diff --git a/0001-Add-check-for-whether-option-variable-exists-or-not-.patch b/0001-Add-check-for-whether-option-variable-exists-or-not-.patch
new file mode 100644
index 0000000..f93498d
--- /dev/null
+++ b/0001-Add-check-for-whether-option-variable-exists-or-not-.patch
@@ -0,0 +1,35 @@
+From 96a6f61db6eb0fc450e00168903b795c57b033cb Mon Sep 17 00:00:00 2001
+From: =
+Date: Sat, 23 Jan 2021 00:44:09 +0530
+Subject: [PATCH] Add check for whether 'option' variable exists or not for
+ closeUI and JCLCloseUI lines in ppd.c
+
+---
+ cups/ppd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/cups/ppd.c b/cups/ppd.c
+index ae411cb3a..a82c8a584 100644
+--- a/cups/ppd.c
++++ b/cups/ppd.c
+@@ -1496,7 +1496,7 @@ _ppdOpen(
+ goto error;
+ }
+
+- if (!_cups_strcasecmp(option->defchoice, "custom") || !_cups_strncasecmp(option->defchoice, "custom.", 7))
++ if (option && (!_cups_strcasecmp(option->defchoice, "custom") || !_cups_strncasecmp(option->defchoice, "custom.", 7)))
+ {
+ /*
+ * "*DefaultOption: Custom..." may set the default to a custom value
+@@ -1531,7 +1531,7 @@ _ppdOpen(
+ goto error;
+ }
+
+- if (!_cups_strcasecmp(option->defchoice, "custom") || !_cups_strncasecmp(option->defchoice, "custom.", 7))
++ if (option && (!_cups_strcasecmp(option->defchoice, "custom") || !_cups_strncasecmp(option->defchoice, "custom.", 7)))
+ {
+ /*
+ * "*DefaultOption: Custom..." may set the default to a custom value
+--
+2.26.2
+
diff --git a/cups-helpcgi-segfault.patch b/cups-helpcgi-segfault.patch
new file mode 100644
index 0000000..67f48cc
--- /dev/null
+++ b/cups-helpcgi-segfault.patch
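Review bot: In the cups/ppd.c patch, the new `option &&` guard at both changed conditions (the inner hunks at 1496 and 1531) makes a missing option skip the default fix-up silently, and nothing records why `option` can be NULL at that point. The check that ends in `goto error;` just above starts outside each hunk, so presumably it rejects this case only under some conditions; a short comment above each condition, for example `/* option may be NULL for a CloseUI/JCLCloseUI with no open option; nothing to fix up */` (wording to be confirmed against that preceding check), would keep the guard from being dropped later. The spec file ties this change to a crash on a malformed PPD, so a regression PPD that covers both keywords would be worth adding with the patch. The body of _ppdOpen continues outside both hunks.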
@@ -0,0 +1,13 @@
+diff --git a/cgi-bin/help-index.c b/cgi-bin/help-index.c
+index ce97e47..3da1010 100644
+--- a/cgi-bin/help-index.c
++++ b/cgi-bin/help-index.c
+@@ -579,7 +579,7 @@ helpSearchIndex(help_index_t *hi, /* I - Index */
+ */
+
+ for (; node; node = (help_node_t *)cupsArrayNext(hi->nodes))
+- if (section && strcmp(node->section, section))
++ if (node->section && section && strcmp(node->section, section))
+ continue;
+ else if (filename && strcmp(node->filename, filename))
+ continue;
diff --git a/cups.spec b/cups.spec
index 24478de..63b0bd3 100644
--- a/cups.spec
+++ b/cups.spec
@@ -17,7 +17,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.3.3%{OP_VER} -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 Url: http://www.cups.org/ # Apple stopped uploading the new versions into github, use OpenPrinting fork
@@ -69,6 +69,15 @@ Patch100: cups-lspp.patch %endif #### UPSTREAM PATCHES (starts with 1000) #### +# backported from upstream +Patch1000: cve-2020-10001-ippReadIO-buffer.patch +# 1921881 - [abrt] cups: __strcmp_avx2(): help.cgi killed by SIGSEGV +# help.cgi segfaulted because it compared NULL in strcmp() +# backported from upstream https://github.com/OpenPrinting/cups/pull/81 +Patch1001: cups-helpcgi-segfault.patch +# 1909980 - cupsd crashes on parsing malformed Brother PPD +# backported from upstream https://github.com/OpenPrinting/cups/pull/78 +Patch1002: 0001-Add-check-for-whether-option-variable-exists-or-not-.patch ##### Patches removed because IMHO they aren't no longer needed ##### but still I'll leave them in git in case their removal
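Review bot: In the cgi-bin/help-index.c patch, the added `node->section &&` test means a node with a NULL section is no longer skipped when a section filter is given, so it falls through to the filename test and can be returned for any requested section. If sectionless nodes should not match a specific section, the condition would be `if (section && (!node->section || strcmp(node->section, section)))`. The next line still passes `node->filename` to strcmp() unguarded; whether it can be NULL is not visible here, but if it can, the same crash remains. The loop sits inside helpSearchIndex, whose body starts and ends outside the hunk.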
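Review bot: In cups.spec, `Patch1000` is the only backport added in the `@@ -69,6 +69,15 @@` hunk whose comment carries neither a bug number nor an upstream reference; the other two name the bug and the pull request. For a CVE fix the origin should be traceable from the spec, e.g. `# CVE-2020-10001 - backported from upstream commit <UPSTREAM_COMMIT_ID>`. The patch file added in this commit has no commit header either, so the spec comment is the only place where the source of the fix can be recorded.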
@@ -109,6 +118,11 @@ BuildRequires: audit-libs-devel # getaddrinfo from glibc needs nss-mdns or systemd-resolved for resolving # mdns .local addresses. Don't require a specific package for now and let # the user to decide what to use +# just recommend nss-mdns for Fedora for now to have working default, but +# don't hardwire it for resolved users +%if 0%{?fedora} +Recommends: nss-mdns +%endif # avahi is needed for mDNS discovery and sharing queues Recommends: avahi
@@ -170,6 +184,11 @@ Requires: avahi # mdns address resolver (nss-mdns or systemd-resolved) is needed too, # but don't require a specific package for now and let the user to choose # what to use +# just recommend nss-mdns for Fedora for now to have working default, but +# don't hardwire it for resolved users +%if 0%{?fedora} +Recommends: nss-mdns +%endif %package printerapp Summary: CUPS printing system - tools for printer application
@@ -179,6 +198,11 @@ Requires: avahi # mdns address resolver (nss-mdns or systemd-resolved) is needed too, # but don't require a specific package for now and let the user to choose # what to use +# just recommend nss-mdns for Fedora for now to have working default, but +# don't hardwire it for resolved users +%if 0%{?fedora} +Recommends: nss-mdns +%endif %description CUPS printing system provides a portable printing layer for
@@ -253,6 +277,16 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in # Added IEEE 1284 Device ID for a Dymo device (bug #747866). %patch13 -p1 -b .dymo-deviceid +# UPSTREAM PATCHES +# cve-2020-10001 +%patch1000 -p1 -b .cve2020-10001 +# 1921881 - [abrt] cups: __strcmp_avx2(): help.cgi killed by SIGSEGV +%patch1001 -p1 -b .helpcgi-segfault +# 1909980 - cupsd crashes on parsing malformed Brother PPD +%patch1002 -p1 -b .malformed-ppd-crash + + + %if %{lspp} # LSPP support. %patch100 -p1 -b .lspp
@@ -657,6 +691,12 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Mon Feb 01 2021 Zdenek Dohnal - 1:2.3.3op1-4 +- fix for CVE-2020-10001 +- recommend nss-mdns for Fedora to have a working default for now +- 1921881 - [abrt] cups: __strcmp_avx2(): help.cgi killed by SIGSEGV +- 1909980 - cupsd crashes on parsing malformed Brother PPD + * Thu Jan 28 2021 Zdenek Dohnal - 1:2.3.3op1-3 - remove nss-mdns dependency - let the user decide whether use resolved or nss-mdns - remove cups dependency on cups-ipptool - actually not needed
diff --git a/cve-2020-10001-ippReadIO-buffer.patch b/cve-2020-10001-ippReadIO-buffer.patch
new file mode 100644
index 0000000..efc6492
--- /dev/null
+++ b/cve-2020-10001-ippReadIO-buffer.patch
@@ -0,0 +1,61 @@
+Fix for CVE-2020-10001, which is a bug in the CUPS ippReadIO function when it
+reads tagged string values (nameWithLanguage and textWithLanguage). The
+previous code verified that the length of the sub-strings (language identifier
+and name/text value) did not exceed the size of the allocated buffer (1 byte
+larger than the maximum IPP value size of 32767 bytes), but did not validate
+against the length of the actual IPP value.
+
+The issues introduced by this vulnerability include:
+
+- Potential information disclosure by copying uninitialized areas of memory into
+ an IPP string value.
+- Potential Denial of Service by supplying/using invalid string values when
+ strict validation has been disabled by the system administrator.
+
+This change ensures that:
+
+1. The language identifier does not extend beyond the end of the IPP value.
+2. The length of the name/text string is within the IPP value.
+3. The name/text string is within the IPP value.
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 3d529346c..adbb26fba 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */
+ unsigned char *buffer, /* Data buffer */
+ string[IPP_MAX_TEXT],
+ /* Small string buffer */
+- *bufptr; /* Pointer into buffer */
++ *bufptr, /* Pointer into buffer */
++ *bufend; /* End of buffer */
+ ipp_attribute_t *attr; /* Current attribute */
+ ipp_tag_t tag; /* Current tag */
+ ipp_tag_t value_tag; /* Current value tag */
+@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */
+ }
+
+ bufptr = buffer;
++ bufend = buffer + n;
+
+ /*
+ * text-with-language and name-with-language are composite
+@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */
+
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
++ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ _("IPP language length 
overflows value."), 1);
+@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */
+ bufptr += 2 + n;
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
++ if ((bufptr + 2 + n) > bufend)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ _("IPP string length overflows value."), 1);
+
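Review bot: In the cups/ipp.c patch, both new bounds checks form the pointer `bufptr + 2 + n` before comparing it with `bufend`, and `n` is assembled from two input bytes, so it can be as large as 65535 while the description puts the buffer at 32768 bytes. Computing a pointer that far past the end of the array is undefined behaviour in C, so the comparison is not guaranteed to reject an oversized length. Comparing lengths avoids it: `if (n > (int)(bufend - bufptr) - 4 || n >= (int)sizeof(string))` for the language check and `if (n > (int)(bufend - bufptr) - 2)` for the string check (assuming `n` is an int, as the existing cast suggests). ippReadIO's body runs outside all four inner hunks, so whether a minimum value length is enforced before `bufptr[0]` is first read cannot be confirmed from here.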