Opened 22 months ago

Closed 22 months ago

Last modified 20 months ago

#18198 closed enhancement (fixed)

cups-2.4.6

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: elevated Milestone: 12.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (6)

comment:1 by Douglas R. Reno, 22 months ago

Priority: normal → elevated

comment:2 by Douglas R. Reno, 22 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:3 by Douglas R. Reno, 22 months ago

Release Notes:

CUPS 2.4.6 is released to ship the fix for the latest CVE - CVE-2023-34241 - and two other bug fixes.

Detailed list:

    Fix linking error on old MacOS (Issue #715)
    Fix printing multiple files on specific printers (Issue #643)
    Fix use-after-free when logging warnings in case of failures in cupsdAcceptClient() (fixes CVE-2023-34241)

Information from oss-security:

     Summary

Cups logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before.

     Details

The exact cause of this issue is the function httpClose(con->http) being called in scheduler/client.c before:

    httpClose(con->http);
    cupsdLogClient(con, CUPSD_LOG_WARN, "IP lookup failed - connection from %s closed!", httpGetHostname(con->http, NULL, 0));

The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname.

This issue happens in function cupsdAcceptClient if LogLevel is |warn| or higher and in two scenarios:

 * there is a double-lookup for the IP Address (|HostNameLookups
   Double| is set in |cupsd.conf|) which fails to resolve,
 * or if CUPS is compiled with TCP wrappers and the connection is
   refused by rules from |/etc/hosts.allow| and |/etc/hosts.deny|.


     Reproducer

None provided

     Impact

This is a use-after-free bug, that impacts the entire cupsd process.

If you need an exploit scenario, consider: local (unprivileged) attacker who happens to be able to read the log using it to exfiltrate private keys and info from a privileged cups daemon, or simply denial-of-service by making it crash.

     Patch

Committed as https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2
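The two orderings described in the oss-security text above, as an added example that is not part of this ticket, of the advisory, or of CUPS itself. The model_* types and functions are stand-ins for http_t, cupsd_client_t, httpClose(), httpGetHostname() and cupsdLogClient() (assumed here for illustration, not the real CUPS API); the hostname is a constructed test value. The vulnerable ordering is kept only for contrast and is never executed, since reading freed memory is undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for http_t (assumption for this example): only the field the
 * warning message needs. */
typedef struct {
    char hostname[64];
} model_http_t;

/* Stand-in for cupsd_client_t (assumption for this example). */
typedef struct {
    model_http_t *http;
} model_client_t;

/* Stand-in for httpClose(): like the real one, it frees its argument when
 * non-NULL, so the pointer must not be touched afterwards. */
static void model_httpClose(model_http_t *http)
{
    if (http != NULL)
        free(http);
}

/* Stand-in for httpGetHostname(): returns the connection's hostname. */
static const char *model_httpGetHostname(const model_http_t *http)
{
    return http->hostname;
}

/* Stand-in for cupsdLogClient(): formats the warning into a caller-supplied
 * buffer instead of the log file, so the result can be checked. */
static void model_log_warn(char *out, size_t outlen, const char *host)
{
    snprintf(out, outlen, "IP lookup failed - connection from %s closed!", host);
}

/* Vulnerable ordering (the pattern quoted in the advisory): close first, then
 * read the hostname from the already-freed object. Not called anywhere here;
 * under AddressSanitizer this is reported as heap-use-after-free. */
static void close_then_log_vulnerable(model_client_t *con, char *out, size_t outlen)
{
    model_httpClose(con->http);
    model_log_warn(out, outlen, model_httpGetHostname(con->http)); /* UAF */
}

/* Corrected ordering: read the hostname and log while the object is still
 * alive, then close it and clear the pointer so nothing can reuse it later. */
static void log_then_close_fixed(model_client_t *con, char *out, size_t outlen)
{
    model_log_warn(out, outlen, model_httpGetHostname(con->http));
    model_httpClose(con->http);
    con->http = NULL;
}

/* Test fixture: build a client with a constructed hostname (no real I/O). */
static model_client_t *model_accept(const char *hostname)
{
    model_client_t *con = calloc(1, sizeof *con);
    if (con == NULL)
        return NULL;
    con->http = calloc(1, sizeof *con->http);
    if (con->http == NULL) {
        free(con);
        return NULL;
    }
    snprintf(con->http->hostname, sizeof con->http->hostname, "%s", hostname);
    return con;
}

int main(void)
{
    char line[128];
    model_client_t *con = model_accept("printer-host.example");
    if (con == NULL)
        return 1;
    (void)close_then_log_vulnerable; /* shown for contrast only, never run */
    log_then_close_fixed(con, line, sizeof line);
    puts(line);
    free(con);
    return 0;
}
```

Compiling the block with -fsanitize=address and calling close_then_log_vulnerable() instead of log_then_close_fixed() is the quickest way to see the class of bug the advisory describes reported as a heap-use-after-free; the fixed ordering runs clean.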

comment:4 by Douglas R. Reno, 22 months ago

Resolution: fixed
Status: assigned → closed

comment:5 by Douglas R. Reno, 22 months ago

SA-11.3-044 issued

comment:6 by Bruce Dubbs, 20 months ago

Milestone: 11.4 → 12.0

Milestone renamed
