diff options
Diffstat (limited to 'poky/meta/recipes-extended/cups')
-rw-r--r-- | poky/meta/recipes-extended/cups/cups.inc | 3 | ||||
-rw-r--r-- | poky/meta/recipes-extended/cups/cups/CVE-2020-10001.patch | 74 |
2 files changed, 77 insertions, 0 deletions
diff --git a/poky/meta/recipes-extended/cups/cups.inc b/poky/meta/recipes-extended/cups/cups.inc index e7a704134..244c87001 100644 --- a/poky/meta/recipes-extended/cups/cups.inc +++ b/poky/meta/recipes-extended/cups/cups.inc @@ -15,6 +15,7 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t file://0004-cups-fix-multilib-install-file-conflicts.patch \ file://volatiles.99_cups \ file://cups-volatiles.conf \ + file://CVE-2020-10001.patch \ " UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases" @@ -54,6 +55,8 @@ EXTRA_OECONF = " \ --enable-debug \ --disable-relro \ --enable-libusb \ + --with-system-groups=lpadmin \ + --with-cups-group=lp \ --with-domainsocket=/run/cups/cups.sock \ DSOFLAGS='${LDFLAGS}' \ " diff --git a/poky/meta/recipes-extended/cups/cups/CVE-2020-10001.patch b/poky/meta/recipes-extended/cups/cups/CVE-2020-10001.patch new file mode 100644 index 000000000..09a0a5765 --- /dev/null +++ b/poky/meta/recipes-extended/cups/cups/CVE-2020-10001.patch @@ -0,0 +1,74 @@ +From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet <msweet@msweet.org> +Date: Mon, 1 Feb 2021 15:02:32 -0500 +Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001) + +Upstream-Status: Backport +CVE: CVE-2020-10001 + +Reference to upstream patch: +[https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9] + +[SG: Addapted for version 2.3.3] +Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> +--- + CHANGES.md | 2 ++ + cups/ipp.c | 8 +++++--- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/CHANGES.md b/CHANGES.md +index df72892..5ca12da 100644 +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24 + Changes in CUPS v2.3.3 + ---------------------- + ++- Security: Fixed a buffer (read) overflow in the `ippReadIO` function ++ (CVE-2020-10001) + - CVE-2020-3898: The `ppdOpen` function did not handle invalid UI + constraint. `ppdcSource::get_resolution` function did not handle + invalid resolution strings. +diff --git a/cups/ipp.c b/cups/ipp.c +index 3d52934..adbb26f 100644 +--- a/cups/ipp.c ++++ b/cups/ipp.c +@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */ + unsigned char *buffer, /* Data buffer */ + string[IPP_MAX_TEXT], + /* Small string buffer */ +- *bufptr; /* Pointer into buffer */ ++ *bufptr, /* Pointer into buffer */ ++ *bufend; /* End of buffer */ + ipp_attribute_t *attr; /* Current attribute */ + ipp_tag_t tag; /* Current tag */ + ipp_tag_t value_tag; /* Current value tag */ +@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */ + } + + bufptr = buffer; ++ bufend = buffer + n; + + /* + * text-with-language and name-with-language are composite +@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */ + + n = (bufptr[0] << 8) | bufptr[1]; + +- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string)) ++ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string)) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, + _("IPP language length overflows value."), 1); +@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */ + bufptr += 2 + n; + n = (bufptr[0] << 8) | bufptr[1]; + +- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE)) ++ if ((bufptr + 2 + n) > bufend) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, + _("IPP string length overflows value."), 1); +-- +2.17.1 + |