Merge branch 'f14'

2010-11-11 11:41:05 +00:00 · 2010-11-11 11:41:05 +00:00 · 7177a9dee7
commit 7177a9dee7
parent ce983b4c85 a2e546c6f4
3 changed files with 74 additions and 1 deletions
--- a/cups-CVE-2010-2941.patch
+++ b/cups-CVE-2010-2941.patch
@ -0,0 +1,47 @@
+diff -up cups-1.4.4/cups/ipp.c.CVE-2010-2941 cups-1.4.4/cups/ipp.c
+--- cups-1.4.4/cups/ipp.c.CVE-2010-2941	2010-04-23 19:56:34.000000000 +0100
+++ cups-1.4.4/cups/ipp.c	2010-11-11 11:30:28.566745595 +0000
+@@ -1275,7 +1275,9 @@ ippReadIO(void       *src,		/* I - Data 
+ 
+ 	      attr->value_tag = tag;
+ 	    }
+-	    else if ((value_tag >= IPP_TAG_TEXTLANG &&
+	    else if (value_tag == IPP_TAG_TEXTLANG ||
+	             value_tag == IPP_TAG_NAMELANG ||
+		     (value_tag >= IPP_TAG_TEXT &&
+ 		      value_tag <= IPP_TAG_MIMETYPE))
+             {
+ 	     /*
+@@ -1283,8 +1285,9 @@ ippReadIO(void       *src,		/* I - Data 
+ 	      * forms; accept sets of differing values...
+ 	      */
+ 
+-	      if ((tag < IPP_TAG_TEXTLANG || tag > IPP_TAG_MIMETYPE) &&
+-	          tag != IPP_TAG_NOVALUE)
+	      if (tag != IPP_TAG_TEXTLANG && tag != IPP_TAG_NAMELANG &&
+	          (tag < IPP_TAG_TEXT || tag > IPP_TAG_MIMETYPE) &&
+		  tag != IPP_TAG_NOVALUE)
+ 	      {
+ 		DEBUG_printf(("1ippReadIO: 1setOf value tag %x(%s) != %x(%s)",
+ 			      value_tag, ippTagString(value_tag), tag,
+@@ -2766,6 +2769,7 @@ _ippFreeAttr(ipp_attribute_t *attr)	/* I
+   {
+     case IPP_TAG_TEXT :
+     case IPP_TAG_NAME :
+    case IPP_TAG_RESERVED_STRING :
+     case IPP_TAG_KEYWORD :
+     case IPP_TAG_URI :
+     case IPP_TAG_URISCHEME :
+diff -up cups-1.4.4/cups/ipp.h.CVE-2010-2941 cups-1.4.4/cups/ipp.h
+--- cups-1.4.4/cups/ipp.h.CVE-2010-2941	2010-04-23 19:56:34.000000000 +0100
+++ cups-1.4.4/cups/ipp.h	2010-11-11 11:30:28.568745537 +0000
+@@ -93,7 +93,8 @@ typedef enum ipp_tag_e			/**** Format ta
+   IPP_TAG_END_COLLECTION,		/* End of collection value */
+   IPP_TAG_TEXT = 0x41,			/* Text value */
+   IPP_TAG_NAME,				/* Name value */
+-  IPP_TAG_KEYWORD = 0x44,		/* Keyword value */
+  IPP_TAG_RESERVED_STRING,		/* Reserved for future string value @private@ */
+  IPP_TAG_KEYWORD,			/* Keyword value */
+   IPP_TAG_URI,				/* URI value */
+   IPP_TAG_URISCHEME,			/* URI scheme value */
+   IPP_TAG_CHARSET,			/* Character set value */
--- a/cups-autotype-crash.patch
+++ b/cups-autotype-crash.patch
@ -0,0 +1,15 @@
+diff -up cups-1.4.4/scheduler/ipp.c.autotype-crash cups-1.4.4/scheduler/ipp.c
+--- cups-1.4.4/scheduler/ipp.c.autotype-crash	2010-10-15 15:25:15.093421917 +0100
+++ cups-1.4.4/scheduler/ipp.c	2010-10-15 15:25:49.645296947 +0100
+@@ -10481,8 +10481,9 @@ send_document(cupsd_client_t  *con,	/* I
+     if (!filetype)
+       filetype = mimeType(MimeDatabase, super, type);
+ 
+-    cupsdLogJob(job, CUPSD_LOG_DEBUG, "Request file type is %s/%s.",
+-		filetype->super, filetype->type);
+    if (filetype)
+      cupsdLogJob(job, CUPSD_LOG_DEBUG, "Request file type is %s/%s.",
+		  filetype->super, filetype->type);
+   }
+   else
+     filetype = mimeType(MimeDatabase, super, type);
--- a/cups.spec
+++ b/cups.spec
@ -8,7 +8,7 @@
 Summary: Common Unix Printing System
 Name: cups
 Version: 1.4.4
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
 Source: http://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2
@ -67,10 +67,12 @@ Patch35: cups-dnssd-deviceid.patch
 Patch36: cups-ricoh-deviceid-oid.patch
 Patch37: cups-texttops-rotate-page.patch
 Patch38: cups-str3608.patch
+Patch39: cups-autotype-crash.patch

 Patch100: cups-lspp.patch

 ## SECURITY PATCHES:
+Patch200: cups-CVE-2010-2941.patch

 Epoch: 1
 Url: http://www.cups.org/
@ -279,6 +281,8 @@ module.
 # Avoid empty notify-subscribed-event attributes (bug #606909, STR
 # #3608).
 %patch38 -p1 -b .str3608
+# Don't crash when MIME database could not be loaded (bug #610088).
+%patch39 -p1 -b .autotype-crash

 %if %lspp
 # LSPP support.
@ -286,6 +290,8 @@ module.
 %endif

 # SECURITY PATCHES:
+# Fix cupsd memory corruption vulnerability (CVE-2010-2941, bug #652161).
+%patch200 -p1 -b .CVE-2010-2941

 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in

@ -578,6 +584,11 @@ rm -rf $RPM_BUILD_ROOT
 %{php_extdir}/phpcups.so

 %changelog
+* Thu Nov 11 2010 Tim Waugh <twaugh@redhat.com> 1:1.4.4-12
+- Applied patch to fix cupsd memory corruption vulnerability
+  (CVE-2010-2941, bug #652161).
+- Don't crash when MIME database could not be loaded (bug #610088).
+
 * Wed Sep 29 2010 jkeating - 1:1.4.4-11
 - Rebuilt for gcc bug 634757