-rw-r--r--print/cups/Makefile4
-rw-r--r--print/cups/distinfo3
-rw-r--r--print/cups/patches/patch-scheduler_client.c22
3 files changed, 26 insertions, 3 deletions
diff --git a/print/cups/Makefile b/print/cups/Makefile
index 30fade3654c..7ccde13663f 100644
--- a/print/cups/Makefile
+++ b/print/cups/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.203 2014/05/10 13:45:20 richard Exp $
+# $NetBSD: Makefile,v 1.204 2014/05/15 12:51:58 wiz Exp $
#
# The CUPS author is very good about taking back changes into the main
# CUPS distribution. The correct place to send patches or bug-fixes is:
@@ -9,7 +9,7 @@ PKGNAME= cups-${DIST_VERS:S/-/./g}
BASE_VERS= 1.5.4
DIST_VERS= ${BASE_VERS}
-PKGREVISION= 10
+PKGREVISION= 11
CATEGORIES= print
MASTER_SITES= http://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
ftp://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
diff --git a/print/cups/distinfo b/print/cups/distinfo
index f274d3d0918..53246bff73b 100644
--- a/print/cups/distinfo
+++ b/print/cups/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.97 2014/05/10 13:42:08 richard Exp $
+$NetBSD: distinfo,v 1.98 2014/05/15 12:51:58 wiz Exp $
SHA1 (cups-1.5.4-source.tar.bz2) = cb39961cbaf1851a47694828ad9a7cdf4da51fbd
RMD160 (cups-1.5.4-source.tar.bz2) = 9d6a7fd69d3036ec1f3dfd9c70672a2c6fb517b6
@@ -18,4 +18,5 @@ SHA1 (patch-conf_Makefile) = 5b5d45abc1e8d6b73a1ad6b7a7098714d4c55395
SHA1 (patch-config-scripts_cups-gssapi.m4) = 6f558ee1d2d56ceba3a9705d3278c7969495be5d
SHA1 (patch-ppdc_Makefile) = 7dcc34217557a4c6f42064b61abf593bd7620b60
SHA1 (patch-scheduler_auth.c) = 2056f20500e3c6e857f9dd2c83709c15be38fe0e
+SHA1 (patch-scheduler_client.c) = d4b6667199c0ff9617847ba119b82a50457cfd98
SHA1 (patch-scheduler_dirsvc.c) = 62c6b47522a60b9f8042421e4a9d25a5dfa47c47
diff --git a/print/cups/patches/patch-scheduler_client.c b/print/cups/patches/patch-scheduler_client.c
new file mode 100644
index 00000000000..99aa79989b5
--- /dev/null
+++ b/print/cups/patches/patch-scheduler_client.c
@@ -0,0 +1,22 @@
+$NetBSD: patch-scheduler_client.c,v 1.1 2014/05/15 12:51:58 wiz Exp $
+
+Fix for CVE-2014-2856 from
+http://www.cups.org/str.php?L4356
+
+--- scheduler/client.c.orig 2012-03-07 06:05:39.000000000 +0000
++++ scheduler/client.c
+@@ -4075,6 +4075,14 @@ is_path_absolute(const char *path) /* I
+ return (0);
+
+ /*
++ * Check for "<" or quotes in the path and reject since this is probably
++ * someone trying to inject HTML...
++ */
++
++ if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
++ return (0);
++
++ /*
+ * Check for "/.." in the path...
+ */
+
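Review bot: The new check in is_path_absolute() is a denylist of three characters (`<`, `"`, `'`) applied in the path validator, so it only protects pages that echo the path if it runs on the fully percent-decoded string. The hunk does not show where decoding happens, so that ordering should be confirmed against the caller. I would state the precondition in the added comment, for example `* The path must already be URL-decoded here; code that echoes it into HTML must still escape it.`, and treat this check as defence in depth rather than a replacement for output encoding. Minor style point: `'\"'` can be written `'"'`, and the long condition could be split across lines. The function body starts and ends outside this hunk.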