aboutsummaryrefslogtreecommitdiffstats
path: root/print
diff options
context:
space:
mode:
authorsimon <simon@FreeBSD.org>2005-01-18 01:40:22 +0800
committersimon <simon@FreeBSD.org>2005-01-18 01:40:22 +0800
commit079478e9887ab486b33be24dbf58bb6afb7fd376 (patch)
tree26ee1307f384744202a848aabdb7460b4eb0a3f6 /print
parentd8553c20e7cf3f570f56ed9b6f56da6c0ac12854 (diff)
downloadfreebsd-ports-gnome-079478e9887ab486b33be24dbf58bb6afb7fd376.tar.gz
freebsd-ports-gnome-079478e9887ab486b33be24dbf58bb6afb7fd376.tar.zst
freebsd-ports-gnome-079478e9887ab486b33be24dbf58bb6afb7fd376.zip
Fix remote arbitrary code execution vulnerability.
Note that this does not fix all the security vulnerabilities for CUPS, but it fixes the most serious one. With hat: secteam VuXML: http://www.vuxml.org/freebsd/40a3bca2-6809-11d9-a9e7-0001020eed82.html Obtained from: CUPS bug system - http://www.cups.org/str.php?L1024 Approved by: erwin (mentor)
Diffstat (limited to 'print')
-rw-r--r--print/cups-base/Makefile2
-rw-r--r--print/cups-base/files/patch-hpgl-input.c50
2 files changed, 51 insertions, 1 deletions
diff --git a/print/cups-base/Makefile b/print/cups-base/Makefile
index 8f8b1b8136d1..724eadf993fa 100644
--- a/print/cups-base/Makefile
+++ b/print/cups-base/Makefile
@@ -9,7 +9,7 @@
PORTNAME= cups-base
PORTVERSION= ${CUPS_PORTVER}
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= ${CUPS_PORTEPOCH}
CATEGORIES= print
MASTER_SITES= ${CUPS_MASTER_SITES}
diff --git a/print/cups-base/files/patch-hpgl-input.c b/print/cups-base/files/patch-hpgl-input.c
new file mode 100644
index 000000000000..9483b571daed
--- /dev/null
+++ b/print/cups-base/files/patch-hpgl-input.c
@@ -0,0 +1,50 @@
+Index: hpgl-input.c
+===================================================================
+RCS file: /development/cvs/cups/filter/hpgl-input.c,v
+retrieving revision 1.16
+diff -u -r1.16 hpgl-input.c
+--- filter/hpgl-input.c 25 Feb 2004 20:14:52 -0000 1.16
++++ filter/hpgl-input.c 16 Dec 2004 19:38:12 -0000
+@@ -54,7 +54,8 @@
+ ch, /* Current char */
+ done, /* Non-zero when the current command is read */
+ i; /* Looping var */
+- char buf[262144]; /* String buffer */
++ char buf[262144], /* String buffer */
++ *bufptr; /* Pointer into buffer */
+ static param_t p[MAX_PARAMS]; /* Parameter buffer */
+
+
+@@ -128,9 +129,12 @@
+
+ if (strcasecmp(name, "LB") == 0)
+ {
+- for (i = 0; (ch = getc(fp)) != StringTerminator; i ++)
+- buf[i] = ch;
+- buf[i] = '\0';
++ bufptr = buf;
++ while ((ch = getc(fp)) != StringTerminator)
++ if (bufptr < (buf + sizeof(buf) - 1))
++ *bufptr++ = ch;
++ *bufptr = '\0';
++
+ p[num_params].type = PARAM_STRING;
+ p[num_params].value.string = strdup(buf);
+ num_params ++;
+@@ -155,11 +159,12 @@
+ }
+ else if (strcasecmp(name, "PE") == 0)
+ {
+- for (i = 0; i < (sizeof(buf) - 1); i ++)
+- if ((buf[i] = getc(fp)) == ';')
+- break;
++ bufptr = buf;
++ while ((ch = getc(fp)) != ';')
++ if (bufptr < (buf + sizeof(buf) - 1))
++ *bufptr++ = ch;
++ *bufptr = '\0';
+
+- buf[i] = '\0';
+ p[num_params].type = PARAM_STRING;
+ p[num_params].value.string = strdup(buf);
+ num_params ++;