diff options
Diffstat (limited to 'meta/recipes-extended/cups/cups/CVE-2020-10001.patch')
-rw-r--r-- | meta/recipes-extended/cups/cups/CVE-2020-10001.patch | 74 |
1 files changed, 0 insertions, 74 deletions
diff --git a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch deleted file mode 100644 index 09a0a5765d..0000000000 --- a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch +++ /dev/null | |||
@@ -1,74 +0,0 @@ | |||
1 | From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael R Sweet <msweet@msweet.org> | ||
3 | Date: Mon, 1 Feb 2021 15:02:32 -0500 | ||
4 | Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001) | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | CVE: CVE-2020-10001 | ||
8 | |||
9 | Reference to upstream patch: | ||
10 | [https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9] | ||
11 | |||
12 | [SG: Addapted for version 2.3.3] | ||
13 | Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> | ||
14 | --- | ||
15 | CHANGES.md | 2 ++ | ||
16 | cups/ipp.c | 8 +++++--- | ||
17 | 2 files changed, 7 insertions(+), 3 deletions(-) | ||
18 | |||
19 | diff --git a/CHANGES.md b/CHANGES.md | ||
20 | index df72892..5ca12da 100644 | ||
21 | --- a/CHANGES.md | ||
22 | +++ b/CHANGES.md | ||
23 | @@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24 | ||
24 | Changes in CUPS v2.3.3 | ||
25 | ---------------------- | ||
26 | |||
27 | +- Security: Fixed a buffer (read) overflow in the `ippReadIO` function | ||
28 | + (CVE-2020-10001) | ||
29 | - CVE-2020-3898: The `ppdOpen` function did not handle invalid UI | ||
30 | constraint. `ppdcSource::get_resolution` function did not handle | ||
31 | invalid resolution strings. | ||
32 | diff --git a/cups/ipp.c b/cups/ipp.c | ||
33 | index 3d52934..adbb26f 100644 | ||
34 | --- a/cups/ipp.c | ||
35 | +++ b/cups/ipp.c | ||
36 | @@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */ | ||
37 | unsigned char *buffer, /* Data buffer */ | ||
38 | string[IPP_MAX_TEXT], | ||
39 | /* Small string buffer */ | ||
40 | - *bufptr; /* Pointer into buffer */ | ||
41 | + *bufptr, /* Pointer into buffer */ | ||
42 | + *bufend; /* End of buffer */ | ||
43 | ipp_attribute_t *attr; /* Current attribute */ | ||
44 | ipp_tag_t tag; /* Current tag */ | ||
45 | ipp_tag_t value_tag; /* Current value tag */ | ||
46 | @@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */ | ||
47 | } | ||
48 | |||
49 | bufptr = buffer; | ||
50 | + bufend = buffer + n; | ||
51 | |||
52 | /* | ||
53 | * text-with-language and name-with-language are composite | ||
54 | @@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */ | ||
55 | |||
56 | n = (bufptr[0] << 8) | bufptr[1]; | ||
57 | |||
58 | - if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string)) | ||
59 | + if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string)) | ||
60 | { | ||
61 | _cupsSetError(IPP_STATUS_ERROR_INTERNAL, | ||
62 | _("IPP language length overflows value."), 1); | ||
63 | @@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */ | ||
64 | bufptr += 2 + n; | ||
65 | n = (bufptr[0] << 8) | bufptr[1]; | ||
66 | |||
67 | - if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE)) | ||
68 | + if ((bufptr + 2 + n) > bufend) | ||
69 | { | ||
70 | _cupsSetError(IPP_STATUS_ERROR_INTERNAL, | ||
71 | _("IPP string length overflows value."), 1); | ||
72 | -- | ||
73 | 2.17.1 | ||
74 | |||