Commit 29d8db2c authored by Apertis CI's avatar Apertis CI

Merge updates from debian/buster

parents 35958874 78878a13
# see git-dpm(1) from git-dpm package
9615ef5f2b8374bfe2816f8ff4314234362ce841
9615ef5f2b8374bfe2816f8ff4314234362ce841
9af82602a9fe2523ceeef46f2d6e6378e2dc7eb7
9af82602a9fe2523ceeef46f2d6e6378e2dc7eb7
25b2338346ef3abbb93ea88476887cba7b2b86f8
25b2338346ef3abbb93ea88476887cba7b2b86f8
cups_2.2.10.orig.tar.gz
......
cups (2.2.10-6+deb10u1co1) UNRELEASED; urgency=medium
* PLEASE SUMMARIZE remaining Apertis changes
-- root <ritesh.sarraf@collabora.co.uk> Sun, 06 Oct 2019 04:45:31 +0000
cups (2.2.10-6+deb10u1) buster; urgency=medium
* Fix multiple security/disclosure issues (Closes: #934957)
- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows
- Fixed IPP buffer overflow
- Fixed memory disclosure issue in the scheduler
- Fixed DoS issues in the scheduler
-- Didier Raboud <odyx@debian.org> Wed, 21 Aug 2019 09:43:13 +0200
cups (2.2.10-6co1) apertis; urgency=medium
* Sync changes from Debian Buster
......
From 9af82602a9fe2523ceeef46f2d6e6378e2dc7eb7 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Thu, 15 Aug 2019 14:08:31 -0400
Subject: Fix multiple security/disclosure issues:
- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251)
- Fixed IPP buffer overflow (rdar://50035411)
- Fixed memory disclosure issue in the scheduler (rdar://51373853)
- Fixed DoS issues in the scheduler (rdar://51373929)
This is a backport of f24e6cf6a39300ad0c3726a41a4aab51ad54c109 on top of 2.2.10.
---
cups/http.c | 9 +++++++--
cups/ipp.c | 9 ++-------
cups/snmp.c | 20 +++++++++++++++++++-
scheduler/client.c | 23 ++++++++++++-----------
4 files changed, 40 insertions(+), 21 deletions(-)
diff --git a/cups/http.c b/cups/http.c
index 5c14ef68e..3fadb5acb 100644
--- a/cups/http.c
+++ b/cups/http.c
@@ -1905,7 +1905,7 @@ httpPrintf(http_t *http, /* I - HTTP connection */
...) /* I - Additional args as needed */
{
ssize_t bytes; /* Number of bytes to write */
- char buf[16384]; /* Buffer for formatted string */
+ char buf[65536]; /* Buffer for formatted string */
va_list ap; /* Variable argument pointer */
@@ -1917,7 +1917,12 @@ httpPrintf(http_t *http, /* I - HTTP connection */
DEBUG_printf(("3httpPrintf: (" CUPS_LLFMT " bytes) %s", CUPS_LLCAST bytes, buf));
- if (http->data_encoding == HTTP_ENCODING_FIELDS)
+ if (bytes > (ssize_t)(sizeof(buf) - 1))
+ {
+ http->error = ENOMEM;
+ return (-1);
+ }
+ else if (http->data_encoding == HTTP_ENCODING_FIELDS)
return ((int)httpWrite2(http, buf, (size_t)bytes));
else
{
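Review bot: The new guard rejects only a truncated result, so a negative `bytes` still falls through to `httpWrite2(http, buf, (size_t)bytes)`, where the cast turns it into a very large length. The assignment to `bytes` is outside the hunk; if it comes from a `vsnprintf`-style call, that call can return a negative value on a formatting error. Widen the test to `if (bytes < 0 || bytes > (ssize_t)(sizeof(buf) - 1))` so both cases return -1 before `buf` is used. A short comment at the guard saying that truncated output is never sent would also help, since `ENOMEM` alone does not convey that.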
diff --git a/cups/ipp.c b/cups/ipp.c
index 2c09f2703..cc9c6af50 100644
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -4548,9 +4548,7 @@ ippSetValueTag(
break;
case IPP_TAG_NAME :
- if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI &&
- temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE &&
- temp_tag != IPP_TAG_MIMETYPE)
+ if (temp_tag != IPP_TAG_KEYWORD)
return (0);
(*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST));
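Review bot: Nothing at the two narrowed conditions records why URI, URI-scheme, language and MIME-type values may no longer be retagged as name values, so the test reads like an arbitrary restriction that a later cleanup could widen again. The commit message lists an IPP buffer overflow fix, and this appears to be it. Say so at the `case IPP_TAG_NAME :` test and at the `IPP_TAG_NAMELANG` test in the next hunk, e.g. `/* Only keyword values may become names; the other string syntaxes were dropped as part of the IPP buffer overflow fix */`. ippSetValueTag's body starts and ends outside both hunks.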
@@ -4558,10 +4556,7 @@ ippSetValueTag(
case IPP_TAG_NAMELANG :
case IPP_TAG_TEXTLANG :
- if (value_tag == IPP_TAG_NAMELANG &&
- (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD &&
- temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME &&
- temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE))
+ if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD))
return (0);
if (value_tag == IPP_TAG_TEXTLANG && temp_tag != IPP_TAG_TEXT)
diff --git a/cups/snmp.c b/cups/snmp.c
index 8437528dd..fc9396177 100644
--- a/cups/snmp.c
+++ b/cups/snmp.c
@@ -1233,6 +1233,9 @@ asn1_get_integer(
int value; /* Integer value */
+ if (*buffer >= bufend)
+ return (0);
+
if (length > sizeof(int))
{
(*buffer) += length;
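Review bot: The oversized-integer skip `(*buffer) += length;` is not clamped to `bufend`, so a packet that declares more data than remains moves `*buffer` past the end of the packet. The new `*buffer >= bufend` guards make later decoders return early, but forming a pointer beyond one-past-the-end is itself undefined in C. Clamp the advance instead, e.g. `(*buffer) += (length < (unsigned)(bufend - *buffer)) ? length : (unsigned)(bufend - *buffer);`. asn1_get_oid has the same shape in `valend = *buffer + length;`. Both function bodies continue outside their hunks, so a later clamp may already cover the oid case.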
@@ -1259,6 +1262,9 @@ asn1_get_length(unsigned char **buffer, /* IO - Pointer in buffer */
unsigned length; /* Length */
+ if (*buffer >= bufend)
+ return (0);
+
length = **buffer;
(*buffer) ++;
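Review bot: Returning 0 from the new guard is indistinguishable from a legitimately encoded zero length, so a truncated packet reads like a well-formed one with an empty field. The same applies to the guards added in asn1_get_integer, asn1_get_packed and asn1_get_type, where 0 is also a valid decoded value. If the signatures cannot change, document it at each guard, e.g. `/* Buffer exhausted: 0 is returned in-band, callers must compare *buffer with bufend */`. Also confirm that the packet decoder, which is outside this diff, rejects the packet when that happens.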
@@ -1301,6 +1307,9 @@ asn1_get_oid(
int number; /* OID number */
+ if (*buffer >= bufend)
+ return (0);
+
valend = *buffer + length;
oidptr = oid;
oidend = oid + oidsize - 1;
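Review bot: The early return leaves the caller's `oid` array unwritten. The asn1_get_string guard likewise leaves `string` unwritten and returns NULL, which may be a new return value for that function. Whether callers pre-initialise those buffers or check the return value is not visible in this diff. Putting the outputs in a defined state is cheap: for the string case add `if (strsize > 0) *string = '\0';` before `return (NULL);`, and for the oid case write the array's end marker into the first element before `return (0);`. The remainder of both functions is outside their hunks.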
@@ -1349,9 +1358,12 @@ asn1_get_packed(
int value; /* Value */
+ if (*buffer >= bufend)
+ return (0);
+
value = 0;
- while ((**buffer & 128) && *buffer < bufend)
+ while (*buffer < bufend && (**buffer & 128))
{
value = (value << 7) | (**buffer & 127);
(*buffer) ++;
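Review bot: `value` is a signed `int` and the loop shifts it left by 7 for every continuation byte with no cap on the count, so a long run of bytes with the high bit set overflows a signed shift, which is undefined behaviour. The reordered condition fixes the read past `bufend` but not this. Accumulate in an unsigned variable and convert on return, e.g. declare `unsigned value;` and keep `value = (value << 7) | (**buffer & 127);`. Alternatively, stop decoding once more continuation bytes have been seen than an `int` can hold. The rest of asn1_get_packed is outside the hunk.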
@@ -1379,6 +1391,9 @@ asn1_get_string(
char *string, /* I - String buffer */
size_t strsize) /* I - String buffer size */
{
+ if (*buffer >= bufend)
+ return (NULL);
+
if (length > (unsigned)(bufend - *buffer))
length = (unsigned)(bufend - *buffer);
@@ -1421,6 +1436,9 @@ asn1_get_type(unsigned char **buffer, /* IO - Pointer in buffer */
int type; /* Type */
+ if (*buffer >= bufend)
+ return (0);
+
type = **buffer;
(*buffer) ++;
diff --git a/scheduler/client.c b/scheduler/client.c
index a21b909a8..680508047 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -568,6 +568,17 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cupsdReadClient: error=%d, used=%d, state=%s, data_encoding=HTTP_ENCODING_%s, data_remaining=" CUPS_LLFMT ", request=%p(%s), file=%d", httpError(con->http), (int)httpGetReady(con->http), httpStateString(httpGetState(con->http)), httpIsChunked(con->http) ? "CHUNKED" : "LENGTH", CUPS_LLCAST httpGetRemaining(con->http), con->request, con->request ? ippStateString(ippGetState(con->request)) : "", con->file);
+ if (httpError(con->http) == EPIPE && !httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
+ {
+ /*
+ * Connection closed...
+ */
+
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
+ cupsdCloseClient(con);
+ return;
+ }
+
if (httpGetState(con->http) == HTTP_STATE_GET_SEND ||
httpGetState(con->http) == HTTP_STATE_POST_SEND ||
httpGetState(con->http) == HTTP_STATE_STATUS)
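Review bot: The relocated EOF probe keeps the comment `Connection closed...`, which does not explain why it is now gated on `httpError(con->http) == EPIPE`. It also does not say that `recv(..., MSG_PEEK) < 1` treats a failed call (-1) the same as an orderly close (0). The check now runs ahead of the HTTP state test, so it decides the fate of a connection in every state and the reasoning should be on the page. Expand the comment along the lines of `/* Peer hung up (EPIPE) and nothing is buffered: peek to confirm before closing; a recv error is treated as closed too */`. cupsdReadClient's body starts and ends outside the hunk.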
@@ -577,17 +588,6 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
* connection and we need to shut it down...
*/
- if (!httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
- {
- /*
- * Connection closed...
- */
-
- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
- cupsdCloseClient(con);
- return;
- }
-
cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on unexpected HTTP read state %s.", httpStateString(httpGetState(con->http)));
cupsdCloseClient(con);
return;
@@ -2209,6 +2209,7 @@ cupsdSendError(cupsd_client_t *con, /* I - Connection */
strlcpy(location, httpGetField(con->http, HTTP_FIELD_LOCATION), sizeof(location));
httpClearFields(con->http);
+ httpClearCookie(con->http);
httpSetField(con->http, HTTP_FIELD_LOCATION, location);
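Review bot: The added `httpClearCookie(con->http);` carries no comment, and the hunk does not say which of the scheduler fixes listed in the commit message it belongs to. It sits between `httpClearFields` and the restore of the Location field, so it presumably keeps a cookie left on the connection out of the error response. Record that next to the call, e.g. `/* Drop any cookie still attached to the connection so it is not sent with the error response */`, so the line is not later removed as redundant with `httpClearFields`. cupsdSendError's body continues outside the hunk.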
......@@ -44,3 +44,4 @@ debianize_cups-config.patch
0044-Fix-potential-unaligned-accesses-in-the-string-pool-.patch
0045-Fix-an-issue-with-PreserveJobHistory-and-time-values.patch
manpage-translations.patch
0047-Fix-multiple-security-disclosure-issues.patch