scheduler/cert.c: Fix string comparison (fixes CVE-2022-26691)

The previous algorithm didn't expect the strings can have a different
length, so one string can be a substring of the other and such substring
was reported as equal to the longer string.

diff --git a/CHANGES.md b/CHANGES.md
index b254bc57c5a15b5ec883e45652414466d7ff8f2e..1fc8ab0ca640d4335e403e5cde9f38e8598dab47 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -4,6 +4,7 @@ CHANGES - OpenPrinting CUPS 2.4.1 - 2022-01-27
 Changes in CUPS v2.4.2 (TBA)
 ----------------------------
 
+- Fixed certificate strings comparison for Local authorization (CVE-2022-26691)
 - The `cupsFileOpen` function no longer opens files for append in read-write
   mode (Issue #291)
 - The cupsd daemon removed processing temporary queue (Issue #364)

diff --git a/scheduler/cert.c b/scheduler/cert.c
index b268bf1b2df9ab49860792fed801fbbd68703a5f..9b65b96c9ce8835205a5343ef727748141f41129 100644 (file)
--- a/scheduler/cert.c
+++ b/scheduler/cert.c
@@ -444,5 +444,12 @@ ctcompare(const char *a,           /* I - First string */
     b ++;
   }
 
-  return (result);
+ /*
+  * The while loop finishes when *a == '\0' or *b == '\0'
+  * so after the while loop either both *a and *b == '\0',
+  * or one points inside a string, so when we apply logical OR on *a,
+  * *b and result, we get a non-zero return value if the compared strings don't match.
+  */
+
+  return (result | *a | *b);
 }