From: Zdenek Dohnal
Date: Tue, 11 Jun 2024 14:19:11 +0000 (+0200)
Subject: Fix domain socket handling (fixes CVE-2024-35235)
X-Git-Tag: v2.4.9~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b273a1f29bda87317c551614cf9ab6125f56e317;p=thirdparty%2Fcups.git

Fix domain socket handling (fixes CVE-2024-35235)

- Check status of unlink and bind system calls.
- Don't allow extra domain sockets when running from launchd/systemd.
- Validate length of domain socket path (< sizeof(sun_path))
Fixes CVE-2024-35235, written by Mike Sweet
---

diff --git a/cups/http-addr.c b/cups/http-addr.c
index 6aeeb80748..80c1fa8fcb 100644
--- a/cups/http-addr.c
+++ b/cups/http-addr.c
@@ -206,27 +206,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
 * Remove any existing domain socket file...
 */
 
- unlink(addr->un.sun_path);
-
- /*
- * Save the current umask and set it to 0 so that all users can access
- * the domain socket...
- */
-
- mask = umask(0);
+ if ((status = unlink(addr->un.sun_path)) < 0)
+ {
+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
 
- /*
- * Bind the domain socket...
- */
+ if (errno == ENOENT)
+ status = 0;
+ }
 
- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
+ if (!status)
+ {
+ // Save the current umask and set it to 0 so that all users can access
+ // the domain socket...
+ mask = umask(0);
 
- /*
- * Restore the umask and fix permissions...
- */
+ // Bind the domain socket...
+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
+ {
+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
+ }
 
- umask(mask);
- chmod(addr->un.sun_path, 0140777);
+ // Restore the umask...
+ umask(mask);
+ }
 }
 else
 #endif /* AF_LOCAL */
diff --git a/scheduler/conf.c b/scheduler/conf.c
index defca78aae..ebf8ca8ccd 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
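Review bot: In the added unlink() error branch, `DEBUG_printf` is called before the `errno == ENOENT` test, so in a debug build the logging call may overwrite errno and turn the harmless "no stale socket file" case into a listen failure; whether the debug macro preserves errno is not visible here. The same call also reports "Unable to unlink" for the benign ENOENT case. Testing errno first avoids both: `if (errno == ENOENT) status = 0; else DEBUG_printf((...));`. With the chmod() removed, the socket's access mode now depends entirely on the `umask(0)` in effect at bind() time, which deserves a one-line comment such as `// No chmod() after bind - mode comes from the umask, path is never re-resolved`. httpAddrListen starts and ends outside this hunk, so how a non-zero status is handled afterwards cannot be confirmed from here.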
@@ -3083,6 +3083,26 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
 cupsd_listener_t *lis; /* New listeners array */
 
 
+ /*
+ * If we are launched on-demand, do not use domain sockets from the config
+ * file. Also check that the domain socket path is not too long...
+ */
+
+#ifdef HAVE_ONDEMAND
+ if (*value == '/' && OnDemand)
+ {
+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
+ continue;
+ }
+#endif // HAVE_ONDEMAND
+
+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
+ {
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
+ continue;
+ }
+
 /*
 * Get the address list...
 */
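Review bot: Both rejections added here are logged with `CUPSD_LOG_INFO`, so when the scheduler runs at a less verbose log level an administrator gets no indication that a configured domain socket address was dropped. The too-long case is a configuration error and would be better reported with `CUPSD_LOG_WARN`. In the on-demand branch the `continue;` directly follows an unbraced `if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))`, which is easy to misread. Bracing the log call would make it explicit that every domain socket path is skipped when `OnDemand` is set and that only non-default paths are logged. read_cupsd_conf continues outside the hunk, so the declaration of `addr` used in `sizeof(addr->addr.un.sun_path)` is not visible from here.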