From 923852c9522b15ffda9885a38a174ada61c90528 Mon Sep 17 00:00:00 2001 From: Li Wang Date: Mon, 7 Jan 2013 11:10:01 +0000 Subject: cups CVE-2011-3170 the patch come from: http://cups.org/strfiles/3914/str3914.patch The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earlier does not properly handle the first code word in an LZW stream, which allows remote attackers to trigger a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted stream, a different vulnerability than CVE-2011-2896. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3170 [YOCTO #3583] [ CQID: WIND00299594 ] Upstream-Status: Backport (From OE-Core rev: c82517bb667484854eaa05b6e9efd9ee0f164fec) (From OE-Core rev: 1f555a6a45eb68011cbe759acf486ac507a6599c) Signed-off-by: Li Wang Signed-off-by: Saul Wold Signed-off-by: Richard Purdie --- .../cups/cups-1.4.6/cups-CVE-2011-3170.patch | 54 ++++++++++++++++++++++ meta/recipes-extended/cups/cups_1.4.6.bb | 3 +- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-extended/cups/cups-1.4.6/cups-CVE-2011-3170.patch diff --git a/meta/recipes-extended/cups/cups-1.4.6/cups-CVE-2011-3170.patch b/meta/recipes-extended/cups/cups-1.4.6/cups-CVE-2011-3170.patch new file mode 100644 index 0000000000..fd1b95847c --- /dev/null +++ b/meta/recipes-extended/cups/cups-1.4.6/cups-CVE-2011-3170.patch @@ -0,0 +1,54 @@ +cups CVE-2011-3170 + +the patch come from: +http://cups.org/strfiles/3914/str3914.patch + +The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and +earlier does not properly handle the first code word in an LZW stream, +which allows remote attackers to trigger a heap-based buffer overflow, +and possibly execute arbitrary code, via a crafted stream, a different +vulnerability than CVE-2011-2896. +http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3170 + +Integrated-by: Li Wang +--- + filter/image-gif.c | 14 +++++++++----- + 1 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/filter/image-gif.c b/filter/image-gif.c +index 9542704..3857c21 100644 +--- a/filter/image-gif.c ++++ b/filter/image-gif.c +@@ -654,11 +654,13 @@ gif_read_lzw(FILE *fp, /* I - File to read from */ + + if (code >= max_code) + { +- *sp++ = firstcode; +- code = oldcode; ++ if (sp < (stack + 8192)) ++ *sp++ = firstcode; ++ ++ code = oldcode; + } + +- while (code >= clear_code) ++ while (code >= clear_code && sp < (stack + 8192)) + { + *sp++ = table[1][code]; + if (code == table[0][code]) +@@ -667,8 +669,10 @@ gif_read_lzw(FILE *fp, /* I - File to read from */ + code = table[0][code]; + } + +- *sp++ = firstcode = table[1][code]; +- code = max_code; ++ if (sp < (stack + 8192)) ++ *sp++ = firstcode = table[1][code]; ++ ++ code = max_code; + + if (code < 4096) + { +-- +1.7.0.5 + diff --git a/meta/recipes-extended/cups/cups_1.4.6.bb b/meta/recipes-extended/cups/cups_1.4.6.bb index 7cecd7fc82..75c23d39e6 100644 --- a/meta/recipes-extended/cups/cups_1.4.6.bb +++ b/meta/recipes-extended/cups/cups_1.4.6.bb @@ -1,6 +1,6 @@ require cups14.inc -PR = "r8" +PR = "r9" DEPENDS += "libusb \ ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" @@ -10,6 +10,7 @@ SRC_URI += " \ file://0001-don-t-try-to-run-generated-binaries.patch \ file://cups_serverbin.patch \ file://cups-CVE-2011-2896.patch \ + file://cups-CVE-2011-3170.patch \ file://cups-CVE-2012-5519.patch \ " -- cgit v1.2.3-54-g00ecf