Fix improper sanitization of command line options (bug #721001, CVE-2011-2697).

Tim Waugh 2011-07-20 10:50:30 +01:00
parent 03e5635ade
commit b91dc0f404
2 changed files with 219 additions and 1 deletions


@ -0,0 +1,209 @@
diff -up foomatic-filters-4.0.7/foomaticrip.c.CVE-2011-2697 foomatic-filters-4.0.7/foomaticrip.c
--- foomatic-filters-4.0.7/foomaticrip.c.CVE-2011-2697 2011-07-20 10:41:15.825401233 +0100
+++ foomatic-filters-4.0.7/foomaticrip.c 2011-07-20 10:42:22.784101806 +0100
@@ -1239,8 +1239,11 @@ int main(int argc, char** argv)
}
/* Check for LPRng first so we do not pick up bogus ppd files by the -ppd option */
- if (arglist_remove_flag(arglist, "--lprng"))
- spooler = SPOOLER_LPRNG;
+ if (spooler != SPOOLER_CUPS && spooler != SPOOLER_PPR &&
+ spooler != SPOOLER_PPR_INT) {
+ if (arglist_remove_flag(arglist, "--lprng"))
+ spooler = SPOOLER_LPRNG;
+ }
/* 'PRINTCAP_ENTRY' environment variable is : LPRng
the :ppd=/path/to/ppdfile printcap entry should be used */
@@ -1262,96 +1265,104 @@ int main(int argc, char** argv)
}
}
- /* PPD file name given via the command line
- allow duplicates, and use the last specified one */
- if (spooler != SPOOLER_LPRNG) {
- while ((str = arglist_get_value(arglist, "-p"))) {
- strncpy(job->ppdfile, str, 256);
- arglist_remove(arglist, "-p");
- }
- }
- while ((str = arglist_get_value(arglist, "--ppd"))) {
- strncpy(job->ppdfile, str, 256);
- arglist_remove(arglist, "--ppd");
- }
-
- /* Check for LPD/GNUlpr by typical options which the spooler puts onto
- the filter's command line (options "-w": text width, "-l": text
- length, "-i": indent, "-x", "-y": graphics size, "-c": raw printing,
- "-n": user name, "-h": host name) */
- if ((str = arglist_get_value(arglist, "-h"))) {
- if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
- spooler = SPOOLER_LPD;
- strncpy(job->host, str, 127);
- job->host[127] = '\0';
- arglist_remove(arglist, "-h");
- }
- if ((str = arglist_get_value(arglist, "-n"))) {
- if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
- spooler = SPOOLER_LPD;
-
- strncpy(job->user, str, 127);
- job->user[127] = '\0';
- arglist_remove(arglist, "-n");
- }
- if (arglist_remove(arglist, "-w") ||
- arglist_remove(arglist, "-l") ||
- arglist_remove(arglist, "-x") ||
- arglist_remove(arglist, "-y") ||
- arglist_remove(arglist, "-i") ||
- arglist_remove_flag(arglist, "-c")) {
+ /* CUPS calls foomatic-rip only with 5 or 6 positional parameters,
+ not with named options, like for example "-p <string>". Also PPR
+ does not used named options. */
+ if (spooler != SPOOLER_CUPS && spooler != SPOOLER_PPR &&
+ spooler != SPOOLER_PPR_INT) {
+ /* Check for LPD/GNUlpr by typical options which the spooler puts onto
+ the filter's command line (options "-w": text width, "-l": text
+ length, "-i": indent, "-x", "-y": graphics size, "-c": raw printing,
+ "-n": user name, "-h": host name) */
+ if ((str = arglist_get_value(arglist, "-h"))) {
+ if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
+ spooler = SPOOLER_LPD;
+ strncpy(job->host, str, 127);
+ job->host[127] = '\0';
+ arglist_remove(arglist, "-h");
+ }
+ if ((str = arglist_get_value(arglist, "-n"))) {
if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
spooler = SPOOLER_LPD;
- }
- /* LPRng delivers the option settings via the "-Z" argument */
- if ((str = arglist_get_value(arglist, "-Z"))) {
- spooler = SPOOLER_LPRNG;
- dstrcatf(job->optstr, "%s ", str);
- arglist_remove(arglist, "-Z");
- }
- /* Job title and options for stock LPD */
- if ((str = arglist_get_value(arglist, "-j")) || (str = arglist_get_value(arglist, "-J"))) {
- strncpy_omit(job->title, str, 128, omit_shellescapes);
- if (spooler == SPOOLER_LPD)
- dstrcatf(job->optstr, "%s ", job->title);
- if (!arglist_remove(arglist, "-j"))
- arglist_remove(arglist, "-J");
- }
- /* Check for CPS */
- if (arglist_remove_flag(arglist, "--cps") > 0)
- spooler = SPOOLER_CPS;
-
- /* Options for spooler-less printing, CPS, or PDQ */
- while ((str = arglist_get_value(arglist, "-o"))) {
- strncpy_omit(tmp, str, 1024, omit_shellescapes);
- dstrcatf(job->optstr, "%s ", tmp);
- arglist_remove(arglist, "-o");
- /* If we don't print as PPR RIP or as CPS filter, we print
- without spooler (we check for PDQ later) */
- if (spooler != SPOOLER_PPR && spooler != SPOOLER_CPS)
- spooler = SPOOLER_DIRECT;
- }
-
- /* Printer for spooler-less printing or PDQ */
- if ((str = arglist_get_value(arglist, "-d"))) {
- strncpy_omit(job->printer, str, 256, omit_shellescapes);
- arglist_remove(arglist, "-d");
- }
-
- /* Printer for spooler-less printing, PDQ, or LPRng */
- if ((str = arglist_get_value(arglist, "-P"))) {
- strncpy_omit(job->printer, str, 256, omit_shellescapes);
- arglist_remove(arglist, "-P");
- }
-
- /* Were we called from a PDQ wrapper? */
- if (arglist_remove_flag(arglist, "--pdq"))
- spooler = SPOOLER_PDQ;
- /* Were we called to build the PDQ driver declaration file? */
- genpdqfile = check_pdq_file(arglist);
- if (genpdqfile)
- spooler = SPOOLER_PDQ;
+ strncpy(job->user, str, 127);
+ job->user[127] = '\0';
+ arglist_remove(arglist, "-n");
+ }
+ if (arglist_remove(arglist, "-w") ||
+ arglist_remove(arglist, "-l") ||
+ arglist_remove(arglist, "-x") ||
+ arglist_remove(arglist, "-y") ||
+ arglist_remove(arglist, "-i") ||
+ arglist_remove_flag(arglist, "-c")) {
+ if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
+ spooler = SPOOLER_LPD;
+ }
+ /* LPRng delivers the option settings via the "-Z" argument */
+ if ((str = arglist_get_value(arglist, "-Z"))) {
+ spooler = SPOOLER_LPRNG;
+ dstrcatf(job->optstr, "%s ", str);
+ arglist_remove(arglist, "-Z");
+ }
+ /* Job title and options for stock LPD */
+ if ((str = arglist_get_value(arglist, "-j")) || (str = arglist_get_value(arglist, "-J"))) {
+ strncpy_omit(job->title, str, 128, omit_shellescapes);
+ if (spooler == SPOOLER_LPD)
+ dstrcatf(job->optstr, "%s ", job->title);
+ if (!arglist_remove(arglist, "-j"))
+ arglist_remove(arglist, "-J");
+ }
+
+ /* Check for CPS */
+ if (arglist_remove_flag(arglist, "--cps") > 0)
+ spooler = SPOOLER_CPS;
+
+ /* PPD file name given via the command line
+ allow duplicates, and use the last specified one */
+ if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG &&
+ spooler != SPOOLER_LPD) {
+ while ((str = arglist_get_value(arglist, "-p"))) {
+ strncpy(job->ppdfile, str, 256);
+ arglist_remove(arglist, "-p");
+ }
+ while ((str = arglist_get_value(arglist, "--ppd"))) {
+ strncpy(job->ppdfile, str, 256);
+ arglist_remove(arglist, "--ppd");
+ }
+ }
+
+ /* Options for spooler-less printing, CPS, or PDQ */
+ while ((str = arglist_get_value(arglist, "-o"))) {
+ strncpy_omit(tmp, str, 1024, omit_shellescapes);
+ dstrcatf(job->optstr, "%s ", tmp);
+ arglist_remove(arglist, "-o");
+ /* If we don't print as PPR RIP or as CPS filter, we print
+ without spooler (we check for PDQ later) */
+ if (spooler != SPOOLER_PPR && spooler != SPOOLER_CPS)
+ spooler = SPOOLER_DIRECT;
+ }
+
+ /* Printer for spooler-less printing or PDQ */
+ if ((str = arglist_get_value(arglist, "-d"))) {
+ strncpy_omit(job->printer, str, 256, omit_shellescapes);
+ arglist_remove(arglist, "-d");
+ }
+
+ /* Printer for spooler-less printing, PDQ, or LPRng */
+ if ((str = arglist_get_value(arglist, "-P"))) {
+ strncpy_omit(job->printer, str, 256, omit_shellescapes);
+ arglist_remove(arglist, "-P");
+ }
+
+ /* Were we called from a PDQ wrapper? */
+ if (arglist_remove_flag(arglist, "--pdq"))
+ spooler = SPOOLER_PDQ;
+
+ /* Were we called to build the PDQ driver declaration file? */
+ genpdqfile = check_pdq_file(arglist);
+ if (genpdqfile)
+ spooler = SPOOLER_PDQ;
+ }
/* spooler specific initialization */
switch (spooler) {
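Review bot: The relocated `-p` and `--ppd` loops still copy with `strncpy(job->ppdfile, str, 256)` and never terminate the result, unlike the `-h`/`-n` handlers earlier in the same block, which copy 127 bytes and then write `job->host[127] = '\0'`. The declaration of `job->ppdfile` is not visible here, but if it is a 256-byte array, a path of 256 characters or more leaves it without a terminating NUL; I would use `strncpy(job->ppdfile, str, 255);` followed by `job->ppdfile[255] = '\0';` in both loops. Separately, the `-Z` value is appended to `job->optstr` as-is while `-o` and `-j` go through `strncpy_omit(..., omit_shellescapes)`; if that difference is intentional, a short comment saying why would help the next reader of a sanitization fix. This block sits inside main(), which starts and ends outside the hunk.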


@ -4,7 +4,7 @@
Summary: Tools for using the foomatic database of printers and printer drivers
Name: foomatic
Version: %{enginever}
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Libraries
@ -22,6 +22,10 @@ Patch1: foomatic-filters-libdir.patch
# Use mkstemp, not mktemp.
Patch2: foomatic-mkstemp.patch
# Fix improper sanitization of command line options (bug #721001,
# CVE-2011-2697).
Patch3: foomatic-filters-CVE-2011-2697.patch
## PATCHES FOR FOOMATIC-DB-ENGINE (PATCHES 101 TO 200)
# Use libdir.
@ -85,6 +89,7 @@ CUPS print filters for the foomatic package.
pushd foomatic-filters-%{filtersver}
%patch1 -p1 -b .libdir
%patch2 -p1 -b .mkstemp
%patch3 -p1 -b .CVE-2011-2697
aclocal
automake
autoconf
@ -193,6 +198,10 @@ rm -fr %buildroot $RPM_BUILD_DIR/%{name}
%{_mandir}/man1/foomatic-rip.1*
%changelog
* Wed Jul 20 2011 Tim Waugh <twaugh@redhat.com> - 4.0.7-2
- Fix improper sanitization of command line options (bug #721001,
CVE-2011-2697).
* Mon Feb 21 2011 Jiri Popelka <jpopelka@redhat.com> - 4.0.7-1
- 4.0.7