2 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 87870e4aba..244c87001f 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -15,11 +15,19 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
           file://0004-cups-fix-multilib-install-file-conflicts.patch \
           file://volatiles.99_cups \
           file://cups-volatiles.conf \
+           file://CVE-2020-10001.patch \
           "
 UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
 UPSTREAM_CHECK_REGEX = "cups-(?P<pver>\d+\.\d+(\.\d+)?)-source.tar"
+# Issue only applies to MacOS
+CVE_CHECK_WHITELIST += "CVE-2008-1033"
+# Issue affects pdfdistiller plugin used with but not part of cups
+CVE_CHECK_WHITELIST += "CVE-2009-0032"
+# This is an Ubuntu only issue.
+CVE_CHECK_WHITELIST += "CVE-2018-6553"
 LEAD_SONAME = "libcupsdriver.so"
 CLEANBROKEN = "1"
@@ -47,6 +55,8 @@ EXTRA_OECONF = " \
               --enable-debug \
               --disable-relro \
               --enable-libusb \
+               --with-system-groups=lpadmin \
+               --with-cups-group=lp \
               --with-domainsocket=/run/cups/cups.sock \
               DSOFLAGS='${LDFLAGS}' \
               "
diff --git a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
new file mode 100644
index 0000000000..09a0a5765d
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
@@ -0,0 +1,74 @@
+From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 1 Feb 2021 15:02:32 -0500
+Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
+Upstream-Status: Backport
+CVE: CVE-2020-10001
+Reference to upstream patch:
+[https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9]
+[SG: Addapted for version 2.3.3]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ CHANGES.md | 2 ++
+ cups/ipp.c | 8 +++++---
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+diff --git a/CHANGES.md b/CHANGES.md
+index df72892..5ca12da 100644
+--- a/CHANGES.md
+++ b/CHANGES.md
+@@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24
+ Changes in CUPS v2.3.3
+ ----------------------
+ 
+- Security: Fixed a buffer (read) overflow in the `ippReadIO` function
+  (CVE-2020-10001)
+ - CVE-2020-3898: The `ppdOpen` function did not handle invalid UI
+   constraint.  `ppdcSource::get_resolution` function did not handle
+   invalid resolution strings.
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 3d52934..adbb26f 100644
+--- a/cups/ipp.c
+++ b/cups/ipp.c
+@@ -2866,7 +2866,8 @@ ippReadIO(void       *src,                /* I - Data source */
+   unsigned char                *buffer,        /* Data buffer */
+                        string[IPP_MAX_TEXT],
+                                        /* Small string buffer */
+-                       *bufptr;        /* Pointer into buffer */
+                       *bufptr,        /* Pointer into buffer */
+                       *bufend;        /* End of buffer */
+   ipp_attribute_t      *attr;          /* Current attribute */
+   ipp_tag_t            tag;            /* Current tag */
+   ipp_tag_t            value_tag;      /* Current value tag */
+@@ -3441,6 +3442,7 @@ ippReadIO(void       *src,                /* I - Data source */
+                }
+ 
+                 bufptr = buffer;
+                bufend = buffer + n;
+ 
+               /*
+                * text-with-language and name-with-language are composite
+@@ -3454,7 +3456,7 @@ ippReadIO(void       *src,                /* I - Data source */
+ 
+                n = (bufptr[0] << 8) | bufptr[1];
+ 
+-               if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
+               if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+                {
+                  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+                                _("IPP language length overflows value."), 1);
+@@ -3481,7 +3483,7 @@ ippReadIO(void       *src,                /* I - Data source */
+                 bufptr += 2 + n;
+                n = (bufptr[0] << 8) | bufptr[1];
+ 
+-               if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
+               if ((bufptr + 2 + n) > bufend)
+                {
+                  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+                                _("IPP string length overflows value."), 1);
+-- 
+2.17.1

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 87870e4aba..244c87001f 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc
@@ -15,11 +15,19 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
15	file://0004-cups-fix-multilib-install-file-conflicts.patch \	15	file://0004-cups-fix-multilib-install-file-conflicts.patch \
16	file://volatiles.99_cups \	16	file://volatiles.99_cups \
17	file://cups-volatiles.conf \	17	file://cups-volatiles.conf \
		18	file://CVE-2020-10001.patch \
18	"	19	"
19		20
20	UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"	21	UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
21	UPSTREAM_CHECK_REGEX = "cups-(?P<pver>\d+\.\d+(\.\d+)?)-source.tar"	22	UPSTREAM_CHECK_REGEX = "cups-(?P<pver>\d+\.\d+(\.\d+)?)-source.tar"
22		23
		24	# Issue only applies to MacOS
		25	CVE_CHECK_WHITELIST += "CVE-2008-1033"
		26	# Issue affects pdfdistiller plugin used with but not part of cups
		27	CVE_CHECK_WHITELIST += "CVE-2009-0032"
		28	# This is an Ubuntu only issue.
		29	CVE_CHECK_WHITELIST += "CVE-2018-6553"
		30
23	LEAD_SONAME = "libcupsdriver.so"	31	LEAD_SONAME = "libcupsdriver.so"
24		32
25	CLEANBROKEN = "1"	33	CLEANBROKEN = "1"
@@ -47,6 +55,8 @@ EXTRA_OECONF = " \
47	--enable-debug \	55	--enable-debug \
48	--disable-relro \	56	--disable-relro \
49	--enable-libusb \	57	--enable-libusb \
		58	--with-system-groups=lpadmin \
		59	--with-cups-group=lp \
50	--with-domainsocket=/run/cups/cups.sock \	60	--with-domainsocket=/run/cups/cups.sock \
51	DSOFLAGS='${LDFLAGS}' \	61	DSOFLAGS='${LDFLAGS}' \
52	"	62	"


diff --git a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch new file mode 100644 index 0000000000..09a0a5765d --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
@@ -0,0 +1,74 @@
		1	From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
		2	From: Michael R Sweet <msweet@msweet.org>
		3	Date: Mon, 1 Feb 2021 15:02:32 -0500
		4	Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
		5
		6	Upstream-Status: Backport
		7	CVE: CVE-2020-10001
		8
		9	Reference to upstream patch:
		10	[https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9]
		11
		12	[SG: Addapted for version 2.3.3]
		13	Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
		14	---
		15	CHANGES.md \| 2 ++
		16	cups/ipp.c \| 8 +++++---
		17	2 files changed, 7 insertions(+), 3 deletions(-)
		18
		19	diff --git a/CHANGES.md b/CHANGES.md
		20	index df72892..5ca12da 100644
		21	--- a/CHANGES.md
		22	+++ b/CHANGES.md
		23	@@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24
		24	Changes in CUPS v2.3.3
		25	----------------------
		26
		27	+- Security: Fixed a buffer (read) overflow in the `ippReadIO` function
		28	+ (CVE-2020-10001)
		29	- CVE-2020-3898: The `ppdOpen` function did not handle invalid UI
		30	constraint. `ppdcSource::get_resolution` function did not handle
		31	invalid resolution strings.
		32	diff --git a/cups/ipp.c b/cups/ipp.c
		33	index 3d52934..adbb26f 100644
		34	--- a/cups/ipp.c
		35	+++ b/cups/ipp.c
		36	@@ -2866,7 +2866,8 @@ ippReadIO(void src, / I - Data source */
		37	unsigned char buffer, / Data buffer */
		38	string[IPP_MAX_TEXT],
		39	/* Small string buffer */
		40	- bufptr; / Pointer into buffer */
		41	+ bufptr, / Pointer into buffer */
		42	+ bufend; / End of buffer */
		43	ipp_attribute_t attr; / Current attribute */
		44	ipp_tag_t tag; /* Current tag */
		45	ipp_tag_t value_tag; /* Current value tag */
		46	@@ -3441,6 +3442,7 @@ ippReadIO(void src, / I - Data source */
		47	}
		48
		49	bufptr = buffer;
		50	+ bufend = buffer + n;
		51
		52	/*
		53	* text-with-language and name-with-language are composite
		54	@@ -3454,7 +3456,7 @@ ippReadIO(void src, / I - Data source */
		55
		56	n = (bufptr[0] << 8) \| bufptr[1];
		57
		58	- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) \|\| n >= (int)sizeof(string))
		59	+ if ((bufptr + 2 + n + 2) > bufend \|\| n >= (int)sizeof(string))
		60	{
		61	_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
		62	_("IPP language length overflows value."), 1);
		63	@@ -3481,7 +3483,7 @@ ippReadIO(void src, / I - Data source */
		64	bufptr += 2 + n;
		65	n = (bufptr[0] << 8) \| bufptr[1];
		66
		67	- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
		68	+ if ((bufptr + 2 + n) > bufend)
		69	{
		70	_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
		71	_("IPP string length overflows value."), 1);
		72	--
		73	2.17.1
		74