diff -up cups-1.4b1/scheduler/ipp.c.CVE-2008-5183 cups-1.4b1/scheduler/ipp.c
--- cups-1.4b1/scheduler/ipp.c.CVE-2008-5183	2008-12-09 12:16:15.000000000 +0000
+++ cups-1.4b1/scheduler/ipp.c	2008-12-09 12:17:43.000000000 +0000
@@ -2392,24 +2392,25 @@ add_job_subscriptions(
     if (mask == CUPSD_EVENT_NONE)
       mask = CUPSD_EVENT_JOB_COMPLETED;
 
-    sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, recipient,
-                               0);
+    if ((sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job,
+                                    recipient, 0)) != NULL)
+    {
+      sub->interval = interval;
 
-    sub->interval = interval;
+      cupsdSetString(&sub->owner, job->username);
 
-    cupsdSetString(&sub->owner, job->username);
+      if (user_data)
+      {
+	sub->user_data_len = user_data->values[0].unknown.length;
+	memcpy(sub->user_data, user_data->values[0].unknown.data,
+	       sub->user_data_len);
+      }
 
-    if (user_data)
-    {
-      sub->user_data_len = user_data->values[0].unknown.length;
-      memcpy(sub->user_data, user_data->values[0].unknown.data,
-             sub->user_data_len);
+      ippAddSeparator(con->response);
+      ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER,
+		    "notify-subscription-id", sub->id);
     }
 
-    ippAddSeparator(con->response);
-    ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER,
-                  "notify-subscription-id", sub->id);
-
     if (attr)
       attr = attr->next;
   }
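Review bot: When cupsdAddSubscription() returns NULL, the new `if` in add_job_subscriptions skips the subscription silently, so the job is accepted but the response carries no notify-subscription-id and nothing at the call site records that the request was refused. An `else` branch such as `else cupsdLogMessage(CUPSD_LOG_WARN, "Unable to add subscription for job #%d", job->id);` would leave a trace an operator can correlate with subscription exhaustion. Separately, the `memcpy` into `sub->user_data` uses the client-supplied `unknown.length` directly; the bound on that length is not visible in this hunk, so it is worth confirming that an earlier check in the function keeps it within `sizeof(sub->user_data)`. The function body starts and ends outside the hunk.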
@@ -6668,7 +6669,12 @@ create_subscription(
     else
       job = NULL;
 
-    sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
+    if ((sub = cupsdAddSubscription(mask, printer, job, recipient, 0)) == NULL)
+    {
+      send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS,
+		      _("There are too many subscriptions."));
+      return;
+    }
 
     if (job)
       cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d",
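Review bot: Every NULL return from cupsdAddSubscription() is reported to the client here as IPP_TOO_MANY_SUBSCRIPTIONS, but in subscriptions.c the limit checks are followed by an allocation step that presumably can also fail with NULL, which would then be misreported as a quota problem. If the callee cannot expose the reason, a comment at the check such as `/* NULL means a subscription limit was hit or allocation failed */` would at least keep the next maintainer from trusting the status code. The four-space indentation suggests this sits inside a per-group loop; if so, the early `return` leaves any subscriptions created by earlier iterations in place while the client sees an error, which should be confirmed against the rest of create_subscription, outside this hunk.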
diff -up cups-1.4b1/scheduler/subscriptions.c.CVE-2008-5183 cups-1.4b1/scheduler/subscriptions.c
--- cups-1.4b1/scheduler/subscriptions.c.CVE-2008-5183	2008-12-09 12:16:15.000000000 +0000
+++ cups-1.4b1/scheduler/subscriptions.c	2008-12-09 12:17:43.000000000 +0000
@@ -341,8 +341,54 @@ cupsdAddSubscription(
   * Limit the number of subscriptions...
   */
 
-  if (cupsArrayCount(Subscriptions) >= MaxSubscriptions)
+  if (MaxSubscriptions > 0 && cupsArrayCount(Subscriptions) >= MaxSubscriptions)
+  {
+    cupsdLogMessage(CUPSD_LOG_DEBUG,
+                    "cupsdAddSubscription: Reached MaxSubscriptions %d",
+		    MaxSubscriptions);
     return (NULL);
+  }
+
+  if (MaxSubscriptionsPerJob > 0 && job)
+  {
+    int	count;				/* Number of job subscriptions */
+
+    for (temp = (cupsd_subscription_t *)cupsArrayFirst(Subscriptions),
+             count = 0;
+         temp;
+	 temp = (cupsd_subscription_t *)cupsArrayNext(Subscriptions))
+      if (temp->job == job)
+        count ++;
+
+    if (count >= MaxSubscriptionsPerJob)
+    {
+      cupsdLogMessage(CUPSD_LOG_DEBUG,
+		      "cupsdAddSubscription: Reached MaxSubscriptionsPerJob %d "
+		      "for job #%d", MaxSubscriptionsPerJob, job->id);
+      return (NULL);
+    }
+  }
+
+  if (MaxSubscriptionsPerPrinter > 0 && dest)
+  {
+    int	count;				/* Number of printer subscriptions */
+
+    for (temp = (cupsd_subscription_t *)cupsArrayFirst(Subscriptions),
+             count = 0;
+         temp;
+	 temp = (cupsd_subscription_t *)cupsArrayNext(Subscriptions))
+      if (temp->dest == dest)
+        count ++;
+
+    if (count >= MaxSubscriptionsPerPrinter)
+    {
+      cupsdLogMessage(CUPSD_LOG_DEBUG,
+		      "cupsdAddSubscription: Reached "
+		      "MaxSubscriptionsPerPrinter %d for %s",
+		      MaxSubscriptionsPerPrinter, dest->name);
+      return (NULL);
+    }
+  }
 
  /*
   * Allocate memory for this subscription...
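Review bot: All three limit rejections in cupsdAddSubscription are logged at CUPSD_LOG_DEBUG, so at a normal production log level nothing records that the subscription table is being exhausted, which is exactly the condition an operator would want to detect. Consider a more visible level, e.g. `cupsdLogMessage(CUPSD_LOG_WARN, "cupsdAddSubscription: Reached MaxSubscriptions %d", MaxSubscriptions);`, and the same for the per-job and per-printer messages. The two counting loops also walk the shared Subscriptions array with cupsArrayFirst()/cupsArrayNext(), which moves that array's cursor; if any caller is itself iterating Subscriptions (not visible here), wrapping the loops in cupsArraySave()/cupsArrayRestore() would preserve its position. Note also that the checks bound subscriptions per job and per printer but not per owner, so a single requester can still consume the whole global quota; the function continues outside the hunk.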
@@ -765,7 +811,6 @@ cupsdLoadAllSubscriptions(void)
       cupsdLogMessage(CUPSD_LOG_ERROR,
                       "Syntax error on line %d of subscriptions.conf.",
 	              linenum);
-      break;
     }
     else if (!strcasecmp(line, "Events"))
     {
diff -up cups-1.4b1/test/4.4-subscription-ops.test.CVE-2008-5183 cups-1.4b1/test/4.4-subscription-ops.test
--- cups-1.4b1/test/4.4-subscription-ops.test.CVE-2008-5183	2007-07-09 21:34:48.000000000 +0100
+++ cups-1.4b1/test/4.4-subscription-ops.test	2008-12-09 12:17:43.000000000 +0000
@@ -116,6 +116,32 @@
 	EXPECT notify-events
 	DISPLAY notify-events
 }
+{
+	# The name of the test...
+	NAME "Check MaxSubscriptions limits"
+
+	# The operation to use
+	OPERATION Create-Printer-Subscription
+	RESOURCE /
+
+	# The attributes to send
+	GROUP operation
+	ATTR charset attributes-charset utf-8
+	ATTR language attributes-natural-language en
+	ATTR uri printer-uri $method://$hostname:$port/printers/Test1
+
+        GROUP subscription
+	ATTR uri notify-recipient-uri testnotify://
+	ATTR keyword notify-events printer-state-changed
+	ATTR integer notify-lease-duration 5
+
+	# What statuses are OK?
+	STATUS client-error-too-many-subscriptions
+
+	# What attributes do we expect?
+	EXPECT attributes-charset
+	EXPECT attributes-natural-language
+}
 
 #
 # End of "$Id: 4.4-subscription-ops.test 6635 2007-07-09 20:34:48Z mike $"
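Review bot: The added "Check MaxSubscriptions limits" test only passes if earlier tests in this file have already left enough active subscriptions to reach the `MaxSubscriptions 3` set in run-stp-tests.sh, and that dependency is not stated anywhere in the test. A comment at the top of the block such as `# Relies on MaxSubscriptions 3 in run-stp-tests.sh and on the subscriptions created above still being active` would make the coupling explicit. The per-job and per-printer limits added in subscriptions.c have no corresponding test or test configuration, so only the global limit path is exercised.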
diff -up cups-1.4b1/test/run-stp-tests.sh.CVE-2008-5183 cups-1.4b1/test/run-stp-tests.sh
--- cups-1.4b1/test/run-stp-tests.sh.CVE-2008-5183	2008-10-02 00:56:42.000000000 +0100
+++ cups-1.4b1/test/run-stp-tests.sh	2008-12-09 12:17:43.000000000 +0000
@@ -326,6 +326,7 @@ PassEnv LOCALEDIR
 DocumentRoot $root/doc
 RequestRoot /tmp/cups-$user/spool
 TempDir /tmp/cups-$user/spool/temp
+MaxSubscriptions 3
 MaxLogSize 0
 AccessLog /tmp/cups-$user/log/access_log
 ErrorLog /tmp/cups-$user/log/error_log