diff --git a/.gitignore b/.gitignore index fac2d0d..30cd92a 100644 --- a/.gitignore +++ b/.gitignore @@ -94,3 +94,4 @@ cups-1.4.4-source.tar.bz2 /cups-2.3.1-source.tar.gz /cups-2.3.3-source.tar.gz /cups-2.3.3op1-source.tar.gz +/cups-2.3.3op2-source.tar.gz diff --git a/0001-Add-check-for-whether-option-variable-exists-or-not-.patch b/0001-Add-check-for-whether-option-variable-exists-or-not-.patch deleted file mode 100644 index f93498d..0000000 --- a/0001-Add-check-for-whether-option-variable-exists-or-not-.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 96a6f61db6eb0fc450e00168903b795c57b033cb Mon Sep 17 00:00:00 2001 -From: = -Date: Sat, 23 Jan 2021 00:44:09 +0530 -Subject: [PATCH] Add check for whether 'option' variable exists or not for - closeUI and JCLCloseUI lines in ppd.c - ---- - cups/ppd.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/cups/ppd.c b/cups/ppd.c -index ae411cb3a..a82c8a584 100644 ---- a/cups/ppd.c -+++ b/cups/ppd.c -@@ -1496,7 +1496,7 @@ _ppdOpen( - goto error; - } - -- if (!_cups_strcasecmp(option->defchoice, "custom") || !_cups_strncasecmp(option->defchoice, "custom.", 7)) -+ if (option && (!_cups_strcasecmp(option->defchoice, "custom") || !_cups_strncasecmp(option->defchoice, "custom.", 7))) - { - /* - * "*DefaultOption: Custom..." may set the default to a custom value -@@ -1531,7 +1531,7 @@ _ppdOpen( - goto error; - } - -- if (!_cups_strcasecmp(option->defchoice, "custom") || !_cups_strncasecmp(option->defchoice, "custom.", 7)) -+ if (option && (!_cups_strcasecmp(option->defchoice, "custom") || !_cups_strncasecmp(option->defchoice, "custom.", 7))) - { - /* - * "*DefaultOption: Custom..." may set the default to a custom value --- -2.26.2 - diff --git a/cups-2.2.8-source.tar.gz.sig b/cups-2.2.8-source.tar.gz.sig deleted file mode 100644 index 278cb83..0000000 Binary files a/cups-2.2.8-source.tar.gz.sig and /dev/null differ diff --git a/cups-2.3.3op2-source.tar.gz.sig b/cups-2.3.3op2-source.tar.gz.sig new file mode 100644 index 0000000..360376c Binary files /dev/null and b/cups-2.3.3op2-source.tar.gz.sig differ diff --git a/cups-helpcgi-segfault.patch b/cups-helpcgi-segfault.patch deleted file mode 100644 index 67f48cc..0000000 --- a/cups-helpcgi-segfault.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/cgi-bin/help-index.c b/cgi-bin/help-index.c -index ce97e47..3da1010 100644 ---- a/cgi-bin/help-index.c -+++ b/cgi-bin/help-index.c -@@ -579,7 +579,7 @@ helpSearchIndex(help_index_t *hi, /* I - Index */ - */ - - for (; node; node = (help_node_t *)cupsArrayNext(hi->nodes)) -- if (section && strcmp(node->section, section)) -+ if (node->section && section && strcmp(node->section, section)) - continue; - else if (filename && strcmp(node->filename, filename)) - continue; diff --git a/cups.spec b/cups.spec index 63b0bd3..d62f548 100644 --- a/cups.spec +++ b/cups.spec @@ -11,13 +11,13 @@ #%%global VERSION %%{version}%%{prever} %global VERSION %{version} # Openprinting version -%global OP_VER op1 +%global OP_VER op2 Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.3.3%{OP_VER} -Release: 4%{?dist} +Release: 1%{?dist} License: ASL 2.0 Url: http://www.cups.org/ # Apple stopped uploading the new versions into github, use OpenPrinting fork @@ -69,15 +69,6 @@ Patch100: cups-lspp.patch %endif #### UPSTREAM PATCHES (starts with 1000) #### -# backported from upstream -Patch1000: cve-2020-10001-ippReadIO-buffer.patch -# 1921881 - [abrt] cups: __strcmp_avx2(): help.cgi killed by SIGSEGV -# help.cgi segfaulted because it compared NULL in strcmp() -# backported from upstream https://github.com/OpenPrinting/cups/pull/81 -Patch1001: cups-helpcgi-segfault.patch -# 1909980 - cupsd crashes on parsing malformed Brother PPD -# backported from upstream https://github.com/OpenPrinting/cups/pull/78 -Patch1002: 0001-Add-check-for-whether-option-variable-exists-or-not-.patch ##### Patches removed because IMHO they aren't no longer needed ##### but still I'll leave them in git in case their removal @@ -278,13 +269,6 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch13 -p1 -b .dymo-deviceid # UPSTREAM PATCHES -# cve-2020-10001 -%patch1000 -p1 -b .cve2020-10001 -# 1921881 - [abrt] cups: __strcmp_avx2(): help.cgi killed by SIGSEGV -%patch1001 -p1 -b .helpcgi-segfault -# 1909980 - cupsd crashes on parsing malformed Brother PPD -%patch1002 -p1 -b .malformed-ppd-crash - %if %{lspp} @@ -691,6 +675,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Tue Feb 02 2021 Zdenek Dohnal - 1:2.3.3op2-1 +- 1923828 - cups-2.3.3op2 is available + * Mon Feb 01 2021 Zdenek Dohnal - 1:2.3.3op1-4 - fix for CVE-2020-10001 - recommend nss-mdns for Fedora to have a working default for now diff --git a/cve-2020-10001-ippReadIO-buffer.patch b/cve-2020-10001-ippReadIO-buffer.patch deleted file mode 100644 index efc6492..0000000 --- a/cve-2020-10001-ippReadIO-buffer.patch +++ /dev/null @@ -1,61 +0,0 @@ -Fix for CVE-2020-10001, which is a bug in the CUPS ippReadIO function when it -reads tagged string values (nameWithLanguage and textWithLanguage). The -previous code verified that the length of the sub-strings (language identifier -and name/text value) did not exceed the size of the allocated buffer (1 byte -larger than the maximum IPP value size of 32767 bytes), but did not validate -against the length of the actual IPP value. - -The issues introduced by this vulnerability include: - -- Potential information disclosure by copying uninitialized areas of memory into - an IPP string value. -- Potential Denial of Service by supplying/using invalid string values when - strict validation has been disabled by the system administrator. - -This change ensures that: - -1. The language identifier does not extend beyond the end of the IPP value. -2. The length of the name/text string is within the IPP value. -3. The name/text string is within the IPP value. - -diff --git a/cups/ipp.c b/cups/ipp.c -index 3d529346c..adbb26fba 100644 ---- a/cups/ipp.c -+++ b/cups/ipp.c -@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */ - unsigned char *buffer, /* Data buffer */ - string[IPP_MAX_TEXT], - /* Small string buffer */ -- *bufptr; /* Pointer into buffer */ -+ *bufptr, /* Pointer into buffer */ -+ *bufend; /* End of buffer */ - ipp_attribute_t *attr; /* Current attribute */ - ipp_tag_t tag; /* Current tag */ - ipp_tag_t value_tag; /* Current value tag */ -@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */ - } - - bufptr = buffer; -+ bufend = buffer + n; - - /* - * text-with-language and name-with-language are composite -@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */ - - n = (bufptr[0] << 8) | bufptr[1]; - -- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string)) -+ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string)) - { - _cupsSetError(IPP_STATUS_ERROR_INTERNAL, - _("IPP language length overflows value."), 1); -@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */ - bufptr += 2 + n; - n = (bufptr[0] << 8) | bufptr[1]; - -- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE)) -+ if ((bufptr + 2 + n) > bufend) - { - _cupsSetError(IPP_STATUS_ERROR_INTERNAL, - _("IPP string length overflows value."), 1); - diff --git a/sources b/sources index 47d80ab..4eafbc3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (cups-2.3.3op1-source.tar.gz) = 89949b4190288d5464f425cbff6b854e9da96ba3071e4e0d595ad581797b2db4724f49d884f3ea43e372ed4d0faec72839b0b7182cdde13b96f2824d619a4843 +SHA512 (cups-2.3.3op2-source.tar.gz) = db27dd6fb616bd7ad895b2bdf4ea7b010501358a50dc8f2e7e29558d1cfc088a572b1b35ac512654d3ed410c84df87dc34ca636533a4499117253915d4763117