diff options
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-extended/cups/cups-1.4.6/cups-CVE-2011-3170.patch | 54 | ||||
-rw-r--r-- | meta/recipes-extended/cups/cups_1.4.6.bb | 3 |
2 files changed, 56 insertions, 1 deletions
diff --git a/meta/recipes-extended/cups/cups-1.4.6/cups-CVE-2011-3170.patch b/meta/recipes-extended/cups/cups-1.4.6/cups-CVE-2011-3170.patch new file mode 100644 index 0000000000..fd1b95847c --- /dev/null +++ b/meta/recipes-extended/cups/cups-1.4.6/cups-CVE-2011-3170.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | cups CVE-2011-3170 | ||
2 | |||
3 | the patch come from: | ||
4 | http://cups.org/strfiles/3914/str3914.patch | ||
5 | |||
6 | The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and | ||
7 | earlier does not properly handle the first code word in an LZW stream, | ||
8 | which allows remote attackers to trigger a heap-based buffer overflow, | ||
9 | and possibly execute arbitrary code, via a crafted stream, a different | ||
10 | vulnerability than CVE-2011-2896. | ||
11 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3170 | ||
12 | |||
13 | Integrated-by: Li Wang <li.wang@windriver.com> | ||
14 | --- | ||
15 | filter/image-gif.c | 14 +++++++++----- | ||
16 | 1 files changed, 9 insertions(+), 5 deletions(-) | ||
17 | |||
18 | diff --git a/filter/image-gif.c b/filter/image-gif.c | ||
19 | index 9542704..3857c21 100644 | ||
20 | --- a/filter/image-gif.c | ||
21 | +++ b/filter/image-gif.c | ||
22 | @@ -654,11 +654,13 @@ gif_read_lzw(FILE *fp, /* I - File to read from */ | ||
23 | |||
24 | if (code >= max_code) | ||
25 | { | ||
26 | - *sp++ = firstcode; | ||
27 | - code = oldcode; | ||
28 | + if (sp < (stack + 8192)) | ||
29 | + *sp++ = firstcode; | ||
30 | + | ||
31 | + code = oldcode; | ||
32 | } | ||
33 | |||
34 | - while (code >= clear_code) | ||
35 | + while (code >= clear_code && sp < (stack + 8192)) | ||
36 | { | ||
37 | *sp++ = table[1][code]; | ||
38 | if (code == table[0][code]) | ||
39 | @@ -667,8 +669,10 @@ gif_read_lzw(FILE *fp, /* I - File to read from */ | ||
40 | code = table[0][code]; | ||
41 | } | ||
42 | |||
43 | - *sp++ = firstcode = table[1][code]; | ||
44 | - code = max_code; | ||
45 | + if (sp < (stack + 8192)) | ||
46 | + *sp++ = firstcode = table[1][code]; | ||
47 | + | ||
48 | + code = max_code; | ||
49 | |||
50 | if (code < 4096) | ||
51 | { | ||
52 | -- | ||
53 | 1.7.0.5 | ||
54 | |||
diff --git a/meta/recipes-extended/cups/cups_1.4.6.bb b/meta/recipes-extended/cups/cups_1.4.6.bb index 7cecd7fc82..75c23d39e6 100644 --- a/meta/recipes-extended/cups/cups_1.4.6.bb +++ b/meta/recipes-extended/cups/cups_1.4.6.bb | |||
@@ -1,6 +1,6 @@ | |||
1 | require cups14.inc | 1 | require cups14.inc |
2 | 2 | ||
3 | PR = "r8" | 3 | PR = "r9" |
4 | DEPENDS += "libusb \ | 4 | DEPENDS += "libusb \ |
5 | ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" | 5 | ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" |
6 | 6 | ||
@@ -10,6 +10,7 @@ SRC_URI += " \ | |||
10 | file://0001-don-t-try-to-run-generated-binaries.patch \ | 10 | file://0001-don-t-try-to-run-generated-binaries.patch \ |
11 | file://cups_serverbin.patch \ | 11 | file://cups_serverbin.patch \ |
12 | file://cups-CVE-2011-2896.patch \ | 12 | file://cups-CVE-2011-2896.patch \ |
13 | file://cups-CVE-2011-3170.patch \ | ||
13 | file://cups-CVE-2012-5519.patch \ | 14 | file://cups-CVE-2012-5519.patch \ |
14 | " | 15 | " |
15 | 16 | ||