1 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
new file mode 100644
index 0000000000..09a0a5765d
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
@@ -0,0 +1,74 @@
+From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 1 Feb 2021 15:02:32 -0500
+Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
+Upstream-Status: Backport
+CVE: CVE-2020-10001
+Reference to upstream patch:
+[https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9]
+[SG: Addapted for version 2.3.3]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ CHANGES.md | 2 ++
+ cups/ipp.c | 8 +++++---
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+diff --git a/CHANGES.md b/CHANGES.md
+index df72892..5ca12da 100644
+--- a/CHANGES.md
+++ b/CHANGES.md
+@@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24
+ Changes in CUPS v2.3.3
+ ----------------------
+ 
+- Security: Fixed a buffer (read) overflow in the `ippReadIO` function
+  (CVE-2020-10001)
+ - CVE-2020-3898: The `ppdOpen` function did not handle invalid UI
+   constraint.  `ppdcSource::get_resolution` function did not handle
+   invalid resolution strings.
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 3d52934..adbb26f 100644
+--- a/cups/ipp.c
+++ b/cups/ipp.c
+@@ -2866,7 +2866,8 @@ ippReadIO(void       *src,                /* I - Data source */
+   unsigned char                *buffer,        /* Data buffer */
+                        string[IPP_MAX_TEXT],
+                                        /* Small string buffer */
+-                       *bufptr;        /* Pointer into buffer */
+                       *bufptr,        /* Pointer into buffer */
+                       *bufend;        /* End of buffer */
+   ipp_attribute_t      *attr;          /* Current attribute */
+   ipp_tag_t            tag;            /* Current tag */
+   ipp_tag_t            value_tag;      /* Current value tag */
+@@ -3441,6 +3442,7 @@ ippReadIO(void       *src,                /* I - Data source */
+                }
+ 
+                 bufptr = buffer;
+                bufend = buffer + n;
+ 
+               /*
+                * text-with-language and name-with-language are composite
+@@ -3454,7 +3456,7 @@ ippReadIO(void       *src,                /* I - Data source */
+ 
+                n = (bufptr[0] << 8) | bufptr[1];
+ 
+-               if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
+               if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+                {
+                  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+                                _("IPP language length overflows value."), 1);
+@@ -3481,7 +3483,7 @@ ippReadIO(void       *src,                /* I - Data source */
+                 bufptr += 2 + n;
+                n = (bufptr[0] << 8) | bufptr[1];
+ 
+-               if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
+               if ((bufptr + 2 + n) > bufend)
+                {
+                  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+                                _("IPP string length overflows value."), 1);
+-- 
+2.17.1

diff --git a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch new file mode 100644 index 0000000000..09a0a5765d --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
@@ -0,0 +1,74 @@
	1	From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
	2	From: Michael R Sweet <msweet@msweet.org>
	3	Date: Mon, 1 Feb 2021 15:02:32 -0500
	4	Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
	5
	6	Upstream-Status: Backport
	7	CVE: CVE-2020-10001
	8
	9	Reference to upstream patch:
	10	[https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9]
	11
	12	[SG: Addapted for version 2.3.3]
	13	Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
	14	---
	15	CHANGES.md \| 2 ++
	16	cups/ipp.c \| 8 +++++---
	17	2 files changed, 7 insertions(+), 3 deletions(-)
	18
	19	diff --git a/CHANGES.md b/CHANGES.md
	20	index df72892..5ca12da 100644
	21	--- a/CHANGES.md
	22	+++ b/CHANGES.md
	23	@@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24
	24	Changes in CUPS v2.3.3
	25	----------------------
	26
	27	+- Security: Fixed a buffer (read) overflow in the `ippReadIO` function
	28	+ (CVE-2020-10001)
	29	- CVE-2020-3898: The `ppdOpen` function did not handle invalid UI
	30	constraint. `ppdcSource::get_resolution` function did not handle
	31	invalid resolution strings.
	32	diff --git a/cups/ipp.c b/cups/ipp.c
	33	index 3d52934..adbb26f 100644
	34	--- a/cups/ipp.c
	35	+++ b/cups/ipp.c
	36	@@ -2866,7 +2866,8 @@ ippReadIO(void src, / I - Data source */
	37	unsigned char buffer, / Data buffer */
	38	string[IPP_MAX_TEXT],
	39	/* Small string buffer */
	40	- bufptr; / Pointer into buffer */
	41	+ bufptr, / Pointer into buffer */
	42	+ bufend; / End of buffer */
	43	ipp_attribute_t attr; / Current attribute */
	44	ipp_tag_t tag; /* Current tag */
	45	ipp_tag_t value_tag; /* Current value tag */
	46	@@ -3441,6 +3442,7 @@ ippReadIO(void src, / I - Data source */
	47	}
	48
	49	bufptr = buffer;
	50	+ bufend = buffer + n;
	51
	52	/*
	53	* text-with-language and name-with-language are composite
	54	@@ -3454,7 +3456,7 @@ ippReadIO(void src, / I - Data source */
	55
	56	n = (bufptr[0] << 8) \| bufptr[1];
	57
	58	- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) \|\| n >= (int)sizeof(string))
	59	+ if ((bufptr + 2 + n + 2) > bufend \|\| n >= (int)sizeof(string))
	60	{
	61	_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
	62	_("IPP language length overflows value."), 1);
	63	@@ -3481,7 +3483,7 @@ ippReadIO(void src, / I - Data source */
	64	bufptr += 2 + n;
	65	n = (bufptr[0] << 8) \| bufptr[1];
	66
	67	- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
	68	+ if ((bufptr + 2 + n) > bufend)
	69	{
	70	_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
	71	_("IPP string length overflows value."), 1);
	72	--
	73	2.17.1
	74