From dfe96032b8b02a9d3b3e07081178dbe331fbae2a Mon Sep 17 00:00:00 2001
From: Yarny0 <41838844+Yarny0@users.noreply.github.com>
Date: Tue, 27 Aug 2024 15:01:23 +0200
Subject: [PATCH 1/2] cups: replace CVE-2024-35235 patch file with fetchpatch

The patch from commit https://github.com/NixOS/nixpkgs/commit/bdf63d7dcb4c04ff2f17fbadc56d158eb318e097 is also available in the cups source repository (up to some variations in code comments).
---
 pkgs/misc/cups/2.4.8-CVE-2024-35235.patch | 86 -----------------------
 pkgs/misc/cups/default.nix | 7 +-
 2 files changed, 6 insertions(+), 87 deletions(-)
 delete mode 100644 pkgs/misc/cups/2.4.8-CVE-2024-35235.patch

diff --git a/pkgs/misc/cups/2.4.8-CVE-2024-35235.patch b/pkgs/misc/cups/2.4.8-CVE-2024-35235.patch
deleted file mode 100644
index 243be682ceb66..0000000000000
--- a/pkgs/misc/cups/2.4.8-CVE-2024-35235.patch
+++ /dev/null
@@ -1,86 +0,0 @@ -Based on upstream ff1f8a623e090dee8a8aadf12a6a4b25efac143d, adjusted to -apply to 2.4.8 - -diff --git a/cups/http-addr.c b/cups/http-addr.c -index 6aeeb8074..73a6b2f37 100644 ---- a/cups/http-addr.c -+++ b/cups/http-addr.c -@@ -206,27 +206,30 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */ - * Remove any existing domain socket file... - */ - -- unlink(addr->un.sun_path); -- -- /* -- * Save the current umask and set it to 0 so that all users can access -- * the domain socket... -- */ -- -- mask = umask(0); -+ // Remove any existing domain socket file... -+ if ((status = unlink(addr->un.sun_path)) < 0) -+ { -+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno))); - -- /* -- * Bind the domain socket... -- */ -+ if (errno == ENOENT) -+ status = 0; -+ } - -- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr)); -+ if (!status) -+ { -+ // Save the current umask and set it to 0 so that all users can access -+ // the domain socket... -+ mask = umask(0); - -- /* -- * Restore the umask and fix permissions... -- */ -+ // Bind the domain socket... -+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0) -+ { -+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno))); -+ } - -- umask(mask); -- chmod(addr->un.sun_path, 0140777); -+ // Restore the umask... -+ umask(mask); -+ } - } - else - #endif /* AF_LOCAL */ -diff --git a/scheduler/conf.c b/scheduler/conf.c -index defca78aa..ebf8ca8cc 100644 ---- a/scheduler/conf.c -+++ b/scheduler/conf.c -@@ -3083,6 +3083,26 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ - cupsd_listener_t *lis; /* New listeners array */ - - -+ /* -+ * If we are launched on-demand, do not use domain sockets from the config -+ * file. Also check that the domain socket path is not too long... 
-+ */ -+ -+#ifdef HAVE_ONDEMAND -+ if (*value == '/' && OnDemand) -+ { -+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET)) -+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum); -+ continue; -+ } -+#endif // HAVE_ONDEMAND -+ -+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1)) -+ { -+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum); -+ continue; -+ } -+ - /* - * Get the address list... - */ diff --git a/pkgs/misc/cups/default.nix b/pkgs/misc/cups/default.nix index 5d4b6f00acae1..5735d193fe5fe 100644 --- a/pkgs/misc/cups/default.nix +++ b/pkgs/misc/cups/default.nix @@ -19,6 +19,7 @@ , libpaper ? null , coreutils , nixosTests +, fetchpatch }: stdenv.mkDerivation rec { @@ -33,7 +34,11 @@ stdenv.mkDerivation rec { outputs = [ "out" "lib" "dev" "man" ]; patches = [ - ./2.4.8-CVE-2024-35235.patch + (fetchpatch { + name = "CVE-2024-35235.patch"; + url = "https://github.com/OpenPrinting/cups/commit/b273a1f29bda87317c551614cf9ab6125f56e317.patch"; + hash = "sha256-nzWKEMOEBKZMjqVPl2mcATtXZSrh++yhv9VMvbA+49E="; + }) ]; postPatch = '' From df3ad55663ecce0983be0da25d2c87657158f4f4 Mon Sep 17 00:00:00 2001 
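Review bot: The new fetchpatch entry in the `patches` list carries no comment saying what the CVE-2024-35235 fix changes, and nothing records why commit b273a1f29bda87317c551614cf9ab6125f56e317 is fetched when the deleted local patch stated it was based on upstream ff1f8a623e090dee8a8aadf12a6a4b25efac143d; the commit message only says the patch is "also available" upstream. The deleted patch shows the change checks the unlink() and bind() results in httpAddrListen, drops the chmod(..., 0140777) of the socket path, and makes read_cupsd_conf reject domain-socket paths longer than sun_path (and, under HAVE_ONDEMAND, ignore config-file domain sockets). A one-line comment above the fetchpatch such as `# CVE-2024-35235: upstream fix for domain socket creation (error-checked unlink/bind, no chmod 0140777, over-long socket paths rejected); b273a1f is presumably the 2.4.x backport of ff1f8a62 — confirm` would let the next maintainer judge whether a later cups release already contains it. The `patches` list and the derivation continue outside the hunk.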
From: Yarny0 <41838844+Yarny0@users.noreply.github.com> Date: Tue, 27 Aug 2024 15:04:37 +0200 Subject: [PATCH 2/2] cups: fix socket-only usage If cups is started with no network listeners, i.e., only with `Listen /path/to/unix.socket` lines in cupsd.conf, it fails to start. This is caused by the patch of CVE-2024-35235, see also https://github.com/NixOS/nixpkgs/commit/bdf63d7dcb4c04ff2f17fbadc56d158eb318e097 https://github.com/NixOS/nixpkgs/commit/dfe96032b8b02a9d3b3e07081178dbe331fbae2a Upstream documented the problem here https://github.com/OpenPrinting/cups/issues/985 and fixed it here https://github.com/OpenPrinting/cups/pull/988 . In NixOS, the problem manifests itself with this configuration: > services.printing.listenAddresses = []; The commit at hand adds three more patches from the upstream repository. This is the smallest possible change that fixes the regression caused by the initial patch. --- pkgs/misc/cups/default.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/pkgs/misc/cups/default.nix b/pkgs/misc/cups/default.nix index 5735d193fe5fe..396914479d4a5 100644 --- a/pkgs/misc/cups/default.nix +++ b/pkgs/misc/cups/default.nix
@@ -39,6 +39,23 @@ stdenv.mkDerivation rec { url = "https://github.com/OpenPrinting/cups/commit/b273a1f29bda87317c551614cf9ab6125f56e317.patch"; hash = "sha256-nzWKEMOEBKZMjqVPl2mcATtXZSrh++yhv9VMvbA+49E="; }) + # the following three patches fix a regression introduced by the patch above + (fetchpatch { + name = "CVE-2024-35235-fixup-domainsocket-1.patch"; + url = "https://github.com/OpenPrinting/cups/commit/6131f6a73c188f3db0ec94ae488991ce80cfd7ea.patch"; + hash = "sha256-uftOI0zkwPXsW8CY8BoOkx4BysjDUc66LuzyZDjUHCI="; + }) + (fetchpatch { + name = "CVE-2024-35235-fixup-domainsocket-2.patch"; + url = "https://github.com/OpenPrinting/cups/commit/4417cd366f7baf64f4ada3efbb3ec13cd773a0f4.patch"; + hash = "sha256-ighA4Vmf43iiwkNl71//Ml8ynh8nF/bcNOKELeJFPKo="; + }) + (fetchpatch { + name = "CVE-2024-35235-fixup-domainsocket-3.patch"; + url = "https://github.com/OpenPrinting/cups/commit/145b946a86062aafab76c656ee9c1112bfd4f804.patch"; + includes = [ "scheduler/conf.c" ]; + hash = "sha256-2jQFHUFav8XDfqA/PVKNvbUnZI34na8Wbuu4XRy3uqc="; + }) ]; postPatch = ''
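Review bot: The third fetchpatch restricts itself to `scheduler/conf.c` via `includes`, but nothing says what the rest of upstream commit 145b946a86062aafab76c656ee9c1112bfd4f804 touches or why it is left out, so a future reader cannot tell whether the exclusion is deliberate or merely what happened to apply to 2.4.8; a short comment above that entry giving the reason (for instance that the commit's other files are not needed on 2.4.8, if that is the case) would record it. The comment above the three patches could also name the upstream report the commit message already cites, e.g. `# fix a regression introduced by the patch above (cupsd fails to start with only Listen /path/to/socket listeners), see https://github.com/OpenPrinting/cups/issues/985 and pull/988`, so the reason for the fixups survives outside the commit message. The `patches` list and the `postPatch` block continue outside the hunk.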