- Applied patch to fix RSS subscription limiting (bug #473901,

CVE-2008-5183).
2008-12-09 12:19:10 +00:00 · 2008-12-09 12:19:10 +00:00 · 54fdf3149d
commit 54fdf3149d
parent 277864519c
2 changed files with 174 additions and 0 deletions
--- a/cups-CVE-2008-5183.patch
+++ b/cups-CVE-2008-5183.patch
@ -0,0 +1,170 @@
 diff -up cups-1.4b1/scheduler/ipp.c.CVE-2008-5183 cups-1.4b1/scheduler/ipp.c
 --- cups-1.4b1/scheduler/ipp.c.CVE-2008-5183	2008-12-09 12:16:15.000000000 +0000
 +++ cups-1.4b1/scheduler/ipp.c	2008-12-09 12:17:43.000000000 +0000
@@ -2392,24 +2392,25 @@ add_job_subscriptions(
     if (mask == CUPSD_EVENT_NONE)
       mask = CUPSD_EVENT_JOB_COMPLETED;
 -    sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, recipient,
 -                               0);
 +    if ((sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job,
 +                                    recipient, 0)) != NULL)
 +    {
 +      sub->interval = interval;
 -    sub->interval = interval;
 +      cupsdSetString(&sub->owner, job->username);
 -    cupsdSetString(&sub->owner, job->username);
 +      if (user_data)
 +      {
 +	sub->user_data_len = user_data->values[0].unknown.length;
 +	memcpy(sub->user_data, user_data->values[0].unknown.data,
 +	       sub->user_data_len);
 +      }
 -    if (user_data)
 -    {
 -      sub->user_data_len = user_data->values[0].unknown.length;
 -      memcpy(sub->user_data, user_data->values[0].unknown.data,
 -             sub->user_data_len);
 +      ippAddSeparator(con->response);
 +      ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER,
 +		    "notify-subscription-id", sub->id);
     }
 -    ippAddSeparator(con->response);
 -    ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER,
 -                  "notify-subscription-id", sub->id);
 -
     if (attr)
       attr = attr->next;
   }
@@ -6668,7 +6669,12 @@ create_subscription(
     else
       job = NULL;
 -    sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
 +    if ((sub = cupsdAddSubscription(mask, printer, job, recipient, 0)) == NULL)
 +    {
 +      send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS,
 +		      _("There are too many subscriptions."));
 +      return;
 +    }
     if (job)
       cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d",
 diff -up cups-1.4b1/scheduler/subscriptions.c.CVE-2008-5183 cups-1.4b1/scheduler/subscriptions.c
 --- cups-1.4b1/scheduler/subscriptions.c.CVE-2008-5183	2008-12-09 12:16:15.000000000 +0000
 +++ cups-1.4b1/scheduler/subscriptions.c	2008-12-09 12:17:43.000000000 +0000
@@ -341,8 +341,54 @@ cupsdAddSubscription(
   * Limit the number of subscriptions...
   */
 -  if (cupsArrayCount(Subscriptions) >= MaxSubscriptions)
 +  if (MaxSubscriptions > 0 && cupsArrayCount(Subscriptions) >= MaxSubscriptions)
 +  {
 +    cupsdLogMessage(CUPSD_LOG_DEBUG,
 +                    "cupsdAddSubscription: Reached MaxSubscriptions %d",
 +		    MaxSubscriptions);
     return (NULL);
 +  }
 +
 +  if (MaxSubscriptionsPerJob > 0 && job)
 +  {
 +    int	count;				/* Number of job subscriptions */
 +
 +    for (temp = (cupsd_subscription_t *)cupsArrayFirst(Subscriptions),
 +             count = 0;
 +         temp;
 +	 temp = (cupsd_subscription_t *)cupsArrayNext(Subscriptions))
 +      if (temp->job == job)
 +        count ++;
 +
 +    if (count >= MaxSubscriptionsPerJob)
 +    {
 +      cupsdLogMessage(CUPSD_LOG_DEBUG,
 +		      "cupsdAddSubscription: Reached MaxSubscriptionsPerJob %d "
 +		      "for job #%d", MaxSubscriptionsPerJob, job->id);
 +      return (NULL);
 +    }
 +  }
 +
 +  if (MaxSubscriptionsPerPrinter > 0 && dest)
 +  {
 +    int	count;				/* Number of printer subscriptions */
 +
 +    for (temp = (cupsd_subscription_t *)cupsArrayFirst(Subscriptions),
 +             count = 0;
 +         temp;
 +	 temp = (cupsd_subscription_t *)cupsArrayNext(Subscriptions))
 +      if (temp->dest == dest)
 +        count ++;
 +
 +    if (count >= MaxSubscriptionsPerPrinter)
 +    {
 +      cupsdLogMessage(CUPSD_LOG_DEBUG,
 +		      "cupsdAddSubscription: Reached "
 +		      "MaxSubscriptionsPerPrinter %d for %s",
 +		      MaxSubscriptionsPerPrinter, dest->name);
 +      return (NULL);
 +    }
 +  }
  /*
   * Allocate memory for this subscription...
@@ -765,7 +811,6 @@ cupsdLoadAllSubscriptions(void)
       cupsdLogMessage(CUPSD_LOG_ERROR,
                       "Syntax error on line %d of subscriptions.conf.",
 	              linenum);
 -      break;
     }
     else if (!strcasecmp(line, "Events"))
     {
 diff -up cups-1.4b1/test/4.4-subscription-ops.test.CVE-2008-5183 cups-1.4b1/test/4.4-subscription-ops.test
 --- cups-1.4b1/test/4.4-subscription-ops.test.CVE-2008-5183	2007-07-09 21:34:48.000000000 +0100
 +++ cups-1.4b1/test/4.4-subscription-ops.test	2008-12-09 12:17:43.000000000 +0000
@@ -116,6 +116,32 @@
 	EXPECT notify-events
 	DISPLAY notify-events
 }
 +{
 +	# The name of the test...
 +	NAME "Check MaxSubscriptions limits"
 +
 +	# The operation to use
 +	OPERATION Create-Printer-Subscription
 +	RESOURCE /
 +
 +	# The attributes to send
 +	GROUP operation
 +	ATTR charset attributes-charset utf-8
 +	ATTR language attributes-natural-language en
 +	ATTR uri printer-uri $method://$hostname:$port/printers/Test1
 +
 +        GROUP subscription
 +	ATTR uri notify-recipient-uri testnotify://
 +	ATTR keyword notify-events printer-state-changed
 +	ATTR integer notify-lease-duration 5
 +
 +	# What statuses are OK?
 +	STATUS client-error-too-many-subscriptions
 +
 +	# What attributes do we expect?
 +	EXPECT attributes-charset
 +	EXPECT attributes-natural-language
 +}
 #
 # End of "$Id: 4.4-subscription-ops.test 6635 2007-07-09 20:34:48Z mike $"
 diff -up cups-1.4b1/test/run-stp-tests.sh.CVE-2008-5183 cups-1.4b1/test/run-stp-tests.sh
 --- cups-1.4b1/test/run-stp-tests.sh.CVE-2008-5183	2008-10-02 00:56:42.000000000 +0100
 +++ cups-1.4b1/test/run-stp-tests.sh	2008-12-09 12:17:43.000000000 +0000
@@ -326,6 +326,7 @@ PassEnv LOCALEDIR
 DocumentRoot $root/doc
 RequestRoot /tmp/cups-$user/spool
 TempDir /tmp/cups-$user/spool/temp
 +MaxSubscriptions 3
 MaxLogSize 0
 AccessLog /tmp/cups-$user/log/access_log
 ErrorLog /tmp/cups-$user/log/error_log
--- a/cups.spec
+++ b/cups.spec
@ -28,6 +28,7 @@ Patch1: cups-no-gzip-man.patch
 Patch2: cups-1.1.16-system-auth.patch
 Patch3: cups-multilib.patch
 Patch4: cups-str2831.patch
 Patch5: cups-CVE-2008-5183.patch
 Patch6: cups-banners.patch
 Patch7: cups-serverbin-compat.patch
 Patch8: cups-no-export-ssllibs.patch
@ -168,6 +169,7 @@ module.
 %patch2 -p1 -b .system-auth
 %patch3 -p1 -b .multilib
 %patch4 -p1 -b .str2831
 %patch5 -p1 -b .CVE-2008-5183
 %patch6 -p1 -b .banners
 %patch7 -p1 -b .serverbin-compat
 %patch8 -p1 -b .no-export-ssllibs
@ -449,6 +451,8 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Tue Dec  9 2008 Tim Waugh <twaugh@redhat.com> 1:1.4-0.b1.5
 - Applied patch to fix RSS subscription limiting (bug #473901,
  CVE-2008-5183).
 - Attempt to unbreak the fix for STR #2831 (bug #474742).
 * Sun Nov 30 2008 Tim Waugh <twaugh@redhat.com> 1:1.4-0.b1.4