pool/cups
SHA256
12
0
Fork 2
Code Issues Pull Requests Activity

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=20

Browse Source
This commit is contained in:
OBS User unknown
2007-11-13 20:45:43 +00:00
committed by Git OBS Bridge
parent 2a347dafe7
commit 806a60f85a
8 changed files with 771 additions and 160 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
cups-1.2-CVE_2007_4352.patch Normal file
View File

@@ -0,0 +1,16 @@
Index: cups-1.2.12/pdftops/Stream.cxx
===================================================================
--- cups-1.2.12.orig/pdftops/Stream.cxx
+++ cups-1.2.12/pdftops/Stream.cxx
@@ -3017,6 +3017,11 @@ GBool DCTStream::readScanInfo() {
}
scanInfo.firstCoeff = str->getChar();
scanInfo.lastCoeff = str->getChar();
+ if (scanInfo.firstCoeff < 0 || scanInfo.lastCoeff > 63 ||
+ scanInfo.firstCoeff > scanInfo.lastCoeff) {
+ error(getPos(), "Bad DCT coefficient numbers in scan info block");
+ return gFalse;
+ }
c = str->getChar();
scanInfo.ah = (c >> 4) & 0x0f;
scanInfo.al = c & 0x0f;

17
cups-1.2-CVE_2007_5392.patch Normal file
View File

@@ -0,0 +1,17 @@
Index: cups-1.2.12/pdftops/Stream.cxx
===================================================================
--- cups-1.2.12.orig/pdftops/Stream.cxx
+++ cups-1.2.12/pdftops/Stream.cxx
@@ -1956,6 +1956,12 @@ void DCTStream::reset() {
// allocate a buffer for the whole image
bufWidth = ((width + mcuWidth - 1) / mcuWidth) * mcuWidth;
bufHeight = ((height + mcuHeight - 1) / mcuHeight) * mcuHeight;
+ if (bufWidth <= 0 || bufHeight <= 0 ||
+ bufWidth > INT_MAX / bufWidth / (int)sizeof(int)) {
+ error(getPos(), "Invalid image size in DCT stream");
+ y = height;
+ return;
+ }
for (i = 0; i < numComps; ++i) {
frameBuf[i] = (int *)gmallocn(bufWidth * bufHeight, sizeof(int));
memset(frameBuf[i], 0, bufWidth * bufHeight * sizeof(int));

646
cups-1.2-CVE_2007_5393.patch Normal file
View File

@@ -0,0 +1,646 @@
Index: cups-1.2.12/pdftops/Stream.cxx
===================================================================
--- cups-1.2.12.orig/pdftops/Stream.cxx
+++ cups-1.2.12/pdftops/Stream.cxx
@@ -1266,6 +1266,7 @@ GBool RunLengthStream::fillBuf() {
// CCITTFaxStream
//------------------------------------------------------------------------
+#if 0
CCITTFaxStream::CCITTFaxStream(Stream *strA, int encodingA, GBool endOfLineA,
GBool byteAlignA, int columnsA, int rowsA,
GBool endOfBlockA, GBool blackA):
@@ -1770,6 +1771,609 @@ short CCITTFaxStream::lookBits(int n) {
}
return (inputBuf >> (inputBits - n)) & (0xffff >> (16 - n));
}
+#else // secfix
+CCITTFaxStream::CCITTFaxStream(Stream *strA, int encodingA, GBool endOfLineA,
+ GBool byteAlignA, int columnsA, int rowsA,
+ GBool endOfBlockA, GBool blackA):
+ FilterStream(strA) {
+ encoding = encodingA;
+ endOfLine = endOfLineA;
+ byteAlign = byteAlignA;
+ columns = columnsA;
+ if (columns < 1) {
+ columns = 1;
+ } else if (columns > (INT_MAX - 2)/sizeof(int)) {
+ columns = (INT_MAX - 2)/sizeof(int);
+ }
+ rows = rowsA;
+ endOfBlock = endOfBlockA;
+ black = blackA;
+ // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = columns
+ // ---> max codingLine size = columns + 1
+ // refLine has one extra guard entry at the end
+ // ---> max refLine size = columns + 2
+ codingLine = (int *)gmalloc((columns + 1) * sizeof(int));
+ refLine = (int *)gmalloc((columns + 2) * sizeof(int));
+
+ eof = gFalse;
+ row = 0;
+ nextLine2D = encoding < 0;
+ inputBits = 0;
+ codingLine[0] = columns;
+ a0i = 0;
+ outputBits = 0;
+
+ buf = EOF;
+}
+
+CCITTFaxStream::~CCITTFaxStream() {
+ delete str;
+ gfree(refLine);
+ gfree(codingLine);
+}
+
+void CCITTFaxStream::reset() {
+ short code1;
+
+ str->reset();
+ eof = gFalse;
+ row = 0;
+ nextLine2D = encoding < 0;
+ inputBits = 0;
+ codingLine[0] = columns;
+ a0i = 0;
+ outputBits = 0;
+ buf = EOF;
+
+ // skip any initial zero bits and end-of-line marker, and get the 2D
+ // encoding tag
+ while ((code1 = lookBits(12)) == 0) {
+ eatBits(1);
+ }
+ if (code1 == 0x001) {
+ eatBits(12);
+ }
+ if (encoding > 0) {
+ nextLine2D = !lookBits(1);
+ eatBits(1);
+ }
+}
+
+inline void CCITTFaxStream::addPixels(int a1, int blackPixels) {
+ if (a1 > codingLine[a0i]) {
+ if (a1 > columns) {
+ error(getPos(), "CCITTFax row is wrong length (%d)", a1);
+ err = gTrue;
+ a1 = columns;
+ }
+ if ((a0i & 1) ^ blackPixels) {
+ ++a0i;
+ }
+ codingLine[a0i] = a1;
+ }
+}
+
+inline void CCITTFaxStream::addPixelsNeg(int a1, int blackPixels) {
+ if (a1 > codingLine[a0i]) {
+ if (a1 > columns) {
+ error(getPos(), "CCITTFax row is wrong length (%d)", a1);
+ err = gTrue;
+ a1 = columns;
+ }
+ if ((a0i & 1) ^ blackPixels) {
+ ++a0i;
+ }
+ codingLine[a0i] = a1;
+ } else if (a1 < codingLine[a0i]) {
+ if (a1 < 0) {
+ error(getPos(), "Invalid CCITTFax code");
+ err = gTrue;
+ a1 = 0;
+ }
+ while (a0i > 0 && a1 <= codingLine[a0i - 1]) {
+ --a0i;
+ }
+ codingLine[a0i] = a1;
+ }
+}
+
+int CCITTFaxStream::lookChar() {
+ short code1, code2, code3;
+ int b1i, blackPixels, i, bits;
+ GBool gotEOL;
+
+ if (buf != EOF) {
+ return buf;
+ }
+
+ // read the next row
+ if (outputBits == 0) {
+
+ // if at eof just return EOF
+ if (eof) {
+ return EOF;
+ }
+
+ err = gFalse;
+
+ // 2-D encoding
+ if (nextLine2D) {
+ for (i = 0; codingLine[i] < columns; ++i) {
+ refLine[i] = codingLine[i];
+ }
+ refLine[i++] = columns;
+ refLine[i] = columns;
+ codingLine[0] = 0;
+ a0i = 0;
+ b1i = 0;
+ blackPixels = 0;
+ // invariant:
+ // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1]
+ // <= columns
+ // exception at left edge:
+ // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible
+ // exception at right edge:
+ // refLine[b1i] = refLine[b1i+1] = columns is possible
+ while (codingLine[a0i] < columns) {
+ code1 = getTwoDimCode();
+ switch (code1) {
+ case twoDimPass:
+ addPixels(refLine[b1i + 1], blackPixels);
+ if (refLine[b1i + 1] < columns) {
+ b1i += 2;
+ }
+ break;
+ case twoDimHoriz:
+ code1 = code2 = 0;
+ if (blackPixels) {
+ do {
+ code1 += code3 = getBlackCode();
+ } while (code3 >= 64);
+ do {
+ code2 += code3 = getWhiteCode();
+ } while (code3 >= 64);
+ } else {
+ do {
+ code1 += code3 = getWhiteCode();
+ } while (code3 >= 64);
+ do {
+ code2 += code3 = getBlackCode();
+ } while (code3 >= 64);
+ }
+ addPixels(codingLine[a0i] + code1, blackPixels);
+ if (codingLine[a0i] < columns) {
+ addPixels(codingLine[a0i] + code2, blackPixels ^ 1);
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
+ }
+ break;
+ case twoDimVertR3:
+ addPixels(refLine[b1i] + 3, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVertR2:
+ addPixels(refLine[b1i] + 2, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVertR1:
+ addPixels(refLine[b1i] + 1, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVert0:
+ addPixels(refLine[b1i], blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVertL3:
+ addPixelsNeg(refLine[b1i] - 3, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ if (b1i > 0) {
+ --b1i;
+ } else {
+ ++b1i;
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVertL2:
+ addPixelsNeg(refLine[b1i] - 2, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ if (b1i > 0) {
+ --b1i;
+ } else {
+ ++b1i;
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVertL1:
+ addPixelsNeg(refLine[b1i] - 1, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ if (b1i > 0) {
+ --b1i;
+ } else {
+ ++b1i;
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
+ }
+ }
+ break;
+ case EOF:
+ addPixels(columns, 0);
+ eof = gTrue;
+ break;
+ default:
+ error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1);
+ addPixels(columns, 0);
+ err = gTrue;
+ break;
+ }
+ }
+
+ // 1-D encoding
+ } else {
+ codingLine[0] = 0;
+ a0i = 0;
+ blackPixels = 0;
+ while (codingLine[a0i] < columns) {
+ code1 = 0;
+ if (blackPixels) {
+ do {
+ code1 += code3 = getBlackCode();
+ } while (code3 >= 64);
+ } else {
+ do {
+ code1 += code3 = getWhiteCode();
+ } while (code3 >= 64);
+ }
+ addPixels(codingLine[a0i] + code1, blackPixels);
+ blackPixels ^= 1;
+ }
+ }
+
+ // byte-align the row
+ if (byteAlign) {
+ inputBits &= ~7;
+ }
+
+ // check for end-of-line marker, skipping over any extra zero bits
+ gotEOL = gFalse;
+ if (!endOfBlock && row == rows - 1) {
+ eof = gTrue;
+ } else {
+ code1 = lookBits(12);
+ while (code1 == 0) {
+ eatBits(1);
+ code1 = lookBits(12);
+ }
+ if (code1 == 0x001) {
+ eatBits(12);
+ gotEOL = gTrue;
+ } else if (code1 == EOF) {
+ eof = gTrue;
+ }
+ }
+
+ // get 2D encoding tag
+ if (!eof && encoding > 0) {
+ nextLine2D = !lookBits(1);
+ eatBits(1);
+ }
+
+ // check for end-of-block marker
+ if (endOfBlock && gotEOL) {
+ code1 = lookBits(12);
+ if (code1 == 0x001) {
+ eatBits(12);
+ if (encoding > 0) {
+ lookBits(1);
+ eatBits(1);
+ }
+ if (encoding >= 0) {
+ for (i = 0; i < 4; ++i) {
+ code1 = lookBits(12);
+ if (code1 != 0x001) {
+ error(getPos(), "Bad RTC code in CCITTFax stream");
+ }
+ eatBits(12);
+ if (encoding > 0) {
+ lookBits(1);
+ eatBits(1);
+ }
+ }
+ }
+ eof = gTrue;
+ }
+
+ // look for an end-of-line marker after an error -- we only do
+ // this if we know the stream contains end-of-line markers because
+ // the "just plow on" technique tends to work better otherwise
+ } else if (err && endOfLine) {
+ while (1) {
+ code1 = lookBits(13);
+ if (code1 == EOF) {
+ eof = gTrue;
+ return EOF;
+ }
+ if ((code1 >> 1) == 0x001) {
+ break;
+ }
+ eatBits(1);
+ }
+ eatBits(12);
+ if (encoding > 0) {
+ eatBits(1);
+ nextLine2D = !(code1 & 1);
+ }
+ }
+
+ // set up for output
+ if (codingLine[0] > 0) {
+ outputBits = codingLine[a0i = 0];
+ } else {
+ outputBits = codingLine[a0i = 1];
+ }
+
+ ++row;
+ }
+
+ // get a byte
+ if (outputBits >= 8) {
+ buf = (a0i & 1) ? 0x00 : 0xff;
+ outputBits -= 8;
+ if (outputBits == 0 && codingLine[a0i] < columns) {
+ ++a0i;
+ outputBits = codingLine[a0i] - codingLine[a0i - 1];
+ }
+ } else {
+ bits = 8;
+ buf = 0;
+ do {
+ if (outputBits > bits) {
+ buf <<= bits;
+ if (!(a0i & 1)) {
+ buf |= 0xff >> (8 - bits);
+ }
+ outputBits -= bits;
+ bits = 0;
+ } else {
+ buf <<= outputBits;
+ if (!(a0i & 1)) {
+ buf |= 0xff >> (8 - outputBits);
+ }
+ bits -= outputBits;
+ outputBits = 0;
+ if (codingLine[a0i] < columns) {
+ ++a0i;
+ outputBits = codingLine[a0i] - codingLine[a0i - 1];
+ } else if (bits > 0) {
+ buf <<= bits;
+ bits = 0;
+ }
+ }
+ } while (bits);
+ }
+ if (black) {
+ buf ^= 0xff;
+ }
+ return buf;
+}
+
+short CCITTFaxStream::getTwoDimCode() {
+ short code;
+ CCITTCode *p;
+ int n;
+
+ code = 0; // make gcc happy
+ if (endOfBlock) {
+ code = lookBits(7);
+ p = &twoDimTab1[code];
+ if (p->bits > 0) {
+ eatBits(p->bits);
+ return p->n;
+ }
+ } else {
+ for (n = 1; n <= 7; ++n) {
+ code = lookBits(n);
+ if (n < 7) {
+ code <<= 7 - n;
+ }
+ p = &twoDimTab1[code];
+ if (p->bits == n) {
+ eatBits(n);
+ return p->n;
+ }
+ }
+ }
+ error(getPos(), "Bad two dim code (%04x) in CCITTFax stream", code);
+ return EOF;
+}
+
+short CCITTFaxStream::getWhiteCode() {
+ short code;
+ CCITTCode *p;
+ int n;
+
+ code = 0; // make gcc happy
+ if (endOfBlock) {
+ code = lookBits(12);
+ if (code == EOF) {
+ return 1;
+ }
+ if ((code >> 5) == 0) {
+ p = &whiteTab1[code];
+ } else {
+ p = &whiteTab2[code >> 3];
+ }
+ if (p->bits > 0) {
+ eatBits(p->bits);
+ return p->n;
+ }
+ } else {
+ for (n = 1; n <= 9; ++n) {
+ code = lookBits(n);
+ if (code == EOF) {
+ return 1;
+ }
+ if (n < 9) {
+ code <<= 9 - n;
+ }
+ p = &whiteTab2[code];
+ if (p->bits == n) {
+ eatBits(n);
+ return p->n;
+ }
+ }
+ for (n = 11; n <= 12; ++n) {
+ code = lookBits(n);
+ if (code == EOF) {
+ return 1;
+ }
+ if (n < 12) {
+ code <<= 12 - n;
+ }
+ p = &whiteTab1[code];
+ if (p->bits == n) {
+ eatBits(n);
+ return p->n;
+ }
+ }
+ }
+ error(getPos(), "Bad white code (%04x) in CCITTFax stream", code);
+ // eat a bit and return a positive number so that the caller doesn't
+ // go into an infinite loop
+ eatBits(1);
+ return 1;
+}
+
+short CCITTFaxStream::getBlackCode() {
+ short code;
+ CCITTCode *p;
+ int n;
+
+ code = 0; // make gcc happy
+ if (endOfBlock) {
+ code = lookBits(13);
+ if (code == EOF) {
+ return 1;
+ }
+ if ((code >> 7) == 0) {
+ p = &blackTab1[code];
+ } else if ((code >> 9) == 0 && (code >> 7) != 0) {
+ p = &blackTab2[(code >> 1) - 64];
+ } else {
+ p = &blackTab3[code >> 7];
+ }
+ if (p->bits > 0) {
+ eatBits(p->bits);
+ return p->n;
+ }
+ } else {
+ for (n = 2; n <= 6; ++n) {
+ code = lookBits(n);
+ if (code == EOF) {
+ return 1;
+ }
+ if (n < 6) {
+ code <<= 6 - n;
+ }
+ p = &blackTab3[code];
+ if (p->bits == n) {
+ eatBits(n);
+ return p->n;
+ }
+ }
+ for (n = 7; n <= 12; ++n) {
+ code = lookBits(n);
+ if (code == EOF) {
+ return 1;
+ }
+ if (n < 12) {
+ code <<= 12 - n;
+ }
+ if (code >= 64) {
+ p = &blackTab2[code - 64];
+ if (p->bits == n) {
+ eatBits(n);
+ return p->n;
+ }
+ }
+ }
+ for (n = 10; n <= 13; ++n) {
+ code = lookBits(n);
+ if (code == EOF) {
+ return 1;
+ }
+ if (n < 13) {
+ code <<= 13 - n;
+ }
+ p = &blackTab1[code];
+ if (p->bits == n) {
+ eatBits(n);
+ return p->n;
+ }
+ }
+ }
+ error(getPos(), "Bad black code (%04x) in CCITTFax stream", code);
+ // eat a bit and return a positive number so that the caller doesn't
+ // go into an infinite loop
+ eatBits(1);
+ return 1;
+}
+
+short CCITTFaxStream::lookBits(int n) {
+ int c;
+
+ while (inputBits < n) {
+ if ((c = str->getChar()) == EOF) {
+ if (inputBits == 0) {
+ return EOF;
+ }
+ // near the end of the stream, the caller may ask for more bits
+ // than are available, but there may still be a valid code in
+ // however many bits are available -- we need to return correct
+ // data in this case
+ return (inputBuf << (n - inputBits)) & (0xffff >> (16 - n));
+ }
+ inputBuf = (inputBuf << 8) + c;
+ inputBits += 8;
+ }
+ return (inputBuf >> (inputBits - n)) & (0xffff >> (16 - n));
+}
+
+#endif
GString *CCITTFaxStream::getPSFilter(int psLevel, char *indent) {
GString *s;
Index: cups-1.2.12/pdftops/Stream.h
===================================================================
--- cups-1.2.12.orig/pdftops/Stream.h
+++ cups-1.2.12/pdftops/Stream.h
@@ -519,13 +519,15 @@ private:
int row; // current row
int inputBuf; // input buffer
int inputBits; // number of bits in input buffer
- short *refLine; // reference line changing elements
- int b1; // index into refLine
- short *codingLine; // coding line changing elements
- int a0; // index into codingLine
+ int *codingLine; // coding line changing elements
+ int *refLine; // reference line changing elements
+ int a0i; // index into codingLine
+ GBool err; // error on current line
int outputBits; // remaining ouput bits
int buf; // character buffer
+ void addPixels(int a1, int black);
+ void addPixelsNeg(int a1, int black);
short getTwoDimCode();
short getWhiteCode();
short getBlackCode();

153
cups-1.3-ipp_length.patch
View File

@@ -1,153 +0,0 @@
Index: ipp.c
===================================================================
--- cups-1.3/cups/ipp.c (revision 7023)
+++ cups-1.3/cups/ipp.c (working copy)
@@ -1306,6 +1306,12 @@
{
case IPP_TAG_INTEGER :
case IPP_TAG_ENUM :
+ if (n != 4)
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
if ((*cb)(src, buffer, 4) < 4)
{
DEBUG_puts("ippReadIO: Unable to read integer value!");
@@ -1318,6 +1324,12 @@
value->integer = n;
break;
case IPP_TAG_BOOLEAN :
+ if (n != 1)
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
if ((*cb)(src, buffer, 1) < 1)
{
DEBUG_puts("ippReadIO: Unable to read boolean value!");
@@ -1335,6 +1347,12 @@
case IPP_TAG_CHARSET :
case IPP_TAG_LANGUAGE :
case IPP_TAG_MIMETYPE :
+ if (n >= sizeof(buffer))
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
if ((*cb)(src, buffer, n) < n)
{
DEBUG_puts("ippReadIO: unable to read name!");
@@ -1347,6 +1365,12 @@
value->string.text));
break;
case IPP_TAG_DATE :
+ if (n != 11)
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
if ((*cb)(src, value->date, 11) < 11)
{
DEBUG_puts("ippReadIO: Unable to date integer value!");
@@ -1354,6 +1378,12 @@
}
break;
case IPP_TAG_RESOLUTION :
+ if (n != 9)
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
if ((*cb)(src, buffer, 9) < 9)
{
DEBUG_puts("ippReadIO: Unable to read resolution value!");
@@ -1370,6 +1400,12 @@
(ipp_res_t)buffer[8];
break;
case IPP_TAG_RANGE :
+ if (n != 8)
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
if ((*cb)(src, buffer, 8) < 8)
{
DEBUG_puts("ippReadIO: Unable to read range value!");
@@ -1385,7 +1421,7 @@
break;
case IPP_TAG_TEXTLANG :
case IPP_TAG_NAMELANG :
- if (n > sizeof(buffer) || n < 4)
+ if (n >= sizeof(buffer) || n < 4)
{
DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
return (IPP_ERROR);
@@ -1411,22 +1447,27 @@
n = (bufptr[0] << 8) | bufptr[1];
- if (n >= sizeof(string))
+ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
+ n >= sizeof(string))
{
- memcpy(string, bufptr + 2, sizeof(string) - 1);
- string[sizeof(string) - 1] = '\0';
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
}
- else
- {
- memcpy(string, bufptr + 2, n);
- string[n] = '\0';
- }
+ memcpy(string, bufptr + 2, n);
+ string[n] = '\0';
+
value->string.charset = _cupsStrAlloc((char *)string);
bufptr += 2 + n;
n = (bufptr[0] << 8) | bufptr[1];
+ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
bufptr[2 + n] = '\0';
value->string.text = _cupsStrAlloc((char *)bufptr + 2);
break;
@@ -1468,6 +1509,12 @@
* we need to carry over...
*/
+ if (n >= sizeof(buffer))
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
if ((*cb)(src, buffer, n) < n)
{
DEBUG_puts("ippReadIO: Unable to read member name value!");
@@ -1489,6 +1536,12 @@
break;
default : /* Other unsupported values */
+ if (n > sizeof(buffer))
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
value->unknown.length = n;
if (n > 0)
{

3
cups-1.3.3-source.tar.bz2
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5e9e5670777055293e309cb0cbb2758df9c1275bf648df70478b7389c2d804de
size 4077262

3
cups-1.3.4-source.tar.bz2 Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:91581afc60aa0a6789b1c0373bc204d3b7deec5b608cc3cadc8c07d0ba749154
size 4082345

42
cups.changes
View File

@@ -1,3 +1,45 @@
-------------------------------------------------------------------
Wed Nov 7 12:05:41 CET 2007 - kssingvo@suse.de
- upgrade to version 1.3.4:
* Documentation updates
* CUPS now maps the "nb" locale to "no" on all platforms
* CUPS did not work with a Windows 2003 R2 KDC
* ippReadIO() could read past the end of a buffer
* The scheduler would crash on shutdown if it was unable to
create a Kerberos context.
* Multiple AuthTypes in cupsd.conf did not work
* The snmp.conf file referenced the wrong man page
* The cupsaddsmb program didn't handle domain sockets properly
* The scheduler now validates device URIs when adding printers.
* Updated httpSeparateURI() to support hostnames with the
backslash character.
* Updated the Japanese localization
* The parallel backend now gets the current IEEE-1284 device ID
string on Linux
* The IPP backend now checks the job status at variable
intervals (from 1 to 10 seconds) instead of every 10 seconds
for faster remote printing
* "lpr -p" and "lpr -l" did not work
* Compilation failed when a previous version of CUPS was
installed and was included in the SSL include path
* The scheduler did not reject requests with charsets other
than US-ASCII or UTF-8, and the CUPS API incorrectly passed
the locale charset to the scheduler instead of UTF-8
* cups-deviced did not filter out duplicate devices.
* The AppleTalk backend incorrectly added a scheme listing when
AppleTalk was disabled or no printers were found.
* The PostScript filter generated N^2 copies when the printer
supported collated copies and user requested reverse-order
output.
* The scheduler did not reprint all of the files in a job that
was held.
* The scheduler did not update the printcap file after removing
stale remote queues.
* The cupsd.conf man page incorrectly referenced "AuthType
Kerberos" instead of "AuthType Negotiate".
- fixes for xpdf CVE-2007-4352, CVE-2007-5393, CVE-2007-5392 (bugzilla#335637)
-------------------------------------------------------------------
Tue Oct 23 12:31:31 CEST 2007 - kssingvo@suse.de

51
cups.spec
View File

@@ -1,5 +1,5 @@
#
# spec file for package cups (Version 1.3.3)
# spec file for package cups (Version 1.3.4)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@@ -16,8 +16,8 @@ Url: http://www.cups.org/
License: GPL v2 or later
Group: Hardware/Printing
Summary: The Common UNIX Printing System
Version: 1.3.3
Release: 8
Version: 1.3.4
Release: 1
Requires: cups-libs = %{version}, cups-client = %{version}
Requires: ghostscript_any, ghostscript-fonts-std, foomatic-filters
Requires: util-linux
@@ -52,7 +52,9 @@ Patch14: cups-1.1.21-testppd_duplex.patch
Patch15: cups-1.2.11-testppd_filename.patch
Patch16: cups-1.2.5-desktop_file.patch
Patch17: cups-1.3.3-testppd_none.patch
Patch18: cups-1.3-ipp_length.patch
Patch18: cups-1.2-CVE_2007_4352.patch
Patch19: cups-1.2-CVE_2007_5392.patch
Patch20: cups-1.2-CVE_2007_5393.patch
Patch100: cups-1.1.23-testpage.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if %suse_version >= 801
@@ -146,6 +148,8 @@ Authors:
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
if [ -f /.buildenv ]; then
. /.buildenv
else
@@ -382,6 +386,45 @@ rm -rf $RPM_BUILD_ROOT/usr/share/locale/no
%{_libdir}/libcupsimage.so.*
%{_datadir}/locale/*/cups_*
%changelog
* Wed Nov 07 2007 - kssingvo@suse.de
- upgrade to version 1.3.4:
* Documentation updates
* CUPS now maps the "nb" locale to "no" on all platforms
* CUPS did not work with a Windows 2003 R2 KDC
* ippReadIO() could read past the end of a buffer
* The scheduler would crash on shutdown if it was unable to
create a Kerberos context.
* Multiple AuthTypes in cupsd.conf did not work
* The snmp.conf file referenced the wrong man page
* The cupsaddsmb program didn't handle domain sockets properly
* The scheduler now validates device URIs when adding printers.
* Updated httpSeparateURI() to support hostnames with the
backslash character.
* Updated the Japanese localization
* The parallel backend now gets the current IEEE-1284 device ID
string on Linux
* The IPP backend now checks the job status at variable
intervals (from 1 to 10 seconds) instead of every 10 seconds
for faster remote printing
* "lpr -p" and "lpr -l" did not work
* Compilation failed when a previous version of CUPS was
installed and was included in the SSL include path
* The scheduler did not reject requests with charsets other
than US-ASCII or UTF-8, and the CUPS API incorrectly passed
the locale charset to the scheduler instead of UTF-8
* cups-deviced did not filter out duplicate devices.
* The AppleTalk backend incorrectly added a scheme listing when
AppleTalk was disabled or no printers were found.
* The PostScript filter generated N^2 copies when the printer
supported collated copies and user requested reverse-order
output.
* The scheduler did not reprint all of the files in a job that
was held.
* The scheduler did not update the printcap file after removing
stale remote queues.
* The cupsd.conf man page incorrectly referenced "AuthType
Kerberos" instead of "AuthType Negotiate".
- fixes for xpdf CVE-2007-4352, CVE-2007-5393, CVE-2007-5392 (bugzilla#335637)
* Tue Oct 23 2007 - kssingvo@suse.de
- fix for IPP boundaries swamp-14294, CVE-2007-4351 (bugzilla#335635)
* Mon Oct 15 2007 - kssingvo@suse.de