fix for CVE-2020-10001

cups.spec

@@ -17,7 +17,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: ASL 2.0
 Url: http://www.cups.org/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
@@ -69,6 +69,7 @@ Patch100: cups-lspp.patch
 %endif
 
 #### UPSTREAM PATCHES (starts with 1000) ####
+Patch1000: cve-2020-10001-ippReadIO-buffer.patch
 
 ##### Patches removed because IMHO they aren't no longer needed
 ##### but still I'll leave them in git in case their removal
@@ -253,6 +254,9 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 # Added IEEE 1284 Device ID for a Dymo device (bug #747866).
 %patch13 -p1 -b .dymo-deviceid
 
+# UPSTREAM PATCHES
+%patch1000 -p1 -b .cve2020-10001
+
 %if %{lspp}
 # LSPP support.
 %patch100 -p1 -b .lspp
@@ -657,6 +661,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz
 
 %changelog
+* Mon Feb 01 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op1-4
+- fix for CVE-2020-10001
+
 * Thu Jan 28 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op1-3
 - remove nss-mdns dependency - let the user decide whether use resolved or nss-mdns
 - remove cups dependency on cups-ipptool - actually not needed

cve-2020-10001-ippReadIO-buffer.patch

@@ -0,0 +1,61 @@
+Fix for CVE-2020-10001, which is a bug in the CUPS ippReadIO function when it
+reads tagged string values (nameWithLanguage and textWithLanguage).  The
+previous code verified that the length of the sub-strings (language identifier
+and name/text value) did not exceed the size of the allocated buffer (1 byte
+larger than the maximum IPP value size of 32767 bytes), but did not validate
+against the length of the actual IPP value.
+
+The issues introduced by this vulnerability include:
+
+- Potential information disclosure by copying uninitialized areas of memory into
+  an IPP string value.
+- Potential Denial of Service by supplying/using invalid string values when
+  strict validation has been disabled by the system administrator.
+
+This change ensures that:
+
+1. The language identifier does not extend beyond the end of the IPP value.
+2. The length of the name/text string is within the IPP value.
+3. The name/text string is within the IPP value.
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 3d529346c..adbb26fba 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -2866,7 +2866,8 @@ ippReadIO(void       *src,		/* I - Data source */
+   unsigned char		*buffer,	/* Data buffer */
+ 			string[IPP_MAX_TEXT],
+ 					/* Small string buffer */
+-			*bufptr;	/* Pointer into buffer */
++			*bufptr,	/* Pointer into buffer */
++			*bufend;	/* End of buffer */
+   ipp_attribute_t	*attr;		/* Current attribute */
+   ipp_tag_t		tag;		/* Current tag */
+   ipp_tag_t		value_tag;	/* Current value tag */
+@@ -3441,6 +3442,7 @@ ippReadIO(void       *src,		/* I - Data source */
+ 		}
+
+                 bufptr = buffer;
++                bufend = buffer + n;
+
+ 	       /*
+ 	        * text-with-language and name-with-language are composite
+@@ -3454,7 +3456,7 @@ ippReadIO(void       *src,		/* I - Data source */
+
+ 		n = (bufptr[0] << 8) | bufptr[1];
+
+-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
++		if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+ 		{
+ 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ 		                _("IPP language length overflows value."), 1);
+@@ -3481,7 +3483,7 @@ ippReadIO(void       *src,		/* I - Data source */
+                 bufptr += 2 + n;
+ 		n = (bufptr[0] << 8) | bufptr[1];
+
+-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
++		if ((bufptr + 2 + n) > bufend)
+ 		{
+ 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ 		                _("IPP string length overflows value."), 1);
+