| 1 |
pva 08/04/01 19:03:35 |
| 2 |
|
| 3 |
Added: cups-1.2.12-CVE-2008-0053.patch |
| 4 |
cups-1.2.12-CVE-2008-1373.patch |
| 5 |
Log: |
| 6 |
Fixing multiple security vulnerabilities, bug #214068, thank Robert Buchholz and all other developers working on that bug. |
| 7 |
(Portage version: 2.1.4.4, RepoMan options: --force) |
| 8 |
|
| 9 |
Revision Changes Path |
| 10 |
1.1 net-print/cups/files/cups-1.2.12-CVE-2008-0053.patch |
| 11 |
|
| 12 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2008-0053.patch?rev=1.1&view=markup |
| 13 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2008-0053.patch?rev=1.1&content-type=text/plain |
| 14 |
|
| 15 |
Index: cups-1.2.12-CVE-2008-0053.patch |
| 16 |
=================================================================== |
| 17 |
Index: cups-1.2.12/filter/hpgl-input.c |
| 18 |
=================================================================== |
| 19 |
--- cups-1.2.12.orig/filter/hpgl-input.c |
| 20 |
+++ cups-1.2.12/filter/hpgl-input.c |
| 21 |
@@ -56,6 +56,7 @@ ParseCommand(FILE *fp, /* I - File to |
| 22 |
i; /* Looping var */ |
| 23 |
char buf[262144], /* String buffer */ |
| 24 |
*bufptr; /* Pointer into buffer */ |
| 25 |
+ float temp; /* Temporary parameter value */ |
| 26 |
static param_t p[MAX_PARAMS]; /* Parameter buffer */ |
| 27 |
|
| 28 |
|
| 29 |
@@ -220,10 +221,10 @@ ParseCommand(FILE *fp, /* I - File to |
| 30 |
case '-' : |
| 31 |
case '+' : |
| 32 |
ungetc(ch, fp); |
| 33 |
- fscanf(fp, "%f", &(p[num_params].value.number)); |
| 34 |
- if (num_params < MAX_PARAMS) |
| 35 |
+ if (fscanf(fp, "%f", &temp) == 1 && num_params < MAX_PARAMS) |
| 36 |
{ |
| 37 |
- p[num_params].type = PARAM_RELATIVE; |
| 38 |
+ p[num_params].type = PARAM_RELATIVE; |
| 39 |
+ p[num_params].value.number = temp; |
| 40 |
num_params ++; |
| 41 |
} |
| 42 |
break; |
| 43 |
@@ -239,10 +240,10 @@ ParseCommand(FILE *fp, /* I - File to |
| 44 |
case '9' : |
| 45 |
case '.' : |
| 46 |
ungetc(ch, fp); |
| 47 |
- fscanf(fp, "%f", &(p[num_params].value.number)); |
| 48 |
- if (num_params < MAX_PARAMS) |
| 49 |
+ if (fscanf(fp, "%f", &temp) == 1 && num_params < MAX_PARAMS) |
| 50 |
{ |
| 51 |
- p[num_params].type = PARAM_ABSOLUTE; |
| 52 |
+ p[num_params].type = PARAM_ABSOLUTE; |
| 53 |
+ p[num_params].value.number = temp; |
| 54 |
num_params ++; |
| 55 |
} |
| 56 |
break; |
| 57 |
|
| 58 |
|
| 59 |
|
| 60 |
1.1 net-print/cups/files/cups-1.2.12-CVE-2008-1373.patch |
| 61 |
|
| 62 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2008-1373.patch?rev=1.1&view=markup |
| 63 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2008-1373.patch?rev=1.1&content-type=text/plain |
| 64 |
|
| 65 |
Index: cups-1.2.12-CVE-2008-1373.patch |
| 66 |
=================================================================== |
| 67 |
Index: cups-1.2.12/filter/image-gif.c |
| 68 |
=================================================================== |
| 69 |
--- cups-1.2.12.orig/filter/image-gif.c |
| 70 |
+++ cups-1.2.12/filter/image-gif.c |
| 71 |
@@ -47,6 +47,8 @@ |
| 72 |
#define GIF_INTERLACE 0x40 |
| 73 |
#define GIF_COLORMAP 0x80 |
| 74 |
|
| 75 |
+#define MAX_LWZ_BITS 12 |
| 76 |
+ |
| 77 |
typedef cups_ib_t gif_cmap_t[256][4]; |
| 78 |
typedef short gif_table_t[4096]; |
| 79 |
|
| 80 |
@@ -471,6 +473,9 @@ gif_read_image(FILE *fp, /* I - |
| 81 |
pass = 0; |
| 82 |
code_size = getc(fp); |
| 83 |
|
| 84 |
+ if (code_size > MAX_LWZ_BITS) |
| 85 |
+ return (-1); |
| 86 |
+ |
| 87 |
if (gif_read_lzw(fp, 1, code_size) < 0) |
| 88 |
return (-1); |
| 89 |
|
| 90 |
|
| 91 |
|
| 92 |
|
| 93 |
-- |
| 94 |
gentoo-commits@l.g.o mailing list |
Archives