diff --git a/cups-CVE-2008-5183.patch b/cups-CVE-2008-5183.patch
new file mode 100644
index 0000000..f55cb24
--- /dev/null
+++ b/cups-CVE-2008-5183.patch
@@ -0,0 +1,170 @@ +diff -up cups-1.3.9/scheduler/ipp.c.CVE-2008-5183 cups-1.3.9/scheduler/ipp.c +--- cups-1.3.9/scheduler/ipp.c.CVE-2008-5183 2008-12-03 12:16:23.000000000 +0000 ++++ cups-1.3.9/scheduler/ipp.c 2008-12-03 12:17:16.000000000 +0000 +@@ -2348,24 +2348,25 @@ add_job_subscriptions( + if (mask == CUPSD_EVENT_NONE) + mask = CUPSD_EVENT_JOB_COMPLETED; + +- sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, recipient, +- 0); ++ if ((sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, ++ recipient, 0)) != NULL) ++ { ++ sub->interval = interval; + +- sub->interval = interval; ++ cupsdSetString(&sub->owner, job->username); + +- cupsdSetString(&sub->owner, job->username); ++ if (user_data) ++ { ++ sub->user_data_len = user_data->values[0].unknown.length; ++ memcpy(sub->user_data, user_data->values[0].unknown.data, ++ sub->user_data_len); ++ } + +- if (user_data) +- { +- sub->user_data_len = user_data->values[0].unknown.length; +- memcpy(sub->user_data, user_data->values[0].unknown.data, +- sub->user_data_len); ++ ippAddSeparator(con->response); ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER, ++ "notify-subscription-id", sub->id); + } + +- ippAddSeparator(con->response); +- ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER, +- "notify-subscription-id", sub->id); +- + if (attr) + attr = attr->next; + } +@@ -6028,7 +6029,12 @@ create_subscription( + else + job = NULL; + +- sub = cupsdAddSubscription(mask, printer, job, recipient, 0); ++ if ((sub = cupsdAddSubscription(mask, printer, job, recipient, 0)) == NULL) ++ { ++ send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS, ++ _("There are too many subscriptions.")); ++ return; ++ } + + if (job) + cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d", +diff -up cups-1.3.9/scheduler/subscriptions.c.CVE-2008-5183 cups-1.3.9/scheduler/subscriptions.c +--- cups-1.3.9/scheduler/subscriptions.c.CVE-2008-5183 2008-12-03 12:16:23.000000000 +0000 ++++ 
cups-1.3.9/scheduler/subscriptions.c 2008-12-03 12:17:16.000000000 +0000 +@@ -341,8 +341,54 @@ cupsdAddSubscription( + * Limit the number of subscriptions... + */ + +- if (cupsArrayCount(Subscriptions) >= MaxSubscriptions) ++ if (MaxSubscriptions > 0 && cupsArrayCount(Subscriptions) >= MaxSubscriptions) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached MaxSubscriptions %d", ++ MaxSubscriptions); + return (NULL); ++ } ++ ++ if (MaxSubscriptionsPerJob > 0 && job) ++ { ++ int count; /* Number of job subscriptions */ ++ ++ for (temp = (cupsd_subscription_t *)cupsArrayFirst(Subscriptions), ++ count = 0; ++ temp; ++ temp = (cupsd_subscription_t *)cupsArrayNext(Subscriptions)) ++ if (temp->job == job) ++ count ++; ++ ++ if (count >= MaxSubscriptionsPerJob) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached MaxSubscriptionsPerJob %d " ++ "for job #%d", MaxSubscriptionsPerJob, job->id); ++ return (NULL); ++ } ++ } ++ ++ if (MaxSubscriptionsPerPrinter > 0 && dest) ++ { ++ int count; /* Number of printer subscriptions */ ++ ++ for (temp = (cupsd_subscription_t *)cupsArrayFirst(Subscriptions), ++ count = 0; ++ temp; ++ temp = (cupsd_subscription_t *)cupsArrayNext(Subscriptions)) ++ if (temp->dest == dest) ++ count ++; ++ ++ if (count >= MaxSubscriptionsPerPrinter) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached " ++ "MaxSubscriptionsPerPrinter %d for %s", ++ MaxSubscriptionsPerPrinter, dest->name); ++ return (NULL); ++ } ++ } + + /* + * Allocate memory for this subscription... 
+@@ -758,7 +804,6 @@ cupsdLoadAllSubscriptions(void) + cupsdLogMessage(CUPSD_LOG_ERROR, + "Syntax error on line %d of subscriptions.conf.", + linenum); +- break; + } + else if (!strcasecmp(line, "Events")) + { +diff -up cups-1.3.9/test/4.4-subscription-ops.test.CVE-2008-5183 cups-1.3.9/test/4.4-subscription-ops.test +--- cups-1.3.9/test/4.4-subscription-ops.test.CVE-2008-5183 2007-07-09 21:34:48.000000000 +0100 ++++ cups-1.3.9/test/4.4-subscription-ops.test 2008-12-03 12:17:16.000000000 +0000 +@@ -116,6 +116,32 @@ + EXPECT notify-events + DISPLAY notify-events + } ++{ ++ # The name of the test... ++ NAME "Check MaxSubscriptions limits" ++ ++ # The operation to use ++ OPERATION Create-Printer-Subscription ++ RESOURCE / ++ ++ # The attributes to send ++ GROUP operation ++ ATTR charset attributes-charset utf-8 ++ ATTR language attributes-natural-language en ++ ATTR uri printer-uri $method://$hostname:$port/printers/Test1 ++ ++ GROUP subscription ++ ATTR uri notify-recipient-uri testnotify:// ++ ATTR keyword notify-events printer-state-changed ++ ATTR integer notify-lease-duration 5 ++ ++ # What statuses are OK? ++ STATUS client-error-too-many-subscriptions ++ ++ # What attributes do we expect? ++ EXPECT attributes-charset ++ EXPECT attributes-natural-language ++} + + # + # End of "$Id: 4.4-subscription-ops.test 6635 2007-07-09 20:34:48Z mike $" +diff -up cups-1.3.9/test/run-stp-tests.sh.CVE-2008-5183 cups-1.3.9/test/run-stp-tests.sh +--- cups-1.3.9/test/run-stp-tests.sh.CVE-2008-5183 2008-07-14 19:29:58.000000000 +0100 ++++ cups-1.3.9/test/run-stp-tests.sh 2008-12-03 12:17:16.000000000 +0000 +@@ -307,6 +307,7 @@ FontPath /tmp/cups-$user/share/fonts + DocumentRoot $root/doc + RequestRoot /tmp/cups-$user/spool + TempDir /tmp/cups-$user/spool/temp ++MaxSubscriptions 3 + MaxLogSize 0 + AccessLog /tmp/cups-$user/log/access_log + ErrorLog /tmp/cups-$user/log/error_log diff --git a/cups.spec b/cups.spec index 0108dc7..0d72d87 100644 --- a/cups.spec +++ b/cups.spec 
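Review bot: In the first scheduler/ipp.c hunk (add_job_subscriptions), a NULL return from cupsdAddSubscription() is now skipped with no status and no log at the call site, whereas create_subscription answers IPP_TOO_MANY_SUBSCRIPTIONS, so a client is not told that its job subscription was dropped. The limit messages added in cupsdAddSubscription() are all logged at CUPSD_LOG_DEBUG, so a reached limit, which is the signal of subscription flooding, does not appear in error_log unless debug logging is enabled. I would add an else branch such as `else cupsdLogMessage(CUPSD_LOG_WARN, "Unable to add subscription for job %d - subscription limit reached", job->id);` and consider raising the three limit messages above debug level. The memcpy into sub->user_data that moves inside the new block still copies unknown.length bytes; the bound on that length is presumably enforced earlier in the function, outside the hunk, and is worth confirming against the size of user_data. Both functions begin and end outside the hunks shown.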
@@ -50,6 +50,7 @@ Patch22: cups-getnameddest.patch Patch23: cups-str2536.patch Patch24: cups-str2988.patch Patch25: cups-str3023.patch +Patch26: cups-CVE-2008-5183.patch Patch100: cups-lspp.patch Epoch: 1 Url: http://www.cups.org/ @@ -173,6 +174,7 @@ lpd emulation. %patch23 -p1 -b .str2536 %patch24 -p1 -b .str2988 %patch25 -p1 -b .str3023 +%patch26 -p1 -b .CVE-2008-5183 %if %lspp %patch100 -p1 -b .lspp @@ -455,6 +457,10 @@ rm -rf $RPM_BUILD_ROOT %{cups_serverbin}/daemon/cups-lpd %changelog +* Wed Dec 3 2008 Tim Waugh +- Applied patch to fix RSS subscription limiting (bug #473901, + CVE-2008-5183). + * Tue Nov 25 2008 Tim Waugh - Fixed cups-polld again for res_init (STR #3023, bug #354071).