Applied patch to fix cupsd memory corruption vulnerability (CVE-2010-2941, bug #652161).
parent
eeb957badf
commit
e2e55c5ec7
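--- a/cups-CVE-2010-2941.patch
+++ b/cups-CVE-2010-2941.patch
@@ -0,0 +1,47 @@
+diff -up cups-1.4.4/cups/ipp.c.CVE-2010-2941 cups-1.4.4/cups/ipp.c
+--- cups-1.4.4/cups/ipp.c.CVE-2010-2941 2010-04-23 19:56:34.000000000 +0100
++++ cups-1.4.4/cups/ipp.c 2010-11-11 11:30:28.566745595 +0000
+@@ -1275,7 +1275,9 @@ ippReadIO(void *src, /* I - Data
+
+attr->value_tag = tag;
+}
+- else if ((value_tag >= IPP_TAG_TEXTLANG &&
++ else if (value_tag == IPP_TAG_TEXTLANG ||
++ value_tag == IPP_TAG_NAMELANG ||
++ (value_tag >= IPP_TAG_TEXT &&
+value_tag <= IPP_TAG_MIMETYPE))
+{
+/*
+@@ -1283,8 +1285,9 @@ ippReadIO(void *src, /* I - Data
+* forms; accept sets of differing values...
+*/
+
+- if ((tag < IPP_TAG_TEXTLANG || tag > IPP_TAG_MIMETYPE) &&
+- tag != IPP_TAG_NOVALUE)
++ if (tag != IPP_TAG_TEXTLANG && tag != IPP_TAG_NAMELANG &&
++ (tag < IPP_TAG_TEXT || tag > IPP_TAG_MIMETYPE) &&
++ tag != IPP_TAG_NOVALUE)
+{
+DEBUG_printf(("1ippReadIO: 1setOf value tag %x(%s) != %x(%s)",
+value_tag, ippTagString(value_tag), tag,
+@@ -2766,6 +2769,7 @@ _ippFreeAttr(ipp_attribute_t *attr) /* I
+{
+case IPP_TAG_TEXT :
+case IPP_TAG_NAME :
++ case IPP_TAG_RESERVED_STRING :
+case IPP_TAG_KEYWORD :
+case IPP_TAG_URI :
+case IPP_TAG_URISCHEME :
+diff -up cups-1.4.4/cups/ipp.h.CVE-2010-2941 cups-1.4.4/cups/ipp.h
+--- cups-1.4.4/cups/ipp.h.CVE-2010-2941 2010-04-23 19:56:34.000000000 +0100
++++ cups-1.4.4/cups/ipp.h 2010-11-11 11:30:28.568745537 +0000
+@@ -93,7 +93,8 @@ typedef enum ipp_tag_e /**** Format ta
+IPP_TAG_END_COLLECTION, /* End of collection value */
+IPP_TAG_TEXT = 0x41, /* Text value */
+IPP_TAG_NAME, /* Name value */
+- IPP_TAG_KEYWORD = 0x44, /* Keyword value */
++ IPP_TAG_RESERVED_STRING, /* Reserved for future string value @private@ */
++ IPP_TAG_KEYWORD, /* Keyword value */
+IPP_TAG_URI, /* URI value */
+IPP_TAG_URISCHEME, /* URI scheme value */
+IPP_TAG_CHARSET, /* Character set value */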
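Review bot: In the ipp.h hunk, `IPP_TAG_KEYWORD` loses its explicit `= 0x44`, so its value and that of every tag after it now depends on `IPP_TAG_RESERVED_STRING` staying exactly one slot after `IPP_TAG_NAME`; these look like protocol tag values, so I would keep the initializer as `IPP_TAG_KEYWORD = 0x44,`. The new checks in ippReadIO also rely on every value from `IPP_TAG_TEXT` through `IPP_TAG_MIMETYPE` being a string tag that `_ippFreeAttr` releases as a string, which is presumably why the reserved slot was added to both the enum and the switch. A short comment above the range test, e.g. `/* TEXT..MIMETYPE must stay a contiguous run of string tags; see _ippFreeAttr */`, would record that invariant for whoever adds the next tag. ippReadIO and _ippFreeAttr both continue outside the hunks shown, so whether other switches over the value tag need the same new case cannot be confirmed from this page.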
@ -8,7 +8,7 @@
|
|||||||
Summary: Common Unix Printing System
|
Summary: Common Unix Printing System
|
||||||
Name: cups
|
Name: cups
|
||||||
Version: 1.4.4
|
Version: 1.4.4
|
||||||
Release: 10%{?dist}
|
Release: 11%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
Source: http://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2
|
Source: http://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2
|
||||||
@ -75,6 +75,7 @@ Patch39: cups-autotype-crash.patch
|
|||||||
Patch100: cups-lspp.patch
|
Patch100: cups-lspp.patch
|
||||||
|
|
||||||
## SECURITY PATCHES:
|
## SECURITY PATCHES:
|
||||||
|
Patch200: cups-CVE-2010-2941.patch
|
||||||
|
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Url: http://www.cups.org/
|
Url: http://www.cups.org/
|
||||||
@ -292,6 +293,8 @@ module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
# SECURITY PATCHES:
|
# SECURITY PATCHES:
|
||||||
|
# Fix cupsd memory corruption vulnerability (CVE-2010-2941, bug #652161).
|
||||||
|
%patch200 -p1 -b .CVE-2010-2941
|
||||||
|
|
||||||
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
|
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
|
||||||
|
|
||||||
@ -588,6 +591,10 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%{php_extdir}/phpcups.so
|
%{php_extdir}/phpcups.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Nov 11 2010 Tim Waugh <twaugh@redhat.com> 1:1.4.4-11
|
||||||
|
- Applied patch to fix cupsd memory corruption vulnerability
|
||||||
|
(CVE-2010-2941, bug #652161).
|
||||||
|
|
||||||
* Fri Oct 15 2010 Tim Waugh <twaugh@redhat.com> 1:1.4.4-10
|
* Fri Oct 15 2010 Tim Waugh <twaugh@redhat.com> 1:1.4.4-10
|
||||||
- Don't crash when MIME database could not be loaded (bug #610088).
|
- Don't crash when MIME database could not be loaded (bug #610088).
|
||||||
|
|
||||||
|