diff options
| author | Stefan Ghinea <stefan.ghinea@windriver.com> | 2021-02-25 20:41:27 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-02-26 15:21:20 +0000 |
| commit | 39a67849e9c932d3675702a2c966627988b4dbe4 (patch) | |
| tree | cfbf3d0abfc8e41ada5d7c32e55f824d24bf6274 /meta/recipes-extended | |
| parent | a23b63bd716724830ced00876fec1f26e4be021d (diff) | |
| download | poky-39a67849e9c932d3675702a2c966627988b4dbe4.tar.gz | |
cups: fix CVE-2020-10001
A buffer (read) overflow in the ippReadIO function.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-10001
Upstream patches:
https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9
(From OE-Core rev: 90eba79bf6f623aa3021eafd0141dad1c3059001)
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
| -rw-r--r-- | meta/recipes-extended/cups/cups.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-extended/cups/cups/CVE-2020-10001.patch | 74 |
2 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 4a1177467b..244c87001f 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc | |||
| @@ -15,6 +15,7 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t | |||
| 15 | file://0004-cups-fix-multilib-install-file-conflicts.patch \ | 15 | file://0004-cups-fix-multilib-install-file-conflicts.patch \ |
| 16 | file://volatiles.99_cups \ | 16 | file://volatiles.99_cups \ |
| 17 | file://cups-volatiles.conf \ | 17 | file://cups-volatiles.conf \ |
| 18 | file://CVE-2020-10001.patch \ | ||
| 18 | " | 19 | " |
| 19 | 20 | ||
| 20 | UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases" | 21 | UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases" |
diff --git a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch new file mode 100644 index 0000000000..09a0a5765d --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch | |||
| @@ -0,0 +1,74 @@ | |||
| 1 | From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Michael R Sweet <msweet@msweet.org> | ||
| 3 | Date: Mon, 1 Feb 2021 15:02:32 -0500 | ||
| 4 | Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001) | ||
| 5 | |||
| 6 | Upstream-Status: Backport | ||
| 7 | CVE: CVE-2020-10001 | ||
| 8 | |||
| 9 | Reference to upstream patch: | ||
| 10 | [https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9] | ||
| 11 | |||
| 12 | [SG: Addapted for version 2.3.3] | ||
| 13 | Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> | ||
| 14 | --- | ||
| 15 | CHANGES.md | 2 ++ | ||
| 16 | cups/ipp.c | 8 +++++--- | ||
| 17 | 2 files changed, 7 insertions(+), 3 deletions(-) | ||
| 18 | |||
| 19 | diff --git a/CHANGES.md b/CHANGES.md | ||
| 20 | index df72892..5ca12da 100644 | ||
| 21 | --- a/CHANGES.md | ||
| 22 | +++ b/CHANGES.md | ||
| 23 | @@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24 | ||
| 24 | Changes in CUPS v2.3.3 | ||
| 25 | ---------------------- | ||
| 26 | |||
| 27 | +- Security: Fixed a buffer (read) overflow in the `ippReadIO` function | ||
| 28 | + (CVE-2020-10001) | ||
| 29 | - CVE-2020-3898: The `ppdOpen` function did not handle invalid UI | ||
| 30 | constraint. `ppdcSource::get_resolution` function did not handle | ||
| 31 | invalid resolution strings. | ||
| 32 | diff --git a/cups/ipp.c b/cups/ipp.c | ||
| 33 | index 3d52934..adbb26f 100644 | ||
| 34 | --- a/cups/ipp.c | ||
| 35 | +++ b/cups/ipp.c | ||
| 36 | @@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */ | ||
| 37 | unsigned char *buffer, /* Data buffer */ | ||
| 38 | string[IPP_MAX_TEXT], | ||
| 39 | /* Small string buffer */ | ||
| 40 | - *bufptr; /* Pointer into buffer */ | ||
| 41 | + *bufptr, /* Pointer into buffer */ | ||
| 42 | + *bufend; /* End of buffer */ | ||
| 43 | ipp_attribute_t *attr; /* Current attribute */ | ||
| 44 | ipp_tag_t tag; /* Current tag */ | ||
| 45 | ipp_tag_t value_tag; /* Current value tag */ | ||
| 46 | @@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */ | ||
| 47 | } | ||
| 48 | |||
| 49 | bufptr = buffer; | ||
| 50 | + bufend = buffer + n; | ||
| 51 | |||
| 52 | /* | ||
| 53 | * text-with-language and name-with-language are composite | ||
| 54 | @@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */ | ||
| 55 | |||
| 56 | n = (bufptr[0] << 8) | bufptr[1]; | ||
| 57 | |||
| 58 | - if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string)) | ||
| 59 | + if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string)) | ||
| 60 | { | ||
| 61 | _cupsSetError(IPP_STATUS_ERROR_INTERNAL, | ||
| 62 | _("IPP language length overflows value."), 1); | ||
| 63 | @@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */ | ||
| 64 | bufptr += 2 + n; | ||
| 65 | n = (bufptr[0] << 8) | bufptr[1]; | ||
| 66 | |||
| 67 | - if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE)) | ||
| 68 | + if ((bufptr + 2 + n) > bufend) | ||
| 69 | { | ||
| 70 | _cupsSetError(IPP_STATUS_ERROR_INTERNAL, | ||
| 71 | _("IPP string length overflows value."), 1); | ||
| 72 | -- | ||
| 73 | 2.17.1 | ||
| 74 | |||