From c1920d09b842bd2d0611559d00d595abd8aa2424 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Wed, 22 Apr 2020 09:43:23 +0200
Subject: [PATCH] 1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c
---
 cups-ppdopen-heap-overflow.patch | 42 ++++++++++++++++++++++++++++++++
 cups.spec | 9 ++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 cups-ppdopen-heap-overflow.patch
diff --git a/cups-ppdopen-heap-overflow.patch b/cups-ppdopen-heap-overflow.patch
new file mode 100644
index 0000000..4b725e1
--- /dev/null
+++ b/cups-ppdopen-heap-overflow.patch
@@ -0,0 +1,42 @@
+diff --git a/cups/ppd.c b/cups/ppd.c
+index ff52df2e..199cf034 100644
+--- a/cups/ppd.c
++++ b/cups/ppd.c
+@@ -1719,8 +1719,7 @@ _ppdOpen(
+ constraint->choice1, constraint->option2,
+ constraint->choice2))
+ {
+- case 0 : /* Error */
+- case 1 : /* Error */
++ default : /* Error */
+ pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
+ goto error;
+
+diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
+index c25d4966..236c00db 100644
+--- a/ppdc/ppdc-source.cxx
++++ b/ppdc/ppdc-source.cxx
+@@ -1743,15 +1743,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to read
+
+ switch (sscanf(name, "%dx%d", &xdpi, &ydpi))
+ {
+- case 0 :
+- _cupsLangPrintf(stderr,
+- _("ppdc: Bad resolution name \"%s\" on line %d of "
+- "%s."), name, fp->line, fp->filename);
+- break;
+ case 1 :
+ ydpi = xdpi;
+ break;
+- }
++ case 2 :
++ break;
++ default :
++ _cupsLangPrintf(stderr,
++ _("ppdc: Bad resolution name \"%s\" on line %d of "
++ "%s."), name, fp->line, fp->filename);
++ break;
++}
+
+ // Create the necessary PS commands...
+ snprintf(command, sizeof(command),
diff --git a/cups.spec b/cups.spec
index 10b7f05..d98329a 100644
--- a/cups.spec
+++ b/cups.spec
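Review bot: In the ppdc/ppdc-source.cxx hunk of the embedded patch, the new `default :` branch only prints "Bad resolution name" and then hits `break;`, so the `snprintf(command, sizeof(command), ...)` after the switch still runs with `xdpi`/`ydpi` that `sscanf` did not assign when it returned 0 or EOF. Unless both variables are initialised above the hunk, the PS command is built from indeterminate values; the branch should end with the function's failure return in place of `break;`, or both variables should get a known default before the switch. get_resolution() starts and ends outside the hunk, so its declarations and return value have to be checked there. In the cups/ppd.c hunk the switch expression begins above the visible lines; if it is a `sscanf` count, the comment could say what the widened case now covers, e.g. `default : /* Error, including a negative (EOF) result */`.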
@@ -15,7 +15,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: ASL 2.0 with exceptions for GPL2/LGPL2
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@@ -95,6 +95,8 @@ Patch22: cups-autostart-when-enabled.patch
 Patch100: cups-lspp.patch
 #### UPSTREAM PATCHES ####
+# 1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c
+Patch23: cups-ppdopen-heap-overflow.patch
 ##### Patches removed because IMHO they aren't no longer needed
 ##### but still I'll leave them in git in case their removal
@@ -301,6 +303,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch22 -p1 -b .autostart-when-enabled
 #### UPSTREAMED PATCHES ####
+# 1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c
+%patch23 -p1 -b .ppdopen-heap-overflow
 # removed dbus patch - seems breaking things
 # Fix implementation of com.redhat.PrinterSpooler D-Bus object.
@@ -727,6 +731,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippevepcl.7.gz
 %changelog
+* Tue Apr 21 2020 Zdenek Dohnal - 1:2.3.1-9
+- 1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c
+
 * Wed Apr 08 2020 Zdenek Dohnal - 1:2.3.1-8
 - 1822154 - cups.service doesn't execute automatically on request