diff --git a/cups-CVE-2008-0047.patch b/cups-CVE-2008-0047.patch
new file mode 100644
index 0000000..ac2ba64
--- /dev/null
+++ b/cups-CVE-2008-0047.patch
@@ -0,0 +1,14 @@
+diff -up cups-1.2.12/cgi-bin/search.c.CVE-2008-0047 cups-1.2.12/cgi-bin/search.c
+--- cups-1.2.12/cgi-bin/search.c.CVE-2008-0047 2006-09-17 20:01:47.000000000 +0100
++++ cups-1.2.12/cgi-bin/search.c 2008-04-01 16:55:01.000000000 +0100
+@@ -171,7 +171,9 @@ cgiCompileSearch(const char *query) /* I
+ * string + RE overhead...
+ */
+
+- wlen = (sptr - s) + 4 * wlen + 2 * strlen(prefix) + 4;
++ wlen = (sptr - s) + 2 * 4 * wlen + 2 * strlen(prefix) + 11;
++ if (lword)
++ wlen += strlen(lword);
+
+ if (wlen > slen)
+ {
diff --git a/cups-CVE-2008-0053.patch b/cups-CVE-2008-0053.patch
new file mode 100644
index 0000000..e7f0867
--- /dev/null
+++ b/cups-CVE-2008-0053.patch
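Review bot: The new size estimate in cgiCompileSearch replaces one set of unexplained constants (`4 * wlen`, `+ 4`) with another (`2 * 4 * wlen`, `+ 11`, plus `strlen(lword)`), and the comment above it still only says "string + RE overhead", so the next person to touch the regular-expression template has no way to know which term reserves space for what. I would add a comment right above the assignment that ties each term to the RE text it covers, something like `/* NOTE: keep in sync with the RE built below — 2*4*wlen presumably covers both word forms fully escaped, 11 the fixed framing; confirm against the template */`, with the "presumably" resolved by whoever can see the template. The surrounding check `if (wlen > slen)` is what makes the estimate safe, so the comment should also say that this value must never be smaller than what is actually written. cgiCompileSearch starts and ends outside the hunk.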
@@ -0,0 +1,47 @@
+diff -up cups-1.2.12/filter/hpgl-input.c.CVE-2008-0053 cups-1.2.12/filter/hpgl-input.c
+--- cups-1.2.12/filter/hpgl-input.c.CVE-2008-0053 2007-07-06 23:39:54.000000000 +0100
++++ cups-1.2.12/filter/hpgl-input.c 2008-04-01 16:56:26.000000000 +0100
+@@ -3,6 +3,7 @@
+ *
+ * HP-GL/2 input processing for the Common UNIX Printing System (CUPS).
+ *
++ * Copyright 2007-2008 by Apple Inc.
+ * Copyright 1993-2006 by Easy Software Products.
+ *
+ * These coded instructions, statements, and computer programs are the
+@@ -56,6 +57,7 @@ ParseCommand(FILE *fp, /* I - File to
+ i; /* Looping var */
+ char buf[262144], /* String buffer */
+ *bufptr; /* Pointer into buffer */
++ float temp; /* Temporary parameter value */
+ static param_t p[MAX_PARAMS]; /* Parameter buffer */
+
+
+@@ -220,10 +222,10 @@ ParseCommand(FILE *fp, /* I - File to
+ case '-' :
+ case '+' :
+ ungetc(ch, fp);
+- fscanf(fp, "%f", &(p[num_params].value.number));
+- if (num_params < MAX_PARAMS)
++ if (fscanf(fp, "%f", &temp) == 1 && num_params < MAX_PARAMS)
+ {
+- p[num_params].type = PARAM_RELATIVE;
++ p[num_params].type = PARAM_RELATIVE;
++ p[num_params].value.number = temp;
+ num_params ++;
+ }
+ break;
+@@ -239,10 +241,10 @@ ParseCommand(FILE *fp, /* I - File to
+ case '9' :
+ case '.' :
+ ungetc(ch, fp);
+- fscanf(fp, "%f", &(p[num_params].value.number));
+- if (num_params < MAX_PARAMS)
++ if (fscanf(fp, "%f", &temp) == 1 && num_params < MAX_PARAMS)
+ {
+- p[num_params].type = PARAM_ABSOLUTE;
++ p[num_params].type = PARAM_ABSOLUTE;
++ p[num_params].value.number = temp;
+ num_params ++;
+ }
+ break;
diff --git a/cups-CVE-2008-1373.patch b/cups-CVE-2008-1373.patch
new file mode 100644
index 0000000..44da6ed
--- /dev/null
+++ b/cups-CVE-2008-1373.patch
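Review bot: In both ParseCommand hunks (the `'-'`/`'+'` case and the `'9'`/`'.'` case) a parameter is now silently dropped in two distinct situations — `fscanf` did not match a number, or `num_params` already equals `MAX_PARAMS` — and the code gives no hint that this is intentional, so a reader may later "fix" it back into the overflow this patch removes. Reading into the local `temp` before the bounds check is the right shape; I would document it at the first hunk with `/* read into temp first: never write p[num_params] until num_params is checked against MAX_PARAMS; excess or unparsable parameters are deliberately ignored */` and reference it from the second. Note also that after `ungetc(ch, fp)` a failed `fscanf` has still consumed the sign or digit, so the remainder of the command is parsed as if that token were absent; if the file has a diagnostic path for malformed input this would be the place to use it, but nothing in the hunk shows one. ParseCommand starts and ends outside the hunk.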
@@ -0,0 +1,22 @@
+diff -up cups-1.2.12/filter/image-gif.c.CVE-2008-1373 cups-1.2.12/filter/image-gif.c
+--- cups-1.2.12/filter/image-gif.c.CVE-2008-1373 2006-05-11 12:41:36.000000000 +0100
++++ cups-1.2.12/filter/image-gif.c 2008-04-01 16:57:58.000000000 +0100
+@@ -47,6 +47,8 @@
+ #define GIF_INTERLACE 0x40
+ #define GIF_COLORMAP 0x80
+
++#define MAX_LWZ_BITS 12
++
+ typedef cups_ib_t gif_cmap_t[256][4];
+ typedef short gif_table_t[4096];
+
+@@ -471,6 +473,9 @@ gif_read_image(FILE *fp, /* I -
+ pass = 0;
+ code_size = getc(fp);
+
++ if (code_size > MAX_LWZ_BITS)
++ return (-1);
++
+ if (gif_read_lzw(fp, 1, code_size) < 0)
+ return (-1);
+
diff --git a/cups.spec b/cups.spec
index 262c060..e596bd8 100644
--- a/cups.spec
+++ b/cups.spec
@@ -6,7 +6,7 @@
 Summary: Common Unix Printing System
 Name: cups
 Version: 1.2.12
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPL
 Group: System Environment/Daemons
 Source: ftp://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2
@@ -52,6 +52,9 @@ Patch27: cups-CVE-2007-4351.patch
 Patch28: cups-CVE-2007-4352,5392,5393.patch
 Patch29: cups-CVE-2007-4045.patch
 Patch30: cups-str2656.patch
+Patch31: cups-CVE-2008-0047.patch
+Patch32: cups-CVE-2008-0053.patch
+Patch33: cups-CVE-2008-1373.patch
 Patch100: cups-lspp.patch
 Epoch: 1
 Url: http://www.cups.org/
@@ -166,6 +169,9 @@ lpd emulation.
 %patch28 -p1 -b .CVE-2007-4352,5392,5393
 %patch29 -p1 -b .CVE-2007-4045
 %patch30 -p1 -b .str2656
+%patch31 -p1 -b .CVE-2008-0047
+%patch32 -p1 -b .CVE-2008-0053
+%patch33 -p1 -b .CVE-2008-1373
 %if %lspp
 %patch100 -p1 -b .lspp
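Review bot: The new guard in gif_read_image only bounds `code_size` from above, but `code_size = getc(fp)` returns `EOF` (-1) on a truncated file and `-1 > MAX_LWZ_BITS` is false, so that value still reaches `gif_read_lzw` unless that function rejects negative input itself, which is outside this hunk. Since the check is being added precisely to keep the LZW table index in range, I would make it two-sided: `if (code_size < 0 || code_size > MAX_LWZ_BITS) return (-1);`. A short comment on `MAX_LWZ_BITS`, such as `/* largest LZW code width the 4096-entry gif_table_t can hold */`, would also tie the constant to the `gif_table_t[4096]` typedef a few lines above it rather than leaving 12 as a bare number. gif_read_image starts and ends outside the hunk.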
@@ -453,6 +459,12 @@ rm -rf $RPM_BUILD_ROOT %{cups_serverbin}/daemon/cups-lpd %changelog +* Tue Apr 1 2008 Tim Waugh 1:1.2.12-10 +- Applied patch to fix CVE-2008-1373 (GIF overflow, bug #438303). +- Applied patch to fix CVE-2008-0053 (HP-GL/2 input processing, bug #438117). +- Applied patch to prevent heap-based buffer overflow in CUPS helper + program (bug #436153, CVE-2008-0047, STR #2729). + * Fri Feb 22 2008 Tim Waugh 1:1.2.12-9 - Prevent double-free when a browsed class has the same name as a printer or vice versa (CVE-2008-0882, bug #433758, STR #2656).