add some patches from upstream to fix security problems:

-use-after-free problem (CVE-2010-0302)
-information disclosure (CVE-2010-1748)
-unchecked memory allocation is texttops
-file overwrite problem
(I didn't find references from cups patches to CVE #s, or vice versa,
so the CVE #s are not certain.)
The missing http session check problem (CVE-2010-0540?) is not fixed,
this would be a large patch affecting tens of files.
bump PKGREVISION

6 files changed, 208 insertions, 3 deletions

diff --git a/print/cups/Makefile b/print/cups/Makefile
index 8a13e369bf8..a7bd802a006 100644
--- a/print/cups/Makefile
+++ b/print/cups/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.166 2010/06/13 22:45:14 wiz Exp $
+# $NetBSD: Makefile,v 1.167 2010/06/16 18:18:26 drochner Exp $
 #
 # The CUPS author is very good about taking back changes into the main
 # CUPS distribution.  The correct place to send patches or bug-fixes is:
@@ -8,7 +8,7 @@ DISTNAME=	cups-${DIST_VERS}-source
 PKGNAME=	cups-${DIST_VERS:S/-/./g}
 BASE_VERS=	1.4.3
 DIST_VERS=	${BASE_VERS}
-PKGREVISION=	5
+PKGREVISION=	6
 
 CATEGORIES=	print
 MASTER_SITES=	http://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
diff --git a/print/cups/distinfo b/print/cups/distinfo
index e91345617dc..efd87a34b26 100644
--- a/print/cups/distinfo
+++ b/print/cups/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.72 2010/06/09 09:01:43 sbd Exp $
+$NetBSD: distinfo,v 1.73 2010/06/16 18:18:26 drochner Exp $
 
 SHA1 (cups-1.4.3-source.tar.bz2) = 0dd9e3d709614d26cce77728b9263556c94c9559
 RMD160 (cups-1.4.3-source.tar.bz2) = 6c5ab282405d6a1132163c727583f3a572307d88
@@ -20,3 +20,7 @@ SHA1 (patch-an) = 231c871e31db279e8aeafba71506f93330e0a971
 SHA1 (patch-ao) = 7fe50080b9a6fd4dac186020f9351ef6000373c7
 SHA1 (patch-ap) = 70c5fa4a19ca2812818844180ca9db9cb7cfd601
 SHA1 (patch-at) = aee1f0e8cbcd9e2dbcfa9af3fb675ea7ce1ce622
+SHA1 (patch-ba) = a0c643a6d794a335e18155974123ef6e95a68743
+SHA1 (patch-bb) = 69fa95cdb1ee4ac6511dd8dfbba2349f625423a5
+SHA1 (patch-bc) = cf2e9458f31dd17ea65ebb12254e1ddeaf12e414
+SHA1 (patch-bd) = 885cd259b59d8a2c0d7c1cacfaf6fe2fe3f35053
diff --git a/print/cups/patches/patch-ba b/print/cups/patches/patch-ba
new file mode 100644
index 00000000000..69b177615dd
--- /dev/null
+++ b/print/cups/patches/patch-ba
@@ -0,0 +1,24 @@
+$NetBSD: patch-ba,v 1.3 2010/06/16 18:18:26 drochner Exp $
+
+--- scheduler/select.c.orig	2010-01-14 22:40:19.000000000 +0000
++++ scheduler/select.c
+@@ -454,7 +454,8 @@ cupsdDoSelect(long timeout)		/* I - Time
+     if (fdptr->read_cb && event->filter == EVFILT_READ)
+       (*(fdptr->read_cb))(fdptr->data);
+ 
+-    if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE)
++    if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE &&
++	!cupsArrayFind(cupsd_inactive_fds, fdptr))
+       (*(fdptr->write_cb))(fdptr->data);
+ 
+     release_fd(fdptr);
+@@ -500,7 +501,8 @@ cupsdDoSelect(long timeout)		/* I - Time
+ 	  (*(fdptr->read_cb))(fdptr->data);
+ 
+ 	if (fdptr->use > 1 && fdptr->write_cb &&
+-	    (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)))
++	    (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)) &&
++	    !cupsArrayFind(cupsd_inactive_fds, fdptr))
+ 	  (*(fdptr->write_cb))(fdptr->data);
+ 
+ 	release_fd(fdptr);
diff --git a/print/cups/patches/patch-bb b/print/cups/patches/patch-bb
new file mode 100644
index 00000000000..9e3b2e9617e
--- /dev/null
+++ b/print/cups/patches/patch-bb
@@ -0,0 +1,14 @@
+$NetBSD: patch-bb,v 1.5 2010/06/16 18:18:26 drochner Exp $
+
+--- cgi-bin/var.c.orig	2010-02-08 17:33:31.000000000 +0000
++++ cgi-bin/var.c
+@@ -927,6 +927,9 @@ cgi_initialize_string(const char *data)	
+ 	    * Read the hex code...
+ 	    */
+ 
++	    if (!isxdigit(data[1] & 255) || !isxdigit(data[2] & 255))
++		return (0);
++
+             if (s < (value + sizeof(value) - 1))
+ 	    {
+               data ++;
diff --git a/print/cups/patches/patch-bc b/print/cups/patches/patch-bc
new file mode 100644
index 00000000000..8044a2eaa79
--- /dev/null
+++ b/print/cups/patches/patch-bc
@@ -0,0 +1,27 @@
+$NetBSD: patch-bc,v 1.3 2010/06/16 18:18:26 drochner Exp $
+
+--- filter/texttops.c.orig	2008-11-06 16:42:18.000000000 +0000
++++ filter/texttops.c
+@@ -181,8 +181,20 @@ WriteProlog(const char *title,		/* I - T
+     exit(1);
+   }
+ 
+-  Page    = calloc(sizeof(lchar_t *), SizeLines);
+-  Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines);
++  if ((Page = calloc(sizeof(lchar_t *), SizeLines)) == NULL)
++  {
++    _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),
++		    SizeColumns, SizeLines);
++    exit(1);
++  }
++
++  if ((Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines)) == NULL)
++  {
++    _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),
++		    SizeColumns, SizeLines);
++    exit(1);
++  }
++
+   for (i = 1; i < SizeLines; i ++)
+     Page[i] = Page[0] + i * SizeColumns;
+ 
diff --git a/print/cups/patches/patch-bd b/print/cups/patches/patch-bd
new file mode 100644
index 00000000000..e8ca7369275
--- /dev/null
+++ b/print/cups/patches/patch-bd
@@ -0,0 +1,136 @@
+$NetBSD: patch-bd,v 1.3 2010/06/16 18:18:26 drochner Exp $
+
+--- cups/file.c.orig	2009-05-14 21:18:35.000000000 +0000
++++ cups/file.c
+@@ -59,6 +59,7 @@
+  */
+ 
+ #include "file-private.h"
++#include <sys/stat.h>
+ 
+ 
+ /*
+@@ -69,6 +70,7 @@
+ static ssize_t	cups_compress(cups_file_t *fp, const char *buf, size_t bytes);
+ #endif /* HAVE_LIBZ */
+ static ssize_t	cups_fill(cups_file_t *fp);
++static int cups_open(const char *filename, int mode);
+ static ssize_t	cups_read(cups_file_t *fp, char *buf, size_t bytes);
+ static ssize_t	cups_write(cups_file_t *fp, const char *buf, size_t bytes);
+ 
+@@ -827,7 +829,8 @@ cupsFileOpen(const char *filename,	/* I 
+   switch (*mode)
+   {
+     case 'a' : /* Append file */
+-        fd = open(filename, O_RDWR | O_CREAT | O_APPEND | O_LARGEFILE | O_BINARY, 0666);
++        fd = cups_open(filename,
++	O_RDWR | O_CREAT | O_APPEND | O_LARGEFILE | O_BINARY);
+         break;
+ 
+     case 'r' : /* Read file */
+@@ -835,7 +838,17 @@ cupsFileOpen(const char *filename,	/* I 
+ 	break;
+ 
+     case 'w' : /* Write file */
+-        fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT | O_LARGEFILE | O_BINARY, 0666);
++        fd = cups_open(filename, O_WRONLY | O_LARGEFILE | O_BINARY);
++ if (fd < 0 && errno == ENOENT)
++ {
++   fd = cups_open(filename,
++		  O_WRONLY | O_CREAT | O_EXCL | O_LARGEFILE | O_BINARY);
++   if (fd < 0 && errno == EEXIST)
++     fd = cups_open(filename, O_WRONLY | O_LARGEFILE | O_BINARY);
++ }
++
++ if (fd >= 0)
++   ftruncate(fd, 0);
+         break;
+ 
+     case 's' : /* Read/write socket */
+@@ -2207,6 +2220,86 @@ cups_fill(cups_file_t *fp)		/* I - CUPS 
+   return (bytes);
+ }
+ 
++/*
++ * 'cups_open()' - Safely open a file for writing.
++ *
++ * We don't allow appending to directories or files that are hard-linked or
++ * symlinked.
++ */
++
++static int /* O - File descriptor or -1 otherwise */
++cups_open(const char *filename, /* I - Filename */
++   int        mode) /* I - Open mode */
++{
++  int fd; /* File descriptor */
++  struct stat fileinfo; /* File information */
++#ifndef WIN32
++  struct stat linkinfo; /* Link information */
++#endif /* !WIN32 */
++
++
++ /*
++  * Open the file...
++  */
++
++  if ((fd = open(filename, mode, 0666)) < 0)
++    return (-1);
++
++ /*
++  * Then verify that the file descriptor doesn't point to a directory or hard-
++  * linked file.
++  */
++
++  if (fstat(fd, &fileinfo))
++  {
++    close(fd);
++    return (-1);
++  }
++
++  if (fileinfo.st_nlink != 1)
++  {
++    close(fd);
++    errno = EPERM;
++    return (-1);
++  }
++
++  if (S_ISDIR(fileinfo.st_mode))
++  {
++    close(fd);
++    errno = EISDIR;
++    return (-1);
++  }
++
++#ifndef WIN32
++ /*
++  * Then use lstat to determine whether the filename is a symlink...
++  */
++
++  if (lstat(filename, &linkinfo))
++  {
++    close(fd);
++    return (-1);
++  }
++
++  if (S_ISLNK(linkinfo.st_mode) ||
++      fileinfo.st_dev != linkinfo.st_dev ||
++      fileinfo.st_ino != linkinfo.st_ino ||
++      fileinfo.st_gen != linkinfo.st_gen ||
++      fileinfo.st_nlink != linkinfo.st_nlink ||
++      fileinfo.st_mode != linkinfo.st_mode)
++  {
++   /*
++    * Yes, don't allow!
++    */
++
++    close(fd);
++    errno = EPERM;
++    return (-1);
++  }
++#endif /* !WIN32 */
++
++  return (fd);
++}
+ 
+ /*
+  * 'cups_read()' - Read from a file descriptor.