diff options
Diffstat (limited to 'meta/recipes-extended/cups')
-rw-r--r-- | meta/recipes-extended/cups/cups.inc | 10 | ||||
-rw-r--r-- | meta/recipes-extended/cups/cups/CVE-2020-10001.patch | 74 |
2 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 87870e4aba..244c87001f 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc | |||
@@ -15,11 +15,19 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t | |||
15 | file://0004-cups-fix-multilib-install-file-conflicts.patch \ | 15 | file://0004-cups-fix-multilib-install-file-conflicts.patch \ |
16 | file://volatiles.99_cups \ | 16 | file://volatiles.99_cups \ |
17 | file://cups-volatiles.conf \ | 17 | file://cups-volatiles.conf \ |
18 | file://CVE-2020-10001.patch \ | ||
18 | " | 19 | " |
19 | 20 | ||
20 | UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases" | 21 | UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases" |
21 | UPSTREAM_CHECK_REGEX = "cups-(?P<pver>\d+\.\d+(\.\d+)?)-source.tar" | 22 | UPSTREAM_CHECK_REGEX = "cups-(?P<pver>\d+\.\d+(\.\d+)?)-source.tar" |
22 | 23 | ||
24 | # Issue only applies to MacOS | ||
25 | CVE_CHECK_WHITELIST += "CVE-2008-1033" | ||
26 | # Issue affects pdfdistiller plugin used with but not part of cups | ||
27 | CVE_CHECK_WHITELIST += "CVE-2009-0032" | ||
28 | # This is an Ubuntu only issue. | ||
29 | CVE_CHECK_WHITELIST += "CVE-2018-6553" | ||
30 | |||
23 | LEAD_SONAME = "libcupsdriver.so" | 31 | LEAD_SONAME = "libcupsdriver.so" |
24 | 32 | ||
25 | CLEANBROKEN = "1" | 33 | CLEANBROKEN = "1" |
@@ -47,6 +55,8 @@ EXTRA_OECONF = " \ | |||
47 | --enable-debug \ | 55 | --enable-debug \ |
48 | --disable-relro \ | 56 | --disable-relro \ |
49 | --enable-libusb \ | 57 | --enable-libusb \ |
58 | --with-system-groups=lpadmin \ | ||
59 | --with-cups-group=lp \ | ||
50 | --with-domainsocket=/run/cups/cups.sock \ | 60 | --with-domainsocket=/run/cups/cups.sock \ |
51 | DSOFLAGS='${LDFLAGS}' \ | 61 | DSOFLAGS='${LDFLAGS}' \ |
52 | " | 62 | " |
diff --git a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch new file mode 100644 index 0000000000..09a0a5765d --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch | |||
@@ -0,0 +1,74 @@ | |||
1 | From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael R Sweet <msweet@msweet.org> | ||
3 | Date: Mon, 1 Feb 2021 15:02:32 -0500 | ||
4 | Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001) | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | CVE: CVE-2020-10001 | ||
8 | |||
9 | Reference to upstream patch: | ||
10 | [https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9] | ||
11 | |||
12 | [SG: Addapted for version 2.3.3] | ||
13 | Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> | ||
14 | --- | ||
15 | CHANGES.md | 2 ++ | ||
16 | cups/ipp.c | 8 +++++--- | ||
17 | 2 files changed, 7 insertions(+), 3 deletions(-) | ||
18 | |||
19 | diff --git a/CHANGES.md b/CHANGES.md | ||
20 | index df72892..5ca12da 100644 | ||
21 | --- a/CHANGES.md | ||
22 | +++ b/CHANGES.md | ||
23 | @@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24 | ||
24 | Changes in CUPS v2.3.3 | ||
25 | ---------------------- | ||
26 | |||
27 | +- Security: Fixed a buffer (read) overflow in the `ippReadIO` function | ||
28 | + (CVE-2020-10001) | ||
29 | - CVE-2020-3898: The `ppdOpen` function did not handle invalid UI | ||
30 | constraint. `ppdcSource::get_resolution` function did not handle | ||
31 | invalid resolution strings. | ||
32 | diff --git a/cups/ipp.c b/cups/ipp.c | ||
33 | index 3d52934..adbb26f 100644 | ||
34 | --- a/cups/ipp.c | ||
35 | +++ b/cups/ipp.c | ||
36 | @@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */ | ||
37 | unsigned char *buffer, /* Data buffer */ | ||
38 | string[IPP_MAX_TEXT], | ||
39 | /* Small string buffer */ | ||
40 | - *bufptr; /* Pointer into buffer */ | ||
41 | + *bufptr, /* Pointer into buffer */ | ||
42 | + *bufend; /* End of buffer */ | ||
43 | ipp_attribute_t *attr; /* Current attribute */ | ||
44 | ipp_tag_t tag; /* Current tag */ | ||
45 | ipp_tag_t value_tag; /* Current value tag */ | ||
46 | @@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */ | ||
47 | } | ||
48 | |||
49 | bufptr = buffer; | ||
50 | + bufend = buffer + n; | ||
51 | |||
52 | /* | ||
53 | * text-with-language and name-with-language are composite | ||
54 | @@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */ | ||
55 | |||
56 | n = (bufptr[0] << 8) | bufptr[1]; | ||
57 | |||
58 | - if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string)) | ||
59 | + if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string)) | ||
60 | { | ||
61 | _cupsSetError(IPP_STATUS_ERROR_INTERNAL, | ||
62 | _("IPP language length overflows value."), 1); | ||
63 | @@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */ | ||
64 | bufptr += 2 + n; | ||
65 | n = (bufptr[0] << 8) | bufptr[1]; | ||
66 | |||
67 | - if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE)) | ||
68 | + if ((bufptr + 2 + n) > bufend) | ||
69 | { | ||
70 | _cupsSetError(IPP_STATUS_ERROR_INTERNAL, | ||
71 | _("IPP string length overflows value."), 1); | ||
72 | -- | ||
73 | 2.17.1 | ||
74 | |||