[cups-devel] [UNKN] STR #4455: Incomplete fix for CVE-2014-3537
Salvatore Bonaccorso
noreply at cups.org
Mon Jul 21 11:36:34 PDT 2014
[STR New]
Hi
I noticed the fix for CVE-2014-3537 might be incomplete. From
http://www.cups.org/str.php?L4450 the intention was to disallow symlinks.
But the code in 1.7.4 (similarly in the current development version) looks
like:
    if ((status = stat(filename, filestats)) != 0 && language[0] &&
        strncmp(con->uri, "/icons/", 7) &&
        strncmp(con->uri, "/ppd/", 5) &&
        strncmp(con->uri, "/rss/", 5) &&
        strncmp(con->uri, "/admin/conf/", 12) &&
        strncmp(con->uri, "/admin/log/", 11))
    {
     /*
      * Drop the country code...
      */

      language[3] = '\0';
      snprintf(filename, len, "%s%s%s", DocumentRoot, language, con->uri);

      if ((ptr = strchr(filename, '?')) != NULL)
        *ptr = '\0';

      if ((status = lstat(filename, filestats)) != 0)
      {
       /*
        * Drop the language prefix and try the root directory...
        */

        language[0] = '\0';
        snprintf(filename, len, "%s%s", DocumentRoot, con->uri);

        if ((ptr = strchr(filename, '?')) != NULL)
          *ptr = '\0';

        status = lstat(filename, filestats);
      }
    }
If language[0] is null, we do not reach the lstat calls for filename, and
afterwards
   /*
    * If we've found a symlink, 404 the sucker to avoid disclosing
    * information.
    */

    if (!status && S_ISLNK(filestats->st_mode))
    {
      cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
      return (NULL);
    }
will not do what was intended.
Additionally (from Michael Sweet):
> Yes, it looks like this needs to be an lstat as well, and we should
> probably add similar protections to the directory index files (which
> are also using stat).
Regards,
Salvatore
Link: https://www.cups.org/str.php?L4455
Version: 1.7.4
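The distinction the report turns on, shown as an added example (this is not code from the message above or from the CUPS tree): stat() follows a symbolic link and reports on the target, so a check of S_ISLNK() on a stat() result never fires, while lstat() reports on the link itself. The helper names, the /tmp fixture directory and the file names target.txt and link.txt are constructed for this demo and are assumptions, not CUPS identifiers.

```c
/*
 * Added example, not CUPS code: compare a symlink check that goes through
 * stat() (the pattern the report describes) with one that goes through
 * lstat() (the intended behaviour). Fixture paths below are constructed
 * for the demo.
 */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700 /* lstat(), symlink(), mkdtemp() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Flawed pattern: stat() follows the link, so S_ISLNK() never triggers.
 * Returns 1 if the check would flag the path, 0 if not, -1 on error. */
int symlink_check_stat(const char *path)
{
  struct stat st;
  if (stat(path, &st) != 0)
    return -1;
  return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Intended pattern: lstat() describes the link entry itself. */
int symlink_check_lstat(const char *path)
{
  struct stat st;
  if (lstat(path, &st) != 0)
    return -1;
  return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Constructed fixture: a temp dir holding a regular file and a symlink to it. */
struct fixture {
  char dir[64];
  char target[128];
  char link[128];
};

/* Build the fixture; returns 0 on success, -1 on failure. */
int make_fixture(struct fixture *f)
{
  strcpy(f->dir, "/tmp/symlink-demo-XXXXXX"); /* hypothetical location */
  if (mkdtemp(f->dir) == NULL)
    return -1;
  snprintf(f->target, sizeof(f->target), "%s/target.txt", f->dir);
  snprintf(f->link, sizeof(f->link), "%s/link.txt", f->dir);

  FILE *fp = fopen(f->target, "w");
  if (fp == NULL)
    return -1;
  fputs("a regular file, constructed for the demo\n", fp);
  fclose(fp);

  return symlink(f->target, f->link) == 0 ? 0 : -1;
}

/* Remove everything make_fixture() created. */
void remove_fixture(const struct fixture *f)
{
  unlink(f->link);
  unlink(f->target);
  rmdir(f->dir);
}

/*
 * Run the comparison end to end and return a bitmask:
 *   bit 0: stat()-based check flagged the link      (expected: clear)
 *   bit 1: lstat()-based check flagged the link     (expected: set)
 *   bit 2: lstat()-based check flagged the real file (expected: clear)
 * so the expected value is 2. Returns -1 if the fixture could not be built.
 */
int demo(void)
{
  struct fixture f;
  int result = 0;

  if (make_fixture(&f) != 0)
    return -1;

  if (symlink_check_stat(f.link) == 1)    result |= 1;
  if (symlink_check_lstat(f.link) == 1)   result |= 2;
  if (symlink_check_lstat(f.target) == 1) result |= 4;

  remove_fixture(&f);
  return result;
}

int main(void)
{
  int r = demo();
  printf("demo() = %d (2 means: stat() missed the link, lstat() caught it)\n", r);
  return r == 2 ? 0 : 1;
}
```

The result shows why the first stat() in the quoted handler is the problem: when the request skips the language-prefix branch, status comes from stat(), filestats describes the link's target, and the S_ISLNK() test that follows can never be true for a symlinked path.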