summaryrefslogtreecommitdiff
path: root/gnu/packages
diff options
context:
space:
mode:
authorTobias Geerinckx-Rice <me@tobias.gr>2021-06-23 12:52:21 +0200
committerTobias Geerinckx-Rice <me@tobias.gr>2021-06-23 18:41:23 +0200
commit620669fd17306c2edb21c64a99fa47160fefb319 (patch)
tree89d41b5a75198d1c5a36afde07465425bc2d5924 /gnu/packages
parent3694c0d4fee0f7faf130ecd9386ea45932a19543 (diff)
gnu: cups: Add replacement to fix CVE-2020-10001.
* gnu/packages/patches/cups-CVE-2020-10001.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/cups.scm (cups-minimal/fixed): New variable. (cups-minimal)[replacement]: Assign it to new field.
Diffstat (limited to 'gnu/packages')
-rw-r--r--gnu/packages/cups.scm6
-rw-r--r--gnu/packages/patches/cups-CVE-2020-10001.patch47
2 files changed, 53 insertions, 0 deletions
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index 5a15cd51b6..2dab881ae6 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -252,6 +252,7 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
(package
(name "cups-minimal")
(version "2.3.3")
+ (replacement cups-minimal/fixed)
(source
(origin
(method url-fetch)
@@ -312,6 +313,11 @@ device-specific programs to convert and print many types of files.")
;; CUPS is Apache 2.0 with exceptions, see the NOTICE file.
(license license:asl2.0)))
+(define cups-minimal/fixed
+ (package-with-extra-patches
+ cups-minimal
+ (search-patches "cups-CVE-2020-10001.patch")))
+
(define-public cups
(package/inherit cups-minimal
(name "cups")
diff --git a/gnu/packages/patches/cups-CVE-2020-10001.patch b/gnu/packages/patches/cups-CVE-2020-10001.patch
new file mode 100644
index 0000000000..1b16c7d97c
--- /dev/null
+++ b/gnu/packages/patches/cups-CVE-2020-10001.patch
@@ -0,0 +1,47 @@
+From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 1 Feb 2021 15:02:32 -0500
+Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
+
+---
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 3d529346c..adbb26fba 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */
+ unsigned char *buffer, /* Data buffer */
+ string[IPP_MAX_TEXT],
+ /* Small string buffer */
+- *bufptr; /* Pointer into buffer */
++ *bufptr, /* Pointer into buffer */
++ *bufend; /* End of buffer */
+ ipp_attribute_t *attr; /* Current attribute */
+ ipp_tag_t tag; /* Current tag */
+ ipp_tag_t value_tag; /* Current value tag */
+@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */
+ }
+
+ bufptr = buffer;
++ bufend = buffer + n;
+
+ /*
+ * text-with-language and name-with-language are composite
+@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */
+
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
++ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ _("IPP language length overflows value."), 1);
+@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */
+ bufptr += 2 + n;
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
++ if ((bufptr + 2 + n) > bufend)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ _("IPP string length overflows value."), 1);