commit cups
  • From: root@xxxxxxxxxxxxxxx (h_root)
  • Date: Sat, 03 Nov 2007 16:14:51 +0100
  • Message-id: <20071103151451.5869A678336@xxxxxxxxxxxxxxx>

Hello community,

here is the log from the commit of package cups
checked in at Sat Nov 3 16:14:51 CET 2007.

--------
--- cups/cups.changes 2007-10-15 19:40:36.000000000 +0200
+++ /mounts/work_src_done/STABLE/cups/cups.changes 2007-10-23
12:31:33.854982000 +0200
@@ -1,0 +2,5 @@
+Tue Oct 23 12:31:31 CEST 2007 - kssingvo@xxxxxxx
+
+- fix for IPP boundaries swamp-14294, CVE-2007-4351 (bugzilla#335635)
+
+-------------------------------------------------------------------

New:
----
cups-1.3-ipp_length.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cups.spec ++++++
--- /var/tmp/diff_new_pack.Qn3033/_old 2007-11-03 16:14:38.000000000 +0100
+++ /var/tmp/diff_new_pack.Qn3033/_new 2007-11-03 16:14:38.000000000 +0100
@@ -17,7 +17,7 @@
Group: Hardware/Printing
Summary: The Common UNIX Printing System
Version: 1.3.3
-Release: 1
+Release: 8
Requires: cups-libs = %{version}, cups-client = %{version}
Requires: ghostscript_any, ghostscript-fonts-std, foomatic-filters
Requires: util-linux
@@ -52,6 +52,7 @@
Patch15: cups-1.2.11-testppd_filename.patch
Patch16: cups-1.2.5-desktop_file.patch
Patch17: cups-1.3.3-testppd_none.patch
+Patch18: cups-1.3-ipp_length.patch
Patch100: cups-1.1.23-testpage.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if %suse_version >= 801
@@ -144,6 +145,7 @@
%patch15 -p1
%patch16 -p1
%patch17 -p1
+%patch18 -p1
if [ -f /.buildenv ]; then
. /.buildenv
else
@@ -380,6 +382,8 @@
%{_libdir}/libcupsimage.so.*
%{_datadir}/locale/*/cups_*
%changelog
+* Tue Oct 23 2007 - kssingvo@xxxxxxx
+- fix for IPP boundaries swamp-14294, CVE-2007-4351 (bugzilla#335635)
* Mon Oct 15 2007 - kssingvo@xxxxxxx
- upgrade to version 1.3.3. Main features to 1.2.x:
* Networking

++++++ cups-1.3-ipp_length.patch ++++++
Index: ipp.c
===================================================================
--- cups-1.3/cups/ipp.c (revision 7023)
+++ cups-1.3/cups/ipp.c (working copy)
@@ -1306,6 +1306,12 @@
{
case IPP_TAG_INTEGER :
case IPP_TAG_ENUM :
+ if (n != 4)
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
if ((*cb)(src, buffer, 4) < 4)
{
DEBUG_puts("ippReadIO: Unable to read integer value!");
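Review bot: The rejection message added for IPP_TAG_INTEGER/IPP_TAG_ENUM is the same text, `ippReadIO: bad value length %d!`, that the later hunks add for the boolean, string, date, resolution, range, member-name and unknown cases, so a debug log cannot tell which tag was refused or what length was expected. Naming the case would fix that, for example `DEBUG_printf(("ippReadIO: bad integer value length %d (expected 4)!\n", n));`, with matching wording in the other hunks. The case body continues outside the hunk.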
@@ -1318,6 +1324,12 @@
value->integer = n;
break;
case IPP_TAG_BOOLEAN :
+ if (n != 1)
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
if ((*cb)(src, buffer, 1) < 1)
{
DEBUG_puts("ippReadIO: Unable to read boolean value!");
@@ -1335,6 +1347,12 @@
case IPP_TAG_CHARSET :
case IPP_TAG_LANGUAGE :
case IPP_TAG_MIMETYPE :
+ if (n >= sizeof(buffer))
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
if ((*cb)(src, buffer, n) < n)
{
DEBUG_puts("ippReadIO: unable to read name!");
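Review bot: The new guard `if (n >= sizeof(buffer))` does not say why a value of exactly sizeof(buffer) bytes is refused. Presumably the code after the read (outside the hunk) stores a terminating nul at `buffer[n]`, and that byte is what the bound protects. A one-line comment would keep a later edit from relaxing it, e.g. `/* reject n == sizeof(buffer): one byte is kept for the trailing nul */`. The same applies to the member-name check in the `@@ -1468,6 +1509,12 @@` hunk.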
@@ -1347,6 +1365,12 @@
value->string.text));
break;
case IPP_TAG_DATE :
+ if (n != 11)
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
if ((*cb)(src, value->date, 11) < 11)
{
DEBUG_puts("ippReadIO: Unable to date integer value!");
@@ -1354,6 +1378,12 @@
}
break;
case IPP_TAG_RESOLUTION :
+ if (n != 9)
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
if ((*cb)(src, buffer, 9) < 9)
{
DEBUG_puts("ippReadIO: Unable to read resolution value!");
@@ -1370,6 +1400,12 @@
(ipp_res_t)buffer[8];
break;
case IPP_TAG_RANGE :
+ if (n != 8)
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
if ((*cb)(src, buffer, 8) < 8)
{
DEBUG_puts("ippReadIO: Unable to read range value!");
@@ -1385,7 +1421,7 @@
break;
case IPP_TAG_TEXTLANG :
case IPP_TAG_NAMELANG :
- if (n > sizeof(buffer) || n < 4)
+ if (n >= sizeof(buffer) || n < 4)
{
DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
return (IPP_ERROR);
@@ -1411,22 +1447,27 @@

n = (bufptr[0] << 8) | bufptr[1];

- if (n >= sizeof(string))
+ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
+ n >= sizeof(string))
{
- memcpy(string, bufptr + 2, sizeof(string) - 1);
- string[sizeof(string) - 1] = '\0';
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
}
- else
- {
- memcpy(string, bufptr + 2, n);
- string[n] = '\0';
- }

+ memcpy(string, bufptr + 2, n);
+ string[n] = '\0';
+
value->string.charset = _cupsStrAlloc((char *)string);

bufptr += 2 + n;
n = (bufptr[0] << 8) | bufptr[1];

+ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
bufptr[2 + n] = '\0';
value->string.text = _cupsStrAlloc((char *)bufptr + 2);
break;
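Review bot: Both new checks in the IPP_TAG_TEXTLANG/IPP_TAG_NAMELANG case bound the embedded lengths against `buffer + sizeof(buffer)`, the capacity of the buffer, rather than against the end of the value that was actually read, so an embedded length larger than the received value but smaller than the buffer would be accepted and the charset or text would be taken from bytes that are not part of this value. The second length is also read through `bufptr[0]`/`bufptr[1]` before anything confirms that two bytes remain, and `bufptr + 2 + n` can form a pointer well past the array, which is better written as a comparison of remaining byte counts. Keeping the outer length as an end pointer before `n` is reused covers all three; the read into buffer and the declarations are outside the hunk, so the sketch below assumes `n` still holds the outer value length where the hunk begins and that a new local `bufend` is declared with the others.

```c
/* n is presumably still the outer value length here - confirm against the read above */
bufend = buffer + n;

n = (bufptr[0] << 8) | bufptr[1];

if (n > (bufend - bufptr - 2) || n >= sizeof(string))
{
  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
  return (IPP_ERROR);
}

/* … unchanged: memcpy into string, terminator, _cupsStrAlloc of the charset … */

bufptr += 2 + n;

if ((bufend - bufptr) < 2)
{
  DEBUG_puts("ippReadIO: missing text length!");
  return (IPP_ERROR);
}

n = (bufptr[0] << 8) | bufptr[1];

if (n > (bufend - bufptr - 2))
{
  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
  return (IPP_ERROR);
}

/* … unchanged: terminator at bufptr[2 + n], _cupsStrAlloc of the text … */
```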
@@ -1468,6 +1509,12 @@
* we need to carry over...
*/

+ if (n >= sizeof(buffer))
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
if ((*cb)(src, buffer, n) < n)
{
DEBUG_puts("ippReadIO: Unable to read member name value!");
@@ -1489,6 +1536,12 @@
break;

default : /* Other unsupported values */
+ if (n > sizeof(buffer))
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+ }
+
value->unknown.length = n;
if (n > 0)
{
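Review bot: The check for unsupported value types uses `n > sizeof(buffer)` while every other variable-length case in this patch uses `>=`, and the visible lines do not show buffer being used in this case at all. If the value is stored elsewhere (the body continues outside the hunk), sizeof(buffer) is acting only as a size cap and a comment should say so, e.g. `/* cap unknown values at sizeof(buffer); no terminator is added here, hence > */`. If buffer is the destination and a terminator follows, this should be `>=` like the others.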
















++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...
