Applied patch to fix cupsd memory corruption vulnerability (CVE-2010-2941, bug #652161).

Tim Waugh 2010-11-11 11:35:06 +00:00
parent eeb957badf
commit e2e55c5ec7
2 changed files with 55 additions and 1 deletions

cups-CVE-2010-2941.patch (normal file, 47 lines added)

@ -0,0 +1,47 @@
diff -up cups-1.4.4/cups/ipp.c.CVE-2010-2941 cups-1.4.4/cups/ipp.c
--- cups-1.4.4/cups/ipp.c.CVE-2010-2941 2010-04-23 19:56:34.000000000 +0100
+++ cups-1.4.4/cups/ipp.c 2010-11-11 11:30:28.566745595 +0000
@@ -1275,7 +1275,9 @@ ippReadIO(void *src, /* I - Data
attr->value_tag = tag;
}
- else if ((value_tag >= IPP_TAG_TEXTLANG &&
+ else if (value_tag == IPP_TAG_TEXTLANG ||
+ value_tag == IPP_TAG_NAMELANG ||
+ (value_tag >= IPP_TAG_TEXT &&
value_tag <= IPP_TAG_MIMETYPE))
{
/*
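Review bot: the rewritten predicate at `+ else if (value_tag == IPP_TAG_TEXTLANG ||` / `+ value_tag == IPP_TAG_NAMELANG ||` / `+ (value_tag >= IPP_TAG_TEXT &&` replaces a single wide range (IPP_TAG_TEXTLANG through IPP_TAG_MIMETYPE, which took in every enum value between those two, not only string tags) with two named tags plus the contiguous IPP_TAG_TEXT..IPP_TAG_MIMETYPE block, but that block still admits the value 0x43 that the ipp.h hunk names IPP_TAG_RESERVED_STRING, so this hunk is only correct in combination with the ipp.h change and the _ippFreeAttr change below. A one-line comment stating that the set of tags admitted here must match the string cases in _ippFreeAttr would stop a later edit from narrowing or widening one side alone.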
@@ -1283,8 +1285,9 @@ ippReadIO(void *src, /* I - Data
* forms; accept sets of differing values...
*/
- if ((tag < IPP_TAG_TEXTLANG || tag > IPP_TAG_MIMETYPE) &&
- tag != IPP_TAG_NOVALUE)
+ if (tag != IPP_TAG_TEXTLANG && tag != IPP_TAG_NAMELANG &&
+ (tag < IPP_TAG_TEXT || tag > IPP_TAG_MIMETYPE) &&
+ tag != IPP_TAG_NOVALUE)
{
DEBUG_printf(("1ippReadIO: 1setOf value tag %x(%s) != %x(%s)",
value_tag, ippTagString(value_tag), tag,
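Review bot: the test at `+ if (tag != IPP_TAG_TEXTLANG && tag != IPP_TAG_NAMELANG &&` / `+ (tag < IPP_TAG_TEXT || tag > IPP_TAG_MIMETYPE) &&` is the exact De Morgan complement of the predicate in the previous hunk (plus the existing IPP_TAG_NOVALUE exception), but it is duplicated by hand; a shared macro such as a hypothetical `IPP_TAG_IS_STRING(t)` used in both places would keep the two in lockstep. Worth a comment as well: per the surrounding text "accept sets of differing values", a mismatch inside this set only reaches the DEBUG_printf rather than being rejected, so every tag this predicate admits has to be allocated and released identically; that invariant is what the fix depends on.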
@@ -2766,6 +2769,7 @@ _ippFreeAttr(ipp_attribute_t *attr) /* I
{
case IPP_TAG_TEXT :
case IPP_TAG_NAME :
+ case IPP_TAG_RESERVED_STRING :
case IPP_TAG_KEYWORD :
case IPP_TAG_URI :
case IPP_TAG_URISCHEME :
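Review bot: adding `+ case IPP_TAG_RESERVED_STRING :` to the string group in _ippFreeAttr means values tagged 0x43 are now released the same way as IPP_TAG_TEXT and IPP_TAG_NAME values, yet this patch shows no matching case on the read side of ippReadIO; the hunk at -1275 only changes which tags are admitted, not how their values are stored. Please confirm that ippReadIO stores IPP_TAG_RESERVED_STRING values with the same allocator as the other string tags, otherwise the allocate/free mismatch this CVE concerns is moved rather than closed. A comment on this case line naming CVE-2010-2941 would also explain why a "reserved" tag appears in a free routine.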
diff -up cups-1.4.4/cups/ipp.h.CVE-2010-2941 cups-1.4.4/cups/ipp.h
--- cups-1.4.4/cups/ipp.h.CVE-2010-2941 2010-04-23 19:56:34.000000000 +0100
+++ cups-1.4.4/cups/ipp.h 2010-11-11 11:30:28.568745537 +0000
@@ -93,7 +93,8 @@ typedef enum ipp_tag_e /**** Format ta
IPP_TAG_END_COLLECTION, /* End of collection value */
IPP_TAG_TEXT = 0x41, /* Text value */
IPP_TAG_NAME, /* Name value */
- IPP_TAG_KEYWORD = 0x44, /* Keyword value */
+ IPP_TAG_RESERVED_STRING, /* Reserved for future string value @private@ */
+ IPP_TAG_KEYWORD, /* Keyword value */
IPP_TAG_URI, /* URI value */
IPP_TAG_URISCHEME, /* URI scheme value */
IPP_TAG_CHARSET, /* Character set value */
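Review bot: inserting `+ IPP_TAG_RESERVED_STRING, /* Reserved for future string value @private@ */` between IPP_TAG_NAME and IPP_TAG_KEYWORD while dropping the explicit `= 0x44` keeps IPP_TAG_KEYWORD at 0x44 only by implicit increment from IPP_TAG_TEXT = 0x41. Since ipp.h is a public header and these enumerators are on-the-wire tag values, keep `IPP_TAG_KEYWORD = 0x44` (or write `IPP_TAG_RESERVED_STRING = 0x43`) so the numbering is self-evident and a future insertion cannot silently shift every tag that follows. Also check that ippTagString(), which the DEBUG_printf in the ipp.c hunk calls with these tags, returns a sensible name for the new value.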

@ -8,7 +8,7 @@
Summary: Common Unix Printing System Summary: Common Unix Printing System
Name: cups Name: cups
Version: 1.4.4 Version: 1.4.4
Release: 10%{?dist} Release: 11%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Daemons Group: System Environment/Daemons
Source: http://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2 Source: http://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2
@ -75,6 +75,7 @@ Patch39: cups-autotype-crash.patch
Patch100: cups-lspp.patch Patch100: cups-lspp.patch
## SECURITY PATCHES: ## SECURITY PATCHES:
Patch200: cups-CVE-2010-2941.patch
Epoch: 1 Epoch: 1
Url: http://www.cups.org/ Url: http://www.cups.org/
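Review bot: the new `Patch200: cups-CVE-2010-2941.patch` line under "## SECURITY PATCHES:" carries no comment, unlike the matching `%patch200` application below which names the CVE and bug; adding `# CVE-2010-2941, bug #652161` beside the declaration keeps the two halves of the spec greppable together.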
@ -292,6 +293,8 @@ module.
%endif %endif
# SECURITY PATCHES: # SECURITY PATCHES:
# Fix cupsd memory corruption vulnerability (CVE-2010-2941, bug #652161).
%patch200 -p1 -b .CVE-2010-2941
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
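Review bot: `%patch200 -p1 -b .CVE-2010-2941` is consistent with the patch file: `-p1` strips the `cups-1.4.4/` prefix used in its `diff -up` paths, and the `-b` suffix matches the `.CVE-2010-2941` backup names in its headers. Since it is applied after the `%endif` that closes the block containing the earlier patches (Patch100 cups-lspp.patch among them), it is worth confirming that none of those earlier patches also touch cups/ipp.c or cups/ipp.h, and that the package builds with that conditional both enabled and disabled.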
@ -588,6 +591,10 @@ rm -rf $RPM_BUILD_ROOT
%{php_extdir}/phpcups.so %{php_extdir}/phpcups.so
%changelog %changelog
* Thu Nov 11 2010 Tim Waugh <twaugh@redhat.com> 1:1.4.4-11
- Applied patch to fix cupsd memory corruption vulnerability
(CVE-2010-2941, bug #652161).
* Fri Oct 15 2010 Tim Waugh <twaugh@redhat.com> 1:1.4.4-10 * Fri Oct 15 2010 Tim Waugh <twaugh@redhat.com> 1:1.4.4-10
- Don't crash when MIME database could not be loaded (bug #610088). - Don't crash when MIME database could not be loaded (bug #610088).