-rw-r--r-- | print/cups/Makefile | 4 | ||||
-rw-r--r-- | print/cups/distinfo | 3 | ||||
-rw-r--r-- | print/cups/patches/patch-scheduler_client.c | 22 |
3 files changed, 26 insertions, 3 deletions
diff --git a/print/cups/Makefile b/print/cups/Makefile
index 30fade3654c..7ccde13663f 100644
--- a/print/cups/Makefile
+++ b/print/cups/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.203 2014/05/10 13:45:20 richard Exp $
+# $NetBSD: Makefile,v 1.204 2014/05/15 12:51:58 wiz Exp $
 #
 # The CUPS author is very good about taking back changes into the main
 # CUPS distribution. The correct place to send patches or bug-fixes is:
@@ -9,7 +9,7 @@
 PKGNAME= cups-${DIST_VERS:S/-/./g}
 BASE_VERS= 1.5.4
 DIST_VERS= ${BASE_VERS}
-PKGREVISION= 10
+PKGREVISION= 11
 CATEGORIES= print
 MASTER_SITES= http://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
 ftp://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
diff --git a/print/cups/distinfo b/print/cups/distinfo
index f274d3d0918..53246bff73b 100644
--- a/print/cups/distinfo
+++ b/print/cups/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.97 2014/05/10 13:42:08 richard Exp $
+$NetBSD: distinfo,v 1.98 2014/05/15 12:51:58 wiz Exp $
 SHA1 (cups-1.5.4-source.tar.bz2) = cb39961cbaf1851a47694828ad9a7cdf4da51fbd
 RMD160 (cups-1.5.4-source.tar.bz2) = 9d6a7fd69d3036ec1f3dfd9c70672a2c6fb517b6
@@ -18,4 +18,5 @@ SHA1 (patch-conf_Makefile) = 5b5d45abc1e8d6b73a1ad6b7a7098714d4c55395
 SHA1 (patch-config-scripts_cups-gssapi.m4) = 6f558ee1d2d56ceba3a9705d3278c7969495be5d
 SHA1 (patch-ppdc_Makefile) = 7dcc34217557a4c6f42064b61abf593bd7620b60
 SHA1 (patch-scheduler_auth.c) = 2056f20500e3c6e857f9dd2c83709c15be38fe0e
+SHA1 (patch-scheduler_client.c) = d4b6667199c0ff9617847ba119b82a50457cfd98
 SHA1 (patch-scheduler_dirsvc.c) = 62c6b47522a60b9f8042421e4a9d25a5dfa47c47
diff --git a/print/cups/patches/patch-scheduler_client.c b/print/cups/patches/patch-scheduler_client.c
new file mode 100644
index 00000000000..99aa79989b5
--- /dev/null
+++ b/print/cups/patches/patch-scheduler_client.c
@@ -0,0 +1,22 @@
+$NetBSD: patch-scheduler_client.c,v 1.1 2014/05/15 12:51:58 wiz Exp $
+
+Fix for CVE-2014-2856 from
+http://www.cups.org/str.php?L4356
+
+--- scheduler/client.c.orig 2012-03-07 06:05:39.000000000 +0000
++++ scheduler/client.c
+@@ -4075,6 +4075,14 @@ is_path_absolute(const char *path) /* I
+ return (0);
+
+ /*
++ * Check for "<" or quotes in the path and reject since this is probably
++ * someone trying to inject HTML...
++ */
++
++ if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
++ return (0);
++
++ /*
+ * Check for "/.." in the path...
+ */
+ |
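Review bot: The added check in is_path_absolute() matches `<`, `"` and `'` as literal bytes only, so it protects the generated HTML only if `path` has already been URL-decoded by the time this function runs; the hunk does not show that, and it should be confirmed in the caller. The check is also an input filter standing in for output encoding, so any code in scheduler/client.c that echoes the request path into an HTML response should still escape it; those sites lie outside the hunk. As a point of style, the three `strchr` calls can be a single scan, `if (strpbrk(path, "<\"'") != NULL) return (0);`, and the `\"` inside the character literal needs no backslash. The function's header comment should say that it now also rejects HTML metacharacters, since the name promises only an absolute-path test; the function body starts and ends outside the hunk.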