fix for CVE-2020-10001
This commit is contained in:
parent
6afae10a5e
commit
2b9fae5a8c
@ -17,7 +17,7 @@ Summary: CUPS printing system
|
|||||||
Name: cups
|
Name: cups
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 2.3.3%{OP_VER}
|
Version: 2.3.3%{OP_VER}
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
Url: http://www.cups.org/
|
Url: http://www.cups.org/
|
||||||
# Apple stopped uploading the new versions into github, use OpenPrinting fork
|
# Apple stopped uploading the new versions into github, use OpenPrinting fork
|
||||||
@ -69,6 +69,7 @@ Patch100: cups-lspp.patch
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
#### UPSTREAM PATCHES (starts with 1000) ####
|
#### UPSTREAM PATCHES (starts with 1000) ####
|
||||||
|
Patch1000: cve-2020-10001-ippReadIO-buffer.patch
|
||||||
|
|
||||||
##### Patches removed because IMHO they aren't no longer needed
|
##### Patches removed because IMHO they aren't no longer needed
|
||||||
##### but still I'll leave them in git in case their removal
|
##### but still I'll leave them in git in case their removal
|
||||||
@ -253,6 +254,9 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
|
|||||||
# Added IEEE 1284 Device ID for a Dymo device (bug #747866).
|
# Added IEEE 1284 Device ID for a Dymo device (bug #747866).
|
||||||
%patch13 -p1 -b .dymo-deviceid
|
%patch13 -p1 -b .dymo-deviceid
|
||||||
|
|
||||||
|
# UPSTREAM PATCHES
|
||||||
|
%patch1000 -p1 -b .cve2020-10001
|
||||||
|
|
||||||
%if %{lspp}
|
%if %{lspp}
|
||||||
# LSPP support.
|
# LSPP support.
|
||||||
%patch100 -p1 -b .lspp
|
%patch100 -p1 -b .lspp
|
||||||
@ -657,6 +661,9 @@ rm -f %{cups_serverbin}/backend/smb
|
|||||||
%{_mandir}/man7/ippeveps.7.gz
|
%{_mandir}/man7/ippeveps.7.gz
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Feb 01 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op1-4
|
||||||
|
- fix for CVE-2020-10001
|
||||||
|
|
||||||
* Thu Jan 28 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op1-3
|
* Thu Jan 28 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op1-3
|
||||||
- remove nss-mdns dependency - let the user decide whether use resolved or nss-mdns
|
- remove nss-mdns dependency - let the user decide whether use resolved or nss-mdns
|
||||||
- remove cups dependency on cups-ipptool - actually not needed
|
- remove cups dependency on cups-ipptool - actually not needed
|
||||||
|
61
cve-2020-10001-ippReadIO-buffer.patch
Normal file
61
cve-2020-10001-ippReadIO-buffer.patch
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
Fix for CVE-2020-10001, which is a bug in the CUPS ippReadIO function when it
|
||||||
|
reads tagged string values (nameWithLanguage and textWithLanguage). The
|
||||||
|
previous code verified that the length of the sub-strings (language identifier
|
||||||
|
and name/text value) did not exceed the size of the allocated buffer (1 byte
|
||||||
|
larger than the maximum IPP value size of 32767 bytes), but did not validate
|
||||||
|
against the length of the actual IPP value.
|
||||||
|
|
||||||
|
The issues introduced by this vulnerability include:
|
||||||
|
|
||||||
|
- Potential information disclosure by copying uninitialized areas of memory into
|
||||||
|
an IPP string value.
|
||||||
|
- Potential Denial of Service by supplying/using invalid string values when
|
||||||
|
strict validation has been disabled by the system administrator.
|
||||||
|
|
||||||
|
This change ensures that:
|
||||||
|
|
||||||
|
1. The language identifier does not extend beyond the end of the IPP value.
|
||||||
|
2. The length of the name/text string is within the IPP value.
|
||||||
|
3. The name/text string is within the IPP value.
|
||||||
|
|
||||||
|
diff --git a/cups/ipp.c b/cups/ipp.c
|
||||||
|
index 3d529346c..adbb26fba 100644
|
||||||
|
--- a/cups/ipp.c
|
||||||
|
+++ b/cups/ipp.c
|
||||||
|
@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */
|
||||||
|
unsigned char *buffer, /* Data buffer */
|
||||||
|
string[IPP_MAX_TEXT],
|
||||||
|
/* Small string buffer */
|
||||||
|
- *bufptr; /* Pointer into buffer */
|
||||||
|
+ *bufptr, /* Pointer into buffer */
|
||||||
|
+ *bufend; /* End of buffer */
|
||||||
|
ipp_attribute_t *attr; /* Current attribute */
|
||||||
|
ipp_tag_t tag; /* Current tag */
|
||||||
|
ipp_tag_t value_tag; /* Current value tag */
|
||||||
|
@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */
|
||||||
|
}
|
||||||
|
|
||||||
|
bufptr = buffer;
|
||||||
|
+ bufend = buffer + n;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* text-with-language and name-with-language are composite
|
||||||
|
@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */
|
||||||
|
|
||||||
|
n = (bufptr[0] << 8) | bufptr[1];
|
||||||
|
|
||||||
|
- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
|
||||||
|
+ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
|
||||||
|
{
|
||||||
|
_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
|
||||||
|
_("IPP language length overflows value."), 1);
|
||||||
|
@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */
|
||||||
|
bufptr += 2 + n;
|
||||||
|
n = (bufptr[0] << 8) | bufptr[1];
|
||||||
|
|
||||||
|
- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
|
||||||
|
+ if ((bufptr + 2 + n) > bufend)
|
||||||
|
{
|
||||||
|
_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
|
||||||
|
_("IPP string length overflows value."), 1);
|
||||||
|
|
Loading…
Reference in New Issue
Block a user