1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c

2020-04-22 09:43:23 +02:00 · 2020-04-22 09:43:23 +02:00 · c1920d09b8
commit c1920d09b8
parent 66b8b42030
2 changed files with 50 additions and 1 deletions
--- a/cups-ppdopen-heap-overflow.patch
+++ b/cups-ppdopen-heap-overflow.patch
@ -0,0 +1,42 @@
+diff --git a/cups/ppd.c b/cups/ppd.c
+index ff52df2e..199cf034 100644
+--- a/cups/ppd.c
+++ b/cups/ppd.c
+@@ -1719,8 +1719,7 @@ _ppdOpen(
+                      constraint->choice1, constraint->option2,
+ 		     constraint->choice2))
+       {
+-        case 0 : /* Error */
+-	case 1 : /* Error */
+        default : /* Error */
+ 	    pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
+ 	    goto error;
+ 
+diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
+index c25d4966..236c00db 100644
+--- a/ppdc/ppdc-source.cxx
+++ b/ppdc/ppdc-source.cxx
+@@ -1743,15 +1743,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to read
+ 
+   switch (sscanf(name, "%dx%d", &xdpi, &ydpi))
+   {
+-    case 0 :
+-        _cupsLangPrintf(stderr,
+-	                _("ppdc: Bad resolution name \"%s\" on line %d of "
+-			  "%s."), name, fp->line, fp->filename);
+-        break;
+     case 1 :
+         ydpi = xdpi;
+ 	break;
+-  }
+    case 2 :
+        break;
+    default :
+        _cupsLangPrintf(stderr,
+                  _("ppdc: Bad resolution name \"%s\" on line %d of "
+        "%s."), name, fp->line, fp->filename);
+        break;
+}
+ 
+   // Create the necessary PS commands...
+   snprintf(command, sizeof(command),
--- a/cups.spec
+++ b/cups.spec
@ -15,7 +15,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: ASL 2.0 with exceptions for GPL2/LGPL2
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@ -95,6 +95,8 @@ Patch22: cups-autostart-when-enabled.patch
 Patch100: cups-lspp.patch

 #### UPSTREAM PATCHES ####
+# 1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c
+Patch23: cups-ppdopen-heap-overflow.patch

 ##### Patches removed because IMHO they aren't no longer needed
 ##### but still I'll leave them in git in case their removal
@ -301,6 +303,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch22 -p1 -b .autostart-when-enabled

 #### UPSTREAMED PATCHES ####
+# 1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c
+%patch23 -p1 -b .ppdopen-heap-overflow

 # removed dbus patch - seems breaking things
 # Fix implementation of com.redhat.PrinterSpooler D-Bus object.
@ -727,6 +731,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippevepcl.7.gz

 %changelog
+* Tue Apr 21 2020 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.1-9
+- 1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c
+
 * Wed Apr 08 2020 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.1-8
 - 1822154 - cups.service doesn't execute automatically on request