From 68d73b033b0dff204aadbcf4118976a694657a3e Mon Sep 17 00:00:00 2001 From: ghen Date: Mon, 3 Dec 2007 13:13:14 +0000 Subject: Pullup ticket 2233 - requested by adrianp security fix for cups - pkgsrc/print/cups/Makefile 1.127-1.128 - pkgsrc/print/cups/distifno 1.53 - pkgsrc/print/cups/patches/patch-au 1.9 Module Name: pkgsrc Committed By: dsainty Date: Mon Oct 22 11:56:46 UTC 2007 Modified Files: pkgsrc/print/cups: Makefile Log Message: Fix the output of "cups-config --ldflags" to output "-Wl,-R/usr/pkg" like other config scripts do. Bump PKGREVISION since client software may not correctly build or run without this fix. --- Module Name: pkgsrc Committed By: adrianp Date: Mon Nov 5 20:16:19 UTC 2007 Modified Files: pkgsrc/print/cups: Makefile distinfo Added Files: pkgsrc/print/cups/patches: patch-au Log Message: Fix for CVE-2007-4351 PKGREVISION++ --- print/cups/Makefile | 9 ++- print/cups/distinfo | 3 +- print/cups/patches/patch-au | 155 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 165 insertions(+), 2 deletions(-) create mode 100644 print/cups/patches/patch-au
diff --git a/print/cups/Makefile b/print/cups/Makefile
index d5020e77742..0b04d17e797 100644
--- a/print/cups/Makefile
+++ b/print/cups/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.126 2007/10/08 11:39:47 rillig Exp $
+# $NetBSD: Makefile,v 1.126.2.1 2007/12/03 13:13:14 ghen Exp $
 #
 # The CUPS author is very good about taking back changes into the main
 # CUPS distribution. The correct place to send patches or bug-fixes is:
@@ -9,6 +9,7 @@ PKGNAME= cups-${VERS}
 BASE_VERS= 1.2.12
 DIST_VERS= ${BASE_VERS}
 VERS= ${DIST_VERS:S/-/./g}
+PKGREVISION= 2
 CATEGORIES= print
 MASTER_SITES= http://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
 ftp://ftp2.easysw.com/pub/cups/${BASE_VERS}/ \
@@ -136,6 +137,12 @@ SUBST_FILES.paths= ${WRKDIR}/cups.pam
 SUBST_SED.paths+= -e 's,@LOCALBASE@,${LOCALBASE},g'
 SUBST_STAGE.paths= post-patch
 
+SUBST_CLASSES+= rpathfix
+SUBST_FILES.rpathfix= cups-config.in
+SUBST_MESSAGE.rpathfix= Adding rpath to cups-config.
+SUBST_SED.rpathfix= -e 's|@EXPORT_LDFLAGS@|${COMPILER_RPATH_FLAG}${LOCALBASE}/lib|g'
+SUBST_STAGE.rpathfix= post-patch
+
 pre-configure:
 cd ${WRKSRC} && aclocal && autoconf
 
diff --git a/print/cups/distinfo b/print/cups/distinfo
index 47fffe24291..0be3197e061 100644
--- a/print/cups/distinfo
+++ b/print/cups/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.52 2007/08/15 04:15:10 markd Exp $
+$NetBSD: distinfo,v 1.52.2.1 2007/12/03 13:13:14 ghen Exp $
 
 SHA1 (cups-1.2.12-source.tar.bz2) = 11a540f76a1d3164b6636bf8ba47928803ad9356
 RMD160 (cups-1.2.12-source.tar.bz2) = 598270e37ff8a9b9ff1e667066d6f7e120493e32
@@ -10,3 +10,4 @@ SHA1 (patch-ad) = 6695c344453495cd960460733a80d50654786c60
 SHA1 (patch-an) = 4c5271b0f4a262e782e3de8396870498125675bd
 SHA1 (patch-ao) = 5cb88810f316ffad2a004d13e65b70108c8234b2
 SHA1 (patch-at) = eea32b989402c353f5f1644348c1042a3d4ddfa1
+SHA1 (patch-au) = 9d9f8474cb553e112f5b53e84593347f919534e1
diff --git a/print/cups/patches/patch-au b/print/cups/patches/patch-au
new file mode 100644
index 00000000000..aa6fdb50876
--- /dev/null
+++ b/print/cups/patches/patch-au
@@ -0,0 +1,155 @@
+$NetBSD: patch-au,v 1.8.4.1 2007/12/03 13:13:14 ghen Exp $
+
+# CVE-2007-4351
+
+--- cups/ipp.c.orig 2007-02-05 20:25:50.000000000 +0000
++++ cups/ipp.c
+@@ -1315,6 +1315,12 @@ ippReadIO(void *src, /* I - Data
+ {
+ case IPP_TAG_INTEGER :
+ case IPP_TAG_ENUM :
++ if (n != 4)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 4) < 4)
+ {
+ DEBUG_puts("ippReadIO: Unable to read integer value!");
+@@ -1327,6 +1333,12 @@ ippReadIO(void *src, /* I - Data
+ value->integer = n;
+ break;
+ case IPP_TAG_BOOLEAN :
++ if (n != 1)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 1) < 1)
+ {
+ DEBUG_puts("ippReadIO: Unable to read boolean value!");
+@@ -1344,6 +1356,12 @@ ippReadIO(void *src, /* I - Data
+ case IPP_TAG_CHARSET :
+ case IPP_TAG_LANGUAGE :
+ case IPP_TAG_MIMETYPE :
++ if (n >= sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, n) < n)
+ {
+ DEBUG_puts("ippReadIO: unable to read name!");
+@@ -1356,6 +1374,12 @@ ippReadIO(void *src, /* I - Data
+ value->string.text));
+ break;
+ case IPP_TAG_DATE :
++ if (n != 11)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, value->date, 11) < 11)
+ {
+ DEBUG_puts("ippReadIO: Unable to date integer value!");
+@@ -1363,6 +1387,12 @@ ippReadIO(void *src, /* I - Data
+ }
+ break;
+ case IPP_TAG_RESOLUTION :
++ if (n != 9)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 9) < 9)
+ {
+ DEBUG_puts("ippReadIO: Unable to read resolution value!");
+@@ -1379,6 +1409,12 @@ ippReadIO(void *src, /* I - Data
+ (ipp_res_t)buffer[8];
+ break;
+ case IPP_TAG_RANGE :
++ if (n != 8)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 8) < 8)
+ {
+ DEBUG_puts("ippReadIO: Unable to read range value!");
+@@ -1394,7 +1430,7 @@ ippReadIO(void *src, /* I - Data
+ break;
+ case IPP_TAG_TEXTLANG :
+ case IPP_TAG_NAMELANG :
+- if (n > sizeof(buffer) || n < 4)
++ if (n >= sizeof(buffer) || n < 4)
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+@@ -1420,22 +1456,27 @@ ippReadIO(void *src, /* I - Data
+
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if (n >= sizeof(string))
++ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
++ n >= sizeof(string))
+ {
+- memcpy(string, bufptr + 2, sizeof(string) - 1);
+- string[sizeof(string) - 1] = '\0';
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
+ }
+- else
+- {
+- memcpy(string, bufptr + 2, n);
+- string[n] = '\0';
+- }
++
++ memcpy(string, bufptr + 2, n);
++ string[n] = '\0';
+
+ value->string.charset = _cupsStrAlloc((char *)string);
+
+ bufptr += 2 + n;
+ n = (bufptr[0] << 8) | bufptr[1];
+
++ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ bufptr[2 + n] = '\0';
+ value->string.text = _cupsStrAlloc((char *)bufptr + 2);
+ break;
+@@ -1477,6 +1518,12 @@ ippReadIO(void *src, /* I - Data
+ * we need to carry over...
+ */
+
++ if (n >= sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, n) < n)
+ {
+ DEBUG_puts("ippReadIO: Unable to read member name value!");
+@@ -1498,6 +1545,12 @@ ippReadIO(void *src, /* I - Data
+ break;
+
+ default : /* Other unsupported values */
++ if (n > sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ value->unknown.length = n;
+ if (n > 0)
+ {
-- cgit v1.2.3
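Review bot: In the IPP_TAG_TEXTLANG / IPP_TAG_NAMELANG branch of the carried cups/ipp.c patch, the two new sub-length checks bound `bufptr + 2 + n` by `buffer + sizeof(buffer)`, the capacity of the scratch buffer, rather than by the number of bytes this value actually delivered. Because `n` is reassigned from `bufptr[0]`/`bufptr[1]` just before each check, a charset or text length longer than the received value still passes while it fits in the array, and `memcpy(string, bufptr + 2, n)` or `_cupsStrAlloc((char *)bufptr + 2)` would then take in leftover bytes from earlier reads. I would keep the end of the received data in its own pointer before `n` is reused (something like `bufend = buffer + n;`, assuming the read between these inner hunks fills exactly `n` bytes) and test lengths against it, e.g. `if (n > bufend - bufptr - 2)` for the text part, with the charset test also leaving room for the two-byte text length. Comparing lengths instead of pointers also avoids forming `bufptr + 2 + n` beyond the end of `buffer` for a large `n`. ippReadIO starts and ends outside the lines shown, so the declarations of `n`, `buffer` and `string` could not be checked.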