[cups-devel] [UNKN] STR #4455: Incomplete fix for CVE-2014-3537

Salvatore Bonaccorso noreply at cups.org
Mon Jul 21 11:36:34 PDT 2014



[STR New]

Hi

I noticed the fix for CVE-2014-3537 might be incomplete. From
http://www.cups.org/str.php?L4450 the intention was to disallow symlinks.
But the code in 1.7.4 (similarly in the current development version) looks
like:

  if ((status = stat(filename, filestats)) != 0 && language[0] &&
      strncmp(con->uri, "/icons/", 7) &&
      strncmp(con->uri, "/ppd/", 5) &&
      strncmp(con->uri, "/rss/", 5) &&
      strncmp(con->uri, "/admin/conf/", 12) &&
      strncmp(con->uri, "/admin/log/", 11))
  {
   /*
    * Drop the country code...
    */

    language[3] = '\0';
    snprintf(filename, len, "%s%s%s", DocumentRoot, language, con->uri);

    if ((ptr = strchr(filename, '?')) != NULL)
      *ptr = '\0';

    if ((status = lstat(filename, filestats)) != 0)
    {
     /*
      * Drop the language prefix and try the root directory...
      */

      language[0] = '\0';
      snprintf(filename, len, "%s%s", DocumentRoot, con->uri);

      if ((ptr = strchr(filename, '?')) != NULL)
        *ptr = '\0';

      status = lstat(filename, filestats);
    }
  }

If language[0] is null, we do not reach the lstat calls for filename, and
afterwards

 /*
  * If we've found a symlink, 404 the sucker to avoid disclosing information.
  */

  if (!status && S_ISLNK(filestats->st_mode))
  {
    cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.",
                    con->http.fd, filename);
    return (NULL);
  }

will not do what was intended.

Additionally (from Michael Sweet):

> Yes, it looks like this needs to be an lstat as well, and we should
> probably add similar protections to the directory index files (which
> are also using stat).

Regards,
Salvatore

Link: https://www.cups.org/str.php?L4455
Version: 1.7.4
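As an added illustration of the stat()/lstat() distinction at the heart of this report (example code written here, not CUPS source): symlink_check() reproduces the flawed stat()-based test and the lstat()-based fix side by side, against a constructed temporary file and a symlink pointing at it. The fixture_t helpers and the /tmp/str4455-XXXXXX directory name are assumptions of this example.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* The symlink test from the report, parameterised on the syscall used.
 * follow=1 reproduces the flaw: stat() follows the link, so st_mode
 * describes the target and S_ISLNK is never true. follow=0 is the fix:
 * lstat() describes the link itself.
 * Returns 1 if the path is flagged as a symlink, 0 if it passes, -1 if
 * the path cannot be stat'ed at all (the 404 case). */
int symlink_check(const char *filename, int follow)
{
  struct stat st;
  int status = follow ? stat(filename, &st) : lstat(filename, &st);
  if (status != 0)
    return -1;
  return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Constructed fixture (hypothetical helper, not CUPS code): a regular file
 * and a symlink to it inside a fresh temporary directory. Returns 0 on success. */
typedef struct { char dir[32]; char file[64]; char link[64]; } fixture_t;

int make_fixture(fixture_t *f)
{
  int fd;
  snprintf(f->dir, sizeof(f->dir), "/tmp/str4455-XXXXXX");
  if (mkdtemp(f->dir) == NULL) return -1;
  snprintf(f->file, sizeof(f->file), "%s/index.html", f->dir);
  snprintf(f->link, sizeof(f->link), "%s/link.html", f->dir);
  if ((fd = open(f->file, O_WRONLY | O_CREAT, 0644)) < 0) return -1;
  close(fd);
  return symlink(f->file, f->link);
}

void remove_fixture(fixture_t *f)
{
  unlink(f->link); unlink(f->file); rmdir(f->dir);
}

int main(void)
{
  fixture_t f;
  if (make_fixture(&f) != 0) return 1;
  printf("stat()  on symlink: %d (flaw: not detected)\n", symlink_check(f.link, 1));
  printf("lstat() on symlink: %d (fix: detected)\n", symlink_check(f.link, 0));
  printf("lstat() on file:    %d\n", symlink_check(f.file, 0));
  remove_fixture(&f);
  return 0;
}
```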