mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-25 22:08:16 -05:00
gnu: cups: Add replacement to fix CVE-2020-10001.
* gnu/packages/patches/cups-CVE-2020-10001.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/cups.scm (cups-minimal/fixed): New variable. (cups-minimal)[replacement]: Assign it to new field.
This commit is contained in:
parent
3694c0d4fe
commit
620669fd17
3 changed files with 54 additions and 0 deletions
|
@ -929,6 +929,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/crda-optional-gcrypt.patch \
|
||||
%D%/packages/patches/clucene-contribs-lib.patch \
|
||||
%D%/packages/patches/cube-nocheck.patch \
|
||||
%D%/packages/patches/cups-CVE-2020-10001.patch \
|
||||
%D%/packages/patches/curl-use-ssl-cert-env.patch \
|
||||
%D%/packages/patches/curl-7.76-use-ssl-cert-env.patch \
|
||||
%D%/packages/patches/curl-7.77-tls-priority-string.patch \
|
||||
|
|
|
@ -252,6 +252,7 @@ (define-public cups-minimal
|
|||
(package
|
||||
(name "cups-minimal")
|
||||
(version "2.3.3")
|
||||
(replacement cups-minimal/fixed)
|
||||
(source
|
||||
(origin
|
||||
(method url-fetch)
|
||||
|
@ -312,6 +313,11 @@ (define-public cups-minimal
|
|||
;; CUPS is Apache 2.0 with exceptions, see the NOTICE file.
|
||||
(license license:asl2.0)))
|
||||
|
||||
(define cups-minimal/fixed
|
||||
(package-with-extra-patches
|
||||
cups-minimal
|
||||
(search-patches "cups-CVE-2020-10001.patch")))
|
||||
|
||||
(define-public cups
|
||||
(package/inherit cups-minimal
|
||||
(name "cups")
|
||||
|
|
47
gnu/packages/patches/cups-CVE-2020-10001.patch
Normal file
47
gnu/packages/patches/cups-CVE-2020-10001.patch
Normal file
|
@ -0,0 +1,47 @@
|
|||
From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
|
||||
From: Michael R Sweet <msweet@msweet.org>
|
||||
Date: Mon, 1 Feb 2021 15:02:32 -0500
|
||||
Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
|
||||
|
||||
---
|
||||
|
||||
diff --git a/cups/ipp.c b/cups/ipp.c
|
||||
index 3d529346c..adbb26fba 100644
|
||||
--- a/cups/ipp.c
|
||||
+++ b/cups/ipp.c
|
||||
@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */
|
||||
unsigned char *buffer, /* Data buffer */
|
||||
string[IPP_MAX_TEXT],
|
||||
/* Small string buffer */
|
||||
- *bufptr; /* Pointer into buffer */
|
||||
+ *bufptr, /* Pointer into buffer */
|
||||
+ *bufend; /* End of buffer */
|
||||
ipp_attribute_t *attr; /* Current attribute */
|
||||
ipp_tag_t tag; /* Current tag */
|
||||
ipp_tag_t value_tag; /* Current value tag */
|
||||
@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */
|
||||
}
|
||||
|
||||
bufptr = buffer;
|
||||
+ bufend = buffer + n;
|
||||
|
||||
/*
|
||||
* text-with-language and name-with-language are composite
|
||||
@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */
|
||||
|
||||
n = (bufptr[0] << 8) | bufptr[1];
|
||||
|
||||
- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
|
||||
+ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
|
||||
{
|
||||
_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
|
||||
_("IPP language length overflows value."), 1);
|
||||
@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */
|
||||
bufptr += 2 + n;
|
||||
n = (bufptr[0] << 8) | bufptr[1];
|
||||
|
||||
- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
|
||||
+ if ((bufptr + 2 + n) > bufend)
|
||||
{
|
||||
_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
|
||||
_("IPP string length overflows value."), 1);
|
Loading…
Reference in a new issue