From de1d0c196179120260c80f8a81ad1f961172c4ead1107adb0e53d0e8ff7ebebd Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Fri, 28 Nov 2008 15:23:12 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=52
---
cups-1.3.9-filter_png_overflow2.patch | 20 ++++++++++ cups-1.3.9-hpgltops2.patch | 54 +++++++++++++++++++++++++++ cups.changes | 11 ++++++ cups.spec | 13 ++++++- 4 files changed, 96 insertions(+), 2 deletions(-) create mode 100644 cups-1.3.9-filter_png_overflow2.patch create mode 100644 cups-1.3.9-hpgltops2.patch
diff --git a/cups-1.3.9-filter_png_overflow2.patch b/cups-1.3.9-filter_png_overflow2.patch
new file mode 100644
index 0000000..8214529
--- /dev/null
+++ b/cups-1.3.9-filter_png_overflow2.patch
@@ -0,0 +1,20 @@
+--- cups-1.3.9/filter/image-png.c.orig 2008-07-12 00:48:49.000000000 +0200
++++ cups-1.3.9/filter/image-png.c 2008-11-25 16:38:13.000000000 +0100
+@@ -178,7 +178,7 @@ _cupsImageReadPNG(
+ {
+ bufsize = img->xsize * img->ysize;
+
+- if ((bufsize / img->ysize) != img->xsize)
++ if ((bufsize / img->xsize) != img->ysize)
+ {
+ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+ (unsigned)width, (unsigned)height);
+@@ -190,7 +190,7 @@ _cupsImageReadPNG(
+ {
+ bufsize = img->xsize * img->ysize * 3;
+
+- if ((bufsize / (img->ysize * 3)) != img->xsize)
++ if ((bufsize / (img->xsize * 3)) != img->ysize)
+ {
+ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+ (unsigned)width, (unsigned)height);
diff --git a/cups-1.3.9-hpgltops2.patch b/cups-1.3.9-hpgltops2.patch
new file mode 100644
index 0000000..7e784d8
--- /dev/null
+++ b/cups-1.3.9-hpgltops2.patch
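Review bot: In the RGB branch (inner hunk at -190) the new test divides by `img->xsize * 3`, a product that can itself wrap, so a wrapped `bufsize` can still satisfy the comparison for some dimension pairs; the grey branch at -178 has no such intermediate product. Checking the bound before multiplying avoids relying on already-wrapped values, e.g. `if (img->xsize == 0 || img->ysize > BUFSIZE_MAX / 3 / img->xsize)`, where BUFSIZE_MAX is a placeholder for the maximum of bufsize's type, whose declaration is outside the hunk. Both new divisions also assume `img->xsize` is non-zero; any earlier rejection of zero or oversized dimensions is not visible here and should be confirmed. _cupsImageReadPNG's body starts and ends outside the hunk.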
@@ -0,0 +1,54 @@
+--- cups-1.3.9/filter/hpgl-attr.c.orig 2008-10-09 22:12:03.000000000 +0200
++++ cups-1.3.9/filter/hpgl-attr.c 2008-11-25 16:40:42.000000000 +0100
+@@ -214,7 +214,7 @@ NP_number_pens(int num_params, /* I
+ "DEBUG: HP-GL/2 \'NP\' command with invalid number of "
+ "parameters (%d)!\n", num_params);
+
+- for (i = 0; i <= PenCount; i ++)
++ for (i = 0; i < PenCount; i ++)
+ Pens[i].width = PenWidth;
+
+ PC_pen_color(0, NULL);
+@@ -232,14 +232,14 @@ PC_pen_color(int num_params, /* I -
+ int i; /* Looping var */
+ static float standard_colors[8][3] = /* Standard colors for first 8 pens */
+ {
+- { 1.0, 1.0, 1.0 }, /* White */
+ { 0.0, 0.0, 0.0 }, /* Black */
+ { 1.0, 0.0, 0.0 }, /* Red */
+ { 0.0, 1.0, 0.0 }, /* Green */
+ { 1.0, 1.0, 0.0 }, /* Yellow */
+ { 0.0, 0.0, 1.0 }, /* Blue */
+ { 1.0, 0.0, 1.0 }, /* Magenta */
+- { 0.0, 1.0, 1.0 } /* Cyan */
++ { 0.0, 1.0, 1.0 }, /* Cyan */
++ { 1.0, 1.0, 1.0 } /* White */
+ };
+
+
+--- cups-1.3.9/filter/hpgl-vector.c.orig 2008-07-12 00:48:49.000000000 +0200
++++ cups-1.3.9/filter/hpgl-vector.c 2008-11-25 16:40:42.000000000 +0100
+@@ -393,13 +393,20 @@ PE_polyline_encoded(int num_params,
+ break;
+ case ':' : /* Select pen */
+ s ++;
+- PenNumber = (int)decode_number(&s, base_bits, 1.0);
++ temp = (int)decode_number(&s, base_bits, 1.0) - 1;
++ if (temp < 0 || temp >= PenCount)
++ {
++ fprintf(stderr, "DEBUG: Bad pen number %d in PE\n", temp + 1);
++ return;
++ }
++
++ PenNumber = temp;
+
+ #ifdef DEBUG
+- fprintf(stderr, "DEBUG: set pen #%d\n", PenNumber);
++ fprintf(stderr, "DEBUG: set pen #%d\n", PenNumber + 1);
+ #endif /* DEBUG */
+
+- Outputf("%% PE: set pen #%d\n", PenNumber);
++ Outputf("%% PE: set pen #%d\n", PenNumber + 1);
+
+ if (PageDirty)
+ printf("%.3f %.3f %.3f %.2f SP\n", Pens[PenNumber].rgb[0],
diff --git a/cups.changes b/cups.changes
index 98e8f7f..77c8236 100644
--- a/cups.changes
+++ b/cups.changes
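Review bot: In the `':'` case of PE_polyline_encoded the new range check runs only after `(int)decode_number(&s, base_bits, 1.0)`; decode_number's return type is not visible, but if it is floating point, an out-of-range or NaN value makes that conversion undefined before `temp < 0 || temp >= PenCount` is evaluated. Validating in the returned type first keeps the check meaningful: `double pen = decode_number(&s, base_bits, 1.0);` (using decode_number's own return type), then `if (!(pen >= 1.0 && pen <= PenCount))` for the rejection and `PenNumber = (int)pen - 1;` afterwards. The check also relies on PenCount never exceeding the size of `Pens[]`, which is set outside these hunks and should be confirmed. A short comment such as `/* PenNumber is the 0-based index into Pens[]; HP-GL/2 pen numbers are 1-based */` would record why the messages print `PenNumber + 1` and, presumably, why White moved to the end of `standard_colors`. The function body starts and ends outside the hunk.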
@@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Fri Nov 28 16:09:12 CET 2008 - kssingvo@suse.de + +- fixed permission of snmp.conf (bnc#449570) + +------------------------------------------------------------------- +Tue Nov 25 16:50:12 CET 2008 - kssingvo@suse.de + +- fix for png size validation CVE-2008-??? (bnc#448631) +- correction for hpgl pen selection fix CVE-2008-3641 (bnc#430543) + ------------------------------------------------------------------- Thu Nov 20 15:05:36 CET 2008 - kssingvo@suse.de diff --git a/cups.spec b/cups.spec index a55f28f..441d8a8 100644 --- a/cups.spec +++ b/cups.spec @@ -30,7 +30,7 @@ License: GPL v2 or later Group: Hardware/Printing Summary: The Common UNIX Printing System Version: 1.3.9 -Release: 5 +Release: 6 Requires: cups-libs = %{version}, cups-client = %{version} Requires: ghostscript_any, ghostscript-fonts-std, foomatic-filters Requires: util-linux /usr/bin/pdftops @@ -83,6 +83,8 @@ Patch21: cups-1.3.7-lppasswd_fixperm.patch Patch22: cups-1.3.7-additional_policies.patch Patch23: cups-1.3.9-cupstestppd.patch Patch24: cups-1.3.9-max_subscription.patch +Patch25: cups-1.3.9-filter_png_overflow2.patch +Patch26: cups-1.3.9-hpgltops2.patch Patch100: cups-1.1.23-testpage.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -194,6 +196,8 @@ mv pdftops pdftos.use_filter_pdftops_c %patch22 -p1 %patch23 -p1 %patch24 -p1 +%patch25 -p1 +%patch26 -p1 if [ -f /.buildenv ]; then . /.buildenv test -z "$BUILD_DISTRIBUTION_NAME" && BUILD_DISTRIBUTION_NAME="%{?distribution}" 
@@ -359,12 +363,12 @@ rm -rf $RPM_BUILD_ROOT/usr/share/locale/no %dir %attr(700,root,lp) %{_sysconfdir}/cups/ssl %dir %attr(755,root,lp) %{_sysconfdir}/cups/ppd %config(noreplace) %attr(640,root,lp) %{_sysconfdir}/cups/cupsd.conf +%config(noreplace) %attr(640,root,lp) %{_sysconfdir}/cups/snmp.conf %{_sysconfdir}/cups/cupsd.conf.default %{_sysconfdir}/dbus-1/system.d/cups.conf %config(noreplace) %attr(755,lp,lp) %{_sysconfdir}/cups/interfaces %config(noreplace) %{_sysconfdir}/cups/mime.* %config(noreplace) %{_sysconfdir}/xinetd.d/cups-lpd -%config(noreplace) %{_sysconfdir}/cups/snmp.conf %{_bindir}/poll_ppd_base %{_bindir}/cupstestppd %{_bindir}/cupstestdsc @@ -447,6 +451,11 @@ rm -rf $RPM_BUILD_ROOT/usr/share/locale/no %{_datadir}/locale/*/cups_* %changelog +* Fri Nov 28 2008 kssingvo@suse.de +- fixed permission of snmp.conf (bnc#449570) +* Tue Nov 25 2008 kssingvo@suse.de +- fix for png size validation CVE-2008-??? (bnc#448631) +- correction for hpgl pen selection fix CVE-2008-3641 (bnc#430543) * Thu Nov 20 2008 kssingvo@suse.de - fixed rss subscription issue (bnc#446975) * Tue Nov 04 2008 kssingvo@suse.de