OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=19

2007-11-03 15:14:52 +00:00 · 2007-11-03 15:14:52 +00:00 · 2a347dafe7
commit 2a347dafe7
parent bf58c9893e
3 changed files with 163 additions and 1 deletions
--- a/cups-1.3-ipp_length.patch
+++ b/cups-1.3-ipp_length.patch
@ -0,0 +1,153 @@
+Index: ipp.c
+===================================================================
+--- cups-1.3/cups/ipp.c	(revision 7023)
+++ cups-1.3/cups/ipp.c	(working copy)
+@@ -1306,6 +1306,12 @@
+ 	  {
+ 	    case IPP_TAG_INTEGER :
+ 	    case IPP_TAG_ENUM :
+		if (n != 4)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
+ 	        if ((*cb)(src, buffer, 4) < 4)
+ 		{
+ 	          DEBUG_puts("ippReadIO: Unable to read integer value!");
+@@ -1318,6 +1324,12 @@
+                 value->integer = n;
+ 	        break;
+ 	    case IPP_TAG_BOOLEAN :
+		if (n != 1)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
+ 	        if ((*cb)(src, buffer, 1) < 1)
+ 		{
+ 	          DEBUG_puts("ippReadIO: Unable to read boolean value!");
+@@ -1335,6 +1347,12 @@
+ 	    case IPP_TAG_CHARSET :
+ 	    case IPP_TAG_LANGUAGE :
+ 	    case IPP_TAG_MIMETYPE :
+		if (n >= sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
+ 		if ((*cb)(src, buffer, n) < n)
+ 		{
+ 		  DEBUG_puts("ippReadIO: unable to read name!");
+@@ -1347,6 +1365,12 @@
+ 		              value->string.text));
+ 	        break;
+ 	    case IPP_TAG_DATE :
+		if (n != 11)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
+ 	        if ((*cb)(src, value->date, 11) < 11)
+ 		{
+ 	          DEBUG_puts("ippReadIO: Unable to date integer value!");
+@@ -1354,6 +1378,12 @@
+ 		}
+ 	        break;
+ 	    case IPP_TAG_RESOLUTION :
+		if (n != 9)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
+ 	        if ((*cb)(src, buffer, 9) < 9)
+ 		{
+ 	          DEBUG_puts("ippReadIO: Unable to read resolution value!");
+@@ -1370,6 +1400,12 @@
+ 		    (ipp_res_t)buffer[8];
+ 	        break;
+ 	    case IPP_TAG_RANGE :
+		if (n != 8)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
+ 	        if ((*cb)(src, buffer, 8) < 8)
+ 		{
+ 	          DEBUG_puts("ippReadIO: Unable to read range value!");
+@@ -1385,7 +1421,7 @@
+ 	        break;
+ 	    case IPP_TAG_TEXTLANG :
+ 	    case IPP_TAG_NAMELANG :
+-	        if (n > sizeof(buffer) || n < 4)
+	        if (n >= sizeof(buffer) || n < 4)
+ 		{
+ 		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ 		  return (IPP_ERROR);
+@@ -1411,22 +1447,27 @@
+ 
+ 		n = (bufptr[0] << 8) | bufptr[1];
+ 
+-                if (n >= sizeof(string))
+		if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
+		    n >= sizeof(string))
+ 		{
+-		  memcpy(string, bufptr + 2, sizeof(string) - 1);
+-		  string[sizeof(string) - 1] = '\0';
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+ 		}
+-		else
+-		{
+-		  memcpy(string, bufptr + 2, n);
+-		  string[n] = '\0';
+-                }
+ 
+		memcpy(string, bufptr + 2, n);
+		string[n] = '\0';
+
+ 		value->string.charset = _cupsStrAlloc((char *)string);
+ 
+                 bufptr += 2 + n;
+ 		n = (bufptr[0] << 8) | bufptr[1];
+ 
+		if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
+ 		bufptr[2 + n] = '\0';
+                 value->string.text = _cupsStrAlloc((char *)bufptr + 2);
+ 	        break;
+@@ -1468,6 +1509,12 @@
+ 		* we need to carry over...
+ 		*/
+ 
+		if (n >= sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
+ 	        if ((*cb)(src, buffer, n) < n)
+ 		{
+ 	          DEBUG_puts("ippReadIO: Unable to read member name value!");
+@@ -1489,6 +1536,12 @@
+ 		break;
+ 
+             default : /* Other unsupported values */
+		if (n > sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
+                 value->unknown.length = n;
+ 	        if (n > 0)
+ 		{
--- a/cups.changes
+++ b/cups.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Oct 23 12:31:31 CEST 2007 - kssingvo@suse.de
+
+- fix for IPP boundaries swamp-14294, CVE-2007-4351 (bugzilla#335635)
+
 -------------------------------------------------------------------
 Mon Oct 15 19:40:33 CEST 2007 - kssingvo@suse.de

--- a/cups.spec
+++ b/cups.spec
@ -17,7 +17,7 @@ License:        GPL v2 or later
 Group:          Hardware/Printing
 Summary:        The Common UNIX Printing System
 Version:        1.3.3
-Release:        1
+Release:        8
 Requires:       cups-libs = %{version}, cups-client = %{version}
 Requires:       ghostscript_any, ghostscript-fonts-std, foomatic-filters
 Requires:       util-linux
@ -52,6 +52,7 @@ Patch14:        cups-1.1.21-testppd_duplex.patch
 Patch15:        cups-1.2.11-testppd_filename.patch
 Patch16:        cups-1.2.5-desktop_file.patch
 Patch17:        cups-1.3.3-testppd_none.patch
+Patch18:        cups-1.3-ipp_length.patch
 Patch100:       cups-1.1.23-testpage.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if %suse_version >= 801
@ -144,6 +145,7 @@ Authors:
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
 if [ -f /.buildenv ]; then
 	. /.buildenv
 else
@ -380,6 +382,8 @@ rm -rf $RPM_BUILD_ROOT/usr/share/locale/no
 %{_libdir}/libcupsimage.so.*
 %{_datadir}/locale/*/cups_*
 %changelog
+* Tue Oct 23 2007 - kssingvo@suse.de
+- fix for IPP boundaries swamp-14294, CVE-2007-4351 (bugzilla#335635)
 * Mon Oct 15 2007 - kssingvo@suse.de
 - upgrade to version 1.3.3. Main features to 1.2.x:
  * Networking