Hello community, here is the log from the commit of package cups for openSUSE:Leap:15.2 checked in at 2020-04-30 18:51:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/cups (Old) and /work/SRC/openSUSE:Leap:15.2/.cups.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "cups" Thu Apr 30 18:51:16 2020 rev:30 rq:797246 version:2.2.7 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/cups/cups.changes 2020-01-15 14:51:21.565449709 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.cups.new.2738/cups.changes 2020-04-30 18:51:23.828592609 +0200 @@ -1,0 +2,6 @@ +Mon Apr 6 10:59:36 CEST 2020 - jsmeix@suse.de + +- cups-2.2.7-CVE-2020-3898.patch fixes CVE-2020-3898 (bsc#1168422) + heap-buffer-overflow in libcups ppdFindOption() function + +------------------------------------------------------------------- New: ---- cups-2.2.7-CVE-2020-3898.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cups.spec ++++++ --- /var/tmp/diff_new_pack.GZ2XyH/_old 2020-04-30 18:51:24.896594885 +0200 +++ /var/tmp/diff_new_pack.GZ2XyH/_new 2020-04-30 18:51:24.900594893 +0200 @@ -92,6 +92,9 @@ # and some other security/disclosure issues # https://github.com/apple/cups/commit/f24e6cf6a39300ad0c3726a41a4aab51ad54c10... Patch107: cups-2.2.7-CVE-2019-8675.CVE-2019-8696.patch +# Patch108 cups-2.2.7-CVE-2020-3898.patch fixes CVE-2020-3898 (bsc#1168422) +# heap-buffer-overflow in libcups ppdFindOption() function +Patch108: cups-2.2.7-CVE-2020-3898.patch BuildRequires: dbus-1-devel BuildRequires: fdupes BuildRequires: gcc-c++ @@ -363,6 +366,9 @@ # and some other security/disclosure issues # https://github.com/apple/cups/commit/f24e6cf6a39300ad0c3726a41a4aab51ad54c10... %patch107 -b CVE-2019-8675.CVE-2019-8696.orig +# Patch108 cups-2.2.7-CVE-2020-3898.patch fixes CVE-2020-3898 (bsc#1168422) +# heap-buffer-overflow in libcups ppdFindOption() function +%patch108 -b CVE-2020-3898.orig %build # Remove ".SILENT" rule for verbose build output ++++++ cups-2.2.7-CVE-2020-3898.patch ++++++ --- cups/ppd.c.orig 2018-03-23 04:48:36.000000000 +0100 +++ cups/ppd.c 2020-04-06 11:52:56.257015366 +0200 @@ -1753,8 +1753,7 @@ _ppdOpen( constraint->choice1, constraint->option2, constraint->choice2)) { - case 0 : /* Error */ - case 1 : /* Error */ + default : /* Error */ pg->ppd_status = PPD_BAD_UI_CONSTRAINTS; goto error; --- ppdc/ppdc-source.cxx.orig 2018-03-23 04:48:36.000000000 +0100 +++ ppdc/ppdc-source.cxx 2020-04-06 11:59:29.061404709 +0200 @@ -1746,14 +1746,16 @@ ppdcSource::get_resolution(ppdcFile *fp) switch (sscanf(name, "%dx%d", &xdpi, &ydpi)) { - case 0 : - _cupsLangPrintf(stderr, - _("ppdc: Bad resolution name \"%s\" on line %d of " - "%s."), name, fp->line, fp->filename); - break; case 1 : ydpi = xdpi; break; + case 2 : + break; + default : + _cupsLangPrintf(stderr, + _("ppdc: Bad resolution name \"%s\" on line %d of " + "%s."), name, fp->line, fp->filename); + break; } // Create the necessary PS commands...