summaryrefslogtreecommitdiff
path: root/print
diff options
context:
space:
mode:
authordrochner <drochner>2010-06-16 18:18:26 +0000
committerdrochner <drochner>2010-06-16 18:18:26 +0000
commit31c088deb34ee3ceab6640725ead3a9d4494a493 (patch)
tree4e55536c8df62713f1ddb143064ae26e90a7dccf /print
parentd4a7d3426a39562f3fd4715a04fb94b63c7cf84f (diff)
downloadpkgsrc-31c088deb34ee3ceab6640725ead3a9d4494a493.tar.gz
add some patches from upstream to fix security problems:
-use-after-free problem (CVE-2010-0302) -information disclosure (CVE-2010-1748) -unchecked memory allocation is texttops -file overwrite problem (I didn't find references from cups patches to CVE #s, or vice versa, so the CVE #s are not certain.) The missing http session check problem (CVE-2010-0540?) is not fixed, this would be a large patch affecting tens of files. bump PKGREVISION
Diffstat (limited to 'print')
-rw-r--r--print/cups/Makefile4
-rw-r--r--print/cups/distinfo6
-rw-r--r--print/cups/patches/patch-ba24
-rw-r--r--print/cups/patches/patch-bb14
-rw-r--r--print/cups/patches/patch-bc27
-rw-r--r--print/cups/patches/patch-bd136
6 files changed, 208 insertions, 3 deletions
diff --git a/print/cups/Makefile b/print/cups/Makefile
index 8a13e369bf8..a7bd802a006 100644
--- a/print/cups/Makefile
+++ b/print/cups/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.166 2010/06/13 22:45:14 wiz Exp $
+# $NetBSD: Makefile,v 1.167 2010/06/16 18:18:26 drochner Exp $
#
# The CUPS author is very good about taking back changes into the main
# CUPS distribution. The correct place to send patches or bug-fixes is:
@@ -8,7 +8,7 @@ DISTNAME= cups-${DIST_VERS}-source
PKGNAME= cups-${DIST_VERS:S/-/./g}
BASE_VERS= 1.4.3
DIST_VERS= ${BASE_VERS}
-PKGREVISION= 5
+PKGREVISION= 6
CATEGORIES= print
MASTER_SITES= http://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
diff --git a/print/cups/distinfo b/print/cups/distinfo
index e91345617dc..efd87a34b26 100644
--- a/print/cups/distinfo
+++ b/print/cups/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.72 2010/06/09 09:01:43 sbd Exp $
+$NetBSD: distinfo,v 1.73 2010/06/16 18:18:26 drochner Exp $
SHA1 (cups-1.4.3-source.tar.bz2) = 0dd9e3d709614d26cce77728b9263556c94c9559
RMD160 (cups-1.4.3-source.tar.bz2) = 6c5ab282405d6a1132163c727583f3a572307d88
@@ -20,3 +20,7 @@ SHA1 (patch-an) = 231c871e31db279e8aeafba71506f93330e0a971
SHA1 (patch-ao) = 7fe50080b9a6fd4dac186020f9351ef6000373c7
SHA1 (patch-ap) = 70c5fa4a19ca2812818844180ca9db9cb7cfd601
SHA1 (patch-at) = aee1f0e8cbcd9e2dbcfa9af3fb675ea7ce1ce622
+SHA1 (patch-ba) = a0c643a6d794a335e18155974123ef6e95a68743
+SHA1 (patch-bb) = 69fa95cdb1ee4ac6511dd8dfbba2349f625423a5
+SHA1 (patch-bc) = cf2e9458f31dd17ea65ebb12254e1ddeaf12e414
+SHA1 (patch-bd) = 885cd259b59d8a2c0d7c1cacfaf6fe2fe3f35053
diff --git a/print/cups/patches/patch-ba b/print/cups/patches/patch-ba
new file mode 100644
index 00000000000..69b177615dd
--- /dev/null
+++ b/print/cups/patches/patch-ba
@@ -0,0 +1,24 @@
+$NetBSD: patch-ba,v 1.3 2010/06/16 18:18:26 drochner Exp $
+
+--- scheduler/select.c.orig 2010-01-14 22:40:19.000000000 +0000
++++ scheduler/select.c
+@@ -454,7 +454,8 @@ cupsdDoSelect(long timeout) /* I - Time
+ if (fdptr->read_cb && event->filter == EVFILT_READ)
+ (*(fdptr->read_cb))(fdptr->data);
+
+- if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE)
++ if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE &&
++ !cupsArrayFind(cupsd_inactive_fds, fdptr))
+ (*(fdptr->write_cb))(fdptr->data);
+
+ release_fd(fdptr);
+@@ -500,7 +501,8 @@ cupsdDoSelect(long timeout) /* I - Time
+ (*(fdptr->read_cb))(fdptr->data);
+
+ if (fdptr->use > 1 && fdptr->write_cb &&
+- (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)))
++ (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)) &&
++ !cupsArrayFind(cupsd_inactive_fds, fdptr))
+ (*(fdptr->write_cb))(fdptr->data);
+
+ release_fd(fdptr);
diff --git a/print/cups/patches/patch-bb b/print/cups/patches/patch-bb
new file mode 100644
index 00000000000..9e3b2e9617e
--- /dev/null
+++ b/print/cups/patches/patch-bb
@@ -0,0 +1,14 @@
+$NetBSD: patch-bb,v 1.5 2010/06/16 18:18:26 drochner Exp $
+
+--- cgi-bin/var.c.orig 2010-02-08 17:33:31.000000000 +0000
++++ cgi-bin/var.c
+@@ -927,6 +927,9 @@ cgi_initialize_string(const char *data)
+ * Read the hex code...
+ */
+
++ if (!isxdigit(data[1] & 255) || !isxdigit(data[2] & 255))
++ return (0);
++
+ if (s < (value + sizeof(value) - 1))
+ {
+ data ++;
diff --git a/print/cups/patches/patch-bc b/print/cups/patches/patch-bc
new file mode 100644
index 00000000000..8044a2eaa79
--- /dev/null
+++ b/print/cups/patches/patch-bc
@@ -0,0 +1,27 @@
+$NetBSD: patch-bc,v 1.3 2010/06/16 18:18:26 drochner Exp $
+
+--- filter/texttops.c.orig 2008-11-06 16:42:18.000000000 +0000
++++ filter/texttops.c
+@@ -181,8 +181,20 @@ WriteProlog(const char *title, /* I - T
+ exit(1);
+ }
+
+- Page = calloc(sizeof(lchar_t *), SizeLines);
+- Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines);
++ if ((Page = calloc(sizeof(lchar_t *), SizeLines)) == NULL)
++ {
++ _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),
++ SizeColumns, SizeLines);
++ exit(1);
++ }
++
++ if ((Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines)) == NULL)
++ {
++ _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),
++ SizeColumns, SizeLines);
++ exit(1);
++ }
++
+ for (i = 1; i < SizeLines; i ++)
+ Page[i] = Page[0] + i * SizeColumns;
+
diff --git a/print/cups/patches/patch-bd b/print/cups/patches/patch-bd
new file mode 100644
index 00000000000..e8ca7369275
--- /dev/null
+++ b/print/cups/patches/patch-bd
@@ -0,0 +1,136 @@
+$NetBSD: patch-bd,v 1.3 2010/06/16 18:18:26 drochner Exp $
+
+--- cups/file.c.orig 2009-05-14 21:18:35.000000000 +0000
++++ cups/file.c
+@@ -59,6 +59,7 @@
+ */
+
+ #include "file-private.h"
++#include <sys/stat.h>
+
+
+ /*
+@@ -69,6 +70,7 @@
+ static ssize_t cups_compress(cups_file_t *fp, const char *buf, size_t bytes);
+ #endif /* HAVE_LIBZ */
+ static ssize_t cups_fill(cups_file_t *fp);
++static int cups_open(const char *filename, int mode);
+ static ssize_t cups_read(cups_file_t *fp, char *buf, size_t bytes);
+ static ssize_t cups_write(cups_file_t *fp, const char *buf, size_t bytes);
+
+@@ -827,7 +829,8 @@ cupsFileOpen(const char *filename, /* I
+ switch (*mode)
+ {
+ case 'a' : /* Append file */
+- fd = open(filename, O_RDWR | O_CREAT | O_APPEND | O_LARGEFILE | O_BINARY, 0666);
++ fd = cups_open(filename,
++ O_RDWR | O_CREAT | O_APPEND | O_LARGEFILE | O_BINARY);
+ break;
+
+ case 'r' : /* Read file */
+@@ -835,7 +838,17 @@ cupsFileOpen(const char *filename, /* I
+ break;
+
+ case 'w' : /* Write file */
+- fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT | O_LARGEFILE | O_BINARY, 0666);
++ fd = cups_open(filename, O_WRONLY | O_LARGEFILE | O_BINARY);
++ if (fd < 0 && errno == ENOENT)
++ {
++ fd = cups_open(filename,
++ O_WRONLY | O_CREAT | O_EXCL | O_LARGEFILE | O_BINARY);
++ if (fd < 0 && errno == EEXIST)
++ fd = cups_open(filename, O_WRONLY | O_LARGEFILE | O_BINARY);
++ }
++
++ if (fd >= 0)
++ ftruncate(fd, 0);
+ break;
+
+ case 's' : /* Read/write socket */
+@@ -2207,6 +2220,86 @@ cups_fill(cups_file_t *fp) /* I - CUPS
+ return (bytes);
+ }
+
++/*
++ * 'cups_open()' - Safely open a file for writing.
++ *
++ * We don't allow appending to directories or files that are hard-linked or
++ * symlinked.
++ */
++
++static int /* O - File descriptor or -1 otherwise */
++cups_open(const char *filename, /* I - Filename */
++ int mode) /* I - Open mode */
++{
++ int fd; /* File descriptor */
++ struct stat fileinfo; /* File information */
++#ifndef WIN32
++ struct stat linkinfo; /* Link information */
++#endif /* !WIN32 */
++
++
++ /*
++ * Open the file...
++ */
++
++ if ((fd = open(filename, mode, 0666)) < 0)
++ return (-1);
++
++ /*
++ * Then verify that the file descriptor doesn't point to a directory or hard-
++ * linked file.
++ */
++
++ if (fstat(fd, &fileinfo))
++ {
++ close(fd);
++ return (-1);
++ }
++
++ if (fileinfo.st_nlink != 1)
++ {
++ close(fd);
++ errno = EPERM;
++ return (-1);
++ }
++
++ if (S_ISDIR(fileinfo.st_mode))
++ {
++ close(fd);
++ errno = EISDIR;
++ return (-1);
++ }
++
++#ifndef WIN32
++ /*
++ * Then use lstat to determine whether the filename is a symlink...
++ */
++
++ if (lstat(filename, &linkinfo))
++ {
++ close(fd);
++ return (-1);
++ }
++
++ if (S_ISLNK(linkinfo.st_mode) ||
++ fileinfo.st_dev != linkinfo.st_dev ||
++ fileinfo.st_ino != linkinfo.st_ino ||
++ fileinfo.st_gen != linkinfo.st_gen ||
++ fileinfo.st_nlink != linkinfo.st_nlink ||
++ fileinfo.st_mode != linkinfo.st_mode)
++ {
++ /*
++ * Yes, don't allow!
++ */
++
++ close(fd);
++ errno = EPERM;
++ return (-1);
++ }
++#endif /* !WIN32 */
++
++ return (fd);
++}
+
+ /*
+ * 'cups_read()' - Read from a file descriptor.