From b7fd95b4ba393c4a1f656990c87e9e65534bf269 Mon Sep 17 00:00:00 2001
From: tron
Date: Fri, 16 May 2014 14:30:01 +0000
Subject: Pullup ticket #4407 - requested by wiz
print/cups: security patch
Revisions pulled up:
- print/cups/Makefile 1.204
- print/cups/distinfo 1.98
- print/cups/patches/patch-scheduler_client.c 1.1
---
Module Name: pkgsrc
Committed By: wiz
Date: Thu May 15 12:51:58 UTC 2014
Modified Files:
pkgsrc/print/cups: Makefile distinfo
Added Files:
pkgsrc/print/cups/patches: patch-scheduler_client.c
Log Message:
Fix CVE-2014-2856 using upstream patch. Bump PKGREVISION.
---
print/cups/Makefile | 4 ++--
print/cups/distinfo | 3 ++-
print/cups/patches/patch-scheduler_client.c | 22 ++++++++++++++++++++++
3 files changed, 26 insertions(+), 3 deletions(-)
create mode 100644 print/cups/patches/patch-scheduler_client.c
diff --git a/print/cups/Makefile b/print/cups/Makefile
index de9b6b825ae..46269cb071c 100644
--- a/print/cups/Makefile
+++ b/print/cups/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.201 2014/02/12 23:18:28 tron Exp $
+# $NetBSD: Makefile,v 1.201.2.1 2014/05/16 14:30:01 tron Exp $
 #
 # The CUPS author is very good about taking back changes into the main
 # CUPS distribution. The correct place to send patches or bug-fixes is:
@@ -9,7 +9,7 @@
 PKGNAME= cups-${DIST_VERS:S/-/./g}
 BASE_VERS= 1.5.4
 DIST_VERS= ${BASE_VERS}
-PKGREVISION= 9
+PKGREVISION= 11
 CATEGORIES= print
 MASTER_SITES= http://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
 ftp://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
diff --git a/print/cups/distinfo b/print/cups/distinfo
index ad295b9b6c5..e4e8df40bdf 100644
--- a/print/cups/distinfo
+++ b/print/cups/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.96 2013/10/12 06:01:58 richard Exp $
+$NetBSD: distinfo,v 1.96.4.1 2014/05/16 14:30:01 tron Exp $
 SHA1 (cups-1.5.4-source.tar.bz2) = cb39961cbaf1851a47694828ad9a7cdf4da51fbd
 RMD160 (cups-1.5.4-source.tar.bz2) = 9d6a7fd69d3036ec1f3dfd9c70672a2c6fb517b6
@@ -18,4 +18,5 @@ SHA1 (patch-conf_Makefile) = 5b5d45abc1e8d6b73a1ad6b7a7098714d4c55395
 SHA1 (patch-config-scripts_cups-gssapi.m4) = 6f558ee1d2d56ceba3a9705d3278c7969495be5d
 SHA1 (patch-ppdc_Makefile) = 7dcc34217557a4c6f42064b61abf593bd7620b60
 SHA1 (patch-scheduler_auth.c) = 2056f20500e3c6e857f9dd2c83709c15be38fe0e
+SHA1 (patch-scheduler_client.c) = d4b6667199c0ff9617847ba119b82a50457cfd98
 SHA1 (patch-scheduler_dirsvc.c) = 62c6b47522a60b9f8042421e4a9d25a5dfa47c47
diff --git a/print/cups/patches/patch-scheduler_client.c b/print/cups/patches/patch-scheduler_client.c
new file mode 100644
index 00000000000..8822cf2c6b7
--- /dev/null
+++ b/print/cups/patches/patch-scheduler_client.c
@@ -0,0 +1,22 @@
+$NetBSD: patch-scheduler_client.c,v 1.1.2.2 2014/05/16 14:30:01 tron Exp $
+
+Fix for CVE-2014-2856 from
+http://www.cups.org/str.php?L4356
+
+--- scheduler/client.c.orig 2012-03-07 06:05:39.000000000 +0000
++++ scheduler/client.c
+@@ -4075,6 +4075,14 @@ is_path_absolute(const char *path) /* I
+ return (0);
+
+ /*
++ * Check for "<" or quotes in the path and reject since this is probably
++ * someone trying to inject HTML...
++ */
++
++ if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
++ return (0);
++
++ /*
+ * Check for "/.." in the path...
+ */
+
-- cgit v1.2.3
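Review bot: The new check in is_path_absolute is a character denylist — it rejects `<`, `"` and `'` but lets `>` and `&` through — so it only stops a tag or quoted-attribute breakout, and whatever later echoes the rejected path into an HTML error page (outside this hunk) should still HTML-escape the value rather than rely on this filter as the sole defense. Whether `path` is already percent-decoded when it reaches this point cannot be told from the hunk; if decoding happens after this call, `%3C` would pass the check, so that ordering in client.c is worth confirming. The three strchr calls would read more clearly as `if (strpbrk(path, "<\"'") != NULL)` followed by `return (0);`, which has the same semantics on one line, and the comment could name the issue instead of guessing at intent, e.g. `* Reject HTML metacharacters in the path (CVE-2014-2856, STR #4356).`. The body of is_path_absolute starts before and continues after the hunk.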