!153 Fix regression of fixing CVE-2024-35235 (upstream issue#985)

From: @fundawang 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng

backport-CVE-2023-34241.patch

@@ -0,0 +1,63 @@
+From 450b6ba5f3785d18095a56eb9fbd5bbdaad43d1a Mon Sep 17 00:00:00 2001
+From: Rose <83477269+AtariDreams@users.noreply.github.com>
+Date: Thu, 1 Jun 2023 11:33:39 -0400
+Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
+
+httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
+
+We have to log the hostname first.
+---
+ scheduler/client.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 236355a..d76e1e0 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -203,13 +203,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+    /*
+     * Can't have an unresolved IP address with double-lookups enabled...
+     */
+-
+-    httpClose(con->http);
+-
+     cupsdLogClient(con, CUPSD_LOG_WARN,
+-                    "Name lookup failed - connection from %s closed!",
++                    "Name lookup failed - closing connection from %s!",
+                     httpGetHostname(con->http, NULL, 0));
+ 
++    httpClose(con->http);
+     free(con);
+     return;
+   }
+@@ -245,11 +243,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+       * with double-lookups enabled...
+       */
+ 
+-      httpClose(con->http);
+-
+       cupsdLogClient(con, CUPSD_LOG_WARN,
+-                      "IP lookup failed - connection from %s closed!",
++                      "IP lookup failed - closing connection from %s!",
+                       httpGetHostname(con->http, NULL, 0));
++
++      httpClose(con->http);
+       free(con);
+       return;
+     }
+@@ -266,11 +264,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ 
+   if (!hosts_access(&wrap_req))
+   {
+-    httpClose(con->http);
+-
+     cupsdLogClient(con, CUPSD_LOG_WARN,
+                     "Connection from %s refused by /etc/hosts.allow and "
+ 		    "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
++
++    httpClose(con->http);
+     free(con);
+     return;
+   }
+-- 
+2.33.0

backport-CVE-2023-4504.patch

@@ -0,0 +1,44 @@
+From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 20 Sep 2023 14:45:17 +0200
+Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
+ 
+We didn't check for end of buffer if it looks there is an escaped
+character - check for NULL terminator there and if found, return NULL
+as return value and in `ptr`, because a lone backslash is not
+a valid PostScript character.
+ 
+Reference:https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31
+Conflict:Unmodified CHANGES.md
+ 
+---
+ filter/interpret.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+ 
+diff --git a/filter/interpret.c b/filter/interpret.c
+index 031b1d5..191e759 100644
+--- a/filter/interpret.c
++++ b/filter/interpret.c
+@@ -1117,7 +1117,19 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
+ 
+ 	    cur ++;
+ 
+-            if (*cur == 'b')
++	   /*
++	    * Return NULL if we reached NULL terminator, a lone backslash
++	    * is not a valid character in PostScript.
++	    */
++
++	    if (!*cur)
++	    {
++	      *ptr = NULL;
++
++	      return (NULL);
++	    }
++
++	    if (*cur == 'b')
+ 	      *valptr++ = '\b';
+ 	    else if (*cur == 'f')
+ 	      *valptr++ = '\f';
+-- 
+2.27.0

backport-Fix-CVE-2024-35235-regression.patch

@@ -0,0 +1,52 @@
+From 6131f6a73c188f3db0ec94ae488991ce80cfd7ea Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Fri, 14 Jun 2024 15:10:21 -0400
+Subject: [PATCH] Don't abort early if there are no listen sockets after
+ loading cupsd.conf (Issue #985)
+
+---
+ scheduler/conf.c |  2 +-
+ scheduler/main.c | 17 +++++++++++++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index ebf8ca8ccd..34b30e56d1 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -1048,7 +1048,7 @@ cupsdReadConfiguration(void)
+   * as an error and exit!
+   */
+ 
+-  if (cupsArrayCount(Listeners) == 0)
++  if (cupsArrayCount(Listeners) == 0 && !OnDemand)
+   {
+    /*
+     * No listeners!
+diff --git a/scheduler/main.c b/scheduler/main.c
+index 4472863081..70f3159df6 100644
+--- a/scheduler/main.c
++++ b/scheduler/main.c
+@@ -2036,6 +2036,23 @@ service_checkin(void)
+     service_add_listener(fd, 0);
+   }
+ #endif /* HAVE_LAUNCHD */
++
++  if (cupsArrayCount(Listeners) == 0)
++  {
++   /*
++    * No listeners!
++    */
++
++    cupsdLogMessage(CUPSD_LOG_EMERG,
++                    "No valid Listen or Port lines were found in the "
++		    "configuration file.");
++
++   /*
++    * Commit suicide...
++    */
++
++    cupsdEndProcess(getpid(), 0);
++  }
+ }
+ 
+ 

backport-Fix-CVE-2024-35235.patch

@@ -0,0 +1,94 @@
+From a436956f374b0fd7f5da9df482e4f5840fa1c0d2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Mon, 3 Jun 2024 18:53:58 +020
+Subject: [PATCH] Fix domain socket handling
+Reference: https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2
+---
+ cups/http-addr.c | 38 +++++++++++++++++++-------------------
+ scheduler/conf.c | 19 +++++++++++++++++++
+ 2 files changed, 38 insertions(+), 19 deletions(-)
+
+diff --git a/cups/http-addr.c b/cups/http-addr.c
+index 71e61f5..1905c46 100644
+--- a/cups/http-addr.c
++++ b/cups/http-addr.c
+@@ -206,27 +206,27 @@ httpAddrListen(http_addr_t *addr,	/* I - Address to bind to */
+     * Remove any existing domain socket file...
+     */
+ 
+-    unlink(addr->un.sun_path);
+-
+-   /*
+-    * Save the current umask and set it to 0 so that all users can access
+-    * the domain socket...
+-    */
+-
+-    mask = umask(0);
+-
+-   /*
+-    * Bind the domain socket...
+-    */
+-
+-    status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
++    if ((status = unlink(addr->un.sun_path)) < 0)
++    {
++      DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
++      if (errno == ENOENT)
++	status = 0;
++    }
+ 
+-   /*
+-    * Restore the umask and fix permissions...
+-    */
++    if (!status)
++    {
++      // Save the current umask and set it to 0 so that all users can access
++      // the domain socket...
++      mask = umask(0);
++      // Bind the domain socket...
++      if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
++      {
++	DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
++      }
+ 
+-    umask(mask);
+-    chmod(addr->un.sun_path, 0140777);
++      // Restore the umask...
++      umask(mask);
++    }
+   }
+   else
+ #endif /* AF_LOCAL */
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index 4200b57..dc08652 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -3103,6 +3103,25 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+ 
+       cupsd_listener_t	*lis;		/* New listeners array */
+ 
++     /*
++      * If we are launched on-demand, do not use domain sockets from the config
++      * file.  Also check that the domain socket path is not too long...
++      */
++
++#ifdef HAVE_ONDEMAND
++      if (*value == '/' && OnDemand)
++      {
++        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
++        continue;
++      }
++#endif // HAVE_ONDEMAND
++
++      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
++      {
++        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
++        continue;
++      }
+ 
+      /*
+       * Get the address list...
+-- 
+2.27.0
+

cups.spec

@@ -1,7 +1,7 @@
 Name:    cups
 Epoch:   1
 Version: 2.2.13
-Release: 15
+Release: 21
 Summary: CUPS is the standards-based, open source printing system for linux operating systems.
 License: GPLv2+ and LGPLv2+ with exceptions and AML
 Url:     http://www.cups.org/
@@ -39,6 +39,12 @@ Patch6002: backport-CVE-2022-26691.patch
 #Partial backport of 82e3ee0e3230287b76a76fb8f16b92ca6e50b444
 Patch6003: CVE-2019-8842.patch
 Patch6004: backport-CVE-2023-32324.patch
+Patch6005: fix-httpAddrGetList-test-case-fail.patch
+Patch6006: fix-verifying-that-history-still-exists-test-case-fail.patch
+Patch6007: backport-CVE-2023-34241.patch
+Patch6008: backport-CVE-2023-4504.patch
+Patch6009: backport-Fix-CVE-2024-35235.patch
+Patch6010: backport-Fix-CVE-2024-35235-regression.patch
 
 Provides: cupsddk cupsddk-drivers cups-filesystem cups-client cups-ipptool cups-lpd
 Provides: lpd lpr /usr/bin/lpq /usr/bin/lpr /usr/bin/lp /usr/bin/cancel /usr/bin/lprm /usr/bin/lpstat
@@ -333,6 +339,24 @@ rm -f %{_exec_prefix}/lib/cups/backend/smb
 %doc %{_datadir}/%{name}/www/apple-touch-icon.png
 
 %changelog
+* Wed Aug 14 2024 Funda Wang <fundawang@yeah.net> - 1:2.2.13-21
+- Fix regression of fixing CVE-2024-35235 (upstream issue#985)
+
+* Thu Jun 20 2024 baiguo <baiguo@kylinos.cn> - 1:2.2.13-20
+- fix CVE-2024-35235 
+
+* Fri Sep 22 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 1:2.2.13-19
+- fix CVE-2023-4504
+
+* Mon Jun 26 2023 zhangpan <zhangpan103@h-partners.com> - 1:2.2.13-18
+- fix test case fail
+
+* Mon Jun 26 2023 zhouwenpei <zhouwenpei@h-partners.com> - 1:2.2.13-17
+- fix CVE-2023-34241
+
+* Fri Jun 9 2023 zhangpan <zhangpan103@h-partners.com> - 1:2.2.13-16
+- fix build error
+
 * Sat Jun 3 2023 zhouwenpei <zhouwenpei@h-partners.com> - 1:2.2.13-15
 - fix CVE-2023-32324
 

fix-httpAddrGetList-test-case-fail.patch

@@ -0,0 +1,44 @@
+From 079c00aac0db4d95383cf73be73e641ff26ebfc6 Mon Sep 17 00:00:00 2001
+From: zhangpan <zhangpan103@h-partners.com>
+Date: Fri, 9 Jun 2023 11:04:18 +0800
+Subject: [PATCH] fix httpAddrGetList test case fail
+
+---
+ cups/testhttp.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/cups/testhttp.c b/cups/testhttp.c
+index 313e4bb..f446d65 100644
+--- a/cups/testhttp.c
++++ b/cups/testhttp.c
+@@ -14,7 +14,7 @@
+  */
+ 
+ #include "cups-private.h"
+-
++#include <unistd.h>
+ 
+ /*
+  * Types and structures...
+@@ -231,7 +231,8 @@ main(int  argc,				/* I - Number of command-line arguments */
+   char		scheme[HTTP_MAX_URI],	/* Scheme from URI */
+ 		hostname[HTTP_MAX_URI],	/* Hostname from URI */
+ 		username[HTTP_MAX_URI],	/* Username:password from URI */
+-		resource[HTTP_MAX_URI];	/* Resource from URI */
++		resource[HTTP_MAX_URI],	/* Resource from URI */
++		localhostname[HTTP_MAX_URI]; /* gethostname */
+   int		port;			/* Port number from URI */
+   http_uri_status_t uri_status;		/* Status of URI separation */
+   http_addrlist_t *addrlist,		/* Address list */
+@@ -391,7 +392,7 @@ main(int  argc,				/* I - Number of command-line arguments */
+ 
+     printf("httpAddrGetList(%s): ", hostname);
+ 
+-    addrlist = httpAddrGetList(hostname, AF_UNSPEC, NULL);
++    addrlist = httpAddrGetList(gethostname(localhostname, sizeof(localhostname)), AF_UNSPEC, NULL);
+     if (addrlist)
+     {
+       for (i = 0, addr = addrlist; addr; i ++, addr = addr->next)
+-- 
+2.33.0
+

fix-verifying-that-history-still-exists-test-case-fail.patch

@@ -0,0 +1,25 @@
+From 033bc4df3a58022b93e1cef8387b04d08dddd1fe Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Sat, 28 Nov 2020 08:43:46 -0500
+Subject: [PATCH] Force a 5 second sleep to wait for the job control file to be
+ written.
+
+Reference:https://github.com/OpenPrinting/cups/commit/033bc4df3a58022b93e1cef8387b04d08dddd1fe
+Conflict:NA
+
+---
+ test/run-stp-tests.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/run-stp-tests.sh b/test/run-stp-tests.sh
+index d93388408a..4498a8c103 100755
+--- a/test/run-stp-tests.sh
++++ b/test/run-stp-tests.sh
+@@ -845,6 +845,7 @@ else
+ 	echo "PASS"
+ 	echo "    PASSED" >>$strfile
+ 
++	sleep 5
+ 	./waitjobs.sh >>$strfile
+ 
+         echo $ac_n "Verifying that history still exists: $ac_c"