- Applied patch to fix RSS subscription limiting (bug #473901,

CVE-2008-5183).
2008-12-09 12:19:10 +00:00 · 2008-12-09 12:19:10 +00:00 · 54fdf3149d
commit 54fdf3149d
parent 277864519c
2 changed files with 174 additions and 0 deletions
--- a/cups-CVE-2008-5183.patch
+++ b/cups-CVE-2008-5183.patch
@ -0,0 +1,170 @@
+diff -up cups-1.4b1/scheduler/ipp.c.CVE-2008-5183 cups-1.4b1/scheduler/ipp.c
+--- cups-1.4b1/scheduler/ipp.c.CVE-2008-5183	2008-12-09 12:16:15.000000000 +0000
+++ cups-1.4b1/scheduler/ipp.c	2008-12-09 12:17:43.000000000 +0000
+@@ -2392,24 +2392,25 @@ add_job_subscriptions(
+     if (mask == CUPSD_EVENT_NONE)
+       mask = CUPSD_EVENT_JOB_COMPLETED;
+ 
+-    sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, recipient,
+-                               0);
+    if ((sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job,
+                                    recipient, 0)) != NULL)
+    {
+      sub->interval = interval;
+ 
+-    sub->interval = interval;
+      cupsdSetString(&sub->owner, job->username);
+ 
+-    cupsdSetString(&sub->owner, job->username);
+      if (user_data)
+      {
+	sub->user_data_len = user_data->values[0].unknown.length;
+	memcpy(sub->user_data, user_data->values[0].unknown.data,
+	       sub->user_data_len);
+      }
+ 
+-    if (user_data)
+-    {
+-      sub->user_data_len = user_data->values[0].unknown.length;
+-      memcpy(sub->user_data, user_data->values[0].unknown.data,
+-             sub->user_data_len);
+      ippAddSeparator(con->response);
+      ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER,
+		    "notify-subscription-id", sub->id);
+     }
+ 
+-    ippAddSeparator(con->response);
+-    ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER,
+-                  "notify-subscription-id", sub->id);
+-
+     if (attr)
+       attr = attr->next;
+   }
+@@ -6668,7 +6669,12 @@ create_subscription(
+     else
+       job = NULL;
+ 
+-    sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
+    if ((sub = cupsdAddSubscription(mask, printer, job, recipient, 0)) == NULL)
+    {
+      send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS,
+		      _("There are too many subscriptions."));
+      return;
+    }
+ 
+     if (job)
+       cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d",
+diff -up cups-1.4b1/scheduler/subscriptions.c.CVE-2008-5183 cups-1.4b1/scheduler/subscriptions.c
+--- cups-1.4b1/scheduler/subscriptions.c.CVE-2008-5183	2008-12-09 12:16:15.000000000 +0000
+++ cups-1.4b1/scheduler/subscriptions.c	2008-12-09 12:17:43.000000000 +0000
+@@ -341,8 +341,54 @@ cupsdAddSubscription(
+   * Limit the number of subscriptions...
+   */
+ 
+-  if (cupsArrayCount(Subscriptions) >= MaxSubscriptions)
+  if (MaxSubscriptions > 0 && cupsArrayCount(Subscriptions) >= MaxSubscriptions)
+  {
+    cupsdLogMessage(CUPSD_LOG_DEBUG,
+                    "cupsdAddSubscription: Reached MaxSubscriptions %d",
+		    MaxSubscriptions);
+     return (NULL);
+  }
+
+  if (MaxSubscriptionsPerJob > 0 && job)
+  {
+    int	count;				/* Number of job subscriptions */
+
+    for (temp = (cupsd_subscription_t *)cupsArrayFirst(Subscriptions),
+             count = 0;
+         temp;
+	 temp = (cupsd_subscription_t *)cupsArrayNext(Subscriptions))
+      if (temp->job == job)
+        count ++;
+
+    if (count >= MaxSubscriptionsPerJob)
+    {
+      cupsdLogMessage(CUPSD_LOG_DEBUG,
+		      "cupsdAddSubscription: Reached MaxSubscriptionsPerJob %d "
+		      "for job #%d", MaxSubscriptionsPerJob, job->id);
+      return (NULL);
+    }
+  }
+
+  if (MaxSubscriptionsPerPrinter > 0 && dest)
+  {
+    int	count;				/* Number of printer subscriptions */
+
+    for (temp = (cupsd_subscription_t *)cupsArrayFirst(Subscriptions),
+             count = 0;
+         temp;
+	 temp = (cupsd_subscription_t *)cupsArrayNext(Subscriptions))
+      if (temp->dest == dest)
+        count ++;
+
+    if (count >= MaxSubscriptionsPerPrinter)
+    {
+      cupsdLogMessage(CUPSD_LOG_DEBUG,
+		      "cupsdAddSubscription: Reached "
+		      "MaxSubscriptionsPerPrinter %d for %s",
+		      MaxSubscriptionsPerPrinter, dest->name);
+      return (NULL);
+    }
+  }
+ 
+  /*
+   * Allocate memory for this subscription...
+@@ -765,7 +811,6 @@ cupsdLoadAllSubscriptions(void)
+       cupsdLogMessage(CUPSD_LOG_ERROR,
+                       "Syntax error on line %d of subscriptions.conf.",
+ 	              linenum);
+-      break;
+     }
+     else if (!strcasecmp(line, "Events"))
+     {
+diff -up cups-1.4b1/test/4.4-subscription-ops.test.CVE-2008-5183 cups-1.4b1/test/4.4-subscription-ops.test
+--- cups-1.4b1/test/4.4-subscription-ops.test.CVE-2008-5183	2007-07-09 21:34:48.000000000 +0100
+++ cups-1.4b1/test/4.4-subscription-ops.test	2008-12-09 12:17:43.000000000 +0000
+@@ -116,6 +116,32 @@
+ 	EXPECT notify-events
+ 	DISPLAY notify-events
+ }
+{
+	# The name of the test...
+	NAME "Check MaxSubscriptions limits"
+
+	# The operation to use
+	OPERATION Create-Printer-Subscription
+	RESOURCE /
+
+	# The attributes to send
+	GROUP operation
+	ATTR charset attributes-charset utf-8
+	ATTR language attributes-natural-language en
+	ATTR uri printer-uri $method://$hostname:$port/printers/Test1
+
+        GROUP subscription
+	ATTR uri notify-recipient-uri testnotify://
+	ATTR keyword notify-events printer-state-changed
+	ATTR integer notify-lease-duration 5
+
+	# What statuses are OK?
+	STATUS client-error-too-many-subscriptions
+
+	# What attributes do we expect?
+	EXPECT attributes-charset
+	EXPECT attributes-natural-language
+}
+ 
+ #
+ # End of "$Id: 4.4-subscription-ops.test 6635 2007-07-09 20:34:48Z mike $"
+diff -up cups-1.4b1/test/run-stp-tests.sh.CVE-2008-5183 cups-1.4b1/test/run-stp-tests.sh
+--- cups-1.4b1/test/run-stp-tests.sh.CVE-2008-5183	2008-10-02 00:56:42.000000000 +0100
+++ cups-1.4b1/test/run-stp-tests.sh	2008-12-09 12:17:43.000000000 +0000
+@@ -326,6 +326,7 @@ PassEnv LOCALEDIR
+ DocumentRoot $root/doc
+ RequestRoot /tmp/cups-$user/spool
+ TempDir /tmp/cups-$user/spool/temp
+MaxSubscriptions 3
+ MaxLogSize 0
+ AccessLog /tmp/cups-$user/log/access_log
+ ErrorLog /tmp/cups-$user/log/error_log
--- a/cups.spec
+++ b/cups.spec
@ -28,6 +28,7 @@ Patch1: cups-no-gzip-man.patch
 Patch2: cups-1.1.16-system-auth.patch
 Patch3: cups-multilib.patch
 Patch4: cups-str2831.patch
+Patch5: cups-CVE-2008-5183.patch
 Patch6: cups-banners.patch
 Patch7: cups-serverbin-compat.patch
 Patch8: cups-no-export-ssllibs.patch
@ -168,6 +169,7 @@ module.
 %patch2 -p1 -b .system-auth
 %patch3 -p1 -b .multilib
 %patch4 -p1 -b .str2831
+%patch5 -p1 -b .CVE-2008-5183
 %patch6 -p1 -b .banners
 %patch7 -p1 -b .serverbin-compat
 %patch8 -p1 -b .no-export-ssllibs
@ -449,6 +451,8 @@ rm -rf $RPM_BUILD_ROOT

 %changelog
 * Tue Dec  9 2008 Tim Waugh <twaugh@redhat.com> 1:1.4-0.b1.5
+- Applied patch to fix RSS subscription limiting (bug #473901,
+  CVE-2008-5183).
 - Attempt to unbreak the fix for STR #2831 (bug #474742).

 * Sun Nov 30 2008 Tim Waugh <twaugh@redhat.com> 1:1.4-0.b1.4