author | drochner <drochner> | 2010-06-16 18:18:26 +0000 |
---|---|---|
committer | drochner <drochner> | 2010-06-16 18:18:26 +0000 |
commit | 31c088deb34ee3ceab6640725ead3a9d4494a493 (patch) | |
tree | 4e55536c8df62713f1ddb143064ae26e90a7dccf /print | |
parent | d4a7d3426a39562f3fd4715a04fb94b63c7cf84f (diff) | |
add some patches from upstream to fix security problems:
-use-after-free problem (CVE-2010-0302)
-information disclosure (CVE-2010-1748)
-unchecked memory allocation in texttops
-file overwrite problem
(I didn't find references from cups patches to CVE #s, or vice versa,
so the CVE #s are not certain.)
The missing http session check problem (CVE-2010-0540?) is not fixed,
this would be a large patch affecting tens of files.
bump PKGREVISION
Diffstat (limited to 'print')
-rw-r--r-- | print/cups/Makefile | 4 | ||||
-rw-r--r-- | print/cups/distinfo | 6 | ||||
-rw-r--r-- | print/cups/patches/patch-ba | 24 | ||||
-rw-r--r-- | print/cups/patches/patch-bb | 14 | ||||
-rw-r--r-- | print/cups/patches/patch-bc | 27 | ||||
-rw-r--r-- | print/cups/patches/patch-bd | 136 |
6 files changed, 208 insertions, 3 deletions
diff --git a/print/cups/Makefile b/print/cups/Makefile index 8a13e369bf8..a7bd802a006 100644 --- a/print/cups/Makefile +++ b/print/cups/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.166 2010/06/13 22:45:14 wiz Exp $ +# $NetBSD: Makefile,v 1.167 2010/06/16 18:18:26 drochner Exp $ # # The CUPS author is very good about taking back changes into the main # CUPS distribution. The correct place to send patches or bug-fixes is: @@ -8,7 +8,7 @@ DISTNAME= cups-${DIST_VERS}-source PKGNAME= cups-${DIST_VERS:S/-/./g} BASE_VERS= 1.4.3 DIST_VERS= ${BASE_VERS} -PKGREVISION= 5 +PKGREVISION= 6 CATEGORIES= print MASTER_SITES= http://ftp.easysw.com/pub/cups/${BASE_VERS}/ \ diff --git a/print/cups/distinfo b/print/cups/distinfo index e91345617dc..efd87a34b26 100644 --- a/print/cups/distinfo +++ b/print/cups/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.72 2010/06/09 09:01:43 sbd Exp $ +$NetBSD: distinfo,v 1.73 2010/06/16 18:18:26 drochner Exp $ SHA1 (cups-1.4.3-source.tar.bz2) = 0dd9e3d709614d26cce77728b9263556c94c9559 RMD160 (cups-1.4.3-source.tar.bz2) = 6c5ab282405d6a1132163c727583f3a572307d88 @@ -20,3 +20,7 @@ SHA1 (patch-an) = 231c871e31db279e8aeafba71506f93330e0a971 SHA1 (patch-ao) = 7fe50080b9a6fd4dac186020f9351ef6000373c7 SHA1 (patch-ap) = 70c5fa4a19ca2812818844180ca9db9cb7cfd601 SHA1 (patch-at) = aee1f0e8cbcd9e2dbcfa9af3fb675ea7ce1ce622 +SHA1 (patch-ba) = a0c643a6d794a335e18155974123ef6e95a68743 +SHA1 (patch-bb) = 69fa95cdb1ee4ac6511dd8dfbba2349f625423a5 +SHA1 (patch-bc) = cf2e9458f31dd17ea65ebb12254e1ddeaf12e414 +SHA1 (patch-bd) = 885cd259b59d8a2c0d7c1cacfaf6fe2fe3f35053 diff --git a/print/cups/patches/patch-ba b/print/cups/patches/patch-ba new file mode 100644 index 00000000000..69b177615dd --- /dev/null +++ b/print/cups/patches/patch-ba 
@@ -0,0 +1,24 @@
+$NetBSD: patch-ba,v 1.3 2010/06/16 18:18:26 drochner Exp $
+
+--- scheduler/select.c.orig 2010-01-14 22:40:19.000000000 +0000
++++ scheduler/select.c
+@@ -454,7 +454,8 @@ cupsdDoSelect(long timeout) /* I - Time
+ if (fdptr->read_cb && event->filter == EVFILT_READ)
+ (*(fdptr->read_cb))(fdptr->data);
+
+- if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE)
++ if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE &&
++ !cupsArrayFind(cupsd_inactive_fds, fdptr))
+ (*(fdptr->write_cb))(fdptr->data);
+
+ release_fd(fdptr);
+@@ -500,7 +501,8 @@ cupsdDoSelect(long timeout) /* I - Time
+ (*(fdptr->read_cb))(fdptr->data);
+
+ if (fdptr->use > 1 && fdptr->write_cb &&
+- (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)))
++ (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)) &&
++ !cupsArrayFind(cupsd_inactive_fds, fdptr))
+ (*(fdptr->write_cb))(fdptr->data);
+
+ release_fd(fdptr);
diff --git a/print/cups/patches/patch-bb b/print/cups/patches/patch-bb
new file mode 100644
index 00000000000..9e3b2e9617e
--- /dev/null
+++ b/print/cups/patches/patch-bb
@@ -0,0 +1,14 @@
+$NetBSD: patch-bb,v 1.5 2010/06/16 18:18:26 drochner Exp $
+
+--- cgi-bin/var.c.orig 2010-02-08 17:33:31.000000000 +0000
++++ cgi-bin/var.c
+@@ -927,6 +927,9 @@ cgi_initialize_string(const char *data)
+ * Read the hex code...
+ */
+
++ if (!isxdigit(data[1] & 255) || !isxdigit(data[2] & 255))
++ return (0);
++
+ if (s < (value + sizeof(value) - 1))
+ {
+ data ++;
diff --git a/print/cups/patches/patch-bc b/print/cups/patches/patch-bc
new file mode 100644
index 00000000000..8044a2eaa79
--- /dev/null
+++ b/print/cups/patches/patch-bc
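Review bot: The new `!cupsArrayFind(cupsd_inactive_fds, fdptr)` test is added to the kqueue (`EVFILT_WRITE`) and epoll (`EPOLLOUT`) write paths without a comment saying why `fdptr->use > 1` alone is not enough. Presumably the read callback on the line above can retire `fdptr` while it is still referenced, so the write callback must not run on it; a one-line comment above each condition, e.g. `/* read_cb may have moved fdptr to the inactive list; do not call write_cb on it */`, would keep a later cleanup from dropping the check. cupsdDoSelect continues outside both hunks, so whether any other polling backend in the function needs the same guard cannot be seen here and is worth confirming.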
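Review bot: The added `isxdigit()` test in cgi_initialize_string carries no comment stating the invariant it establishes, namely that both bytes after the current position exist and are hex digits before the decoder below consumes them. Because `||` short-circuits, `data[2]` is only read when `data[1]` is a hex digit and therefore not the terminator, which is presumably what keeps the decode from stepping past the end of the string; the decoding code itself is outside the hunk. I would put `/* Reject truncated or non-hex escapes before decoding */` above the check so the reason for the early `return (0)` is visible.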
@@ -0,0 +1,27 @@
+$NetBSD: patch-bc,v 1.3 2010/06/16 18:18:26 drochner Exp $
+
+--- filter/texttops.c.orig 2008-11-06 16:42:18.000000000 +0000
++++ filter/texttops.c
+@@ -181,8 +181,20 @@ WriteProlog(const char *title, /* I - T
+ exit(1);
+ }
+
+- Page = calloc(sizeof(lchar_t *), SizeLines);
+- Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines);
++ if ((Page = calloc(sizeof(lchar_t *), SizeLines)) == NULL)
++ {
++ _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),
++ SizeColumns, SizeLines);
++ exit(1);
++ }
++
++ if ((Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines)) == NULL)
++ {
++ _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),
++ SizeColumns, SizeLines);
++ exit(1);
++ }
++
+ for (i = 1; i < SizeLines; i ++)
+ Page[i] = Page[0] + i * SizeColumns;
+
diff --git a/print/cups/patches/patch-bd b/print/cups/patches/patch-bd
new file mode 100644
index 00000000000..e8ca7369275
--- /dev/null
+++ b/print/cups/patches/patch-bd
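Review bot: The element count `SizeColumns * SizeLines` passed to the second calloc() is still multiplied in the operands' own type before calloc() can check anything, so the new NULL tests do not cover a product that wraps. The loop `Page[i] = Page[0] + i * SizeColumns` below would then point rows past a block that is smaller than intended. The `%d` format suggests both values are int, and the check that ends just above the hunk (`exit(1); }`) may already bound them, but that code is not visible here. If it does not, a guard such as `if (SizeLines <= 0 || SizeColumns <= 0 || SizeColumns > INT_MAX / SizeLines)` taking the same error path would close the gap.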
@@ -0,0 +1,136 @@
+$NetBSD: patch-bd,v 1.3 2010/06/16 18:18:26 drochner Exp $
+
+--- cups/file.c.orig 2009-05-14 21:18:35.000000000 +0000
++++ cups/file.c
+@@ -59,6 +59,7 @@
+ */
+
+ #include "file-private.h"
++#include <sys/stat.h>
+
+
+ /*
+@@ -69,6 +70,7 @@
+ static ssize_t cups_compress(cups_file_t *fp, const char *buf, size_t bytes);
+ #endif /* HAVE_LIBZ */
+ static ssize_t cups_fill(cups_file_t *fp);
++static int cups_open(const char *filename, int mode);
+ static ssize_t cups_read(cups_file_t *fp, char *buf, size_t bytes);
+ static ssize_t cups_write(cups_file_t *fp, const char *buf, size_t bytes);
+
+@@ -827,7 +829,8 @@ cupsFileOpen(const char *filename, /* I
+ switch (*mode)
+ {
+ case 'a' : /* Append file */
+- fd = open(filename, O_RDWR | O_CREAT | O_APPEND | O_LARGEFILE | O_BINARY, 0666);
++ fd = cups_open(filename,
++ O_RDWR | O_CREAT | O_APPEND | O_LARGEFILE | O_BINARY);
+ break;
+
+ case 'r' : /* Read file */
+@@ -835,7 +838,17 @@ cupsFileOpen(const char *filename, /* I
+ break;
+
+ case 'w' : /* Write file */
+- fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT | O_LARGEFILE | O_BINARY, 0666);
++ fd = cups_open(filename, O_WRONLY | O_LARGEFILE | O_BINARY);
++ if (fd < 0 && errno == ENOENT)
++ {
++ fd = cups_open(filename,
++ O_WRONLY | O_CREAT | O_EXCL | O_LARGEFILE | O_BINARY);
++ if (fd < 0 && errno == EEXIST)
++ fd = cups_open(filename, O_WRONLY | O_LARGEFILE | O_BINARY);
++ }
++
++ if (fd >= 0)
++ ftruncate(fd, 0);
+ break;
+
+ case 's' : /* Read/write socket */
+@@ -2207,6 +2220,86 @@ cups_fill(cups_file_t *fp) /* I - CUPS
+ return (bytes);
+ }
+
++/*
++ * 'cups_open()' - Safely open a file for writing.
++ *
++ * We don't allow appending to directories or files that are hard-linked or
++ * symlinked.
++ */
+
++static int /* O - File descriptor or -1 otherwise */
++cups_open(const char *filename, /* I - Filename */
++ int mode) /* I - Open mode */
++{
++ int fd; /* File descriptor */
++ struct stat fileinfo; /* File information */
++#ifndef WIN32
++ struct stat linkinfo; /* Link information */
++#endif /* !WIN32 */
++
++
++ /*
++ * Open the file...
++ */
++
++ if ((fd = open(filename, mode, 0666)) < 0)
++ return (-1);
++
++ /*
++ * Then verify that the file descriptor doesn't point to a directory or hard-
++ * linked file.
++ */
++
++ if (fstat(fd, &fileinfo))
++ {
++ close(fd);
++ return (-1);
++ }
++
++ if (fileinfo.st_nlink != 1)
++ {
++ close(fd);
++ errno = EPERM;
++ return (-1);
++ }
++
++ if (S_ISDIR(fileinfo.st_mode))
++ {
++ close(fd);
++ errno = EISDIR;
++ return (-1);
++ }
++
++#ifndef WIN32
++ /*
++ * Then use lstat to determine whether the filename is a symlink...
++ */
++
++ if (lstat(filename, &linkinfo))
++ {
++ close(fd);
++ return (-1);
++ }
++
++ if (S_ISLNK(linkinfo.st_mode) ||
++ fileinfo.st_dev != linkinfo.st_dev ||
++ fileinfo.st_ino != linkinfo.st_ino ||
++ fileinfo.st_gen != linkinfo.st_gen ||
++ fileinfo.st_nlink != linkinfo.st_nlink ||
++ fileinfo.st_mode != linkinfo.st_mode)
++ {
++ /*
++ * Yes, don't allow!
++ */
++
++ close(fd);
++ errno = EPERM;
++ return (-1);
++ }
++#endif /* !WIN32 */
++
++ return (fd);
++}
+
+ /*
+ * 'cups_read()' - Read from a file descriptor. |
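Review bot: cups_open() runs its link and directory checks only after `open(filename, mode, 0666)` has returned, so any side effect of the open has already happened by the time a link is rejected; with `O_CREAT` in the 'a' case a file can be created through a dangling symlink before `lstat()` looks at the name. Where the platform defines it, setting `O_NOFOLLOW` before the open (`#ifdef O_NOFOLLOW` / `mode |= O_NOFOLLOW;` / `#endif`) lets the kernel refuse a symlink in the final component atomically and leaves the fstat/lstat comparison as a second check. Separately, `st_gen` is a BSD extension to `struct stat`, yet `fileinfo.st_gen != linkinfo.st_gen` is guarded only by `#ifndef WIN32`, so it will not compile on platforms that lack the member and needs its own feature test. The result of `ftruncate(fd, 0)` in the 'w' case is also ignored, so a failed truncation leaves the old contents in place without the caller knowing.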