OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=2

cups-1.2.6-xpdf_CVE_2007_0104.patch

@@ -0,0 +1,61 @@
+--- cups-1.2.7/pdftops/Catalog.cxx.orig	2005-09-17 16:52:15.000000000 +0200
++++ cups-1.2.7/pdftops/Catalog.cxx	2007-01-16 11:15:23.000000000 +0100
+@@ -23,6 +23,12 @@
+ #include "Link.h"
+ #include "Catalog.h"
+ 
++// This define is used to limit the depth of recursive readPageTree calls
++// This is needed because the page tree nodes can reference their parents
++// leaving us in an infinite loop
++// Most sane pdf documents don't have a call depth higher than 10
++#define MAX_CALL_DEPTH 1000
++
+ //------------------------------------------------------------------------
+ // Catalog
+ //------------------------------------------------------------------------
+@@ -71,7 +77,7 @@
+     pageRefs[i].num = -1;
+     pageRefs[i].gen = -1;
+   }
+-  numPages = readPageTree(pagesDict.getDict(), NULL, 0);
++  numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0);
+   if (numPages != numPages0) {
+     error(-1, "Page count in top-level pages object is incorrect");
+   }
+@@ -169,7 +175,7 @@
+   return s;
+ }
+ 
+-int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) {
++int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) {
+   Object kids;
+   Object kid;
+   Object kidRef;
+@@ -214,9 +220,13 @@
+     // This should really be isDict("Pages"), but I've seen at least one
+     // PDF file where the /Type entry is missing.
+     } else if (kid.isDict()) {
+-      if ((start = readPageTree(kid.getDict(), attrs1, start))
+-	  < 0)
+-	goto err2;
++      if (callDepth > MAX_CALL_DEPTH) {
++        error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH);
++      } else {
++        if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1))
++	    < 0)
++	  goto err2;
++      }
+     } else {
+       error(-1, "Kid object (page %d) is wrong type (%s)",
+ 	    start+1, kid.getTypeName());
+--- cups-1.2.7/pdftops/Catalog.h.orig	2005-09-17 16:52:15.000000000 +0200
++++ cups-1.2.7/pdftops/Catalog.h	2007-01-16 11:15:23.000000000 +0100
+@@ -85,7 +85,7 @@
+   Object acroForm;		// AcroForm dictionary
+   GBool ok;			// true if catalog is valid
+ 
+-  int readPageTree(Dict *pages, PageAttrs *attrs, int start);
++  int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth);
+   Object *findDestInTree(Object *tree, GString *name, Object *obj);
+ };
+ 

cups.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Jan 16 11:31:02 CET 2007 - kssingvo@suse.de
+
+- fix for xpdf bugzilla#233113, CVE-2007-0104, swamp-7887
+
 -------------------------------------------------------------------
 Wed Jan 10 11:32:34 CET 2007 - kssingvo@suse.de
 

cups.spec

@@ -17,7 +17,7 @@ License:        GNU General Public License (GPL)
 Group:          Hardware/Printing
 Summary:        The Common UNIX Printing System
 Version:        1.2.7
-Release:        11
+Release:        13
 Requires:       cups-libs = %{version}, cups-client = %{version}
 Requires:       ghostscript_any, ghostscript-fonts-std, foomatic-filters
 Requires:       util-linux, /usr/bin/ionice
@@ -51,6 +51,7 @@ Patch14:        cups-1.1.21-testppd_duplex.patch
 Patch15:        cups-1.2.2-testppd_filename.patch
 Patch16:        cups-1.2.5-desktop_file.patch
 Patch17:        cups-1.2.6-lppasswd_permission.patch
+Patch18:        cups-1.2.6-xpdf_CVE_2007_0104.patch
 Patch100:       cups-1.1.23-testpage.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if %suse_version >= 801
@@ -370,6 +371,8 @@ rm -rf $RPM_BUILD_ROOT/%{_mandir}/cat?
 %{_datadir}/locale/*/cups_*
 
 %changelog -n cups
+* Tue Jan 16 2007 - kssingvo@suse.de
+- fix for xpdf bugzilla#233113, CVE-2007-0104, swamp-7887
 * Wed Jan 10 2007 - kssingvo@suse.de
 - added Required-Start: to rccupsrenice (bugzilla#231675)
 * Fri Jan 05 2007 - sbrabec@suse.cz