diff options
| -rw-r--r-- | print/cups/Makefile | 4 | ||||
| -rw-r--r-- | print/cups/distinfo | 3 | ||||
| -rw-r--r-- | print/cups/patches/patch-au | 155 |
3 files changed, 159 insertions, 3 deletions
diff --git a/print/cups/Makefile b/print/cups/Makefile index 67fa0d42814..059fa25d4ac 100644 --- a/print/cups/Makefile +++ b/print/cups/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.127 2007/10/22 11:56:46 dsainty Exp $ +# $NetBSD: Makefile,v 1.128 2007/11/05 20:16:19 adrianp Exp $ # # The CUPS author is very good about taking back changes into the main # CUPS distribution. The correct place to send patches or bug-fixes is: @@ -9,7 +9,7 @@ PKGNAME= cups-${VERS} BASE_VERS= 1.2.12 DIST_VERS= ${BASE_VERS} VERS= ${DIST_VERS:S/-/./g} -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= print MASTER_SITES= http://ftp.easysw.com/pub/cups/${BASE_VERS}/ \ ftp://ftp2.easysw.com/pub/cups/${BASE_VERS}/ \ diff --git a/print/cups/distinfo b/print/cups/distinfo index 47fffe24291..7bf6d6924b9 100644 --- a/print/cups/distinfo +++ b/print/cups/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.52 2007/08/15 04:15:10 markd Exp $ +$NetBSD: distinfo,v 1.53 2007/11/05 20:16:19 adrianp Exp $ SHA1 (cups-1.2.12-source.tar.bz2) = 11a540f76a1d3164b6636bf8ba47928803ad9356 RMD160 (cups-1.2.12-source.tar.bz2) = 598270e37ff8a9b9ff1e667066d6f7e120493e32 @@ -10,3 +10,4 @@ SHA1 (patch-ad) = 6695c344453495cd960460733a80d50654786c60 SHA1 (patch-an) = 4c5271b0f4a262e782e3de8396870498125675bd SHA1 (patch-ao) = 5cb88810f316ffad2a004d13e65b70108c8234b2 SHA1 (patch-at) = eea32b989402c353f5f1644348c1042a3d4ddfa1 +SHA1 (patch-au) = 9d9f8474cb553e112f5b53e84593347f919534e1 diff --git a/print/cups/patches/patch-au b/print/cups/patches/patch-au new file mode 100644 index 00000000000..e408e945e3d --- /dev/null +++ b/print/cups/patches/patch-au @@ -0,0 +1,155 @@ +$NetBSD: patch-au,v 1.9 2007/11/05 20:16:19 adrianp Exp $ + +# CVE-2007-4351 + +--- cups/ipp.c.orig 2007-02-05 20:25:50.000000000 +0000 ++++ cups/ipp.c +@@ -1315,6 +1315,12 @@ ippReadIO(void *src, /* I - Data + { + case IPP_TAG_INTEGER : + case IPP_TAG_ENUM : ++ if (n != 4) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + if ((*cb)(src, buffer, 4) < 4) + { + DEBUG_puts("ippReadIO: Unable to read integer value!"); +@@ -1327,6 +1333,12 @@ ippReadIO(void *src, /* I - Data + value->integer = n; + break; + case IPP_TAG_BOOLEAN : ++ if (n != 1) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + if ((*cb)(src, buffer, 1) < 1) + { + DEBUG_puts("ippReadIO: Unable to read boolean value!"); +@@ -1344,6 +1356,12 @@ ippReadIO(void *src, /* I - Data + case IPP_TAG_CHARSET : + case IPP_TAG_LANGUAGE : + case IPP_TAG_MIMETYPE : ++ if (n >= sizeof(buffer)) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + if ((*cb)(src, buffer, n) < n) + { + DEBUG_puts("ippReadIO: unable to read name!"); +@@ -1356,6 +1374,12 @@ ippReadIO(void *src, /* I - Data + value->string.text)); + break; + case IPP_TAG_DATE : ++ if (n != 11) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + if ((*cb)(src, value->date, 11) < 11) + { + DEBUG_puts("ippReadIO: Unable to date integer value!"); +@@ -1363,6 +1387,12 @@ ippReadIO(void *src, /* I - Data + } + break; + case IPP_TAG_RESOLUTION : ++ if (n != 9) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + if ((*cb)(src, buffer, 9) < 9) + { + DEBUG_puts("ippReadIO: Unable to read resolution value!"); +@@ -1379,6 +1409,12 @@ ippReadIO(void *src, /* I - Data + (ipp_res_t)buffer[8]; + break; + case IPP_TAG_RANGE : ++ if (n != 8) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + if ((*cb)(src, buffer, 8) < 8) + { + DEBUG_puts("ippReadIO: Unable to read range value!"); +@@ -1394,7 +1430,7 @@ ippReadIO(void *src, /* I - Data + break; + case IPP_TAG_TEXTLANG : + case IPP_TAG_NAMELANG : +- if (n > sizeof(buffer) || n < 4) ++ if (n >= sizeof(buffer) || n < 4) + { + DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); + return (IPP_ERROR); +@@ -1420,22 +1456,27 @@ ippReadIO(void *src, /* I - Data + + n = (bufptr[0] << 8) | bufptr[1]; + +- if (n >= sizeof(string)) ++ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) || ++ n >= sizeof(string)) + { +- memcpy(string, bufptr + 2, sizeof(string) - 1); +- string[sizeof(string) - 1] = '\0'; ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); + } +- else +- { +- memcpy(string, bufptr + 2, n); +- string[n] = '\0'; +- } ++ ++ memcpy(string, bufptr + 2, n); ++ string[n] = '\0'; + + value->string.charset = _cupsStrAlloc((char *)string); + + bufptr += 2 + n; + n = (bufptr[0] << 8) | bufptr[1]; + ++ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer))) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + bufptr[2 + n] = '\0'; + value->string.text = _cupsStrAlloc((char *)bufptr + 2); + break; +@@ -1477,6 +1518,12 @@ ippReadIO(void *src, /* I - Data + * we need to carry over... + */ + ++ if (n >= sizeof(buffer)) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + if ((*cb)(src, buffer, n) < n) + { + DEBUG_puts("ippReadIO: Unable to read member name value!"); +@@ -1498,6 +1545,12 @@ ippReadIO(void *src, /* I - Data + break; + + default : /* Other unsupported values */ ++ if (n > sizeof(buffer)) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + value->unknown.length = n; + if (n > 0) + { |