diff --git a/cups-CVE-2008-0047.patch b/cups-CVE-2008-0047.patch
new file mode 100644
index 0000000..433b12d
--- /dev/null
+++ b/cups-CVE-2008-0047.patch
@@ -0,0 +1,14 @@
+diff -up cups-1.3.6/cgi-bin/search.c.CVE-2008-0047 cups-1.3.6/cgi-bin/search.c
+--- cups-1.3.6/cgi-bin/search.c.CVE-2008-0047 2008-01-16 22:20:33.000000000 +0000
++++ cups-1.3.6/cgi-bin/search.c 2008-04-01 16:41:30.000000000 +0100
+@@ -167,7 +167,9 @@ cgiCompileSearch(const char *query) /* I
+ * string + RE overhead...
+ */
+
+- wlen = (sptr - s) + 4 * wlen + 2 * strlen(prefix) + 4;
++ wlen = (sptr - s) + 2 * 4 * wlen + 2 * strlen(prefix) + 11;
++ if (lword)
++ wlen += strlen(lword);
+
+ if (wlen > slen)
+ {
diff --git a/cups-CVE-2008-1373.patch b/cups-CVE-2008-1373.patch
new file mode 100644
index 0000000..e712bae
--- /dev/null
+++ b/cups-CVE-2008-1373.patch
@@ -0,0 +1,22 @@
+diff -up cups-1.3.6/filter/image-gif.c.CVE-2008-1373 cups-1.3.6/filter/image-gif.c
+--- cups-1.3.6/filter/image-gif.c.CVE-2008-1373 2008-01-14 22:12:58.000000000 +0000
++++ cups-1.3.6/filter/image-gif.c 2008-04-01 16:43:22.000000000 +0100
+@@ -38,6 +38,8 @@
+ #define GIF_INTERLACE 0x40
+ #define GIF_COLORMAP 0x80
+
++#define MAX_LWZ_BITS 12
++
+ typedef cups_ib_t gif_cmap_t[256][4];
+ typedef short gif_table_t[4096];
+
+@@ -465,6 +467,9 @@ gif_read_image(FILE *fp, /* I -
+ if (!pixels)
+ return (-1);
+
++ if (code_size > MAX_LWZ_BITS)
++ return (-1);
++
+ if (gif_read_lzw(fp, 1, code_size) < 0)
+ {
+ free(pixels);
diff --git a/cups.spec b/cups.spec
index 9662af5..73f9cef 100644
--- a/cups.spec
+++ b/cups.spec
@@ -7,7 +7,7 @@
 Summary: Common Unix Printing System
 Name: cups
 Version: 1.3.6
-Release: 8%{?svn:.svn%{svn}}%{?dist}
+Release: 9%{?svn:.svn%{svn}}%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
 Source: ftp://ftp.easysw.com/pub/cups/test//cups-%{version}%{?svn:svn-r%{svn}}-source.tar.bz2
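Review bot: In the cups-CVE-2008-0047.patch hunk for cgi-bin/search.c, the new sizing line `wlen = (sptr - s) + 2 * 4 * wlen + 2 * strlen(prefix) + 11;` carries the whole overflow fix in two unexplained constants, and the only comment in view (`string + RE overhead...`) does not say what they bound. A comment naming each term would let the next reader check the bound against every write that follows, for example `/* Worst case: word written twice at up to 4 bytes per character, prefix twice, lword once, plus 11 bytes of fixed RE text */`, if that is the intended accounting. The expression also mixes `strlen()` results with `wlen` and `slen`, whose declarations are outside the hunk; if they are `int`, a very long query term could wrap the sum before the `if (wlen > slen)` comparison, so a cap on the term length ahead of this line is worth confirming. cgiCompileSearch starts and ends outside the hunk.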
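Review bot: In the cups-CVE-2008-1373.patch hunk for filter/image-gif.c, the added `if (code_size > MAX_LWZ_BITS) return (-1);` sits after the `if (!pixels)` check, so `pixels` is already allocated when it returns and is not released, whereas the error path directly below does call `free(pixels)`. Free it in the new branch, `if (code_size > MAX_LWZ_BITS) { free(pixels); return (-1); }`, or move the test above the allocation, which lies outside the hunk. Only the upper bound is checked; where `code_size` is read is not visible here, so if it can arrive negative or below the format's minimum, a lower bound belongs in the same test. The macro is spelled `MAX_LWZ_BITS` while the function it guards is `gif_read_lzw`; `MAX_LZW_BITS` would match. gif_read_image starts and ends outside the hunk.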
@@ -48,6 +48,8 @@ Patch23: cups-logrotate.patch
 Patch25: cups-usb-paperout.patch
 Patch26: cups-str2715.patch
 Patch27: cups-str2727.patch
+Patch28: cups-CVE-2008-0047.patch
+Patch29: cups-CVE-2008-1373.patch
 Patch100: cups-lspp.patch
 Epoch: 1
 Url: http://www.cups.org/
@@ -165,6 +167,8 @@ lpd emulation.
 %patch25 -p1 -b .usb-paperout
 %patch26 -p1 -b .str2715
 %patch27 -p1 -b .str2727
+%patch28 -p1 -b .CVE-2008-0047
+%patch29 -p1 -b .CVE-2008-1373
 %if %lspp
 %patch100 -p1 -b .lspp
@@ -441,6 +445,11 @@ rm -rf $RPM_BUILD_ROOT
 %{cups_serverbin}/daemon/cups-lpd
 %changelog
+* Thu Apr 1 2008 Tim Waugh 1:1.3.6-9
+- Applied patch to fix CVE-2008-1373 (GIF overflow, bug #438303).
+- Applied patch to prevent heap-based buffer overflow in CUPS helper
+ program (bug #436153, CVE-2008-0047, STR #2729).
+
 * Thu Apr 1 2008 Tim Waugh 1:1.3.6-8
 - Ship a few doc files (bug #438598).