rpms/cups/F-8 cups-CVE-2008-5183.patch, NONE, 1.1 cups.spec, 1.399, 1.400
Tim Waugh
twaugh at fedoraproject.org
Wed Dec 3 12:52:12 UTC 2008
Author: twaugh
Update of /cvs/pkgs/rpms/cups/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1388
Modified Files:
cups.spec
Added Files:
cups-CVE-2008-5183.patch
Log Message:
* Wed Dec 3 2008 Tim Waugh <twaugh at redhat.com>
- Applied patch to fix RSS subscription limiting (bug #473901,
CVE-2008-5183).
cups-CVE-2008-5183.patch:
--- NEW FILE cups-CVE-2008-5183.patch ---
diff -up cups-1.3.9/scheduler/ipp.c.CVE-2008-5183 cups-1.3.9/scheduler/ipp.c
--- cups-1.3.9/scheduler/ipp.c.CVE-2008-5183 2008-12-03 12:16:23.000000000 +0000
+++ cups-1.3.9/scheduler/ipp.c 2008-12-03 12:17:16.000000000 +0000
@@ -2348,24 +2348,25 @@ add_job_subscriptions(
if (mask == CUPSD_EVENT_NONE)
mask = CUPSD_EVENT_JOB_COMPLETED;
- sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, recipient,
- 0);
+ if ((sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job,
+ recipient, 0)) != NULL)
+ {
+ sub->interval = interval;
- sub->interval = interval;
+ cupsdSetString(&sub->owner, job->username);
- cupsdSetString(&sub->owner, job->username);
+ if (user_data)
+ {
+ sub->user_data_len = user_data->values[0].unknown.length;
+ memcpy(sub->user_data, user_data->values[0].unknown.data,
+ sub->user_data_len);
+ }
- if (user_data)
- {
- sub->user_data_len = user_data->values[0].unknown.length;
- memcpy(sub->user_data, user_data->values[0].unknown.data,
- sub->user_data_len);
+ ippAddSeparator(con->response);
+ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER,
+ "notify-subscription-id", sub->id);
}
- ippAddSeparator(con->response);
- ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER,
- "notify-subscription-id", sub->id);
-
if (attr)
attr = attr->next;
}
@@ -6028,7 +6029,12 @@ create_subscription(
else
job = NULL;
- sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
+ if ((sub = cupsdAddSubscription(mask, printer, job, recipient, 0)) == NULL)
+ {
+ send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS,
+ _("There are too many subscriptions."));
+ return;
+ }
if (job)
cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d",
diff -up cups-1.3.9/scheduler/subscriptions.c.CVE-2008-5183 cups-1.3.9/scheduler/subscriptions.c
--- cups-1.3.9/scheduler/subscriptions.c.CVE-2008-5183 2008-12-03 12:16:23.000000000 +0000
+++ cups-1.3.9/scheduler/subscriptions.c 2008-12-03 12:17:16.000000000 +0000
@@ -341,8 +341,54 @@ cupsdAddSubscription(
* Limit the number of subscriptions...
*/
- if (cupsArrayCount(Subscriptions) >= MaxSubscriptions)
+ if (MaxSubscriptions > 0 && cupsArrayCount(Subscriptions) >= MaxSubscriptions)
+ {
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAddSubscription: Reached MaxSubscriptions %d",
+ MaxSubscriptions);
return (NULL);
+ }
+
+ if (MaxSubscriptionsPerJob > 0 && job)
+ {
+ int count; /* Number of job subscriptions */
+
+ for (temp = (cupsd_subscription_t *)cupsArrayFirst(Subscriptions),
+ count = 0;
+ temp;
+ temp = (cupsd_subscription_t *)cupsArrayNext(Subscriptions))
+ if (temp->job == job)
+ count ++;
+
+ if (count >= MaxSubscriptionsPerJob)
+ {
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAddSubscription: Reached MaxSubscriptionsPerJob %d "
+ "for job #%d", MaxSubscriptionsPerJob, job->id);
+ return (NULL);
+ }
+ }
+
+ if (MaxSubscriptionsPerPrinter > 0 && dest)
+ {
+ int count; /* Number of printer subscriptions */
+
+ for (temp = (cupsd_subscription_t *)cupsArrayFirst(Subscriptions),
+ count = 0;
+ temp;
+ temp = (cupsd_subscription_t *)cupsArrayNext(Subscriptions))
+ if (temp->dest == dest)
+ count ++;
+
+ if (count >= MaxSubscriptionsPerPrinter)
+ {
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAddSubscription: Reached "
+ "MaxSubscriptionsPerPrinter %d for %s",
+ MaxSubscriptionsPerPrinter, dest->name);
+ return (NULL);
+ }
+ }
/*
* Allocate memory for this subscription...
@@ -758,7 +804,6 @@ cupsdLoadAllSubscriptions(void)
cupsdLogMessage(CUPSD_LOG_ERROR,
"Syntax error on line %d of subscriptions.conf.",
linenum);
- break;
}
else if (!strcasecmp(line, "Events"))
{
diff -up cups-1.3.9/test/4.4-subscription-ops.test.CVE-2008-5183 cups-1.3.9/test/4.4-subscription-ops.test
--- cups-1.3.9/test/4.4-subscription-ops.test.CVE-2008-5183 2007-07-09 21:34:48.000000000 +0100
+++ cups-1.3.9/test/4.4-subscription-ops.test 2008-12-03 12:17:16.000000000 +0000
@@ -116,6 +116,32 @@
EXPECT notify-events
DISPLAY notify-events
}
+{
+ # The name of the test...
+ NAME "Check MaxSubscriptions limits"
+
+ # The operation to use
+ OPERATION Create-Printer-Subscription
+ RESOURCE /
+
+ # The attributes to send
+ GROUP operation
+ ATTR charset attributes-charset utf-8
+ ATTR language attributes-natural-language en
+ ATTR uri printer-uri $method://$hostname:$port/printers/Test1
+
+ GROUP subscription
+ ATTR uri notify-recipient-uri testnotify://
+ ATTR keyword notify-events printer-state-changed
+ ATTR integer notify-lease-duration 5
+
+ # What statuses are OK?
+ STATUS client-error-too-many-subscriptions
+
+ # What attributes do we expect?
+ EXPECT attributes-charset
+ EXPECT attributes-natural-language
+}
#
# End of "$Id: 4.4-subscription-ops.test 6635 2007-07-09 20:34:48Z mike $"
diff -up cups-1.3.9/test/run-stp-tests.sh.CVE-2008-5183 cups-1.3.9/test/run-stp-tests.sh
--- cups-1.3.9/test/run-stp-tests.sh.CVE-2008-5183 2008-07-14 19:29:58.000000000 +0100
+++ cups-1.3.9/test/run-stp-tests.sh 2008-12-03 12:17:16.000000000 +0000
@@ -307,6 +307,7 @@ FontPath /tmp/cups-$user/share/fonts
DocumentRoot $root/doc
RequestRoot /tmp/cups-$user/spool
TempDir /tmp/cups-$user/spool/temp
+MaxSubscriptions 3
MaxLogSize 0
AccessLog /tmp/cups-$user/log/access_log
ErrorLog /tmp/cups-$user/log/error_log
Index: cups.spec
===================================================================
RCS file: /cvs/pkgs/rpms/cups/F-8/cups.spec,v
retrieving revision 1.399
retrieving revision 1.400
diff -u -r1.399 -r1.400
--- cups.spec 21 Oct 2008 10:25:33 -0000 1.399
+++ cups.spec 3 Dec 2008 12:51:41 -0000 1.400
@@ -46,6 +46,7 @@
Patch21: cups-driverd-timeout.patch
Patch22: cups-strict-ppd-line-length.patch
Patch25: cups-usb-paperout.patch
+Patch26: cups-CVE-2008-5183.patch
Patch100: cups-lspp.patch
Epoch: 1
Url: http://www.cups.org/
@@ -159,6 +160,7 @@
%patch21 -p1 -b .driverd-timeout
%patch22 -p1 -b .strict-ppd-line-length
%patch25 -p1 -b .usb-paperout
+%patch26 -p1 -b .CVE-2008-5183
%if %lspp
%patch100 -p1 -b .lspp
@@ -452,6 +454,10 @@
%{cups_serverbin}/daemon/cups-lpd
%changelog
+* Wed Dec 3 2008 Tim Waugh <twaugh at redhat.com>
+- Applied patch to fix RSS subscription limiting (bug #473901,
+ CVE-2008-5183).
+
* Tue Oct 21 2008 Tim Waugh <twaugh at redhat.com>
- Fixed textonly filter to send FF correctly.
More information about the fedora-extras-commits
mailing list