diff --git a/cups-CVE-2010-2941.patch b/cups-CVE-2010-2941.patch
new file mode 100644
index 0000000..0b83e36
--- /dev/null
+++ b/cups-CVE-2010-2941.patch
@@ -0,0 +1,47 @@
+diff -up cups-1.4.4/cups/ipp.c.CVE-2010-2941 cups-1.4.4/cups/ipp.c
+--- cups-1.4.4/cups/ipp.c.CVE-2010-2941 2010-04-23 19:56:34.000000000 +0100
++++ cups-1.4.4/cups/ipp.c 2010-11-11 11:30:28.566745595 +0000
+@@ -1275,7 +1275,9 @@ ippReadIO(void *src, /* I - Data
+
+ attr->value_tag = tag;
+ }
+- else if ((value_tag >= IPP_TAG_TEXTLANG &&
++ else if (value_tag == IPP_TAG_TEXTLANG ||
++ value_tag == IPP_TAG_NAMELANG ||
++ (value_tag >= IPP_TAG_TEXT &&
+ value_tag <= IPP_TAG_MIMETYPE))
+ {
+ /*
+@@ -1283,8 +1285,9 @@ ippReadIO(void *src, /* I - Data
+ * forms; accept sets of differing values...
+ */
+
+- if ((tag < IPP_TAG_TEXTLANG || tag > IPP_TAG_MIMETYPE) &&
+- tag != IPP_TAG_NOVALUE)
++ if (tag != IPP_TAG_TEXTLANG && tag != IPP_TAG_NAMELANG &&
++ (tag < IPP_TAG_TEXT || tag > IPP_TAG_MIMETYPE) &&
++ tag != IPP_TAG_NOVALUE)
+ {
+ DEBUG_printf(("1ippReadIO: 1setOf value tag %x(%s) != %x(%s)",
+ value_tag, ippTagString(value_tag), tag,
+@@ -2766,6 +2769,7 @@ _ippFreeAttr(ipp_attribute_t *attr) /* I
+ {
+ case IPP_TAG_TEXT :
+ case IPP_TAG_NAME :
++ case IPP_TAG_RESERVED_STRING :
+ case IPP_TAG_KEYWORD :
+ case IPP_TAG_URI :
+ case IPP_TAG_URISCHEME :
+diff -up cups-1.4.4/cups/ipp.h.CVE-2010-2941 cups-1.4.4/cups/ipp.h
+--- cups-1.4.4/cups/ipp.h.CVE-2010-2941 2010-04-23 19:56:34.000000000 +0100
++++ cups-1.4.4/cups/ipp.h 2010-11-11 11:30:28.568745537 +0000
+@@ -93,7 +93,8 @@ typedef enum ipp_tag_e /**** Format ta
+ IPP_TAG_END_COLLECTION, /* End of collection value */
+ IPP_TAG_TEXT = 0x41, /* Text value */
+ IPP_TAG_NAME, /* Name value */
+- IPP_TAG_KEYWORD = 0x44, /* Keyword value */
++ IPP_TAG_RESERVED_STRING, /* Reserved for future string value @private@ */
++ IPP_TAG_KEYWORD, /* Keyword value */
+ IPP_TAG_URI, /* URI value */
+ IPP_TAG_URISCHEME, /* URI scheme value */
+ IPP_TAG_CHARSET, /* Character set value */
diff --git a/cups-autotype-crash.patch b/cups-autotype-crash.patch
new file mode 100644
index 0000000..ed6cb15
--- /dev/null
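Review bot: The new ipp.h lines drop the explicit `= 0x44` anchor that IPP_TAG_KEYWORD had, so its wire value and every enumerator after it now depend on exactly one name being inserted between IPP_TAG_NAME and IPP_TAG_KEYWORD. Pinning both keeps the protocol values self-documenting and survives a later insertion: `IPP_TAG_RESERVED_STRING = 0x43, /* Reserved for future string value @private@ */` followed by `IPP_TAG_KEYWORD = 0x44, /* Keyword value */`. The _ippFreeAttr hunk releases IPP_TAG_RESERVED_STRING values on the string path, but the code in ippReadIO that allocates those values, and any other switch over value tags such as the write path, lies outside the hunk; confirm each treats the reserved tag as a string so allocation and release agree. The rewritten ippReadIO condition also stops treating the tags between IPP_TAG_NAMELANG and IPP_TAG_TEXT (including IPP_TAG_END_COLLECTION) as strings, and the branch that now receives them is outside the hunk as well.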
+++ b/cups-autotype-crash.patch
@@ -0,0 +1,15 @@
+diff -up cups-1.4.4/scheduler/ipp.c.autotype-crash cups-1.4.4/scheduler/ipp.c
+--- cups-1.4.4/scheduler/ipp.c.autotype-crash 2010-10-15 15:25:15.093421917 +0100
++++ cups-1.4.4/scheduler/ipp.c 2010-10-15 15:25:49.645296947 +0100
+@@ -10481,8 +10481,9 @@ send_document(cupsd_client_t *con, /* I
+ if (!filetype)
+ filetype = mimeType(MimeDatabase, super, type);
+
+- cupsdLogJob(job, CUPSD_LOG_DEBUG, "Request file type is %s/%s.",
+- filetype->super, filetype->type);
++ if (filetype)
++ cupsdLogJob(job, CUPSD_LOG_DEBUG, "Request file type is %s/%s.",
++ filetype->super, filetype->type);
+ }
+ else
+ filetype = mimeType(MimeDatabase, super, type);
diff --git a/cups.spec b/cups.spec
index 68800fb..4764593 100644
--- a/cups.spec
+++ b/cups.spec
@@ -8,7 +8,7 @@ Summary: Common Unix Printing System
 Name: cups
 Version: 1.4.4
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
 Source: http://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2
@@ -67,10 +67,12 @@ Patch35: cups-dnssd-deviceid.patch
 Patch36: cups-ricoh-deviceid-oid.patch
 Patch37: cups-texttops-rotate-page.patch
 Patch38: cups-str3608.patch
+Patch39: cups-autotype-crash.patch
 Patch100: cups-lspp.patch
 ## SECURITY PATCHES:
+Patch200: cups-CVE-2010-2941.patch
 Epoch: 1
 Url: http://www.cups.org/
@@ -279,6 +281,8 @@ module.
 # Avoid empty notify-subscribed-event attributes (bug #606909, STR
 # #3608).
 %patch38 -p1 -b .str3608
+# Don't crash when MIME database could not be loaded (bug #610088).
+%patch39 -p1 -b .autotype-crash
 %if %lspp
 # LSPP support.
@@ -286,6 +290,8 @@ module.
 %endif
 # SECURITY PATCHES:
+# Fix cupsd memory corruption vulnerability (CVE-2010-2941, bug #652161).
+%patch200 -p1 -b .CVE-2010-2941
 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
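Review bot: The added `if (filetype)` guard only protects the debug log call; when both the auto-type lookup and the `mimeType(MimeDatabase, super, type)` fallback fail, `filetype` stays NULL for the rest of send_document, which continues past the hunk, so confirm the existing handling below rejects the request before the next dereference. Skipping the log also silences the one trace of the failure, so an else branch with a constructed message such as `else cupsdLogJob(job, CUPSD_LOG_DEBUG, "Unable to determine file type for %s/%s.", super, type);` keeps the debug trail without touching the fixed line. The outer else branch calls mimeType() with the same arguments and can return NULL in the same way, so whatever NULL handling follows must cover both paths.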
@@ -578,6 +584,11 @@ rm -rf $RPM_BUILD_ROOT
 %{php_extdir}/phpcups.so
 %changelog
+* Thu Nov 11 2010 Tim Waugh 1:1.4.4-11
+- Applied patch to fix cupsd memory corruption vulnerability
+ (CVE-2010-2941, bug #652161).
+- Don't crash when MIME database could not be loaded (bug #610088).
+
 * Fri Sep 17 2010 Tim Waugh 1:1.4.4-10
 - Perform locking for gnutls and avoid libgcrypt's broken locking (bug #607159).