authorsalo <salo>2005-08-10 23:37:08 +0000
committersalo <salo>2005-08-10 23:37:08 +0000
commit8442b83f280b2431adbbeca577afec4d5df1330a (patch)
treed221c5ff5ef4fd0e43093195381f47bb874dc7d1 /print
parent0f948bc33834bf87de2c68438e460aa018124dd4 (diff)
Security fix for CAN-2005-2097.
"A vulnerability has been reported in CUPS, which can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable system. When processing a PDF file, bounds checking was not correctly performed on some fields. This could cause the pdftops filter (running as user "lp") to crash." http://secunia.com/advisories/16380/ http://rhn.redhat.com/errata/RHSA-2005-706.html Patch from RedHat.
Diffstat (limited to 'print')
-rw-r--r--print/cups/Makefile4
-rw-r--r--print/cups/buildlink3.mk4
-rw-r--r--print/cups/distinfo3
-rw-r--r--print/cups/patches/patch-aw24
4 files changed, 30 insertions, 5 deletions
diff --git a/print/cups/Makefile b/print/cups/Makefile
index e7e7737834c..cf11b2140b3 100644
--- a/print/cups/Makefile
+++ b/print/cups/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.94 2005/06/01 20:08:01 jlam Exp $
+# $NetBSD: Makefile,v 1.95 2005/08/10 23:37:08 salo Exp $
#
# The CUPS author is very good about taking back changes into the main
# CUPS distribution. The correct place to send patches or bug-fixes is:
@@ -6,7 +6,7 @@
DISTNAME= cups-${DIST_VERS}-source
PKGNAME= cups-${VERS}
-PKGREVISION= 2
+PKGREVISION= 3
BASE_VERS= 1.1.23
DIST_VERS= ${BASE_VERS}
VERS= ${DIST_VERS:S/-/./g}
diff --git a/print/cups/buildlink3.mk b/print/cups/buildlink3.mk
index 055b1885ccf..f32976fe339 100644
--- a/print/cups/buildlink3.mk
+++ b/print/cups/buildlink3.mk
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.12 2005/01/11 00:09:21 salo Exp $
+# $NetBSD: buildlink3.mk,v 1.13 2005/08/10 23:37:08 salo Exp $
BUILDLINK_DEPTH:= ${BUILDLINK_DEPTH}+
CUPS_BUILDLINK3_MK:= ${CUPS_BUILDLINK3_MK}+
@@ -12,7 +12,7 @@ BUILDLINK_PACKAGES+= cups
.if !empty(CUPS_BUILDLINK3_MK:M+)
BUILDLINK_DEPENDS.cups+= cups>=1.1.19nb3
-BUILDLINK_RECOMMENDED.cups+= cups>=1.1.23
+BUILDLINK_RECOMMENDED.cups+= cups>=1.1.23nb3
BUILDLINK_PKGSRCDIR.cups?= ../../print/cups
.endif # CUPS_BUILDLINK3_MK
diff --git a/print/cups/distinfo b/print/cups/distinfo
index 4ac88e4fae7..b6ca0cbb20c 100644
--- a/print/cups/distinfo
+++ b/print/cups/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.31 2005/03/02 18:33:02 drochner Exp $
+$NetBSD: distinfo,v 1.32 2005/08/10 23:37:08 salo Exp $
SHA1 (cups-1.1.23-source.tar.bz2) = 32d5bfb44c4edc1b54ccb014b5a44499295c6c5c
RMD160 (cups-1.1.23-source.tar.bz2) = 255ec4c22422b14f2367d69f3ec7e590dc46bea5
@@ -11,3 +11,4 @@ SHA1 (patch-ao) = c4c8f833cf4a09a686a338df6c209cebec36c6ef
SHA1 (patch-at) = aa36ec591164675b889d2cf32e4d754e9b6db94f
SHA1 (patch-au) = ab43911c1b27b250a257c67d1d34066237e4da98
SHA1 (patch-av) = 33437f71e0b6443b172246f1962f9d2eebbd8f11
+SHA1 (patch-aw) = fbfe7c89952b5aadd48ee84b7d0502fa4e280870
diff --git a/print/cups/patches/patch-aw b/print/cups/patches/patch-aw
new file mode 100644
index 00000000000..920a41852eb
--- /dev/null
+++ b/print/cups/patches/patch-aw
@@ -0,0 +1,24 @@
+$NetBSD: patch-aw,v 1.3 2005/08/10 23:37:08 salo Exp $
+
+Fix for CAN-2005-2097, from RedHat.
+
+--- pdftops/FontFile.cxx.orig 2004-02-02 23:41:09.000000000 +0100
++++ pdftops/FontFile.cxx 2005-08-10 22:30:54.000000000 +0200
+@@ -18,6 +18,7 @@
+ #include <stdarg.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <error.h>
+ #include "gmem.h"
+ #include "GHash.h"
+ #include "Error.h"
+@@ -3572,6 +3573,9 @@
+ } else {
+ origLocaTable[i].pos = 2 * getUShort(pos + 2*i);
+ }
++
++ if (origLocaTable[i].pos < 0 || origLocaTable[i].pos > len)
++ error (1, 0, "bad loca table pos value");
+ }
+ qsort(origLocaTable, nGlyphs + 1, sizeof(TrueTypeLoca), &cmpTrueTypeLocaPos);
+ for (i = 0; i < nGlyphs; ++i) {
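Review bot: The added `#include <error.h>` and the `error (1, 0, "bad loca table pos value")` call in the loca-table check rely on a glibc extension, so this RedHat-derived patch may not build on pkgsrc platforms whose libc ships no `error.h` (NetBSD among them, as far as I know). The same file already includes the project's own `"Error.h"` two lines further down, which presumably declares a different `error()`. On a case-insensitive file system the two header names can collide, and which function the three-argument call resolves to should be confirmed. A portable form of the same guard would drop the new include and use `fprintf(stderr, "bad loca table pos value\n"); exit(1);`, assuming `<stdio.h>` and `<stdlib.h>` are already included above the hunk. The bound itself looks right, since it rejects a `pos` outside `[0, len]` before `qsort` and the glyph loop consume the table, but the enclosing function starts and ends outside the hunk, so later uses of `pos` are not visible here.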