parent
bf58c9893e
commit
2a347dafe7
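--- a/cups-1.3-ipp_length.patch
+++ b/cups-1.3-ipp_length.patch
@@ -0,0 +1,153 @@
+Index: ipp.c
+===================================================================
+--- cups-1.3/cups/ipp.c (revision 7023)
++++ cups-1.3/cups/ipp.c (working copy)
+@@ -1306,6 +1306,12 @@
+{
+case IPP_TAG_INTEGER :
+case IPP_TAG_ENUM :
++ if (n != 4)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+if ((*cb)(src, buffer, 4) < 4)
+{
+DEBUG_puts("ippReadIO: Unable to read integer value!");
+@@ -1318,6 +1324,12 @@
+value->integer = n;
+break;
+case IPP_TAG_BOOLEAN :
++ if (n != 1)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+if ((*cb)(src, buffer, 1) < 1)
+{
+DEBUG_puts("ippReadIO: Unable to read boolean value!");
+@@ -1335,6 +1347,12 @@
+case IPP_TAG_CHARSET :
+case IPP_TAG_LANGUAGE :
+case IPP_TAG_MIMETYPE :
++ if (n >= sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+if ((*cb)(src, buffer, n) < n)
+{
+DEBUG_puts("ippReadIO: unable to read name!");
+@@ -1347,6 +1365,12 @@
+value->string.text));
+break;
+case IPP_TAG_DATE :
++ if (n != 11)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+if ((*cb)(src, value->date, 11) < 11)
+{
+DEBUG_puts("ippReadIO: Unable to date integer value!");
+@@ -1354,6 +1378,12 @@
+}
+break;
+case IPP_TAG_RESOLUTION :
++ if (n != 9)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+if ((*cb)(src, buffer, 9) < 9)
+{
+DEBUG_puts("ippReadIO: Unable to read resolution value!");
+@@ -1370,6 +1400,12 @@
+(ipp_res_t)buffer[8];
+break;
+case IPP_TAG_RANGE :
++ if (n != 8)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+if ((*cb)(src, buffer, 8) < 8)
+{
+DEBUG_puts("ippReadIO: Unable to read range value!");
+@@ -1385,7 +1421,7 @@
+break;
+case IPP_TAG_TEXTLANG :
+case IPP_TAG_NAMELANG :
+- if (n > sizeof(buffer) || n < 4)
++ if (n >= sizeof(buffer) || n < 4)
+{
+DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+return (IPP_ERROR);
+@@ -1411,22 +1447,27 @@
+
+n = (bufptr[0] << 8) | bufptr[1];
+
+- if (n >= sizeof(string))
++ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
++ n >= sizeof(string))
+{
+- memcpy(string, bufptr + 2, sizeof(string) - 1);
+- string[sizeof(string) - 1] = '\0';
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
+}
+- else
+- {
+- memcpy(string, bufptr + 2, n);
+- string[n] = '\0';
+- }
+
++ memcpy(string, bufptr + 2, n);
++ string[n] = '\0';
++
+value->string.charset = _cupsStrAlloc((char *)string);
+
+bufptr += 2 + n;
+n = (bufptr[0] << 8) | bufptr[1];
+
++ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+bufptr[2 + n] = '\0';
+value->string.text = _cupsStrAlloc((char *)bufptr + 2);
+break;
+@@ -1468,6 +1509,12 @@
+* we need to carry over...
+*/
+
++ if (n >= sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+if ((*cb)(src, buffer, n) < n)
+{
+DEBUG_puts("ippReadIO: Unable to read member name value!");
+@@ -1489,6 +1536,12 @@
+break;
+
+default : /* Other unsupported values */
++ if (n > sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+value->unknown.length = n;
+if (n > 0)
+{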
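Review bot: In the `IPP_TAG_TEXTLANG` / `IPP_TAG_NAMELANG` hunk of the added patch, the two new sub-length checks `(bufptr + 2 + n) >= (buffer + sizeof(buffer))` bound the embedded charset and text lengths by the capacity of `buffer`, not by the number of bytes the value actually carried, so a sub-length larger than the received value still passes and `memcpy(string, bufptr + 2, n)` would pick up whatever earlier reads left in `buffer`. Because `n = (bufptr[0] << 8) | bufptr[1];` overwrites the value length, it would need saving first (for example in a local such as `vallen`, a name made up here) with the checks written against `buffer + vallen`. The second two-byte length read after `bufptr += 2 + n;` is also not guarded on its own; whether it can reach the last byte of `buffer` depends on `sizeof(string)`, which is declared outside the hunks. Separately, the `default :` case tests `n > sizeof(buffer)` where every other added check uses `>=`; if that is deliberate, a comment such as `/* value is not read into buffer here, so n == sizeof(buffer) is allowed */` would say so (to be confirmed against the code after the hunk). All of these cases sit inside a switch whose start and end are outside the hunks.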
@ -1,3 +1,8 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 23 12:31:31 CEST 2007 - kssingvo@suse.de
|
||||
|
||||
- fix for IPP boundaries swamp-14294, CVE-2007-4351 (bugzilla#335635)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 15 19:40:33 CEST 2007 - kssingvo@suse.de
|
||||
|
||||
|
@ -17,7 +17,7 @@ License: GPL v2 or later
|
||||
Group: Hardware/Printing
|
||||
Summary: The Common UNIX Printing System
|
||||
Version: 1.3.3
|
||||
Release: 1
|
||||
Release: 8
|
||||
Requires: cups-libs = %{version}, cups-client = %{version}
|
||||
Requires: ghostscript_any, ghostscript-fonts-std, foomatic-filters
|
||||
Requires: util-linux
|
||||
@ -52,6 +52,7 @@ Patch14: cups-1.1.21-testppd_duplex.patch
|
||||
Patch15: cups-1.2.11-testppd_filename.patch
|
||||
Patch16: cups-1.2.5-desktop_file.patch
|
||||
Patch17: cups-1.3.3-testppd_none.patch
|
||||
Patch18: cups-1.3-ipp_length.patch
|
||||
Patch100: cups-1.1.23-testpage.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
%if %suse_version >= 801
|
||||
@ -144,6 +145,7 @@ Authors:
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
if [ -f /.buildenv ]; then
|
||||
. /.buildenv
|
||||
else
|
||||
@ -380,6 +382,8 @@ rm -rf $RPM_BUILD_ROOT/usr/share/locale/no
|
||||
%{_libdir}/libcupsimage.so.*
|
||||
%{_datadir}/locale/*/cups_*
|
||||
%changelog
|
||||
* Tue Oct 23 2007 - kssingvo@suse.de
|
||||
- fix for IPP boundaries swamp-14294, CVE-2007-4351 (bugzilla#335635)
|
||||
* Mon Oct 15 2007 - kssingvo@suse.de
|
||||
- upgrade to version 1.3.3. Main features to 1.2.x:
|
||||
* Networking
|
||||
|