diff options
Diffstat (limited to 'poky/meta/recipes-extended/cups/cups')
| -rw-r--r-- | poky/meta/recipes-extended/cups/cups/CVE-2023-32324.patch | 36 | ||||
| -rw-r--r-- | poky/meta/recipes-extended/cups/cups/CVE-2023-34241.patch | 70 |
2 files changed, 106 insertions, 0 deletions
diff --git a/poky/meta/recipes-extended/cups/cups/CVE-2023-32324.patch b/poky/meta/recipes-extended/cups/cups/CVE-2023-32324.patch new file mode 100644 index 0000000000..40b89c9899 --- /dev/null +++ b/poky/meta/recipes-extended/cups/cups/CVE-2023-32324.patch @@ -0,0 +1,36 @@ +From 07cbffd11107eed3aaf1c64e35552aec20f792da Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal <zdohnal@redhat.com> +Date: Thu, 1 Jun 2023 12:04:00 +0200 +Subject: [PATCH] cups/string.c: Return if `size` is 0 (fixes CVE-2023-32324) + +CVE: CVE-2023-32324 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/fd8bc2d32589] + +(cherry picked from commit fd8bc2d32589d1fd91fe1c0521be2a7c0462109e) +Signed-off-by: Sanjay Chitroda <schitrod@cisco.com> +--- + cups/string.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/cups/string.c b/cups/string.c +index 93cdad19..6ef58515 100644 +--- a/cups/string.c ++++ b/cups/string.c +@@ -1,6 +1,7 @@ + /* + * String functions for CUPS. + * ++ * Copyright © 2023 by OpenPrinting. + * Copyright © 2007-2019 by Apple Inc. + * Copyright © 1997-2007 by Easy Software Products. + * +@@ -730,6 +731,9 @@ _cups_strlcpy(char *dst, /* O - Destination string */ + size_t srclen; /* Length of source string */ + + ++ if (size == 0) ++ return (0); ++ + /* + * Figure out how much room is needed... + */ diff --git a/poky/meta/recipes-extended/cups/cups/CVE-2023-34241.patch b/poky/meta/recipes-extended/cups/cups/CVE-2023-34241.patch new file mode 100644 index 0000000000..4950ca341d --- /dev/null +++ b/poky/meta/recipes-extended/cups/cups/CVE-2023-34241.patch @@ -0,0 +1,70 @@ +From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001 +From: Rose <83477269+AtariDreams@users.noreply.github.com> +Date: Thu, 1 Jun 2023 11:33:39 -0400 +Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection + +httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to. + +We have to log the hostname first. + +CVE: CVE-2023-34241 + +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + scheduler/client.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/scheduler/client.c b/scheduler/client.c +index 91e441188..327473a4d 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + /* + * Can't have an unresolved IP address with double-lookups enabled... + */ +- +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, +- "Name lookup failed - connection from %s closed!", ++ "Name lookup failed - closing connection from %s!", + httpGetHostname(con->http, NULL, 0)); + ++ httpClose(con->http); + free(con); + return; + } +@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + * with double-lookups enabled... + */ + +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, +- "IP lookup failed - connection from %s closed!", ++ "IP lookup failed - closing connection from %s!", + httpGetHostname(con->http, NULL, 0)); ++ ++ httpClose(con->http); + free(con); + return; + } +@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + + if (!hosts_access(&wrap_req)) + { +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, + "Connection from %s refused by /etc/hosts.allow and " + "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0)); ++ ++ httpClose(con->http); + free(con); + return; + } +-- +2.25.1 + |