================================================
+--- ./scheduler/client.c	(revision 12054)
++++ ./scheduler/client.c	(working copy)
+@@ -3310,7 +3310,7 @@
+   * then fallback to the default one...
+   */
+ 
+-  if ((status = stat(filename, filestats)) != 0 && language[0] &&
++  if ((status = lstat(filename, filestats)) != 0 && language[0] &&
+       strncmp(con->uri, "/icons/", 7) &&
+       strncmp(con->uri, "/ppd/", 5) &&
+       strncmp(con->uri, "/rss/", 5) &&
+@@ -3408,13 +3408,13 @@
+       plen = len - (ptr - filename);
+ 
+       strlcpy(ptr, "index.html", plen);
+-      status = stat(filename, filestats);
++      status = lstat(filename, filestats);
+ 
+ #ifdef HAVE_JAVA
+       if (status)
+       {
+ 	strlcpy(ptr, "index.class", plen);
+-	status = stat(filename, filestats);
++	status = lstat(filename, filestats);
+       }
+ #endif /* HAVE_JAVA */
+ 
+@@ -3422,7 +3422,7 @@
+       if (status)
+       {
+ 	strlcpy(ptr, "index.pl", plen);
+-	status = stat(filename, filestats);
++	status = lstat(filename, filestats);
+       }
+ #endif /* HAVE_PERL */
+ 
+@@ -3430,7 +3430,7 @@
+       if (status)
+       {
+ 	strlcpy(ptr, "index.php", plen);
+-	status = stat(filename, filestats);
++	status = lstat(filename, filestats);
+       }
+ #endif /* HAVE_PHP */
+ 
+@@ -3438,18 +3438,39 @@
+       if (status)
+       {
+ 	strlcpy(ptr, "index.pyc", plen);
+-	status = stat(filename, filestats);
++	status = lstat(filename, filestats);
+       }
+ 
+       if (status)
+       {
+ 	strlcpy(ptr, "index.py", plen);
+-	status = stat(filename, filestats);
++	status = lstat(filename, filestats);
+       }
+ #endif /* HAVE_PYTHON */
+ 
+     }
+     while (status && language[0]);
++
++   /*
++    * If we've found a symlink, 404 the sucker to avoid disclosing information.
++    */
++
++    if (!status && S_ISLNK(filestats->st_mode))
++    {
++      cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
++      return (NULL);
++    }
++
++   /*
++    * Similarly, if the file/directory does not have world read permissions, do
++    * not allow access...
++    */
++
++    if (!status && !(filestats->st_mode & S_IROTH))
++    {
++      cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
++      return (NULL);
++    }
+   }
+ 
+   cupsdLogMessage(CUPSD_LOG_DEBUG2,