diff options
author | Tobias Geerinckx-Rice <me@tobias.gr> | 2021-06-23 12:52:21 +0200 |
---|---|---|
committer | Tobias Geerinckx-Rice <me@tobias.gr> | 2021-06-23 18:41:23 +0200 |
commit | 620669fd17306c2edb21c64a99fa47160fefb319 (patch) | |
tree | 89d41b5a75198d1c5a36afde07465425bc2d5924 | |
parent | 3694c0d4fee0f7faf130ecd9386ea45932a19543 (diff) | |
download | guix-620669fd17306c2edb21c64a99fa47160fefb319.tar.gz guix-620669fd17306c2edb21c64a99fa47160fefb319.zip |
gnu: cups: Add replacement to fix CVE-2020-10001.
* gnu/packages/patches/cups-CVE-2020-10001.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/cups.scm (cups-minimal/fixed): New variable.
(cups-minimal)[replacement]: Assign it to new field.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/cups.scm | 6 | ||||
-rw-r--r-- | gnu/packages/patches/cups-CVE-2020-10001.patch | 47 |
3 files changed, 54 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index f7ff9af997..fb6c25d6f9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -929,6 +929,7 @@ dist_patch_DATA = \ %D%/packages/patches/crda-optional-gcrypt.patch \ %D%/packages/patches/clucene-contribs-lib.patch \ %D%/packages/patches/cube-nocheck.patch \ + %D%/packages/patches/cups-CVE-2020-10001.patch \ %D%/packages/patches/curl-use-ssl-cert-env.patch \ %D%/packages/patches/curl-7.76-use-ssl-cert-env.patch \ %D%/packages/patches/curl-7.77-tls-priority-string.patch \ diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm index 5a15cd51b6..2dab881ae6 100644 --- a/gnu/packages/cups.scm +++ b/gnu/packages/cups.scm @@ -252,6 +252,7 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.") (package (name "cups-minimal") (version "2.3.3") + (replacement cups-minimal/fixed) (source (origin (method url-fetch) @@ -312,6 +313,11 @@ device-specific programs to convert and print many types of files.") ;; CUPS is Apache 2.0 with exceptions, see the NOTICE file. (license license:asl2.0))) +(define cups-minimal/fixed + (package-with-extra-patches + cups-minimal + (search-patches "cups-CVE-2020-10001.patch"))) + (define-public cups (package/inherit cups-minimal (name "cups") diff --git a/gnu/packages/patches/cups-CVE-2020-10001.patch b/gnu/packages/patches/cups-CVE-2020-10001.patch new file mode 100644 index 0000000000..1b16c7d97c --- /dev/null +++ b/gnu/packages/patches/cups-CVE-2020-10001.patch @@ -0,0 +1,47 @@ +From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet <msweet@msweet.org> +Date: Mon, 1 Feb 2021 15:02:32 -0500 +Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001) + +--- + +diff --git a/cups/ipp.c b/cups/ipp.c +index 3d529346c..adbb26fba 100644 +--- a/cups/ipp.c ++++ b/cups/ipp.c +@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */ + unsigned char *buffer, /* Data buffer */ + string[IPP_MAX_TEXT], + /* Small string buffer */ +- *bufptr; /* Pointer into buffer */ ++ *bufptr, /* Pointer into buffer */ ++ *bufend; /* End of buffer */ + ipp_attribute_t *attr; /* Current attribute */ + ipp_tag_t tag; /* Current tag */ + ipp_tag_t value_tag; /* Current value tag */ +@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */ + } + + bufptr = buffer; ++ bufend = buffer + n; + + /* + * text-with-language and name-with-language are composite +@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */ + + n = (bufptr[0] << 8) | bufptr[1]; + +- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string)) ++ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string)) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, + _("IPP language length overflows value."), 1); +@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */ + bufptr += 2 + n; + n = (bufptr[0] << 8) | bufptr[1]; + +- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE)) ++ if ((bufptr + 2 + n) > bufend) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, + _("IPP string length overflows value."), 1); |