- Applied patch to fix CVE-2008-1373 (GIF overflow, bug #438303).

- Applied patch to prevent heap-based buffer overflow in CUPS helper program (bug #436153, CVE-2008-0047, STR #2729).
2008-04-01 15:48:12 +00:00 · 2008-04-01 15:48:12 +00:00 · a5bf04c3a5
commit a5bf04c3a5
parent 96894a57b6
3 changed files with 46 additions and 1 deletions
--- a/cups-CVE-2008-0047.patch
+++ b/cups-CVE-2008-0047.patch
@ -0,0 +1,14 @@
+diff -up cups-1.3.6/cgi-bin/search.c.CVE-2008-0047 cups-1.3.6/cgi-bin/search.c
+--- cups-1.3.6/cgi-bin/search.c.CVE-2008-0047	2008-01-16 22:20:33.000000000 +0000
+++ cups-1.3.6/cgi-bin/search.c	2008-04-01 16:41:30.000000000 +0100
+@@ -167,7 +167,9 @@ cgiCompileSearch(const char *query)	/* I
+       * string + RE overhead...
+       */
+ 
+-      wlen = (sptr - s) + 4 * wlen + 2 * strlen(prefix) + 4;
+      wlen = (sptr - s) + 2 * 4 * wlen + 2 * strlen(prefix) + 11;
+      if (lword)
+        wlen += strlen(lword);
+ 
+       if (wlen > slen)
+       {
--- a/cups-CVE-2008-1373.patch
+++ b/cups-CVE-2008-1373.patch
@ -0,0 +1,22 @@
+diff -up cups-1.3.6/filter/image-gif.c.CVE-2008-1373 cups-1.3.6/filter/image-gif.c
+--- cups-1.3.6/filter/image-gif.c.CVE-2008-1373	2008-01-14 22:12:58.000000000 +0000
+++ cups-1.3.6/filter/image-gif.c	2008-04-01 16:43:22.000000000 +0100
+@@ -38,6 +38,8 @@
+ #define GIF_INTERLACE	0x40
+ #define GIF_COLORMAP	0x80
+ 
+#define MAX_LWZ_BITS	12
+
+ typedef cups_ib_t	gif_cmap_t[256][4];
+ typedef short		gif_table_t[4096];
+ 
+@@ -465,6 +467,9 @@ gif_read_image(FILE         *fp,	/* I - 
+   if (!pixels)
+     return (-1);
+ 
+  if (code_size > MAX_LWZ_BITS)
+    return (-1);
+
+   if (gif_read_lzw(fp, 1, code_size) < 0)
+   {
+     free(pixels);
--- a/cups.spec
+++ b/cups.spec
@ -7,7 +7,7 @@
 Summary: Common Unix Printing System
 Name: cups
 Version: 1.3.6
-Release: 8%{?svn:.svn%{svn}}%{?dist}
+Release: 9%{?svn:.svn%{svn}}%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
 Source: ftp://ftp.easysw.com/pub/cups/test//cups-%{version}%{?svn:svn-r%{svn}}-source.tar.bz2
@ -48,6 +48,8 @@ Patch23: cups-logrotate.patch
 Patch25: cups-usb-paperout.patch
 Patch26: cups-str2715.patch
 Patch27: cups-str2727.patch
+Patch28: cups-CVE-2008-0047.patch
+Patch29: cups-CVE-2008-1373.patch
 Patch100: cups-lspp.patch
 Epoch: 1
 Url: http://www.cups.org/
@ -165,6 +167,8 @@ lpd emulation.
 %patch25 -p1 -b .usb-paperout
 %patch26 -p1 -b .str2715
 %patch27 -p1 -b .str2727
+%patch28 -p1 -b .CVE-2008-0047
+%patch29 -p1 -b .CVE-2008-1373

 %if %lspp
 %patch100 -p1 -b .lspp
@ -441,6 +445,11 @@ rm -rf $RPM_BUILD_ROOT
 %{cups_serverbin}/daemon/cups-lpd

 %changelog
+* Thu Apr  1 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.6-9
+- Applied patch to fix CVE-2008-1373 (GIF overflow, bug #438303).
+- Applied patch to prevent heap-based buffer overflow in CUPS helper
+  program (bug #436153, CVE-2008-0047, STR #2729).
+
 * Thu Apr  1 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.6-8
 - Ship a few doc files (bug #438598).