- Applied patch to fix CVE-2008-1373 (GIF overflow, bug #438303).

- Applied patch to prevent heap-based buffer overflow in CUPS helper
    program (bug #436153, CVE-2008-0047, STR #2729).
This commit is contained in:
Tim Waugh 2008-04-01 15:48:12 +00:00
parent 96894a57b6
commit a5bf04c3a5
3 changed files with 46 additions and 1 deletions

14
cups-CVE-2008-0047.patch Normal file
View File

@ -0,0 +1,14 @@
diff -up cups-1.3.6/cgi-bin/search.c.CVE-2008-0047 cups-1.3.6/cgi-bin/search.c
--- cups-1.3.6/cgi-bin/search.c.CVE-2008-0047 2008-01-16 22:20:33.000000000 +0000
+++ cups-1.3.6/cgi-bin/search.c 2008-04-01 16:41:30.000000000 +0100
@@ -167,7 +167,9 @@ cgiCompileSearch(const char *query) /* I
* string + RE overhead...
*/
- wlen = (sptr - s) + 4 * wlen + 2 * strlen(prefix) + 4;
+ wlen = (sptr - s) + 2 * 4 * wlen + 2 * strlen(prefix) + 11;
+ if (lword)
+ wlen += strlen(lword);
if (wlen > slen)
{

22
cups-CVE-2008-1373.patch Normal file
View File

@ -0,0 +1,22 @@
diff -up cups-1.3.6/filter/image-gif.c.CVE-2008-1373 cups-1.3.6/filter/image-gif.c
--- cups-1.3.6/filter/image-gif.c.CVE-2008-1373 2008-01-14 22:12:58.000000000 +0000
+++ cups-1.3.6/filter/image-gif.c 2008-04-01 16:43:22.000000000 +0100
@@ -38,6 +38,8 @@
#define GIF_INTERLACE 0x40
#define GIF_COLORMAP 0x80
+#define MAX_LWZ_BITS 12
+
typedef cups_ib_t gif_cmap_t[256][4];
typedef short gif_table_t[4096];
@@ -465,6 +467,9 @@ gif_read_image(FILE *fp, /* I -
if (!pixels)
return (-1);
+ if (code_size > MAX_LWZ_BITS)
+ return (-1);
+
if (gif_read_lzw(fp, 1, code_size) < 0)
{
free(pixels);

View File

@ -7,7 +7,7 @@
Summary: Common Unix Printing System Summary: Common Unix Printing System
Name: cups Name: cups
Version: 1.3.6 Version: 1.3.6
Release: 8%{?svn:.svn%{svn}}%{?dist} Release: 9%{?svn:.svn%{svn}}%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Daemons Group: System Environment/Daemons
Source: ftp://ftp.easysw.com/pub/cups/test//cups-%{version}%{?svn:svn-r%{svn}}-source.tar.bz2 Source: ftp://ftp.easysw.com/pub/cups/test//cups-%{version}%{?svn:svn-r%{svn}}-source.tar.bz2
@ -48,6 +48,8 @@ Patch23: cups-logrotate.patch
Patch25: cups-usb-paperout.patch Patch25: cups-usb-paperout.patch
Patch26: cups-str2715.patch Patch26: cups-str2715.patch
Patch27: cups-str2727.patch Patch27: cups-str2727.patch
Patch28: cups-CVE-2008-0047.patch
Patch29: cups-CVE-2008-1373.patch
Patch100: cups-lspp.patch Patch100: cups-lspp.patch
Epoch: 1 Epoch: 1
Url: http://www.cups.org/ Url: http://www.cups.org/
@ -165,6 +167,8 @@ lpd emulation.
%patch25 -p1 -b .usb-paperout %patch25 -p1 -b .usb-paperout
%patch26 -p1 -b .str2715 %patch26 -p1 -b .str2715
%patch27 -p1 -b .str2727 %patch27 -p1 -b .str2727
%patch28 -p1 -b .CVE-2008-0047
%patch29 -p1 -b .CVE-2008-1373
%if %lspp %if %lspp
%patch100 -p1 -b .lspp %patch100 -p1 -b .lspp
@ -441,6 +445,11 @@ rm -rf $RPM_BUILD_ROOT
%{cups_serverbin}/daemon/cups-lpd %{cups_serverbin}/daemon/cups-lpd
%changelog %changelog
* Thu Apr 1 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.6-9
- Applied patch to fix CVE-2008-1373 (GIF overflow, bug #438303).
- Applied patch to prevent heap-based buffer overflow in CUPS helper
program (bug #436153, CVE-2008-0047, STR #2729).
* Thu Apr 1 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.6-8 * Thu Apr 1 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.6-8
- Ship a few doc files (bug #438598). - Ship a few doc files (bug #438598).