summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended
diff options
context:
space:
mode:
authorStefan Ghinea <stefan.ghinea@windriver.com>2021-02-25 20:41:27 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-02-26 15:21:20 +0000
commit39a67849e9c932d3675702a2c966627988b4dbe4 (patch)
treecfbf3d0abfc8e41ada5d7c32e55f824d24bf6274 /meta/recipes-extended
parenta23b63bd716724830ced00876fec1f26e4be021d (diff)
downloadpoky-39a67849e9c932d3675702a2c966627988b4dbe4.tar.gz
cups: fix CVE-2020-10001
A buffer (read) overflow in the ippReadIO function. References: https://nvd.nist.gov/vuln/detail/CVE-2020-10001 Upstream patches: https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9 (From OE-Core rev: 90eba79bf6f623aa3021eafd0141dad1c3059001) Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r--meta/recipes-extended/cups/cups.inc1
-rw-r--r--meta/recipes-extended/cups/cups/CVE-2020-10001.patch74
2 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 4a1177467b..244c87001f 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -15,6 +15,7 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
15 file://0004-cups-fix-multilib-install-file-conflicts.patch \ 15 file://0004-cups-fix-multilib-install-file-conflicts.patch \
16 file://volatiles.99_cups \ 16 file://volatiles.99_cups \
17 file://cups-volatiles.conf \ 17 file://cups-volatiles.conf \
18 file://CVE-2020-10001.patch \
18 " 19 "
19 20
20UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases" 21UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
new file mode 100644
index 0000000000..09a0a5765d
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
@@ -0,0 +1,74 @@
1From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
2From: Michael R Sweet <msweet@msweet.org>
3Date: Mon, 1 Feb 2021 15:02:32 -0500
4Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
5
6Upstream-Status: Backport
7CVE: CVE-2020-10001
8
9Reference to upstream patch:
10[https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9]
11
12[SG: Addapted for version 2.3.3]
13Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
14---
15 CHANGES.md | 2 ++
16 cups/ipp.c | 8 +++++---
17 2 files changed, 7 insertions(+), 3 deletions(-)
18
19diff --git a/CHANGES.md b/CHANGES.md
20index df72892..5ca12da 100644
21--- a/CHANGES.md
22+++ b/CHANGES.md
23@@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24
24 Changes in CUPS v2.3.3
25 ----------------------
26
27+- Security: Fixed a buffer (read) overflow in the `ippReadIO` function
28+ (CVE-2020-10001)
29 - CVE-2020-3898: The `ppdOpen` function did not handle invalid UI
30 constraint. `ppdcSource::get_resolution` function did not handle
31 invalid resolution strings.
32diff --git a/cups/ipp.c b/cups/ipp.c
33index 3d52934..adbb26f 100644
34--- a/cups/ipp.c
35+++ b/cups/ipp.c
36@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */
37 unsigned char *buffer, /* Data buffer */
38 string[IPP_MAX_TEXT],
39 /* Small string buffer */
40- *bufptr; /* Pointer into buffer */
41+ *bufptr, /* Pointer into buffer */
42+ *bufend; /* End of buffer */
43 ipp_attribute_t *attr; /* Current attribute */
44 ipp_tag_t tag; /* Current tag */
45 ipp_tag_t value_tag; /* Current value tag */
46@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */
47 }
48
49 bufptr = buffer;
50+ bufend = buffer + n;
51
52 /*
53 * text-with-language and name-with-language are composite
54@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */
55
56 n = (bufptr[0] << 8) | bufptr[1];
57
58- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
59+ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
60 {
61 _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
62 _("IPP language length overflows value."), 1);
63@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */
64 bufptr += 2 + n;
65 n = (bufptr[0] << 8) | bufptr[1];
66
67- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
68+ if ((bufptr + 2 + n) > bufend)
69 {
70 _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
71 _("IPP string length overflows value."), 1);
72--
732.17.1
74