|
Added
Link Here
|
| 0 |
- |
1 |
Patch for CVE-2008-2941 |
|
|
2 |
|
| 3 |
Fixes parser fragility: original code expects only strings or numbers as |
| 4 |
the input values, but not both. And hpssd client has the full control |
| 5 |
on the input data, so when number is tried to be transformed as string |
| 6 |
(by calling lower() method, for example) the unhandled exception |
| 7 |
terminates the daemon. |
| 8 |
|
| 9 |
Based on: https://bugzilla.redhat.com/attachment.cgi?id=312881 |
| 10 |
|
| 11 |
--- hpssd.py.orig 2008-11-23 22:41:08.000000000 +0300 |
| 12 |
+++ hpssd.py 2008-11-23 22:57:51.000000000 +0300 |
| 13 |
@@ -203,7 +203,7 @@ |
| 14 |
log.debug(self.out_buffer) |
| 15 |
return True |
| 16 |
|
| 17 |
- msg_type = self.fields.get('msg', 'unknown').lower() |
| 18 |
+ msg_type = str(self.fields.get('msg', 'unknown')).lower() |
| 19 |
log.debug("Handling: %s %s %s" % ("*"*20, msg_type, "*"*20)) |
| 20 |
log.debug(repr(self.in_buffer)) |
| 21 |
|
| 22 |
@@ -260,9 +260,9 @@ |
| 23 |
|
| 24 |
|
| 25 |
def handle_getvalue(self): |
| 26 |
- device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:') |
| 27 |
+ device_uri = str(self.fields.get('device-uri', '')).replace('hpfax:', 'hp:') |
| 28 |
value = '' |
| 29 |
- key = self.fields.get('key', '') |
| 30 |
+ key = str(self.fields.get('key', '')) |
| 31 |
result_code = self.__checkdevice(device_uri) |
| 32 |
|
| 33 |
if result_code == ERROR_SUCCESS: |
| 34 |
@@ -274,9 +274,9 @@ |
| 35 |
self.out_buffer = buildResultMessage('GetValueResult', value, result_code) |
| 36 |
|
| 37 |
def handle_setvalue(self): |
| 38 |
- device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:') |
| 39 |
- key = self.fields.get('key', '') |
| 40 |
- value = self.fields.get('value', '') |
| 41 |
+ device_uri = str(self.fields.get('device-uri', '')).replace('hpfax:', 'hp:') |
| 42 |
+ key = str(self.fields.get('key', '')) |
| 43 |
+ value = str(self.fields.get('value', '')) |
| 44 |
result_code = self.__checkdevice(device_uri) |
| 45 |
|
| 46 |
if result_code == ERROR_SUCCESS: |
| 47 |
@@ -285,7 +285,7 @@ |
| 48 |
self.out_buffer = buildResultMessage('SetValueResult', None, ERROR_SUCCESS) |
| 49 |
|
| 50 |
def handle_queryhistory(self): |
| 51 |
- device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:') |
| 52 |
+ device_uri = str(self.fields.get('device-uri', '')).replace('hpfax:', 'hp:') |
| 53 |
payload = '' |
| 54 |
result_code = self.__checkdevice(device_uri) |
| 55 |
|
| 56 |
@@ -305,8 +305,8 @@ |
| 57 |
|
| 58 |
# EVENT |
| 59 |
def handle_registerguievent(self): |
| 60 |
- username = self.fields.get('username', '') |
| 61 |
- typ = self.fields.get('type', 'unknown') |
| 62 |
+ username = str(self.fields.get('username', '')) |
| 63 |
+ typ = str(self.fields.get('type', 'unknown')) |
| 64 |
self.typ = typ |
| 65 |
self.username = username |
| 66 |
self.send_events = True |
| 67 |
@@ -314,13 +314,13 @@ |
| 68 |
|
| 69 |
# EVENT |
| 70 |
def handle_unregisterguievent(self): |
| 71 |
- username = self.fields.get('username', '') |
| 72 |
+ username = str(self.fields.get('username', '')) |
| 73 |
self.send_events = False |
| 74 |
|
| 75 |
|
| 76 |
def handle_test_email(self): |
| 77 |
result_code = ERROR_SUCCESS |
| 78 |
- username = self.fields.get('username', prop.username) |
| 79 |
+ username = str(self.fields.get('username', prop.username)) |
| 80 |
message = device.queryString('email_test_message') |
| 81 |
subject = device.queryString('email_test_subject') |
| 82 |
result_code = self.sendEmail(username, subject, message, True) |
| 83 |
@@ -343,11 +343,14 @@ |
| 84 |
|
| 85 |
# sent by hpfax: to indicate the start of a complete fax rendering job |
| 86 |
def handle_hpfaxbegin(self): |
| 87 |
- username = self.fields.get('username', prop.username) |
| 88 |
- job_id = self.fields.get('job-id', 0) |
| 89 |
- printer_name = self.fields.get('printer', '') |
| 90 |
- device_uri = self.fields.get('device-uri', '').replace('hp:', 'hpfax:') |
| 91 |
- title = self.fields.get('title', '') |
| 92 |
+ username = str(self.fields.get('username', prop.username)) |
| 93 |
+ try: |
| 94 |
+ job_id = int(self.fields.get('job-id', 0)) |
| 95 |
+ except ValueError: |
| 96 |
+ job_id = 0 |
| 97 |
+ printer_name = str(self.fields.get('printer', '')) |
| 98 |
+ device_uri = str(self.fields.get('device-uri', '')).replace('hp:', 'hpfax:') |
| 99 |
+ title = str(self.fields.get('title', '')) |
| 100 |
|
| 101 |
log.debug("Creating data store for %s:%d" % (username, job_id)) |
| 102 |
fax_file[(username, job_id)] = tempfile.NamedTemporaryFile(prefix="hpfax") |
| 103 |
@@ -360,8 +363,11 @@ |
| 104 |
|
| 105 |
# sent by hpfax: to transfer completed fax rendering data |
| 106 |
def handle_hpfaxdata(self): |
| 107 |
- username = self.fields.get('username', prop.username) |
| 108 |
- job_id = self.fields.get('job-id', 0) |
| 109 |
+ username = str(self.fields.get('username', prop.username)) |
| 110 |
+ try: |
| 111 |
+ job_id = int(self.fields.get('job-id', 0)) |
| 112 |
+ except ValueError: |
| 113 |
+ job_id = 0 |
| 114 |
|
| 115 |
if self.payload and (username, job_id) in fax_file and \ |
| 116 |
not fax_file_ready[(username, job_id)]: |
| 117 |
@@ -373,12 +379,18 @@ |
| 118 |
|
| 119 |
# sent by hpfax: to indicate the end of a complete fax rendering job |
| 120 |
def handle_hpfaxend(self): |
| 121 |
- username = self.fields.get('username', '') |
| 122 |
- job_id = self.fields.get('job-id', 0) |
| 123 |
- printer_name = self.fields.get('printer', '') |
| 124 |
- device_uri = self.fields.get('device-uri', '').replace('hp:', 'hpfax:') |
| 125 |
- title = self.fields.get('title', '') |
| 126 |
- job_size = self.fields.get('job-size', 0) |
| 127 |
+ username = str(self.fields.get('username', '')) |
| 128 |
+ try: |
| 129 |
+ job_id = int(self.fields.get('job-id', 0)) |
| 130 |
+ except ValueError: |
| 131 |
+ job_id = 0 |
| 132 |
+ printer_name = str(self.fields.get('printer', '')) |
| 133 |
+ device_uri = str(self.fields.get('device-uri', '')).replace('hp:', 'hpfax:') |
| 134 |
+ title = str(self.fields.get('title', '')) |
| 135 |
+ try: |
| 136 |
+ job_size = int(self.fields.get('job-size', 0)) |
| 137 |
+ except ValueError: |
| 138 |
+ job_size = 0 |
| 139 |
|
| 140 |
fax_file[(username, job_id)].seek(0) |
| 141 |
fax_file_ready[(username, job_id)] = True |
| 142 |
@@ -389,7 +401,7 @@ |
| 143 |
|
| 144 |
# sent by hp-sendfax to see if any faxes have been printed and need to be picked up |
| 145 |
def handle_faxcheck(self): |
| 146 |
- username = self.fields.get('username', '') |
| 147 |
+ username = str(self.fields.get('username', '')) |
| 148 |
result_code = ERROR_NO_DATA_AVAILABLE |
| 149 |
other_fields = {} |
| 150 |
|
| 151 |
@@ -413,8 +425,11 @@ |
| 152 |
# after being run with --job param, both after a hpfaxend message |
| 153 |
def handle_faxgetdata(self): |
| 154 |
result_code = ERROR_SUCCESS |
| 155 |
- username = self.fields.get('username', '') |
| 156 |
- job_id = self.fields.get('job-id', 0) |
| 157 |
+ username = str(self.fields.get('username', '')) |
| 158 |
+ try: |
| 159 |
+ job_id = int(self.fields.get('job-id', 0)) |
| 160 |
+ except ValueError: |
| 161 |
+ job_id = 0 |
| 162 |
|
| 163 |
try: |
| 164 |
fax_file[(username, job_id)] |
| 165 |
@@ -442,15 +457,18 @@ |
| 166 |
# EVENT |
| 167 |
def handle_event(self): |
| 168 |
gui_port, gui_host = None, None |
| 169 |
- event_type = self.fields.get('event-type', 'event') |
| 170 |
+ event_type = str(self.fields.get('event-type', 'event')) |
| 171 |
|
| 172 |
- event_code = self.fields.get('event-code', STATUS_PRINTER_IDLE) |
| 173 |
+ try: |
| 174 |
+ event_code = int(self.fields.get('event-code', STATUS_PRINTER_IDLE)) |
| 175 |
+ except ValueError: |
| 176 |
+ event_code = STATUS_PRINTER_IDLE |
| 177 |
|
| 178 |
# If event-code > 10001, its a PJL error code, so convert it |
| 179 |
if event_code > EVENT_MAX_EVENT: |
| 180 |
event_code = status.MapPJLErrorCode(event_code) |
| 181 |
|
| 182 |
- device_uri = self.fields.get('device-uri', '').replace('hpfax:', 'hp:') |
| 183 |
+ device_uri = str(self.fields.get('device-uri', '')).replace('hpfax:', 'hp:') |
| 184 |
result_code = self.__checkdevice(device_uri) |
| 185 |
if result_code != ERROR_SUCCESS: |
| 186 |
return |
| 187 |
@@ -461,7 +479,10 @@ |
| 188 |
|
| 189 |
log.debug("Short/Long: %s/%s" % (error_string_short, error_string_long)) |
| 190 |
|
| 191 |
- job_id = self.fields.get('job-id', 0) |
| 192 |
+ try: |
| 193 |
+ job_id = int(self.fields.get('job-id', 0)) |
| 194 |
+ except ValueError: |
| 195 |
+ job_id = 0 |
| 196 |
|
| 197 |
try: |
| 198 |
username = self.fields['username'] |
| 199 |
@@ -480,7 +501,10 @@ |
| 200 |
|
| 201 |
no_fwd = utils.to_bool(self.fields.get('no-fwd', '0')) |
| 202 |
log.debug("Username (jobid): %s (%d)" % (username, job_id)) |
| 203 |
- retry_timeout = self.fields.get('retry-timeout', 0) |
| 204 |
+ try: |
| 205 |
+ retry_timeout = int(self.fields.get('retry-timeout', 0)) |
| 206 |
+ except ValueError: |
| 207 |
+ retry_timeout = 0 |
| 208 |
user_alerts = alerts.get(username, {}) |
| 209 |
|
| 210 |
dup_event = False |