1 |
tgurr 08/02/28 20:24:50 |
2 |
|
3 |
Added: cups-1.2.12-CVE-2008-0882.patch |
4 |
cups-1.2.12-CVE-2007-4351.patch |
5 |
cups-1.2.12-CVE-2007-4045.patch |
6 |
Removed: cups-1.2-str2561-v2.patch pdftops.pl |
7 |
cups-1.3.0-bindnow.patch |
8 |
cups-1.2.4-CVE-2007-4045.patch |
9 |
cups-1.3.4-CVE-2007-4045.patch |
10 |
Log: |
11 |
Add cups-1.2.12-r5.ebuild to fix security issue CVE-2008-0882, see bug #211449. Remove older vulnerable versions. Rename patches for better versioning. Minor ebuild cleanups. |
12 |
(Portage version: 2.1.4.4) |
13 |
|
14 |
Revision Changes Path |
15 |
1.1 net-print/cups/files/cups-1.2.12-CVE-2008-0882.patch |
16 |
|
17 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2008-0882.patch?rev=1.1&view=markup |
18 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2008-0882.patch?rev=1.1&content-type=text/plain |
19 |
|
20 |
Index: cups-1.2.12-CVE-2008-0882.patch |
21 |
=================================================================== |
22 |
diff -up cups-1.2.4/scheduler/dirsvc.c.str2656 cups-1.2.4/scheduler/dirsvc.c |
23 |
--- cups-1.2.4/scheduler/dirsvc.c.str2656 2008-02-21 13:33:06.000000000 +0000 |
24 |
+++ cups-1.2.4/scheduler/dirsvc.c 2008-02-21 13:33:49.000000000 +0000 |
25 |
@@ -1943,9 +1943,9 @@ process_browse_data( |
26 |
if (hptr && !*hptr) |
27 |
*hptr = '.'; /* Resource FQDN */ |
28 |
|
29 |
- if ((p = cupsdFindClass(name)) == NULL && BrowseShortNames) |
30 |
+ if ((p = cupsdFindDest(name)) == NULL && BrowseShortNames) |
31 |
{ |
32 |
- if ((p = cupsdFindClass(resource + 9)) != NULL) |
33 |
+ if ((p = cupsdFindDest(resource + 9)) != NULL) |
34 |
{ |
35 |
if (p->hostname && strcasecmp(p->hostname, host)) |
36 |
{ |
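Review bot: After the switch to `cupsdFindDest()`, `p` in this class branch can presumably be a printer as well as a class, and the only visible test on it is the hostname comparison. If the rest of `process_browse_data()` (which continues outside the hunk) assumes a class here, it should check the destination type before updating or deleting the entry; the same applies to the printer branch in the second hunk (`resource + 10`). A comment such as `/* look up any destination so a class/printer name clash is detected */` would record why the lookup was widened. The offsets 9 and 10 presumably skip the `/classes/` and `/printers/` prefixes and deserve a comment or named constant.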
37 |
@@ -2049,9 +2049,9 @@ process_browse_data( |
38 |
if (hptr && !*hptr) |
39 |
*hptr = '.'; /* Resource FQDN */ |
40 |
|
41 |
- if ((p = cupsdFindPrinter(name)) == NULL && BrowseShortNames) |
42 |
+ if ((p = cupsdFindDest(name)) == NULL && BrowseShortNames) |
43 |
{ |
44 |
- if ((p = cupsdFindPrinter(resource + 10)) != NULL) |
45 |
+ if ((p = cupsdFindDest(resource + 10)) != NULL) |
46 |
{ |
47 |
if (p->hostname && strcasecmp(p->hostname, host)) |
48 |
{ |
49 |
|
50 |
|
51 |
|
52 |
|
53 |
1.1 net-print/cups/files/cups-1.2.12-CVE-2007-4351.patch |
54 |
|
55 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2007-4351.patch?rev=1.1&view=markup |
56 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2007-4351.patch?rev=1.1&content-type=text/plain |
57 |
|
58 |
Index: cups-1.2.12-CVE-2007-4351.patch |
59 |
=================================================================== |
60 |
Index: ipp.c |
61 |
=================================================================== |
62 |
--- cups-1.2.12.orig/cups/ipp.c (revision 7023) |
63 |
+++ cups-1.2.12./cups/ipp.c (working copy) |
64 |
@@ -1315,6 +1315,12 @@ |
65 |
{ |
66 |
case IPP_TAG_INTEGER : |
67 |
case IPP_TAG_ENUM : |
68 |
+ if (n != 4) |
69 |
+ { |
70 |
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); |
71 |
+ return (IPP_ERROR); |
72 |
+ } |
73 |
+ |
74 |
if ((*cb)(src, buffer, 4) < 4) |
75 |
{ |
76 |
DEBUG_puts("ippReadIO: Unable to read integer value!"); |
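Review bot: The fixed lengths tested here and in the later hunks (4, 1, 11, 9, 8) are bare literals that must stay in step with the read size on the line that follows, e.g. `if (n != 4)` and `(*cb)(src, buffer, 4)`. A short comment per case naming the wire size, for example `/* integer and enum values are always 4 octets */`, would make that pairing explicit. Every added check also emits the identical message `bad value length %d!`, so a debug log cannot tell which tag was rejected; including the tag in the message would help triage. The `%d` assumes `n` is an `int`, which is declared outside the hunk.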
77 |
@@ -1327,6 +1333,12 @@ |
78 |
value->integer = n; |
79 |
break; |
80 |
case IPP_TAG_BOOLEAN : |
81 |
+ if (n != 1) |
82 |
+ { |
83 |
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); |
84 |
+ return (IPP_ERROR); |
85 |
+ } |
86 |
+ |
87 |
if ((*cb)(src, buffer, 1) < 1) |
88 |
{ |
89 |
DEBUG_puts("ippReadIO: Unable to read boolean value!"); |
90 |
@@ -1344,6 +1356,12 @@ |
91 |
case IPP_TAG_CHARSET : |
92 |
case IPP_TAG_LANGUAGE : |
93 |
case IPP_TAG_MIMETYPE : |
94 |
+ if (n >= sizeof(buffer)) |
95 |
+ { |
96 |
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); |
97 |
+ return (IPP_ERROR); |
98 |
+ } |
99 |
+ |
100 |
if ((*cb)(src, buffer, n) < n) |
101 |
{ |
102 |
DEBUG_puts("ippReadIO: unable to read name!"); |
103 |
@@ -1356,6 +1374,12 @@ |
104 |
value->string.text)); |
105 |
break; |
106 |
case IPP_TAG_DATE : |
107 |
+ if (n != 11) |
108 |
+ { |
109 |
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); |
110 |
+ return (IPP_ERROR); |
111 |
+ } |
112 |
+ |
113 |
if ((*cb)(src, value->date, 11) < 11) |
114 |
{ |
115 |
DEBUG_puts("ippReadIO: Unable to date integer value!"); |
116 |
@@ -1363,6 +1387,12 @@ |
117 |
} |
118 |
break; |
119 |
case IPP_TAG_RESOLUTION : |
120 |
+ if (n != 9) |
121 |
+ { |
122 |
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); |
123 |
+ return (IPP_ERROR); |
124 |
+ } |
125 |
+ |
126 |
if ((*cb)(src, buffer, 9) < 9) |
127 |
{ |
128 |
DEBUG_puts("ippReadIO: Unable to read resolution value!"); |
129 |
@@ -1379,6 +1409,12 @@ |
130 |
(ipp_res_t)buffer[8]; |
131 |
break; |
132 |
case IPP_TAG_RANGE : |
133 |
+ if (n != 8) |
134 |
+ { |
135 |
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); |
136 |
+ return (IPP_ERROR); |
137 |
+ } |
138 |
+ |
139 |
if ((*cb)(src, buffer, 8) < 8) |
140 |
{ |
141 |
DEBUG_puts("ippReadIO: Unable to read range value!"); |
142 |
@@ -1394,7 +1430,7 @@ |
143 |
break; |
144 |
case IPP_TAG_TEXTLANG : |
145 |
case IPP_TAG_NAMELANG : |
146 |
- if (n > sizeof(buffer) || n < 4) |
147 |
+ if (n >= sizeof(buffer) || n < 4) |
148 |
{ |
149 |
DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); |
150 |
return (IPP_ERROR); |
151 |
@@ -1420,22 +1456,27 @@ |
152 |
|
153 |
n = (bufptr[0] << 8) | bufptr[1]; |
154 |
|
155 |
- if (n >= sizeof(string)) |
156 |
+ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) || |
157 |
+ n >= sizeof(string)) |
158 |
{ |
159 |
- memcpy(string, bufptr + 2, sizeof(string) - 1); |
160 |
- string[sizeof(string) - 1] = '\0'; |
161 |
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); |
162 |
+ return (IPP_ERROR); |
163 |
} |
164 |
- else |
165 |
- { |
166 |
- memcpy(string, bufptr + 2, n); |
167 |
- string[n] = '\0'; |
168 |
- } |
169 |
|
170 |
+ memcpy(string, bufptr + 2, n); |
171 |
+ string[n] = '\0'; |
172 |
+ |
173 |
value->string.charset = _cupsStrAlloc((char *)string); |
174 |
|
175 |
bufptr += 2 + n; |
176 |
n = (bufptr[0] << 8) | bufptr[1]; |
177 |
|
178 |
+ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer))) |
179 |
+ { |
180 |
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); |
181 |
+ return (IPP_ERROR); |
182 |
+ } |
183 |
+ |
184 |
bufptr[2 + n] = '\0'; |
185 |
value->string.text = _cupsStrAlloc((char *)bufptr + 2); |
186 |
break; |
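Review bot: Both new pointer checks compare against `buffer + sizeof(buffer)`, the capacity of the buffer, rather than the number of octets actually read for this value, so an embedded length can still point past the received data at bytes left over from an earlier value. The outer length is overwritten by `n = (bufptr[0] << 8) | bufptr[1];`, so it would have to be saved first, e.g. `bufend = buffer + n;`, with the tests becoming `if ((bufptr + 2 + n + 2) > bufend || n >= sizeof(string))` and `if ((bufptr + 2 + n) > bufend)`. The extra `+ 2` matters because, as written, the two bytes of the second length field are read after `bufptr += 2 + n` before anything confirms both lie inside the buffer. The read into `buffer` and the declarations are outside the hunk, so `bufend` would need declaring there.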
187 |
@@ -1477,6 +1518,12 @@ |
188 |
* we need to carry over... |
189 |
*/ |
190 |
|
191 |
+ if (n >= sizeof(buffer)) |
192 |
+ { |
193 |
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); |
194 |
+ return (IPP_ERROR); |
195 |
+ } |
196 |
+ |
197 |
if ((*cb)(src, buffer, n) < n) |
198 |
{ |
199 |
DEBUG_puts("ippReadIO: Unable to read member name value!"); |
200 |
@@ -1498,6 +1545,12 @@ |
201 |
break; |
202 |
|
203 |
default : /* Other unsupported values */ |
204 |
+ if (n > sizeof(buffer)) |
205 |
+ { |
206 |
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); |
207 |
+ return (IPP_ERROR); |
208 |
+ } |
209 |
+ |
210 |
value->unknown.length = n; |
211 |
if (n > 0) |
212 |
{ |
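Review bot: This check uses `n > sizeof(buffer)` while every other variable-length check added by the patch uses `n >= sizeof(buffer)`. If the unknown value is stored as raw octets without a terminating NUL (the code that reads it is below the hunk), the difference is intentional and worth a comment such as `/* raw octets, no terminator, so n == sizeof(buffer) is acceptable */`. Otherwise it should be `>=` like the rest.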
213 |
|
214 |
|
215 |
|
216 |
|
217 |
1.1 net-print/cups/files/cups-1.2.12-CVE-2007-4045.patch |
218 |
|
219 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2007-4045.patch?rev=1.1&view=markup |
220 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-print/cups/files/cups-1.2.12-CVE-2007-4045.patch?rev=1.1&content-type=text/plain |
221 |
|
222 |
Index: cups-1.2.12-CVE-2007-4045.patch |
223 |
=================================================================== |
224 |
diff -up cups-1.2.4/scheduler/client.c.CVE-2007-4045 cups-1.2.4/scheduler/client.c |
225 |
--- cups-1.2.4/scheduler/client.c.CVE-2007-4045 2007-10-30 09:51:04.000000000 +0000 |
226 |
+++ cups-1.2.4/scheduler/client.c 2007-10-30 10:07:10.000000000 +0000 |
227 |
@@ -105,6 +105,25 @@ static int write_file(cupsd_client_t *c |
228 |
struct stat *filestats); |
229 |
|
230 |
|
231 |
+void |
232 |
+_cupsdFixClientsBIO(void) |
233 |
+{ |
234 |
+#ifdef HAVE_LIBSSL |
235 |
+ cupsd_client_t *c; |
236 |
+ BIO *bio; |
237 |
+ cupsArraySave (Clients); |
238 |
+ for (c = (cupsd_client_t *)cupsArrayFirst(Clients); |
239 |
+ c; |
240 |
+ c = (cupsd_client_t *)cupsArrayNext(Clients)) |
241 |
+ { |
242 |
+ bio = SSL_get_wbio(c->http.tls); |
243 |
+ BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)HTTP(c)); |
244 |
+ } |
245 |
+ cupsArrayRestore (Clients); |
246 |
+#endif |
247 |
+} |
248 |
+ |
249 |
+ |
250 |
/* |
251 |
* 'cupsdAcceptClient()' - Accept a new client. |
252 |
*/ |
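Review bot: `_cupsdFixClientsBIO()` passes `c->http.tls` to `SSL_get_wbio()` for every entry in `Clients` without checking it, and then uses the returned `bio` unchecked as well. If the array can hold connections that have not negotiated TLS (a later hunk calls this straight after `cupsArrayAdd(Clients, con)`), that is a NULL dereference inside the scheduler; skip such entries with `if (!c->http.tls) continue;` and guard `bio` the same way. The function also has external linkage with no visible prototype and no header comment. If it is only used in client.c, `static` plus a short description of why the BIO file pointer must be re-pointed after the array changes would help.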
253 |
@@ -438,6 +457,7 @@ cupsdAcceptClient(cupsd_listener_t *lis) |
254 |
} |
255 |
|
256 |
cupsArrayAdd(Clients, con); |
257 |
+ _cupsdFixClientsBIO(); |
258 |
|
259 |
cupsdLogMessage(CUPSD_LOG_DEBUG2, |
260 |
"cupsdAcceptClient: %d connected to server on %s:%d", |
261 |
@@ -729,6 +749,7 @@ cupsdCloseClient(cupsd_client_t *con) /* |
262 |
*/ |
263 |
|
264 |
cupsArrayRemove(Clients, con); |
265 |
+ _cupsdFixClientsBIO(); |
266 |
|
267 |
free(con); |
268 |
} |
269 |
diff -up cups-1.2.4/scheduler/main.c.CVE-2007-4045 cups-1.2.4/scheduler/main.c |
270 |
--- cups-1.2.4/scheduler/main.c.CVE-2007-4045 2007-10-30 09:51:04.000000000 +0000 |
271 |
+++ cups-1.2.4/scheduler/main.c 2007-10-30 09:51:05.000000000 +0000 |
272 |
@@ -948,7 +948,7 @@ main(int argc, /* I - Number of comm |
273 |
* Write data as needed... |
274 |
*/ |
275 |
|
276 |
- if (con->pipe_pid && FD_ISSET(con->file, input)) |
277 |
+ if (con->pipe_pid && con->file >= 0 && FD_ISSET(con->file, input)) |
278 |
{ |
279 |
/* |
280 |
* Keep track of pending input from the file/pipe separately |
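Review bot: The new `con->file >= 0` guard has no comment saying why a negative descriptor can reach this point, and it covers only this one `FD_ISSET()`. A comment like `/* con->file is negative when no file/pipe is open; FD_ISSET() on it would index outside the set */` would keep the check from being dropped in a later cleanup. Any other `FD_ISSET(con->file, ...)` in this loop, which continues outside the hunk, would need the same guard.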
281 |
|
282 |
|
283 |
|
284 |
|