From 67bca8bef80ee05a5e6a18c5d41f622a002f1719c1694a28d59253fe8793b0ff Mon Sep 17 00:00:00 2001
From: Johannes Meixner
Date: Tue, 2 Feb 2021 13:43:11 +0000
Subject: [PATCH] Accepting request 868665 from home:jsmeix:branches:Printing CUPS security fix CVE-2020-10001 (bsc#1180520)
OBS-URL: https://build.opensuse.org/request/show/868665
OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=365
---
 CVE-2020-10001.patch | 38 ++++++++++++++++++++++++++++++++++++++
 cups.changes | 6 ++++++
 cups.spec | 8 +++++++-
 3 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-10001.patch
diff --git a/CVE-2020-10001.patch b/CVE-2020-10001.patch
new file mode 100644
index 0000000..b75ad18
--- /dev/null
+++ b/CVE-2020-10001.patch
@@ -0,0 +1,38 @@
+--- cups/ipp.c.orig 2021-01-11 10:53:43.080847679 +0100
++++ cups/ipp.c 2021-01-11 12:03:56.010423238 +0100
+@@ -2965,7 +2965,8 @@ ippReadIO(void *src, /* I - Data
+ unsigned char *buffer, /* Data buffer */
+ string[IPP_MAX_TEXT],
+ /* Small string buffer */
+- *bufptr; /* Pointer into buffer */
++ *bufptr, /* Pointer into buffer */
++ *bufend; /* End of buffer */
+ ipp_attribute_t *attr; /* Current attribute */
+ ipp_tag_t tag; /* Current tag */
+ ipp_tag_t value_tag; /* Current value tag */
+@@ -3524,6 +3525,7 @@ ippReadIO(void *src, /* I - Data
+ }
+
+ bufptr = buffer;
++ bufend = buffer + n;
+
+ /*
+ * text-with-language and name-with-language are composite
+@@ -3537,7 +3539,7 @@ ippReadIO(void *src, /* I - Data
+
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
++ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ _("IPP language length overflows value."), 1);
+@@ -3564,7 +3566,7 @@ ippReadIO(void *src, /* I - Data
+ bufptr += 2 + n;
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
++ if ((bufptr + 2 + n) > bufend)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ _("IPP string length overflows value."), 1);
diff --git a/cups.changes b/cups.changes
index 6093d25..42c390e 100644
--- a/cups.changes
+++ b/cups.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Feb 2 14:22:38 CET 2021 - jsmeix@suse.de
+
+- CVE-2020-10001.patch fixes CVE-2020-10001 (bsc#1180520)
+ access to uninitialized buffer in ipp.c
+
 -------------------------------------------------------------------
 Wed Oct 14 09:11:00 UTC 2020 - Michael Gorse
diff --git a/cups.spec b/cups.spec
index 9cbd323..4d48a03 100644
--- a/cups.spec
+++ b/cups.spec
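Review bot: Both new bounds checks in the embedded cups/ipp.c patch still build the candidate end pointer before comparing it (`(bufptr + 2 + n + 2) > bufend` and `(bufptr + 2 + n) > bufend`), while `n` is assembled from two bytes of the received value, so the sum can land well past the end of the buffer; forming a pointer more than one element past an object is undefined behaviour in C, and an optimising compiler may assume it never happens. Comparing lengths instead keeps the same accept/reject decisions without that dependency: `if (n >= (int)sizeof(string) || n > (bufend - bufptr) - 4)` for the language length and `if (n > (bufend - bufptr) - 2)` for the text length. A one-line comment on `bufend = buffer + n;` would also help, stating that `n` at that point is presumably the length of the value just read into `buffer` and is overwritten with the language length a few lines below. Only fragments of ippReadIO are visible in these hunks, so whether the value length is verified to be at least 4 bytes before `bufptr[0]` and `bufptr[1]` are read cannot be seen here and should be confirmed against the full function.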
@@ -1,7 +1,7 @@
 #
 # spec file for package cups
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -75,6 +75,9 @@ Patch101: cups-2.0.3-additional_policies.patch
 Patch103: cups-1.4-do_not_strip_recommended_from_PPDs.patch
 # Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
 Patch104: cups-config-libs.patch
+# Patch105 CVE-2020-10001.patch fixes CVE-2020-10001 (bsc#1180520)
+# access to uninitialized buffer in ipp.c
+Patch105: CVE-2020-10001.patch
 # Build Requirements:
 BuildRequires: dbus-1-devel
 BuildRequires: fdupes
@@ -296,6 +299,9 @@ printer drivers for CUPS.
 %patch103 -b do_not_strip_recommended_from_PPDs.orig
 # Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
 %patch104 -b cups-config-libs.orig
+# Patch105 CVE-2020-10001.patch fixes CVE-2020-10001 (bsc#1180520)
+# access to uninitialized buffer in ipp.c
+%patch105 -b CVE-2020-10001.orig
 %build
 # Remove ".SILENT" rule for verbose build output