From 3deff217e3476c45dd1a7663c46e57af9ec6682d Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Mon, 14 Mar 2011 14:47:32 +0000 Subject: [PATCH 1/2] Rebuilt to pick up Device IDs from new foomatic-db package. --- foomatic.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/foomatic.spec b/foomatic.spec index ee5b89b..2e975f1 100644 --- a/foomatic.spec +++ b/foomatic.spec @@ -4,7 +4,7 @@ Summary: Tools for using the foomatic database of printers and printer drivers Name: foomatic Version: %{enginever} -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Libraries @@ -193,6 +193,9 @@ rm -fr %buildroot $RPM_BUILD_DIR/%{name} %{_mandir}/man1/foomatic-rip.1* %changelog +* Mon Mar 14 2011 Tim Waugh - 4.0.7-2 +- Rebuilt to pick up Device IDs from new foomatic-db package. + * Mon Feb 21 2011 Jiri Popelka - 4.0.7-1 - 4.0.7 From b91dc0f404b9365005046f954c559261c60e26eb Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Wed, 20 Jul 2011 10:50:30 +0100 Subject: [PATCH 2/2] Fix improper sanitization of command line options (bug #721001, CVE-2011-2697). --- foomatic-filters-CVE-2011-2697.patch | 209 +++++++++++++++++++++++++++ foomatic.spec | 11 +- 2 files changed, 219 insertions(+), 1 deletion(-) create mode 100644 foomatic-filters-CVE-2011-2697.patch diff --git a/foomatic-filters-CVE-2011-2697.patch b/foomatic-filters-CVE-2011-2697.patch new file mode 100644 index 0000000..81f09c2 --- /dev/null +++ b/foomatic-filters-CVE-2011-2697.patch 
@@ -0,0 +1,209 @@ +diff -up foomatic-filters-4.0.7/foomaticrip.c.CVE-2011-2697 foomatic-filters-4.0.7/foomaticrip.c +--- foomatic-filters-4.0.7/foomaticrip.c.CVE-2011-2697 2011-07-20 10:41:15.825401233 +0100 ++++ foomatic-filters-4.0.7/foomaticrip.c 2011-07-20 10:42:22.784101806 +0100 +@@ -1239,8 +1239,11 @@ int main(int argc, char** argv) + } + + /* Check for LPRng first so we do not pick up bogus ppd files by the -ppd option */ +- if (arglist_remove_flag(arglist, "--lprng")) +- spooler = SPOOLER_LPRNG; ++ if (spooler != SPOOLER_CUPS && spooler != SPOOLER_PPR && ++ spooler != SPOOLER_PPR_INT) { ++ if (arglist_remove_flag(arglist, "--lprng")) ++ spooler = SPOOLER_LPRNG; ++ } + + /* 'PRINTCAP_ENTRY' environment variable is : LPRng + the :ppd=/path/to/ppdfile printcap entry should be used */ +@@ -1262,96 +1265,104 @@ int main(int argc, char** argv) + } + } + +- /* PPD file name given via the command line +- allow duplicates, and use the last specified one */ +- if (spooler != SPOOLER_LPRNG) { +- while ((str = arglist_get_value(arglist, "-p"))) { +- strncpy(job->ppdfile, str, 256); +- arglist_remove(arglist, "-p"); +- } +- } +- while ((str = arglist_get_value(arglist, "--ppd"))) { +- strncpy(job->ppdfile, str, 256); +- arglist_remove(arglist, "--ppd"); +- } +- +- /* Check for LPD/GNUlpr by typical options which the spooler puts onto +- the filter's command line (options "-w": text width, "-l": text +- length, "-i": indent, "-x", "-y": graphics size, "-c": raw printing, +- "-n": user name, "-h": host name) */ +- if ((str = arglist_get_value(arglist, "-h"))) { +- if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG) +- spooler = SPOOLER_LPD; +- strncpy(job->host, str, 127); +- job->host[127] = '\0'; +- arglist_remove(arglist, "-h"); +- } +- if ((str = arglist_get_value(arglist, "-n"))) { +- if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG) +- spooler = SPOOLER_LPD; +- +- strncpy(job->user, str, 127); +- job->user[127] = '\0'; +- arglist_remove(arglist, 
"-n"); +- } +- if (arglist_remove(arglist, "-w") || +- arglist_remove(arglist, "-l") || +- arglist_remove(arglist, "-x") || +- arglist_remove(arglist, "-y") || +- arglist_remove(arglist, "-i") || +- arglist_remove_flag(arglist, "-c")) { ++ /* CUPS calls foomatic-rip only with 5 or 6 positional parameters, ++ not with named options, like for example "-p ". Also PPR ++ does not used named options. */ ++ if (spooler != SPOOLER_CUPS && spooler != SPOOLER_PPR && ++ spooler != SPOOLER_PPR_INT) { ++ /* Check for LPD/GNUlpr by typical options which the spooler puts onto ++ the filter's command line (options "-w": text width, "-l": text ++ length, "-i": indent, "-x", "-y": graphics size, "-c": raw printing, ++ "-n": user name, "-h": host name) */ ++ if ((str = arglist_get_value(arglist, "-h"))) { ++ if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG) ++ spooler = SPOOLER_LPD; ++ strncpy(job->host, str, 127); ++ job->host[127] = '\0'; ++ arglist_remove(arglist, "-h"); ++ } ++ if ((str = arglist_get_value(arglist, "-n"))) { + if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG) + spooler = SPOOLER_LPD; +- } +- /* LPRng delivers the option settings via the "-Z" argument */ +- if ((str = arglist_get_value(arglist, "-Z"))) { +- spooler = SPOOLER_LPRNG; +- dstrcatf(job->optstr, "%s ", str); +- arglist_remove(arglist, "-Z"); +- } +- /* Job title and options for stock LPD */ +- if ((str = arglist_get_value(arglist, "-j")) || (str = arglist_get_value(arglist, "-J"))) { +- strncpy_omit(job->title, str, 128, omit_shellescapes); +- if (spooler == SPOOLER_LPD) +- dstrcatf(job->optstr, "%s ", job->title); +- if (!arglist_remove(arglist, "-j")) +- arglist_remove(arglist, "-J"); +- } +- /* Check for CPS */ +- if (arglist_remove_flag(arglist, "--cps") > 0) +- spooler = SPOOLER_CPS; +- +- /* Options for spooler-less printing, CPS, or PDQ */ +- while ((str = arglist_get_value(arglist, "-o"))) { +- strncpy_omit(tmp, str, 1024, omit_shellescapes); +- dstrcatf(job->optstr, "%s ", 
tmp); +- arglist_remove(arglist, "-o"); +- /* If we don't print as PPR RIP or as CPS filter, we print +- without spooler (we check for PDQ later) */ +- if (spooler != SPOOLER_PPR && spooler != SPOOLER_CPS) +- spooler = SPOOLER_DIRECT; +- } +- +- /* Printer for spooler-less printing or PDQ */ +- if ((str = arglist_get_value(arglist, "-d"))) { +- strncpy_omit(job->printer, str, 256, omit_shellescapes); +- arglist_remove(arglist, "-d"); +- } +- +- /* Printer for spooler-less printing, PDQ, or LPRng */ +- if ((str = arglist_get_value(arglist, "-P"))) { +- strncpy_omit(job->printer, str, 256, omit_shellescapes); +- arglist_remove(arglist, "-P"); +- } +- +- /* Were we called from a PDQ wrapper? */ +- if (arglist_remove_flag(arglist, "--pdq")) +- spooler = SPOOLER_PDQ; + +- /* Were we called to build the PDQ driver declaration file? */ +- genpdqfile = check_pdq_file(arglist); +- if (genpdqfile) +- spooler = SPOOLER_PDQ; ++ strncpy(job->user, str, 127); ++ job->user[127] = '\0'; ++ arglist_remove(arglist, "-n"); ++ } ++ if (arglist_remove(arglist, "-w") || ++ arglist_remove(arglist, "-l") || ++ arglist_remove(arglist, "-x") || ++ arglist_remove(arglist, "-y") || ++ arglist_remove(arglist, "-i") || ++ arglist_remove_flag(arglist, "-c")) { ++ if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG) ++ spooler = SPOOLER_LPD; ++ } ++ /* LPRng delivers the option settings via the "-Z" argument */ ++ if ((str = arglist_get_value(arglist, "-Z"))) { ++ spooler = SPOOLER_LPRNG; ++ dstrcatf(job->optstr, "%s ", str); ++ arglist_remove(arglist, "-Z"); ++ } ++ /* Job title and options for stock LPD */ ++ if ((str = arglist_get_value(arglist, "-j")) || (str = arglist_get_value(arglist, "-J"))) { ++ strncpy_omit(job->title, str, 128, omit_shellescapes); ++ if (spooler == SPOOLER_LPD) ++ dstrcatf(job->optstr, "%s ", job->title); ++ if (!arglist_remove(arglist, "-j")) ++ arglist_remove(arglist, "-J"); ++ } ++ ++ /* Check for CPS */ ++ if (arglist_remove_flag(arglist, "--cps") > 0) ++ 
spooler = SPOOLER_CPS; ++ ++ /* PPD file name given via the command line ++ allow duplicates, and use the last specified one */ ++ if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG && ++ spooler != SPOOLER_LPD) { ++ while ((str = arglist_get_value(arglist, "-p"))) { ++ strncpy(job->ppdfile, str, 256); ++ arglist_remove(arglist, "-p"); ++ } ++ while ((str = arglist_get_value(arglist, "--ppd"))) { ++ strncpy(job->ppdfile, str, 256); ++ arglist_remove(arglist, "--ppd"); ++ } ++ } ++ ++ /* Options for spooler-less printing, CPS, or PDQ */ ++ while ((str = arglist_get_value(arglist, "-o"))) { ++ strncpy_omit(tmp, str, 1024, omit_shellescapes); ++ dstrcatf(job->optstr, "%s ", tmp); ++ arglist_remove(arglist, "-o"); ++ /* If we don't print as PPR RIP or as CPS filter, we print ++ without spooler (we check for PDQ later) */ ++ if (spooler != SPOOLER_PPR && spooler != SPOOLER_CPS) ++ spooler = SPOOLER_DIRECT; ++ } ++ ++ /* Printer for spooler-less printing or PDQ */ ++ if ((str = arglist_get_value(arglist, "-d"))) { ++ strncpy_omit(job->printer, str, 256, omit_shellescapes); ++ arglist_remove(arglist, "-d"); ++ } ++ ++ /* Printer for spooler-less printing, PDQ, or LPRng */ ++ if ((str = arglist_get_value(arglist, "-P"))) { ++ strncpy_omit(job->printer, str, 256, omit_shellescapes); ++ arglist_remove(arglist, "-P"); ++ } ++ ++ /* Were we called from a PDQ wrapper? */ ++ if (arglist_remove_flag(arglist, "--pdq")) ++ spooler = SPOOLER_PDQ; ++ ++ /* Were we called to build the PDQ driver declaration file? */ ++ genpdqfile = check_pdq_file(arglist); ++ if (genpdqfile) ++ spooler = SPOOLER_PDQ; ++ } + + /* spooler specific initialization */ + switch (spooler) { diff --git a/foomatic.spec b/foomatic.spec index ef231a0..b8dfe0b 100644 --- a/foomatic.spec +++ b/foomatic.spec 
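Review bot: Both relocated PPD copies, `strncpy(job->ppdfile, str, 256);` under `-p` and `--ppd`, still lack the explicit terminator that the `-h` and `-n` copies in this same hunk add (`job->host[127] = '\0';`). If `job->ppdfile` is 256 bytes, which the hunk does not show, a value of 256 bytes or more leaves it unterminated. As the value comes straight from the command line, I would bound it the same way: `strncpy(job->ppdfile, str, 255); job->ppdfile[255] = '\0';`. Separately, the `-Z` value is still appended with `dstrcatf(job->optstr, "%s ", str);` and skips the `strncpy_omit(..., omit_shellescapes)` filtering applied to `-o` and `-j`; whether `optstr` is sanitized later is not visible here, so a comment saying where that happens would help. main() begins and ends outside the hunk, including the earlier spooler detection that the new `spooler != SPOOLER_CUPS` guard depends on.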
@@ -4,7 +4,7 @@ Summary: Tools for using the foomatic database of printers and printer drivers Name: foomatic Version: %{enginever} -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Libraries @@ -22,6 +22,10 @@ Patch1: foomatic-filters-libdir.patch # Use mkstemp, not mktemp. Patch2: foomatic-mkstemp.patch +# Fix improper sanitization of command line options (bug #721001, +# CVE-2011-2697). +Patch3: foomatic-filters-CVE-2011-2697.patch + ## PATCHES FOR FOOMATIC-DB-ENGINE (PATCHES 101 TO 200) # Use libdir. @@ -85,6 +89,7 @@ CUPS print filters for the foomatic package. pushd foomatic-filters-%{filtersver} %patch1 -p1 -b .libdir %patch2 -p1 -b .mkstemp +%patch3 -p1 -b .CVE-2011-2697 aclocal automake autoconf @@ -193,6 +198,10 @@ rm -fr %buildroot $RPM_BUILD_DIR/%{name} %{_mandir}/man1/foomatic-rip.1* %changelog +* Wed Jul 20 2011 Tim Waugh - 4.0.7-2 +- Fix improper sanitization of command line options (bug #721001, + CVE-2011-2697). + * Mon Feb 21 2011 Jiri Popelka - 4.0.7-1 - 4.0.7