rpms/cups/F-7 cups-CVE-2008-0047.patch, NONE, 1.1 cups-CVE-2008-0053.patch, NONE, 1.1 cups-CVE-2008-1373.patch, NONE, 1.1 cups.spec, 1.350, 1.351

Tim Waugh (twaugh) fedora-extras-commits at redhat.com
Tue Apr 1 16:00:09 UTC 2008


Author: twaugh

Update of /cvs/pkgs/rpms/cups/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30057

Modified Files:
	cups.spec 
Added Files:
	cups-CVE-2008-0047.patch cups-CVE-2008-0053.patch 
	cups-CVE-2008-1373.patch 
Log Message:
* Tue Apr  1 2008 Tim Waugh <twaugh at redhat.com> 1:1.2.12-10
- Applied patch to fix CVE-2008-1373 (GIF overflow, bug #438303).
- Applied patch to fix CVE-2008-0053 (HP-GL/2 input processing, bug #438117).
- Applied patch to prevent heap-based buffer overflow in CUPS helper
  program (bug #436153, CVE-2008-0047, STR #2729).


cups-CVE-2008-0047.patch:

--- NEW FILE cups-CVE-2008-0047.patch ---
diff -up cups-1.2.12/cgi-bin/search.c.CVE-2008-0047 cups-1.2.12/cgi-bin/search.c
--- cups-1.2.12/cgi-bin/search.c.CVE-2008-0047	2006-09-17 20:01:47.000000000 +0100
+++ cups-1.2.12/cgi-bin/search.c	2008-04-01 16:55:01.000000000 +0100
@@ -171,7 +171,9 @@ cgiCompileSearch(const char *query)	/* I
       * string + RE overhead...
       */
 
-      wlen = (sptr - s) + 4 * wlen + 2 * strlen(prefix) + 4;
+      wlen = (sptr - s) + 2 * 4 * wlen + 2 * strlen(prefix) + 11;
+      if (lword)
+        wlen += strlen(lword);
 
       if (wlen > slen)
       {
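Review bot: The revised estimate on the `wlen =` line swaps one set of unexplained constants for another (`2 * 4 * wlen`, `+ 11`, and `strlen(lword)` when set), and since an undercount here is exactly the heap overflow being fixed, the derivation should be written down next to it so a later edit to the regex template does not silently invalidate the bound. The preceding comment only says "string + RE overhead"; I would extend it to itemise each term — the per-character expansion factor and why it is doubled, what fixed syntax the 11 counts, and why lword is added — checked against the code that fills the buffer, which lies outside this hunk, as does the rest of cgiCompileSearch. It is also worth confirming that wlen's type cannot wrap on a very long query, because the `wlen > slen` comparison that grows the buffer trusts this value.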

cups-CVE-2008-0053.patch:

--- NEW FILE cups-CVE-2008-0053.patch ---
diff -up cups-1.2.12/filter/hpgl-input.c.CVE-2008-0053 cups-1.2.12/filter/hpgl-input.c
--- cups-1.2.12/filter/hpgl-input.c.CVE-2008-0053	2007-07-06 23:39:54.000000000 +0100
+++ cups-1.2.12/filter/hpgl-input.c	2008-04-01 16:56:26.000000000 +0100
@@ -3,6 +3,7 @@
  *
  *   HP-GL/2 input processing for the Common UNIX Printing System (CUPS).
  *
+ *   Copyright 2007-2008 by Apple Inc.
  *   Copyright 1993-2006 by Easy Software Products.
  *
  *   These coded instructions, statements, and computer programs are the
@@ -56,6 +57,7 @@ ParseCommand(FILE    *fp,	/* I - File to
 		i;		/* Looping var */
   char		buf[262144],	/* String buffer */
 		*bufptr;	/* Pointer into buffer */
+  float		temp;		/* Temporary parameter value */
   static param_t p[MAX_PARAMS];	/* Parameter buffer */
 
 
@@ -220,10 +222,10 @@ ParseCommand(FILE    *fp,	/* I - File to
       case '-' :
       case '+' :
           ungetc(ch, fp);
-          fscanf(fp, "%f", &(p[num_params].value.number));
-          if (num_params < MAX_PARAMS)
+          if (fscanf(fp, "%f", &temp) == 1 && num_params < MAX_PARAMS)
           {
-            p[num_params].type = PARAM_RELATIVE;
+            p[num_params].type         = PARAM_RELATIVE;
+            p[num_params].value.number = temp;
             num_params ++;
           }
           break;
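Review bot: With the stored value now gated on `num_params < MAX_PARAMS`, a parameter that parses but does not fit is consumed and silently dropped; that is the right trade against the former out-of-bounds write, but it deserves a comment such as `/* Excess parameters past MAX_PARAMS are consumed and discarded */` so nobody reverts it to "store first, check later". The same eight lines are repeated in the hunk at -239,10 for PARAM_ABSOLUTE; a small static helper taking the param type would keep the two branches in step. The failure paths also differ slightly: a `fscanf` match failure after the ungetc'd sign may already have consumed that character, and an EOF return falls through to the enclosing read loop, which lies outside this hunk, as does the rest of ParseCommand.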
@@ -239,10 +241,10 @@ ParseCommand(FILE    *fp,	/* I - File to
       case '9' :
       case '.' :
           ungetc(ch, fp);
-          fscanf(fp, "%f", &(p[num_params].value.number));
-          if (num_params < MAX_PARAMS)
+          if (fscanf(fp, "%f", &temp) == 1 && num_params < MAX_PARAMS)
           {
-            p[num_params].type = PARAM_ABSOLUTE;
+            p[num_params].type         = PARAM_ABSOLUTE;
+            p[num_params].value.number = temp;
             num_params ++;
           }
           break;

cups-CVE-2008-1373.patch:

--- NEW FILE cups-CVE-2008-1373.patch ---
diff -up cups-1.2.12/filter/image-gif.c.CVE-2008-1373 cups-1.2.12/filter/image-gif.c
--- cups-1.2.12/filter/image-gif.c.CVE-2008-1373	2006-05-11 12:41:36.000000000 +0100
+++ cups-1.2.12/filter/image-gif.c	2008-04-01 16:57:58.000000000 +0100
@@ -47,6 +47,8 @@
 #define GIF_INTERLACE	0x40
 #define GIF_COLORMAP	0x80
 
+#define MAX_LWZ_BITS	12
+
 typedef cups_ib_t	gif_cmap_t[256][4];
 typedef short		gif_table_t[4096];
 
@@ -471,6 +473,9 @@ gif_read_image(FILE         *fp,	/* I - 
   pass      = 0;
   code_size = getc(fp);
 
+  if (code_size > MAX_LWZ_BITS)
+    return (-1);
+
   if (gif_read_lzw(fp, 1, code_size) < 0)
     return (-1);
 
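Review bot: The new guard only bounds code_size from above, but `getc(fp)` returns EOF on a truncated stream, and a negative value passes `code_size > MAX_LWZ_BITS` straight into gif_read_lzw (not visible here), where any shift or table size derived from it would be undefined. I would widen the check to `if (code_size < 0 || code_size > MAX_LWZ_BITS)`, and, since GIF minimum code sizes are small positive integers, consider a lower bound matched to what gif_read_lzw's table setup tolerates. gif_read_image continues outside this hunk.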


Index: cups.spec
===================================================================
RCS file: /cvs/pkgs/rpms/cups/F-7/cups.spec,v
retrieving revision 1.350
retrieving revision 1.351
diff -u -r1.350 -r1.351
--- cups.spec	22 Feb 2008 13:32:22 -0000	1.350
+++ cups.spec	1 Apr 2008 15:59:28 -0000	1.351
@@ -6,7 +6,7 @@
 Summary: Common Unix Printing System
 Name: cups
 Version: 1.2.12
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPL
 Group: System Environment/Daemons
 Source: ftp://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2
@@ -52,6 +52,9 @@
 Patch28: cups-CVE-2007-4352,5392,5393.patch
 Patch29: cups-CVE-2007-4045.patch
 Patch30: cups-str2656.patch
+Patch31: cups-CVE-2008-0047.patch
+Patch32: cups-CVE-2008-0053.patch
+Patch33: cups-CVE-2008-1373.patch
 Patch100: cups-lspp.patch
 Epoch: 1
 Url: http://www.cups.org/
@@ -166,6 +169,9 @@
 %patch28 -p1 -b .CVE-2007-4352,5392,5393
 %patch29 -p1 -b .CVE-2007-4045
 %patch30 -p1 -b .str2656
+%patch31 -p1 -b .CVE-2008-0047
+%patch32 -p1 -b .CVE-2008-0053
+%patch33 -p1 -b .CVE-2008-1373
 
 %if %lspp
 %patch100 -p1 -b .lspp
@@ -453,6 +459,12 @@
 %{cups_serverbin}/daemon/cups-lpd
 
 %changelog
+* Tue Apr  1 2008 Tim Waugh <twaugh at redhat.com> 1:1.2.12-10
+- Applied patch to fix CVE-2008-1373 (GIF overflow, bug #438303).
+- Applied patch to fix CVE-2008-0053 (HP-GL/2 input processing, bug #438117).
+- Applied patch to prevent heap-based buffer overflow in CUPS helper
+  program (bug #436153, CVE-2008-0047, STR #2729).
+
 * Fri Feb 22 2008 Tim Waugh <twaugh at redhat.com> 1:1.2.12-9
 - Prevent double-free when a browsed class has the same name as a printer
   or vice versa (CVE-2008-0882, bug #433758, STR #2656).



