
Commit 88516bf

committed
CVE-2026-27447: The scheduler treated local user and group names as case-insensitive.
1 parent 4bcd4b4 commit 88516bf

1 file changed

Lines changed: 16 additions & 17 deletions


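--- a/scheduler/auth.c
+++ b/scheduler/auth.c
@@ -1,7 +1,7 @@
 /*
 * Authorization routines for the CUPS scheduler.
 *
-* Copyright © 2020-2025 by OpenPrinting.
+* Copyright © 2020-2026 by OpenPrinting.
 * Copyright © 2007-2019 by Apple Inc.
 * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
 *
@@ -1239,7 +1239,7 @@ cupsdCheckGroup(
 group = getgrnam(groupname);
 endgrent();
 
-if (group != NULL)
+if (user && group)
 {
 /*
 * Group exists, check it...
@@ -1253,7 +1253,7 @@ cupsdCheckGroup(
 * User appears in the group membership...
 */
 
-if (!_cups_strcasecmp(username, group->gr_mem[i]))
+if (!strcmp(user->pw_name, group->gr_mem[i]))
 return (1);
 }
 
@@ -1264,25 +1264,24 @@ cupsdCheckGroup(
 * belongs to...
 */
 
-if (user)
-{
-int ngroups; /* Number of groups */
+int ngroups; /* Number of groups */
 # ifdef __APPLE__
-int groups[2048]; /* Groups that user belongs to */
+int groups[2048]; /* Groups that user belongs to */
 # else
-gid_t groups[2048]; /* Groups that user belongs to */
+gid_t groups[2048]; /* Groups that user belongs to */
 # endif /* __APPLE__ */
 
-ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
+ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
 # ifdef __APPLE__
-getgrouplist(username, (int)user->pw_gid, groups, &ngroups);
+getgrouplist(user->pw_name, (int)user->pw_gid, groups, &ngroups);
 # else
-getgrouplist(username, user->pw_gid, groups, &ngroups);
+getgrouplist(user->pw_name, user->pw_gid, groups, &ngroups);
 #endif /* __APPLE__ */
 
-for (i = 0; i < ngroups; i ++)
-if ((int)groupid == (int)groups[i])
-return (1);
+for (i = 0; i < ngroups; i ++)
+{
+if ((int)groupid == (int)groups[i])
+return (1);
 }
 #endif /* HAVE_GETGROUPLIST */
 }
@@ -2005,8 +2004,8 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
 name;
 name = (char *)cupsArrayNext(best->names))
 {
-if (!_cups_strcasecmp(name, "@OWNER") && owner &&
-!_cups_strcasecmp(username, ownername))
+if (!_cups_strcasecmp(name, "@OWNER") && owner && pw &&
+!strcmp(pw->pw_name, ownername))
 return (HTTP_STATUS_OK);
 else if (!_cups_strcasecmp(name, "@SYSTEM"))
 {
@@ -2018,7 +2017,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
 if (cupsdCheckGroup(username, pw, name + 1))
 return (HTTP_STATUS_OK);
 }
-else if (!_cups_strcasecmp(username, name))
+else if (pw && !strcmp(pw->pw_name, name))
 return (HTTP_STATUS_OK);
 }
 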
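Review bot: The getgrouplist() calls in the third cupsdCheckGroup hunk still ignore the return value, so the loop `for (i = 0; i < ngroups; i ++)` trusts whatever count the call wrote back. On glibc, when the user belongs to more groups than the 2048-entry array holds, the call returns -1 and sets ngroups to the required count, so the loop would compare groupid against stack memory past groups[] and could return 1 from stale data (macOS behaviour should be confirmed separately). Clamp on failure in both #ifdef branches, e.g. `if (getgrouplist(user->pw_name, user->pw_gid, groups, &ngroups) < 0) ngroups = (int)(sizeof(groups) / sizeof(groups[0]));`. This predates the commit but sits on lines it rewrites; cupsdCheckGroup starts and ends outside the hunks shown, so the rest of the function is not covered here.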