From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Thu, 26 May 2022 06:27:04 +0200 Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes CVE-2022-26691) The previous algorithm didn't expect the strings can have a different length, so one string can be a substring of the other and such substring was reported as equal to the longer string. --- CHANGES.md | 1 + scheduler/cert.c | 9 ++++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index b254bc57c5..1fc8ab0ca6 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -4,6 +4,7 @@ CHANGES - OpenPrinting CUPS 2.4.1 - 2022-01-27 Changes in CUPS v2.4.2 (TBA) ---------------------------- +- Fixed certificate strings comparison for Local authorization (CVE-2022-26691) - The `cupsFileOpen` function no longer opens files for append in read-write mode (Issue #291) - The cupsd daemon removed processing temporary queue (Issue #364) diff --git a/scheduler/cert.c b/scheduler/cert.c index b268bf1b2d..9b65b96c9c 100644 --- a/scheduler/cert.c +++ b/scheduler/cert.c @@ -444,5 +444,12 @@ ctcompare(const char *a, /* I - First string */ b ++; } - return (result); + /* + * The while loop finishes when *a == '\0' or *b == '\0' + * so after the while loop either both *a and *b == '\0', + * or one points inside a string, so when we apply logical OR on *a, + * *b and result, we get a non-zero return value if the compared strings don't match. + */ + + return (result | *a | *b); }