![](https://seccdn.libravatar.org/avatar/e2145bc5cf53dda95c308a3c75e8fef3.jpg?s=120&d=mm&r=g)
Hello community, here is the log from the commit of package cups checked in at Tue Jan 16 17:12:50 CET 2007. -------- --- cups/cups.changes 2007-01-10 11:32:52.000000000 +0100 +++ /mounts/work_src_done/STABLE/cups/cups.changes 2007-01-16 11:31:21.769156000 +0100 @@ -1,0 +2,5 @@ +Tue Jan 16 11:31:02 CET 2007 - kssingvo@suse.de + +- fix for xpdf bugzilla#233113, CVE-2007-0104, swamp-7887 + +------------------------------------------------------------------- New: ---- cups-1.2.6-xpdf_CVE_2007_0104.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cups.spec ++++++ --- /var/tmp/diff_new_pack.z13188/_old 2007-01-16 17:07:11.000000000 +0100 +++ /var/tmp/diff_new_pack.z13188/_new 2007-01-16 17:07:11.000000000 +0100 @@ -17,7 +17,7 @@ Group: Hardware/Printing Summary: The Common UNIX Printing System Version: 1.2.7 -Release: 11 +Release: 13 Requires: cups-libs = %{version}, cups-client = %{version} Requires: ghostscript_any, ghostscript-fonts-std, foomatic-filters Requires: util-linux, /usr/bin/ionice @@ -51,6 +51,7 @@ Patch15: cups-1.2.2-testppd_filename.patch Patch16: cups-1.2.5-desktop_file.patch Patch17: cups-1.2.6-lppasswd_permission.patch +Patch18: cups-1.2.6-xpdf_CVE_2007_0104.patch Patch100: cups-1.1.23-testpage.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %if %suse_version >= 801 @@ -370,6 +371,8 @@ %{_datadir}/locale/*/cups_* %changelog -n cups +* Tue Jan 16 2007 - kssingvo@suse.de +- fix for xpdf bugzilla#233113, CVE-2007-0104, swamp-7887 * Wed Jan 10 2007 - kssingvo@suse.de - added Required-Start: to rccupsrenice (bugzilla#231675) * Fri Jan 05 2007 - sbrabec@suse.cz ++++++ cups-1.2.6-xpdf_CVE_2007_0104.patch ++++++ --- cups-1.2.7/pdftops/Catalog.cxx.orig 2005-09-17 16:52:15.000000000 +0200 +++ cups-1.2.7/pdftops/Catalog.cxx 2007-01-16 11:15:23.000000000 +0100 @@ -23,6 +23,12 @@ #include "Link.h" #include "Catalog.h" +// This define is used to limit the depth of recursive readPageTree calls +// This is needed because the page tree nodes can reference their parents +// leaving us in an infinite loop +// Most sane pdf documents don't have a call depth higher than 10 +#define MAX_CALL_DEPTH 1000 + //------------------------------------------------------------------------ // Catalog //------------------------------------------------------------------------ @@ -71,7 +77,7 @@ pageRefs[i].num = -1; pageRefs[i].gen = -1; } - numPages = readPageTree(pagesDict.getDict(), NULL, 0); + numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0); if (numPages != numPages0) { error(-1, "Page count in top-level pages object is incorrect"); } @@ -169,7 +175,7 @@ return s; } -int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) { +int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) { Object kids; Object kid; Object kidRef; @@ -214,9 +220,13 @@ // This should really be isDict("Pages"), but I've seen at least one // PDF file where the /Type entry is missing. } else if (kid.isDict()) { - if ((start = readPageTree(kid.getDict(), attrs1, start)) - < 0) - goto err2; + if (callDepth > MAX_CALL_DEPTH) { + error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH); + } else { + if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1)) + < 0) + goto err2; + } } else { error(-1, "Kid object (page %d) is wrong type (%s)", start+1, kid.getTypeName()); --- cups-1.2.7/pdftops/Catalog.h.orig 2005-09-17 16:52:15.000000000 +0200 +++ cups-1.2.7/pdftops/Catalog.h 2007-01-16 11:15:23.000000000 +0100 @@ -85,7 +85,7 @@ Object acroForm; // AcroForm dictionary GBool ok; // true if catalog is valid - int readPageTree(Dict *pages, PageAttrs *attrs, int start); + int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth); Object *findDestInTree(Object *tree, GString *name, Object *obj); }; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
participants (1)
-
root@Hilbert.suse.de