aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordinoex <dinoex@FreeBSD.org>2007-11-12 19:47:58 +0800
committerdinoex <dinoex@FreeBSD.org>2007-11-12 19:47:58 +0800
commit1cc12476e2438cffacaf35629cb7409df9e12da5 (patch)
tree1ee388946099053786cd94b741eafd315663c1f2
parentaaf4ee93705ef50fd5ccbac8303f747b77af33e5 (diff)
downloadfreebsd-ports-gnome-1cc12476e2438cffacaf35629cb7409df9e12da5.tar.gz
freebsd-ports-gnome-1cc12476e2438cffacaf35629cb7409df9e12da5.tar.zst
freebsd-ports-gnome-1cc12476e2438cffacaf35629cb7409df9e12da5.zip
- Security patch to solve remote code execution
Security: http://secunia.com/advisories/27233/ Security: CVE-2007-4351 Approved by: portmgr (linimon) Obtained from: http://www.cups.org/strfiles/2561/str2561-cups13v2.patch
-rw-r--r--print/cups-base/Makefile2
-rw-r--r--print/cups-base/files/patch-CVE-2007-4351153
2 files changed, 154 insertions, 1 deletions
diff --git a/print/cups-base/Makefile b/print/cups-base/Makefile
index e278c9cd5431..8ae899791821 100644
--- a/print/cups-base/Makefile
+++ b/print/cups-base/Makefile
@@ -7,6 +7,7 @@
PORTNAME= cups
PORTVERSION= 1.3.3
+PORTREVISION= 1
DISTVERSIONSUFFIX= -source
CATEGORIES= print
MASTER_SITES= EASYSW/${PORTNAME}/${DISTVERSION}
@@ -20,7 +21,6 @@ LIB_DEPENDS= jpeg.9:${PORTSDIR}/graphics/jpeg \
tiff.4:${PORTSDIR}/graphics/tiff
CONFLICTS= LPRng-[0-9]*
-FORBIDDEN= remote execution of arbitrary code
USE_LDCONFIG= yes
USE_BZIP2= yes
diff --git a/print/cups-base/files/patch-CVE-2007-4351 b/print/cups-base/files/patch-CVE-2007-4351
new file mode 100644
index 000000000000..da0d07a14ad2
--- /dev/null
+++ b/print/cups-base/files/patch-CVE-2007-4351
@@ -0,0 +1,153 @@
+Index: ipp.c
+===================================================================
+--- cups/ipp.c (revision 7023)
++++ cups/ipp.c (working copy)
+@@ -1306,6 +1306,12 @@
+ {
+ case IPP_TAG_INTEGER :
+ case IPP_TAG_ENUM :
++ if (n != 4)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 4) < 4)
+ {
+ DEBUG_puts("ippReadIO: Unable to read integer value!");
+@@ -1318,6 +1324,12 @@
+ value->integer = n;
+ break;
+ case IPP_TAG_BOOLEAN :
++ if (n != 1)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 1) < 1)
+ {
+ DEBUG_puts("ippReadIO: Unable to read boolean value!");
+@@ -1335,6 +1347,12 @@
+ case IPP_TAG_CHARSET :
+ case IPP_TAG_LANGUAGE :
+ case IPP_TAG_MIMETYPE :
++ if (n >= sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, n) < n)
+ {
+ DEBUG_puts("ippReadIO: unable to read name!");
+@@ -1347,6 +1365,12 @@
+ value->string.text));
+ break;
+ case IPP_TAG_DATE :
++ if (n != 11)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, value->date, 11) < 11)
+ {
+ DEBUG_puts("ippReadIO: Unable to date integer value!");
+@@ -1354,6 +1378,12 @@
+ }
+ break;
+ case IPP_TAG_RESOLUTION :
++ if (n != 9)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 9) < 9)
+ {
+ DEBUG_puts("ippReadIO: Unable to read resolution value!");
+@@ -1370,6 +1400,12 @@
+ (ipp_res_t)buffer[8];
+ break;
+ case IPP_TAG_RANGE :
++ if (n != 8)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 8) < 8)
+ {
+ DEBUG_puts("ippReadIO: Unable to read range value!");
+@@ -1385,7 +1421,7 @@
+ break;
+ case IPP_TAG_TEXTLANG :
+ case IPP_TAG_NAMELANG :
+- if (n > sizeof(buffer) || n < 4)
++ if (n >= sizeof(buffer) || n < 4)
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+@@ -1411,22 +1447,27 @@
+
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if (n >= sizeof(string))
++ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
++ n >= sizeof(string))
+ {
+- memcpy(string, bufptr + 2, sizeof(string) - 1);
+- string[sizeof(string) - 1] = '\0';
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
+ }
+- else
+- {
+- memcpy(string, bufptr + 2, n);
+- string[n] = '\0';
+- }
+
++ memcpy(string, bufptr + 2, n);
++ string[n] = '\0';
++
+ value->string.charset = _cupsStrAlloc((char *)string);
+
+ bufptr += 2 + n;
+ n = (bufptr[0] << 8) | bufptr[1];
+
++ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ bufptr[2 + n] = '\0';
+ value->string.text = _cupsStrAlloc((char *)bufptr + 2);
+ break;
+@@ -1468,6 +1509,12 @@
+ * we need to carry over...
+ */
+
++ if (n >= sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, n) < n)
+ {
+ DEBUG_puts("ippReadIO: Unable to read member name value!");
+@@ -1489,6 +1536,12 @@
+ break;
+
+ default : /* Other unsupported values */
++ if (n > sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ value->unknown.length = n;
+ if (n > 0)
+ {