From 2b9fae5a8c1dc8804c01598f3ef776e1481becbd Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Mon, 1 Feb 2021 11:52:16 +0100
Subject: [PATCH] fix for CVE-2020-10001

---
 cups.spec | 9 +++-
 cve-2020-10001-ippReadIO-buffer.patch | 61 +++++++++++++++++++++++++++
 2 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 cve-2020-10001-ippReadIO-buffer.patch

diff --git a/cups.spec b/cups.spec
index 24478de..0cbc063 100644
--- a/cups.spec
+++ b/cups.spec
@@ -17,7 +17,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: ASL 2.0
 Url: http://www.cups.org/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
@@ -69,6 +69,7 @@ Patch100: cups-lspp.patch
 %endif
 
 #### UPSTREAM PATCHES (starts with 1000) ####
+Patch1000: cve-2020-10001-ippReadIO-buffer.patch
 
 ##### Patches removed because IMHO they aren't no longer needed
 ##### but still I'll leave them in git in case their removal
@@ -253,6 +254,9 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 # Added IEEE 1284 Device ID for a Dymo device (bug #747866).
 %patch13 -p1 -b .dymo-deviceid
 
+# UPSTREAM PATCHES
+%patch1000 -p1 -b .cve2020-10001
+
 %if %{lspp}
 # LSPP support.
 %patch100 -p1 -b .lspp
@@ -657,6 +661,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz
 
 %changelog
+* Mon Feb 01 2021 Zdenek Dohnal - 1:2.3.3op1-4
+- fix for CVE-2020-10001
+
 * Thu Jan 28 2021 Zdenek Dohnal - 1:2.3.3op1-3
 - remove nss-mdns dependency - let the user decide whether use resolved or nss-mdns
 - remove cups dependency on cups-ipptool - actually not needed
diff --git a/cve-2020-10001-ippReadIO-buffer.patch b/cve-2020-10001-ippReadIO-buffer.patch
new file mode 100644
index 0000000..efc6492
--- /dev/null
+++ b/cve-2020-10001-ippReadIO-buffer.patch
@@ -0,0 +1,61 @@
+Fix for CVE-2020-10001, which is a bug in the CUPS ippReadIO function when it
+reads tagged string values (nameWithLanguage and textWithLanguage). The
+previous code verified that the length of the sub-strings (language identifier
+and name/text value) did not exceed the size of the allocated buffer (1 byte
+larger than the maximum IPP value size of 32767 bytes), but did not validate
+against the length of the actual IPP value.
+
+The issues introduced by this vulnerability include:
+
+- Potential information disclosure by copying uninitialized areas of memory into
+ an IPP string value.
+- Potential Denial of Service by supplying/using invalid string values when
+ strict validation has been disabled by the system administrator.
+
+This change ensures that:
+
+1. The language identifier does not extend beyond the end of the IPP value.
+2. The length of the name/text string is within the IPP value.
+3. The name/text string is within the IPP value.
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 3d529346c..adbb26fba 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */
+ unsigned char *buffer, /* Data buffer */
+ string[IPP_MAX_TEXT],
+ /* Small string buffer */
+- *bufptr; /* Pointer into buffer */
++ *bufptr, /* Pointer into buffer */
++ *bufend; /* End of buffer */
+ ipp_attribute_t *attr; /* Current attribute */
+ ipp_tag_t tag; /* Current tag */
+ ipp_tag_t value_tag; /* Current value tag */
+@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */
+ }
+
+ bufptr = buffer;
++ bufend = buffer + n;
+
+ /*
+ * text-with-language and name-with-language are composite
+@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */
+
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
++ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ _("IPP language length overflows value."), 1);
+@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */
+ bufptr += 2 + n;
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
++ if ((bufptr + 2 + n) > bufend)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ _("IPP string length overflows value."), 1);
+
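Review bot: Both new checks, `if ((bufptr + 2 + n + 2) > bufend || ...)` and `if ((bufptr + 2 + n) > bufend)`, still form the pointer `bufptr + 2 + n` before comparing it, and because `n` is decoded from a two-byte length field it can reach 65535 while the buffer is only IPP_BUF_SIZE bytes, so the pointer may be formed well past one-past-the-end of `buffer`, which is undefined behaviour in C even when it is only compared and which an optimizer may exploit. Comparing the remaining byte count keeps the arithmetic in integers: `if (bufend - bufptr < 2 + n + 2 || n >= (int)sizeof(string))` for the language check and `if (bufend - bufptr < 2 + n)` for the string check. The first `n = (bufptr[0] << 8) | bufptr[1];` read depends on a minimum-length check on the whole value that sits outside this hunk; presumably ippReadIO rejects values shorter than four bytes before reaching it, which is worth confirming when carrying this backport. ippReadIO begins and ends outside the hunks of the embedded patch.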