Applied patch to fix cupsd memory corruption vulnerability (CVE-2010-2941, bug #652161).

2010-11-11 11:35:06 +00:00 · 2010-11-11 11:35:06 +00:00 · e2e55c5ec7
commit e2e55c5ec7
parent eeb957badf
2 changed files with 55 additions and 1 deletions
--- a/cups-CVE-2010-2941.patch
+++ b/cups-CVE-2010-2941.patch
@ -0,0 +1,47 @@
+diff -up cups-1.4.4/cups/ipp.c.CVE-2010-2941 cups-1.4.4/cups/ipp.c
+--- cups-1.4.4/cups/ipp.c.CVE-2010-2941	2010-04-23 19:56:34.000000000 +0100
+++ cups-1.4.4/cups/ipp.c	2010-11-11 11:30:28.566745595 +0000
+@@ -1275,7 +1275,9 @@ ippReadIO(void       *src,		/* I - Data 
+ 
+ 	      attr->value_tag = tag;
+ 	    }
+-	    else if ((value_tag >= IPP_TAG_TEXTLANG &&
+	    else if (value_tag == IPP_TAG_TEXTLANG ||
+	             value_tag == IPP_TAG_NAMELANG ||
+		     (value_tag >= IPP_TAG_TEXT &&
+ 		      value_tag <= IPP_TAG_MIMETYPE))
+             {
+ 	     /*
+@@ -1283,8 +1285,9 @@ ippReadIO(void       *src,		/* I - Data 
+ 	      * forms; accept sets of differing values...
+ 	      */
+ 
+-	      if ((tag < IPP_TAG_TEXTLANG || tag > IPP_TAG_MIMETYPE) &&
+-	          tag != IPP_TAG_NOVALUE)
+	      if (tag != IPP_TAG_TEXTLANG && tag != IPP_TAG_NAMELANG &&
+	          (tag < IPP_TAG_TEXT || tag > IPP_TAG_MIMETYPE) &&
+		  tag != IPP_TAG_NOVALUE)
+ 	      {
+ 		DEBUG_printf(("1ippReadIO: 1setOf value tag %x(%s) != %x(%s)",
+ 			      value_tag, ippTagString(value_tag), tag,
+@@ -2766,6 +2769,7 @@ _ippFreeAttr(ipp_attribute_t *attr)	/* I
+   {
+     case IPP_TAG_TEXT :
+     case IPP_TAG_NAME :
+    case IPP_TAG_RESERVED_STRING :
+     case IPP_TAG_KEYWORD :
+     case IPP_TAG_URI :
+     case IPP_TAG_URISCHEME :
+diff -up cups-1.4.4/cups/ipp.h.CVE-2010-2941 cups-1.4.4/cups/ipp.h
+--- cups-1.4.4/cups/ipp.h.CVE-2010-2941	2010-04-23 19:56:34.000000000 +0100
+++ cups-1.4.4/cups/ipp.h	2010-11-11 11:30:28.568745537 +0000
+@@ -93,7 +93,8 @@ typedef enum ipp_tag_e			/**** Format ta
+   IPP_TAG_END_COLLECTION,		/* End of collection value */
+   IPP_TAG_TEXT = 0x41,			/* Text value */
+   IPP_TAG_NAME,				/* Name value */
+-  IPP_TAG_KEYWORD = 0x44,		/* Keyword value */
+  IPP_TAG_RESERVED_STRING,		/* Reserved for future string value @private@ */
+  IPP_TAG_KEYWORD,			/* Keyword value */
+   IPP_TAG_URI,				/* URI value */
+   IPP_TAG_URISCHEME,			/* URI scheme value */
+   IPP_TAG_CHARSET,			/* Character set value */
--- a/cups.spec
+++ b/cups.spec
@ -8,7 +8,7 @@
 Summary: Common Unix Printing System
 Name: cups
 Version: 1.4.4
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
 Source: http://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2
@ -75,6 +75,7 @@ Patch39: cups-autotype-crash.patch
 Patch100: cups-lspp.patch

 ## SECURITY PATCHES:
+Patch200: cups-CVE-2010-2941.patch

 Epoch: 1
 Url: http://www.cups.org/
@ -292,6 +293,8 @@ module.
 %endif

 # SECURITY PATCHES:
+# Fix cupsd memory corruption vulnerability (CVE-2010-2941, bug #652161).
+%patch200 -p1 -b .CVE-2010-2941

 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in

@ -588,6 +591,10 @@ rm -rf $RPM_BUILD_ROOT
 %{php_extdir}/phpcups.so

 %changelog
+* Thu Nov 11 2010 Tim Waugh <twaugh@redhat.com> 1:1.4.4-11
+- Applied patch to fix cupsd memory corruption vulnerability
+  (CVE-2010-2941, bug #652161).
+
 * Fri Oct 15 2010 Tim Waugh <twaugh@redhat.com> 1:1.4.4-10
 - Don't crash when MIME database could not be loaded (bug #610088).