pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/print/cups Fix for CVE-2007-4351
details: https://anonhg.NetBSD.org/pkgsrc/rev/1981c725952b
branches: trunk
changeset: 535024:1981c725952b
user: adrianp <adrianp%pkgsrc.org@localhost>
date: Mon Nov 05 20:16:19 2007 +0000
description:
Fix for CVE-2007-4351
PKGREVISION++
diffstat:
print/cups/Makefile | 4 +-
print/cups/distinfo | 3 +-
print/cups/patches/patch-au | 155 ++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 159 insertions(+), 3 deletions(-)
diffs (191 lines):
diff -r 1524134622df -r 1981c725952b print/cups/Makefile
--- a/print/cups/Makefile Mon Nov 05 20:08:45 2007 +0000
+++ b/print/cups/Makefile Mon Nov 05 20:16:19 2007 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.127 2007/10/22 11:56:46 dsainty Exp $
+# $NetBSD: Makefile,v 1.128 2007/11/05 20:16:19 adrianp Exp $
#
# The CUPS author is very good about taking back changes into the main
# CUPS distribution. The correct place to send patches or bug-fixes is:
@@ -9,7 +9,7 @@
BASE_VERS= 1.2.12
DIST_VERS= ${BASE_VERS}
VERS= ${DIST_VERS:S/-/./g}
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= print
MASTER_SITES= http://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
ftp://ftp2.easysw.com/pub/cups/${BASE_VERS}/ \
diff -r 1524134622df -r 1981c725952b print/cups/distinfo
--- a/print/cups/distinfo Mon Nov 05 20:08:45 2007 +0000
+++ b/print/cups/distinfo Mon Nov 05 20:16:19 2007 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.52 2007/08/15 04:15:10 markd Exp $
+$NetBSD: distinfo,v 1.53 2007/11/05 20:16:19 adrianp Exp $
SHA1 (cups-1.2.12-source.tar.bz2) = 11a540f76a1d3164b6636bf8ba47928803ad9356
RMD160 (cups-1.2.12-source.tar.bz2) = 598270e37ff8a9b9ff1e667066d6f7e120493e32
@@ -10,3 +10,4 @@
SHA1 (patch-an) = 4c5271b0f4a262e782e3de8396870498125675bd
SHA1 (patch-ao) = 5cb88810f316ffad2a004d13e65b70108c8234b2
SHA1 (patch-at) = eea32b989402c353f5f1644348c1042a3d4ddfa1
+SHA1 (patch-au) = 9d9f8474cb553e112f5b53e84593347f919534e1
diff -r 1524134622df -r 1981c725952b print/cups/patches/patch-au
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/print/cups/patches/patch-au Mon Nov 05 20:16:19 2007 +0000
@@ -0,0 +1,155 @@
+$NetBSD: patch-au,v 1.9 2007/11/05 20:16:19 adrianp Exp $
+
+# CVE-2007-4351
+
+--- cups/ipp.c.orig 2007-02-05 20:25:50.000000000 +0000
++++ cups/ipp.c
+@@ -1315,6 +1315,12 @@ ippReadIO(void *src, /* I - Data
+ {
+ case IPP_TAG_INTEGER :
+ case IPP_TAG_ENUM :
++ if (n != 4)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 4) < 4)
+ {
+ DEBUG_puts("ippReadIO: Unable to read integer value!");
+@@ -1327,6 +1333,12 @@ ippReadIO(void *src, /* I - Data
+ value->integer = n;
+ break;
+ case IPP_TAG_BOOLEAN :
++ if (n != 1)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 1) < 1)
+ {
+ DEBUG_puts("ippReadIO: Unable to read boolean value!");
+@@ -1344,6 +1356,12 @@ ippReadIO(void *src, /* I - Data
+ case IPP_TAG_CHARSET :
+ case IPP_TAG_LANGUAGE :
+ case IPP_TAG_MIMETYPE :
++ if (n >= sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, n) < n)
+ {
+ DEBUG_puts("ippReadIO: unable to read name!");
+@@ -1356,6 +1374,12 @@ ippReadIO(void *src, /* I - Data
+ value->string.text));
+ break;
+ case IPP_TAG_DATE :
++ if (n != 11)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, value->date, 11) < 11)
+ {
+ DEBUG_puts("ippReadIO: Unable to date integer value!");
+@@ -1363,6 +1387,12 @@ ippReadIO(void *src, /* I - Data
+ }
+ break;
+ case IPP_TAG_RESOLUTION :
++ if (n != 9)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 9) < 9)
+ {
+ DEBUG_puts("ippReadIO: Unable to read resolution value!");
+@@ -1379,6 +1409,12 @@ ippReadIO(void *src, /* I - Data
+ (ipp_res_t)buffer[8];
+ break;
+ case IPP_TAG_RANGE :
++ if (n != 8)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 8) < 8)
+ {
+ DEBUG_puts("ippReadIO: Unable to read range value!");
+@@ -1394,7 +1430,7 @@ ippReadIO(void *src, /* I - Data
+ break;
+ case IPP_TAG_TEXTLANG :
+ case IPP_TAG_NAMELANG :
+- if (n > sizeof(buffer) || n < 4)
++ if (n >= sizeof(buffer) || n < 4)
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+@@ -1420,22 +1456,27 @@ ippReadIO(void *src, /* I - Data
+
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if (n >= sizeof(string))
++ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
++ n >= sizeof(string))
+ {
+- memcpy(string, bufptr + 2, sizeof(string) - 1);
+- string[sizeof(string) - 1] = '\0';
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
+ }
+- else
+- {
+- memcpy(string, bufptr + 2, n);
+- string[n] = '\0';
+- }
++
++ memcpy(string, bufptr + 2, n);
++ string[n] = '\0';
+
+ value->string.charset = _cupsStrAlloc((char *)string);
+
+ bufptr += 2 + n;
+ n = (bufptr[0] << 8) | bufptr[1];
+
++ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ bufptr[2 + n] = '\0';
+ value->string.text = _cupsStrAlloc((char *)bufptr + 2);
+ break;
+@@ -1477,6 +1518,12 @@ ippReadIO(void *src, /* I - Data
+ * we need to carry over...
+ */
+
++ if (n >= sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, n) < n)
+ {
+ DEBUG_puts("ippReadIO: Unable to read member name value!");
+@@ -1498,6 +1545,12 @@ ippReadIO(void *src, /* I - Data
+ break;
+
+ default : /* Other unsupported values */
++ if (n > sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ value->unknown.length = n;
+ if (n > 0)
+ {
Home |
Main Index |
Thread Index |
Old Index