Accepting request 868667 from Printing

CUPS security fix CVE-2020-10001 (bsc#1180520) (forwarded request 868665 from jsmeix)

OBS-URL: https://build.opensuse.org/request/show/868667
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=152

CVE-2020-10001.patch

@@ -0,0 +1,38 @@
+--- cups/ipp.c.orig	2021-01-11 10:53:43.080847679 +0100
++++ cups/ipp.c	2021-01-11 12:03:56.010423238 +0100
+@@ -2965,7 +2965,8 @@ ippReadIO(void       *src,		/* I - Data
+   unsigned char		*buffer,	/* Data buffer */
+ 			string[IPP_MAX_TEXT],
+ 					/* Small string buffer */
+-			*bufptr;	/* Pointer into buffer */
++			*bufptr,	/* Pointer into buffer */
++			*bufend;	/* End of buffer */
+   ipp_attribute_t	*attr;		/* Current attribute */
+   ipp_tag_t		tag;		/* Current tag */
+   ipp_tag_t		value_tag;	/* Current value tag */
+@@ -3524,6 +3525,7 @@ ippReadIO(void       *src,		/* I - Data
+ 		}
+ 
+                 bufptr = buffer;
++                bufend = buffer + n;
+ 
+ 	       /*
+ 	        * text-with-language and name-with-language are composite
+@@ -3537,7 +3539,7 @@ ippReadIO(void       *src,		/* I - Data
+ 
+ 		n = (bufptr[0] << 8) | bufptr[1];
+ 
+-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
++		if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+ 		{
+ 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ 		                _("IPP language length overflows value."), 1);
+@@ -3564,7 +3566,7 @@ ippReadIO(void       *src,		/* I - Data
+                 bufptr += 2 + n;
+ 		n = (bufptr[0] << 8) | bufptr[1];
+ 
+-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
++		if ((bufptr + 2 + n) > bufend)
+ 		{
+ 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ 		                _("IPP string length overflows value."), 1);

cups.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Feb  2 14:22:38 CET 2021 - jsmeix@suse.de
+
+- CVE-2020-10001.patch fixes CVE-2020-10001 (bsc#1180520)
+  access to uninitialized buffer in ipp.c
+
 -------------------------------------------------------------------
 Wed Oct 14 09:11:00 UTC 2020 - Michael Gorse <mgorse@suse.com>
 

cups.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package cups
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -75,6 +75,9 @@ Patch101:       cups-2.0.3-additional_policies.patch
 Patch103:       cups-1.4-do_not_strip_recommended_from_PPDs.patch
 # Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
 Patch104:       cups-config-libs.patch
+# Patch105 CVE-2020-10001.patch fixes CVE-2020-10001 (bsc#1180520)
+# access to uninitialized buffer in ipp.c
+Patch105:       CVE-2020-10001.patch
 # Build Requirements:
 BuildRequires:  dbus-1-devel
 BuildRequires:  fdupes
@@ -296,6 +299,9 @@ printer drivers for CUPS.
 %patch103 -b do_not_strip_recommended_from_PPDs.orig
 # Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
 %patch104 -b cups-config-libs.orig
+# Patch105 CVE-2020-10001.patch fixes CVE-2020-10001 (bsc#1180520)
+# access to uninitialized buffer in ipp.c
+%patch105 -b CVE-2020-10001.orig
 
 %build
 # Remove ".SILENT" rule for verbose build output