rpms/cups/F-7 cups-CVE-2008-0047.patch, NONE, 1.1 cups-CVE-2008-0053.patch, NONE, 1.1 cups-CVE-2008-1373.patch, NONE, 1.1 cups.spec, 1.350, 1.351
Tim Waugh (twaugh)
fedora-extras-commits at redhat.com
Tue Apr 1 16:00:09 UTC 2008
Author: twaugh
Update of /cvs/pkgs/rpms/cups/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30057
Modified Files:
cups.spec
Added Files:
cups-CVE-2008-0047.patch cups-CVE-2008-0053.patch
cups-CVE-2008-1373.patch
Log Message:
* Tue Apr 1 2008 Tim Waugh <twaugh at redhat.com> 1:1.2.12-10
- Applied patch to fix CVE-2008-1373 (GIF overflow, bug #438303).
- Applied patch to fix CVE-2008-0053 (HP-GL/2 input processing, bug #438117).
- Applied patch to prevent heap-based buffer overflow in CUPS helper
program (bug #436153, CVE-2008-0047, STR #2729).
cups-CVE-2008-0047.patch:
--- NEW FILE cups-CVE-2008-0047.patch ---
diff -up cups-1.2.12/cgi-bin/search.c.CVE-2008-0047 cups-1.2.12/cgi-bin/search.c
--- cups-1.2.12/cgi-bin/search.c.CVE-2008-0047 2006-09-17 20:01:47.000000000 +0100
+++ cups-1.2.12/cgi-bin/search.c 2008-04-01 16:55:01.000000000 +0100
@@ -171,7 +171,9 @@ cgiCompileSearch(const char *query) /* I
* string + RE overhead...
*/
- wlen = (sptr - s) + 4 * wlen + 2 * strlen(prefix) + 4;
+ wlen = (sptr - s) + 2 * 4 * wlen + 2 * strlen(prefix) + 11;
+ if (lword)
+ wlen += strlen(lword);
if (wlen > slen)
{
cups-CVE-2008-0053.patch:
--- NEW FILE cups-CVE-2008-0053.patch ---
diff -up cups-1.2.12/filter/hpgl-input.c.CVE-2008-0053 cups-1.2.12/filter/hpgl-input.c
--- cups-1.2.12/filter/hpgl-input.c.CVE-2008-0053 2007-07-06 23:39:54.000000000 +0100
+++ cups-1.2.12/filter/hpgl-input.c 2008-04-01 16:56:26.000000000 +0100
@@ -3,6 +3,7 @@
*
* HP-GL/2 input processing for the Common UNIX Printing System (CUPS).
*
+ * Copyright 2007-2008 by Apple Inc.
* Copyright 1993-2006 by Easy Software Products.
*
* These coded instructions, statements, and computer programs are the
@@ -56,6 +57,7 @@ ParseCommand(FILE *fp, /* I - File to
i; /* Looping var */
char buf[262144], /* String buffer */
*bufptr; /* Pointer into buffer */
+ float temp; /* Temporary parameter value */
static param_t p[MAX_PARAMS]; /* Parameter buffer */
@@ -220,10 +222,10 @@ ParseCommand(FILE *fp, /* I - File to
case '-' :
case '+' :
ungetc(ch, fp);
- fscanf(fp, "%f", &(p[num_params].value.number));
- if (num_params < MAX_PARAMS)
+ if (fscanf(fp, "%f", &temp) == 1 && num_params < MAX_PARAMS)
{
- p[num_params].type = PARAM_RELATIVE;
+ p[num_params].type = PARAM_RELATIVE;
+ p[num_params].value.number = temp;
num_params ++;
}
break;
@@ -239,10 +241,10 @@ ParseCommand(FILE *fp, /* I - File to
case '9' :
case '.' :
ungetc(ch, fp);
- fscanf(fp, "%f", &(p[num_params].value.number));
- if (num_params < MAX_PARAMS)
+ if (fscanf(fp, "%f", &temp) == 1 && num_params < MAX_PARAMS)
{
- p[num_params].type = PARAM_ABSOLUTE;
+ p[num_params].type = PARAM_ABSOLUTE;
+ p[num_params].value.number = temp;
num_params ++;
}
break;
cups-CVE-2008-1373.patch:
--- NEW FILE cups-CVE-2008-1373.patch ---
diff -up cups-1.2.12/filter/image-gif.c.CVE-2008-1373 cups-1.2.12/filter/image-gif.c
--- cups-1.2.12/filter/image-gif.c.CVE-2008-1373 2006-05-11 12:41:36.000000000 +0100
+++ cups-1.2.12/filter/image-gif.c 2008-04-01 16:57:58.000000000 +0100
@@ -47,6 +47,8 @@
#define GIF_INTERLACE 0x40
#define GIF_COLORMAP 0x80
+#define MAX_LWZ_BITS 12
+
typedef cups_ib_t gif_cmap_t[256][4];
typedef short gif_table_t[4096];
@@ -471,6 +473,9 @@ gif_read_image(FILE *fp, /* I -
pass = 0;
code_size = getc(fp);
+ if (code_size > MAX_LWZ_BITS)
+ return (-1);
+
if (gif_read_lzw(fp, 1, code_size) < 0)
return (-1);
Index: cups.spec
===================================================================
RCS file: /cvs/pkgs/rpms/cups/F-7/cups.spec,v
retrieving revision 1.350
retrieving revision 1.351
diff -u -r1.350 -r1.351
--- cups.spec 22 Feb 2008 13:32:22 -0000 1.350
+++ cups.spec 1 Apr 2008 15:59:28 -0000 1.351
@@ -6,7 +6,7 @@
Summary: Common Unix Printing System
Name: cups
Version: 1.2.12
-Release: 9%{?dist}
+Release: 10%{?dist}
License: GPL
Group: System Environment/Daemons
Source: ftp://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2
@@ -52,6 +52,9 @@
Patch28: cups-CVE-2007-4352,5392,5393.patch
Patch29: cups-CVE-2007-4045.patch
Patch30: cups-str2656.patch
+Patch31: cups-CVE-2008-0047.patch
+Patch32: cups-CVE-2008-0053.patch
+Patch33: cups-CVE-2008-1373.patch
Patch100: cups-lspp.patch
Epoch: 1
Url: http://www.cups.org/
@@ -166,6 +169,9 @@
%patch28 -p1 -b .CVE-2007-4352,5392,5393
%patch29 -p1 -b .CVE-2007-4045
%patch30 -p1 -b .str2656
+%patch31 -p1 -b .CVE-2008-0047
+%patch32 -p1 -b .CVE-2008-0053
+%patch33 -p1 -b .CVE-2008-1373
%if %lspp
%patch100 -p1 -b .lspp
@@ -453,6 +459,12 @@
%{cups_serverbin}/daemon/cups-lpd
%changelog
+* Tue Apr 1 2008 Tim Waugh <twaugh at redhat.com> 1:1.2.12-10
+- Applied patch to fix CVE-2008-1373 (GIF overflow, bug #438303).
+- Applied patch to fix CVE-2008-0053 (HP-GL/2 input processing, bug #438117).
+- Applied patch to prevent heap-based buffer overflow in CUPS helper
+ program (bug #436153, CVE-2008-0047, STR #2729).
+
* Fri Feb 22 2008 Tim Waugh <twaugh at redhat.com> 1:1.2.12-9
- Prevent double-free when a browsed class has the same name as a printer
or vice versa (CVE-2008-0882, bug #433758, STR #2656).
More information about the fedora-extras-commits
mailing list