authortron <tron@pkgsrc.org>2014-05-16 14:30:01 +0000
committertron <tron@pkgsrc.org>2014-05-16 14:30:01 +0000
commitb7fd95b4ba393c4a1f656990c87e9e65534bf269 (patch)
tree0aa96eefda385c536b43d991c2bde3c23dd31bc0
parent2ac03ce1b35577b8adb233a088f69c317b8d03f6 (diff)
Pullup ticket #4407 - requested by wiz
print/cups: security patch Revisions pulled up: - print/cups/Makefile 1.204 - print/cups/distinfo 1.98 - print/cups/patches/patch-scheduler_client.c 1.1 --- Module Name: pkgsrc Committed By: wiz Date: Thu May 15 12:51:58 UTC 2014 Modified Files: pkgsrc/print/cups: Makefile distinfo Added Files: pkgsrc/print/cups/patches: patch-scheduler_client.c Log Message: Fix CVE-2014-2856 using upstream patch. Bump PKGREVISION.
-rw-r--r--print/cups/Makefile4
-rw-r--r--print/cups/distinfo3
-rw-r--r--print/cups/patches/patch-scheduler_client.c22
3 files changed, 26 insertions, 3 deletions
diff --git a/print/cups/Makefile b/print/cups/Makefile
index de9b6b825ae..46269cb071c 100644
--- a/print/cups/Makefile
+++ b/print/cups/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.201 2014/02/12 23:18:28 tron Exp $
+# $NetBSD: Makefile,v 1.201.2.1 2014/05/16 14:30:01 tron Exp $
#
# The CUPS author is very good about taking back changes into the main
# CUPS distribution. The correct place to send patches or bug-fixes is:
@@ -9,7 +9,7 @@ PKGNAME= cups-${DIST_VERS:S/-/./g}
BASE_VERS= 1.5.4
DIST_VERS= ${BASE_VERS}
-PKGREVISION= 9
+PKGREVISION= 11
CATEGORIES= print
MASTER_SITES= http://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
ftp://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
diff --git a/print/cups/distinfo b/print/cups/distinfo
index ad295b9b6c5..e4e8df40bdf 100644
--- a/print/cups/distinfo
+++ b/print/cups/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.96 2013/10/12 06:01:58 richard Exp $
+$NetBSD: distinfo,v 1.96.4.1 2014/05/16 14:30:01 tron Exp $
SHA1 (cups-1.5.4-source.tar.bz2) = cb39961cbaf1851a47694828ad9a7cdf4da51fbd
RMD160 (cups-1.5.4-source.tar.bz2) = 9d6a7fd69d3036ec1f3dfd9c70672a2c6fb517b6
@@ -18,4 +18,5 @@ SHA1 (patch-conf_Makefile) = 5b5d45abc1e8d6b73a1ad6b7a7098714d4c55395
SHA1 (patch-config-scripts_cups-gssapi.m4) = 6f558ee1d2d56ceba3a9705d3278c7969495be5d
SHA1 (patch-ppdc_Makefile) = 7dcc34217557a4c6f42064b61abf593bd7620b60
SHA1 (patch-scheduler_auth.c) = 2056f20500e3c6e857f9dd2c83709c15be38fe0e
+SHA1 (patch-scheduler_client.c) = d4b6667199c0ff9617847ba119b82a50457cfd98
SHA1 (patch-scheduler_dirsvc.c) = 62c6b47522a60b9f8042421e4a9d25a5dfa47c47
diff --git a/print/cups/patches/patch-scheduler_client.c b/print/cups/patches/patch-scheduler_client.c
new file mode 100644
index 00000000000..8822cf2c6b7
--- /dev/null
+++ b/print/cups/patches/patch-scheduler_client.c
@@ -0,0 +1,22 @@
+$NetBSD: patch-scheduler_client.c,v 1.1.2.2 2014/05/16 14:30:01 tron Exp $
+
+Fix for CVE-2014-2856 from
+http://www.cups.org/str.php?L4356
+
+--- scheduler/client.c.orig 2012-03-07 06:05:39.000000000 +0000
++++ scheduler/client.c
+@@ -4075,6 +4075,14 @@ is_path_absolute(const char *path) /* I
+ return (0);
+
+ /*
++ * Check for "<" or quotes in the path and reject since this is probably
++ * someone trying to inject HTML...
++ */
++
++ if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
++ return (0);
++
++ /*
+ * Check for "/.." in the path...
+ */
+
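Review bot: The check added to is_path_absolute() is a three-character denylist (`<`, `"`, `'`) on the request path, so it only protects the output if the path reaches this function already decoded and is only ever reflected in contexts where those characters matter. The code that writes the path into an HTML response is outside this hunk and should still escape it on output rather than rely on this filter alone. Whether percent-decoding happens before this call is not visible here and is worth confirming against the caller. The three scans can be one call, `if (strpbrk(path, "<\"'") != NULL) return (0);`. The function's header comment, which starts above the hunk, should say that the function now also rejects HTML metacharacters, since its name only promises an absoluteness check.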