
From: "Timo Gurr (tgurr)" <tgurr@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in net-print/cups/files: cups-1.2.12-CVE-2008-0882.patch cups-1.2.12-CVE-2007-4351.patch cups-1.2.12-CVE-2007-4045.patch cups-1.2-str2561-v2.patch pdftops.pl cups-1.3.0-bindnow.patch cups-1.2.4-CVE-2007-4045.patch cups-1.3.4-CVE-2007-4045.patch
Date: Thu, 28 Feb 2008 20:24:53
Message-Id: E1JUpJC-0006Uh-EI@stork.gentoo.org
1 tgurr 08/02/28 20:24:50
2
3 Added: cups-1.2.12-CVE-2008-0882.patch
4 cups-1.2.12-CVE-2007-4351.patch
5 cups-1.2.12-CVE-2007-4045.patch
6 Removed: cups-1.2-str2561-v2.patch pdftops.pl
7 cups-1.3.0-bindnow.patch
8 cups-1.2.4-CVE-2007-4045.patch
9 cups-1.3.4-CVE-2007-4045.patch
10 Log:
11 Add cups-1.2.12-r5.ebuild to fix security issue CVE-2008-0882, see bug #211449. Remove older vulnerable versions. Rename patches for better versioning. Minor ebuild cleanups.
12 (Portage version: 2.1.4.4)
13
14 Revision Changes Path
15 1.1 net-print/cups/files/cups-1.2.12-CVE-2008-0882.patch
16
17 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2008-0882.patch?rev=1.1&view=markup
18 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2008-0882.patch?rev=1.1&content-type=text/plain
19
20 Index: cups-1.2.12-CVE-2008-0882.patch
21 ===================================================================
22 diff -up cups-1.2.4/scheduler/dirsvc.c.str2656 cups-1.2.4/scheduler/dirsvc.c
23 --- cups-1.2.4/scheduler/dirsvc.c.str2656 2008-02-21 13:33:06.000000000 +0000
24 +++ cups-1.2.4/scheduler/dirsvc.c 2008-02-21 13:33:49.000000000 +0000
25 @@ -1943,9 +1943,9 @@ process_browse_data(
26 if (hptr && !*hptr)
27 *hptr = '.'; /* Resource FQDN */
28
29 - if ((p = cupsdFindClass(name)) == NULL && BrowseShortNames)
30 + if ((p = cupsdFindDest(name)) == NULL && BrowseShortNames)
31 {
32 - if ((p = cupsdFindClass(resource + 9)) != NULL)
33 + if ((p = cupsdFindDest(resource + 9)) != NULL)
34 {
35 if (p->hostname && strcasecmp(p->hostname, host))
36 {
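Review bot: The switch from `cupsdFindClass` to `cupsdFindDest` on both lookups carries no comment, so the reason for using the generic lookup inside the class branch is invisible to the next reader and could be "corrected" back. I would add above the first lookup something like `/* Look up any destination by this name, not only classes, so a same-named printer is found too (STR #2656) */`; the STR number is taken from the `.str2656` suffix of the patched file name. With the generic lookup `p` may presumably be a destination of a different type than this branch handles, and the code that deals with that case is outside the hunk, so it is worth confirming it is handled before `p` is updated or freed. The same applies to the printer branch in the second hunk (`@@ -2049,9 +2049,9 @@`). process_browse_data starts and ends outside the hunk.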
37 @@ -2049,9 +2049,9 @@ process_browse_data(
38 if (hptr && !*hptr)
39 *hptr = '.'; /* Resource FQDN */
40
41 - if ((p = cupsdFindPrinter(name)) == NULL && BrowseShortNames)
42 + if ((p = cupsdFindDest(name)) == NULL && BrowseShortNames)
43 {
44 - if ((p = cupsdFindPrinter(resource + 10)) != NULL)
45 + if ((p = cupsdFindDest(resource + 10)) != NULL)
46 {
47 if (p->hostname && strcasecmp(p->hostname, host))
48 {
49
50
51
52
53 1.1 net-print/cups/files/cups-1.2.12-CVE-2007-4351.patch
54
55 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2007-4351.patch?rev=1.1&view=markup
56 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2007-4351.patch?rev=1.1&content-type=text/plain
57
58 Index: cups-1.2.12-CVE-2007-4351.patch
59 ===================================================================
60 Index: ipp.c
61 ===================================================================
62 --- cups-1.2.12.orig/cups/ipp.c (revision 7023)
63 +++ cups-1.2.12./cups/ipp.c (working copy)
64 @@ -1315,6 +1315,12 @@
65 {
66 case IPP_TAG_INTEGER :
67 case IPP_TAG_ENUM :
68 + if (n != 4)
69 + {
70 + DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
71 + return (IPP_ERROR);
72 + }
73 +
74 if ((*cb)(src, buffer, 4) < 4)
75 {
76 DEBUG_puts("ippReadIO: Unable to read integer value!");
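Review bot: Every length check added in this patch logs the same text, `ippReadIO: bad value length %d!`, so a debug trace of a rejected request cannot tell which tag failed validation. Naming the value type, as the neighbouring read-failure messages already do, would fix that, e.g. `DEBUG_printf(("ippReadIO: bad integer value length %d!\n", n));` here and matching wording in the boolean, string, date, resolution, range, member-name and default hunks. The rejection is reported only through DEBUG_printf/DEBUG_puts, which presumably compile away in release builds, so callers should log the IPP_ERROR return themselves. The enclosing switch and function lie outside the hunk.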
77 @@ -1327,6 +1333,12 @@
78 value->integer = n;
79 break;
80 case IPP_TAG_BOOLEAN :
81 + if (n != 1)
82 + {
83 + DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
84 + return (IPP_ERROR);
85 + }
86 +
87 if ((*cb)(src, buffer, 1) < 1)
88 {
89 DEBUG_puts("ippReadIO: Unable to read boolean value!");
90 @@ -1344,6 +1356,12 @@
91 case IPP_TAG_CHARSET :
92 case IPP_TAG_LANGUAGE :
93 case IPP_TAG_MIMETYPE :
94 + if (n >= sizeof(buffer))
95 + {
96 + DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
97 + return (IPP_ERROR);
98 + }
99 +
100 if ((*cb)(src, buffer, n) < n)
101 {
102 DEBUG_puts("ippReadIO: unable to read name!");
103 @@ -1356,6 +1374,12 @@
104 value->string.text));
105 break;
106 case IPP_TAG_DATE :
107 + if (n != 11)
108 + {
109 + DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
110 + return (IPP_ERROR);
111 + }
112 +
113 if ((*cb)(src, value->date, 11) < 11)
114 {
115 DEBUG_puts("ippReadIO: Unable to date integer value!");
116 @@ -1363,6 +1387,12 @@
117 }
118 break;
119 case IPP_TAG_RESOLUTION :
120 + if (n != 9)
121 + {
122 + DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
123 + return (IPP_ERROR);
124 + }
125 +
126 if ((*cb)(src, buffer, 9) < 9)
127 {
128 DEBUG_puts("ippReadIO: Unable to read resolution value!");
129 @@ -1379,6 +1409,12 @@
130 (ipp_res_t)buffer[8];
131 break;
132 case IPP_TAG_RANGE :
133 + if (n != 8)
134 + {
135 + DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
136 + return (IPP_ERROR);
137 + }
138 +
139 if ((*cb)(src, buffer, 8) < 8)
140 {
141 DEBUG_puts("ippReadIO: Unable to read range value!");
142 @@ -1394,7 +1430,7 @@
143 break;
144 case IPP_TAG_TEXTLANG :
145 case IPP_TAG_NAMELANG :
146 - if (n > sizeof(buffer) || n < 4)
147 + if (n >= sizeof(buffer) || n < 4)
148 {
149 DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
150 return (IPP_ERROR);
151 @@ -1420,22 +1456,27 @@
152
153 n = (bufptr[0] << 8) | bufptr[1];
154
155 - if (n >= sizeof(string))
156 + if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
157 + n >= sizeof(string))
158 {
159 - memcpy(string, bufptr + 2, sizeof(string) - 1);
160 - string[sizeof(string) - 1] = '\0';
161 + DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
162 + return (IPP_ERROR);
163 }
164 - else
165 - {
166 - memcpy(string, bufptr + 2, n);
167 - string[n] = '\0';
168 - }
169
170 + memcpy(string, bufptr + 2, n);
171 + string[n] = '\0';
172 +
173 value->string.charset = _cupsStrAlloc((char *)string);
174
175 bufptr += 2 + n;
176 n = (bufptr[0] << 8) | bufptr[1];
177
178 + if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
179 + {
180 + DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
181 + return (IPP_ERROR);
182 + }
183 +
184 bufptr[2 + n] = '\0';
185 value->string.text = _cupsStrAlloc((char *)bufptr + 2);
186 break;
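Review bot: Both new bounds checks compare against `buffer + sizeof(buffer)`, the capacity of the buffer, rather than the end of the bytes actually read for this value, so a sub-length that overruns the received value but still fits in the buffer is accepted and the charset or text is taken from leftover buffer contents. The second length is also read from `bufptr[0]` and `bufptr[1]` before any check that two bytes remain, which can touch one byte past `buffer` when the first check passes with a single byte to spare. I would remember the end of the received data before `n` is overwritten (for example `bufend = buffer + n;`, a name I am proposing) and test the remaining length instead of forming an out-of-range pointer: `if (n >= sizeof(string) || n + 4 > bufend - bufptr)` for the charset and `if (n + 2 > bufend - bufptr)` for the text. The read into `buffer` and the declarations of `buffer`, `string` and `bufptr` are outside the hunk.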
187 @@ -1477,6 +1518,12 @@
188 * we need to carry over...
189 */
190
191 + if (n >= sizeof(buffer))
192 + {
193 + DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
194 + return (IPP_ERROR);
195 + }
196 +
197 if ((*cb)(src, buffer, n) < n)
198 {
199 DEBUG_puts("ippReadIO: Unable to read member name value!");
200 @@ -1498,6 +1545,12 @@
201 break;
202
203 default : /* Other unsupported values */
204 + if (n > sizeof(buffer))
205 + {
206 + DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
207 + return (IPP_ERROR);
208 + }
209 +
210 value->unknown.length = n;
211 if (n > 0)
212 {
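Review bot: This check uses `n > sizeof(buffer)` while every other variable-length check in the patch uses `>=`, and nothing in the hunk says whether the difference is intended. If the data for unknown values is not stored in `buffer` and gets no terminator (the code after `if (n > 0)` is outside the hunk), a comment such as `/* No terminator is added here, so a length equal to the buffer size is allowed */` would record that; otherwise the comparison should be `>=` like the others.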
213
214
215
216
217 1.1 net-print/cups/files/cups-1.2.12-CVE-2007-4045.patch
218
219 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2007-4045.patch?rev=1.1&view=markup
220 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2007-4045.patch?rev=1.1&content-type=text/plain
221
222 Index: cups-1.2.12-CVE-2007-4045.patch
223 ===================================================================
224 diff -up cups-1.2.4/scheduler/client.c.CVE-2007-4045 cups-1.2.4/scheduler/client.c
225 --- cups-1.2.4/scheduler/client.c.CVE-2007-4045 2007-10-30 09:51:04.000000000 +0000
226 +++ cups-1.2.4/scheduler/client.c 2007-10-30 10:07:10.000000000 +0000
227 @@ -105,6 +105,25 @@ static int write_file(cupsd_client_t *c
228 struct stat *filestats);
229
230
231 +void
232 +_cupsdFixClientsBIO(void)
233 +{
234 +#ifdef HAVE_LIBSSL
235 + cupsd_client_t *c;
236 + BIO *bio;
237 + cupsArraySave (Clients);
238 + for (c = (cupsd_client_t *)cupsArrayFirst(Clients);
239 + c;
240 + c = (cupsd_client_t *)cupsArrayNext(Clients))
241 + {
242 + bio = SSL_get_wbio(c->http.tls);
243 + BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)HTTP(c));
244 + }
245 + cupsArrayRestore (Clients);
246 +#endif
247 +}
248 +
249 +
250 /*
251 * 'cupsdAcceptClient()' - Accept a new client.
252 */
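Review bot: `_cupsdFixClientsBIO()` passes `c->http.tls` to `SSL_get_wbio()` and the result to `BIO_ctrl()` for every entry in `Clients` without a NULL test, so if a client that has not negotiated TLS has a NULL `http.tls` (not visible here) the first accept or close would dereference it. I would skip such clients with `if (!c->http.tls) continue;` and guard the call with `if (bio)`. The function also has no header comment in the file's `'name()' - purpose.` style saying why the write BIO's pointer must be refreshed after the array changes, and it is non-static with a leading-underscore name and no prototype in the hunk.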
253 @@ -438,6 +457,7 @@ cupsdAcceptClient(cupsd_listener_t *lis)
254 }
255
256 cupsArrayAdd(Clients, con);
257 + _cupsdFixClientsBIO();
258
259 cupsdLogMessage(CUPSD_LOG_DEBUG2,
260 "cupsdAcceptClient: %d connected to server on %s:%d",
261 @@ -729,6 +749,7 @@ cupsdCloseClient(cupsd_client_t *con) /*
262 */
263
264 cupsArrayRemove(Clients, con);
265 + _cupsdFixClientsBIO();
266
267 free(con);
268 }
269 diff -up cups-1.2.4/scheduler/main.c.CVE-2007-4045 cups-1.2.4/scheduler/main.c
270 --- cups-1.2.4/scheduler/main.c.CVE-2007-4045 2007-10-30 09:51:04.000000000 +0000
271 +++ cups-1.2.4/scheduler/main.c 2007-10-30 09:51:05.000000000 +0000
272 @@ -948,7 +948,7 @@ main(int argc, /* I - Number of comm
273 * Write data as needed...
274 */
275
276 - if (con->pipe_pid && FD_ISSET(con->file, input))
277 + if (con->pipe_pid && con->file >= 0 && FD_ISSET(con->file, input))
278 {
279 /*
280 * Keep track of pending input from the file/pipe separately
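Review bot: The added `con->file >= 0` test keeps a negative descriptor out of `FD_ISSET`, but a descriptor at or above `FD_SETSIZE` is equally out of range for the macro. Unless descriptors are bounded elsewhere (not visible in this hunk), I would extend the condition to `if (con->pipe_pid && con->file >= 0 && con->file < FD_SETSIZE && FD_ISSET(con->file, input))`. The surrounding loop in main() starts and ends outside the hunk.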
281
282
283
284