diff options
author | simon <simon@FreeBSD.org> | 2005-01-18 01:40:22 +0800 |
---|---|---|
committer | simon <simon@FreeBSD.org> | 2005-01-18 01:40:22 +0800 |
commit | 079478e9887ab486b33be24dbf58bb6afb7fd376 (patch) | |
tree | 26ee1307f384744202a848aabdb7460b4eb0a3f6 /print | |
parent | d8553c20e7cf3f570f56ed9b6f56da6c0ac12854 (diff) | |
download | freebsd-ports-gnome-079478e9887ab486b33be24dbf58bb6afb7fd376.tar.gz freebsd-ports-gnome-079478e9887ab486b33be24dbf58bb6afb7fd376.tar.zst freebsd-ports-gnome-079478e9887ab486b33be24dbf58bb6afb7fd376.zip |
Fix remote arbitrary code execution vulnerability.
Note that this does not fix all the security vulnerabilities for CUPS,
but it fixes the most serious one.
With hat: secteam
VuXML: http://www.vuxml.org/freebsd/40a3bca2-6809-11d9-a9e7-0001020eed82.html
Obtained from: CUPS bug system - http://www.cups.org/str.php?L1024
Approved by: erwin (mentor)
Diffstat (limited to 'print')
-rw-r--r-- | print/cups-base/Makefile | 2 | ||||
-rw-r--r-- | print/cups-base/files/patch-hpgl-input.c | 50 |
2 files changed, 51 insertions, 1 deletions
diff --git a/print/cups-base/Makefile b/print/cups-base/Makefile index 8f8b1b8136d1..724eadf993fa 100644 --- a/print/cups-base/Makefile +++ b/print/cups-base/Makefile @@ -9,7 +9,7 @@ PORTNAME= cups-base PORTVERSION= ${CUPS_PORTVER} -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= ${CUPS_PORTEPOCH} CATEGORIES= print MASTER_SITES= ${CUPS_MASTER_SITES} diff --git a/print/cups-base/files/patch-hpgl-input.c b/print/cups-base/files/patch-hpgl-input.c new file mode 100644 index 000000000000..9483b571daed --- /dev/null +++ b/print/cups-base/files/patch-hpgl-input.c @@ -0,0 +1,50 @@ +Index: hpgl-input.c +=================================================================== +RCS file: /development/cvs/cups/filter/hpgl-input.c,v +retrieving revision 1.16 +diff -u -r1.16 hpgl-input.c +--- filter/hpgl-input.c 25 Feb 2004 20:14:52 -0000 1.16 ++++ filter/hpgl-input.c 16 Dec 2004 19:38:12 -0000 +@@ -54,7 +54,8 @@ + ch, /* Current char */ + done, /* Non-zero when the current command is read */ + i; /* Looping var */ +- char buf[262144]; /* String buffer */ ++ char buf[262144], /* String buffer */ ++ *bufptr; /* Pointer into buffer */ + static param_t p[MAX_PARAMS]; /* Parameter buffer */ + + +@@ -128,9 +129,12 @@ + + if (strcasecmp(name, "LB") == 0) + { +- for (i = 0; (ch = getc(fp)) != StringTerminator; i ++) +- buf[i] = ch; +- buf[i] = '\0'; ++ bufptr = buf; ++ while ((ch = getc(fp)) != StringTerminator) ++ if (bufptr < (buf + sizeof(buf) - 1)) ++ *bufptr++ = ch; ++ *bufptr = '\0'; ++ + p[num_params].type = PARAM_STRING; + p[num_params].value.string = strdup(buf); + num_params ++; +@@ -155,11 +159,12 @@ + } + else if (strcasecmp(name, "PE") == 0) + { +- for (i = 0; i < (sizeof(buf) - 1); i ++) +- if ((buf[i] = getc(fp)) == ';') +- break; ++ bufptr = buf; ++ while ((ch = getc(fp)) != ';') ++ if (bufptr < (buf + sizeof(buf) - 1)) ++ *bufptr++ = ch; ++ *bufptr = '\0'; + +- buf[i] = '\0'; + p[num_params].type = PARAM_STRING; + p[num_params].value.string = strdup(buf); + num_params ++; |