rpms/cups/F-7 cups-CVE-2007-4351.patch, NONE, 1.1 cups.spec, 1.345, 1.346

Tim Waugh (twaugh) fedora-extras-commits at redhat.com
Thu Nov 1 14:43:25 UTC 2007


Author: twaugh

Update of /cvs/pkgs/rpms/cups/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4919

Modified Files:
	cups.spec 
Added Files:
	cups-CVE-2007-4351.patch 
Log Message:
* Thu Nov  1 2007 Tim Waugh <twaugh at redhat.com> 1:1.2.12-6
- Applied patch to fix CVE-2007-4351 (STR #2561, bug #361661).


cups-CVE-2007-4351.patch:

--- NEW FILE cups-CVE-2007-4351.patch ---
diff -up cups-1.2.12/cups/ipp.c.CVE-2007-4351 cups-1.2.12/cups/ipp.c
--- cups-1.2.12/cups/ipp.c.CVE-2007-4351	2007-02-05 20:25:50.000000000 +0000
+++ cups-1.2.12/cups/ipp.c	2007-11-01 14:38:25.000000000 +0000
@@ -1315,6 +1315,12 @@ ippReadIO(void       *src,		/* I - Data 
 	  {
 	    case IPP_TAG_INTEGER :
 	    case IPP_TAG_ENUM :
+		if (n != 4)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 4) < 4)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read integer value!");
@@ -1327,6 +1333,12 @@ ippReadIO(void       *src,		/* I - Data 
                 value->integer = n;
 	        break;
 	    case IPP_TAG_BOOLEAN :
+		if (n != 1)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 1) < 1)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read boolean value!");
@@ -1344,6 +1356,12 @@ ippReadIO(void       *src,		/* I - Data 
 	    case IPP_TAG_CHARSET :
 	    case IPP_TAG_LANGUAGE :
 	    case IPP_TAG_MIMETYPE :
+		if (n >= sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 		if ((*cb)(src, buffer, n) < n)
 		{
 		  DEBUG_puts("ippReadIO: unable to read name!");
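Review bot: The new guard `if (n >= sizeof(buffer))` compares `n` against a `size_t`, and `n` looks to be a signed int (it is printed with `%d` two lines above), so this is a signed/unsigned comparison that `-Wsign-compare` flags; it is only safe if `n` is always non-negative, which seems to be the case if it is derived the same way as the 16-bit length at `n = (bufptr[0] << 8) | bufptr[1]` in a later hunk, but that derivation is outside this hunk. Making the conversion explicit documents that assumption and keeps the build warning-free: `if ((size_t)n >= sizeof(buffer))`. The same pattern appears in the hunks at @@ -1394, @@ -1477 and @@ -1498. ippReadIO and its switch continue outside this hunk.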
@@ -1356,6 +1374,12 @@ ippReadIO(void       *src,		/* I - Data 
 		              value->string.text));
 	        break;
 	    case IPP_TAG_DATE :
+		if (n != 11)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, value->date, 11) < 11)
 		{
 	          DEBUG_puts("ippReadIO: Unable to date integer value!");
@@ -1363,6 +1387,12 @@ ippReadIO(void       *src,		/* I - Data 
 		}
 	        break;
 	    case IPP_TAG_RESOLUTION :
+		if (n != 9)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 9) < 9)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read resolution value!");
@@ -1379,6 +1409,12 @@ ippReadIO(void       *src,		/* I - Data 
 		    (ipp_res_t)buffer[8];
 	        break;
 	    case IPP_TAG_RANGE :
+		if (n != 8)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 8) < 8)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read range value!");
@@ -1394,7 +1430,7 @@ ippReadIO(void       *src,		/* I - Data 
 	        break;
 	    case IPP_TAG_TEXTLANG :
 	    case IPP_TAG_NAMELANG :
-	        if (n > sizeof(buffer) || n < 4)
+	        if (n >= sizeof(buffer) || n < 4)
 		{
 		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
 		  return (IPP_ERROR);
@@ -1420,22 +1456,27 @@ ippReadIO(void       *src,		/* I - Data 
 
 		n = (bufptr[0] << 8) | bufptr[1];
 
-                if (n >= sizeof(string))
+		if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
+		    n >= sizeof(string))
 		{
-		  memcpy(string, bufptr + 2, sizeof(string) - 1);
-		  string[sizeof(string) - 1] = '\0';
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
 		}
-		else
-		{
-		  memcpy(string, bufptr + 2, n);
-		  string[n] = '\0';
-                }
+
+		memcpy(string, bufptr + 2, n);
+		string[n] = '\0';
 
 		value->string.charset = _cupsStrAlloc((char *)string);
 
                 bufptr += 2 + n;
 		n = (bufptr[0] << 8) | bufptr[1];
 
+		if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 		bufptr[2 + n] = '\0';
                 value->string.text = _cupsStrAlloc((char *)bufptr + 2);
 	        break;
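Review bot: The second length field is read at `n = (bufptr[0] << 8) | bufptr[1];` before the bounds check that follows it, and the first check only guarantees `bufptr + 2 + n < buffer + sizeof(buffer)`, so after `bufptr += 2 + n` the read of `bufptr[1]` can land exactly one byte past the end of `buffer` when the charset fills the buffer to its last byte. Reserving the two bytes of the second length field in the first guard closes that gap without rejecting any value the second check would later accept: `if ((bufptr + 4 + n) >= (buffer + sizeof(buffer)) ||`. Both checks also form a pointer that may lie far beyond `buffer` before comparing it, which is undefined behaviour in C even though it works on a flat address space; comparing offsets instead, e.g. `(size_t)(bufptr - buffer) + 2 + n >= sizeof(buffer)`, avoids that. Overwriting `n` at the start of the hunk also discards the value's total length, so these checks bound the reads against the buffer size rather than against the bytes actually read for this value. The enclosing switch and ippReadIO continue outside the hunk.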
@@ -1477,6 +1518,12 @@ ippReadIO(void       *src,		/* I - Data 
 		* we need to carry over...
 		*/
 
+		if (n >= sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, n) < n)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read member name value!");
@@ -1498,6 +1545,12 @@ ippReadIO(void       *src,		/* I - Data 
 		break;
 
             default : /* Other unsupported values */
+		if (n > sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
                 value->unknown.length = n;
 	        if (n > 0)
 		{


Index: cups.spec
===================================================================
RCS file: /cvs/pkgs/rpms/cups/F-7/cups.spec,v
retrieving revision 1.345
retrieving revision 1.346
diff -u -r1.345 -r1.346
--- cups.spec	10 Oct 2007 11:24:24 -0000	1.345
+++ cups.spec	1 Nov 2007 14:42:52 -0000	1.346
@@ -6,7 +6,7 @@
 Summary: Common Unix Printing System
 Name: cups
 Version: 1.2.12
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPL
 Group: System Environment/Daemons
 Source: ftp://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2
@@ -48,6 +48,7 @@
 Patch24: cups-str2109.patch
 Patch25: cups-usb-paperout.patch
 Patch26: cups-CVE-2007-3387.patch
+Patch27: cups-CVE-2007-4351.patch
 Patch100: cups-lspp.patch
 Epoch: 1
 Url: http://www.cups.org/
@@ -158,6 +159,7 @@
 %patch24 -p1 -b .str2109
 %patch25 -p1 -b .usb-paperout
 %patch26 -p1 -b .CVE-2007-3387
+%patch27 -p1 -b .CVE-2007-4351
 
 %if %lspp
 %patch100 -p1 -b .lspp
@@ -445,6 +447,9 @@
 %{cups_serverbin}/daemon/cups-lpd
 
 %changelog
+* Thu Nov  1 2007 Tim Waugh <twaugh at redhat.com> 1:1.2.12-6
+- Applied patch to fix CVE-2007-4351 (STR #2561, bug #361661).
+
 * Wed Oct 10 2007 Tim Waugh <twaugh at redhat.com> 1:1.2.12-5
 - Use ppdev for parallel port Device ID retrieval (bug #311671).
 



