diff --git a/cups-CVE-2008-1722.patch b/cups-CVE-2008-1722.patch
new file mode 100644
index 0000000..c1f1211
--- /dev/null
+++ b/cups-CVE-2008-1722.patch
@@ -0,0 +1,70 @@
+diff -up cups-1.2.12/filter/image-png.c.CVE-2008-1722 cups-1.2.12/filter/image-png.c
+--- cups-1.2.12/filter/image-png.c.CVE-2008-1722 2006-05-11 12:41:36.000000000 +0100
++++ cups-1.2.12/filter/image-png.c 2008-05-09 11:43:29.000000000 +0100
+@@ -3,6 +3,7 @@
+ *
+ * PNG image routines for the Common UNIX Printing System (CUPS).
+ *
++ * Copyright 2007-2008 by Apple Inc.
+ * Copyright 1993-2006 by Easy Software Products.
+ *
+ * These coded instructions, statements, and computer programs are the
+@@ -179,16 +180,56 @@ _cupsImageReadPNG(
+ * Interlaced images must be loaded all at once...
+ */
+
++ size_t bufsize; /* Size of buffer */
++
++
+ if (color_type == PNG_COLOR_TYPE_GRAY ||
+ color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+- in = malloc(img->xsize * img->ysize);
++ {
++ bufsize = img->xsize * img->ysize;
++
++ if ((bufsize / img->ysize) != img->xsize)
++ {
++ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++ (unsigned)img->xsize, (unsigned)img->ysize);
++ fclose(fp);
++ return (1);
++ }
++ }
+ else
+- in = malloc(img->xsize * img->ysize * 3);
++ {
++ bufsize = img->xsize * img->ysize * 3;
++
++ if ((bufsize / (img->ysize * 3)) != img->xsize)
++ {
++ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++ (unsigned)img->xsize, (unsigned)img->ysize);
++ fclose(fp);
++ return (1);
++ }
++ }
++
++ in = malloc(bufsize);
+ }
+
+ bpp = cupsImageGetDepth(img);
+ out = malloc(img->xsize * bpp);
+
++ if (!in || !out)
++ {
++ fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
++
++ if (in)
++ free(in);
++
++ if (out)
++ free(out);
++
++ fclose(fp);
++
++ return (1);
++ }
++
+ /*
+ * Read the image, interlacing as needed...
+ */
diff --git a/cups.spec b/cups.spec
index e596bd8..53f9e06 100644
--- a/cups.spec
+++ b/cups.spec
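Review bot: The overflow test in the non-grayscale branch, `(bufsize / (img->ysize * 3)) != img->xsize`, multiplies `img->ysize * 3` inside the check itself, so the divisor can wrap in the same way as the product it is meant to validate and the comparison can pass for dimensions that do not fit. Both branches also divide by `img->ysize` without ruling out zero, unless that is validated earlier in `_cupsImageReadPNG`, which starts and ends outside this hunk. Testing before multiplying avoids both problems: `if (img->ysize == 0 || img->xsize > SIZE_MAX / 3 / img->ysize)` followed by `bufsize = (size_t)img->xsize * img->ysize * 3;` (`SIZE_MAX` comes from `<stdint.h>`). The operand types are not visible here; if `xsize`/`ysize` are narrower than `size_t`, the cast is what keeps the product from wrapping before it is assigned. `out = malloc(img->xsize * bpp)` remains an unchecked multiplication and would benefit from the same guard.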
@@ -6,7 +6,7 @@ Summary: Common Unix Printing System Name: cups Version: 1.2.12 -Release: 10%{?dist} +Release: 11%{?dist} License: GPL Group: System Environment/Daemons Source: ftp://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2 @@ -55,6 +55,7 @@ Patch30: cups-str2656.patch Patch31: cups-CVE-2008-0047.patch Patch32: cups-CVE-2008-0053.patch Patch33: cups-CVE-2008-1373.patch +Patch34: cups-CVE-2008-1722.patch Patch100: cups-lspp.patch Epoch: 1 Url: http://www.cups.org/ @@ -172,6 +173,7 @@ lpd emulation. %patch31 -p1 -b .CVE-2008-0047 %patch32 -p1 -b .CVE-2008-0053 %patch33 -p1 -b .CVE-2008-1373 +%patch34 -p1 -b .CVE-2008-1722 %if %lspp %patch100 -p1 -b .lspp @@ -459,6 +461,10 @@ rm -rf $RPM_BUILD_ROOT %{cups_serverbin}/daemon/cups-lpd %changelog +* Fri May 9 2008 Tim Waugh 1:1.2.12-11 +- Applied patch to fix CVE-2008-1722 (integer overflow in image filter, + bug #441692, STR #2790). + * Tue Apr 1 2008 Tim Waugh 1:1.2.12-10 - Applied patch to fix CVE-2008-1373 (GIF overflow, bug #438303). - Applied patch to fix CVE-2008-0053 (HP-GL/2 input processing, bug #438117).