diff options
Diffstat (limited to 'meta/recipes-extended/cups/cups/CVE-2020-10001.patch')
| -rw-r--r-- | meta/recipes-extended/cups/cups/CVE-2020-10001.patch | 74 |
1 files changed, 0 insertions, 74 deletions
diff --git a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch deleted file mode 100644 index 09a0a5765d..0000000000 --- a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch +++ /dev/null @@ -1,74 +0,0 @@ -From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001 -From: Michael R Sweet <msweet@msweet.org> -Date: Mon, 1 Feb 2021 15:02:32 -0500 -Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001) - -Upstream-Status: Backport -CVE: CVE-2020-10001 - -Reference to upstream patch: -[https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9] - -[SG: Addapted for version 2.3.3] -Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> ---- - CHANGES.md | 2 ++ - cups/ipp.c | 8 +++++--- - 2 files changed, 7 insertions(+), 3 deletions(-) - -diff --git a/CHANGES.md b/CHANGES.md -index df72892..5ca12da 100644 ---- a/CHANGES.md -+++ b/CHANGES.md -@@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24 - Changes in CUPS v2.3.3 - ---------------------- - -+- Security: Fixed a buffer (read) overflow in the `ippReadIO` function -+ (CVE-2020-10001) - - CVE-2020-3898: The `ppdOpen` function did not handle invalid UI - constraint. `ppdcSource::get_resolution` function did not handle - invalid resolution strings. -diff --git a/cups/ipp.c b/cups/ipp.c -index 3d52934..adbb26f 100644 ---- a/cups/ipp.c -+++ b/cups/ipp.c -@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */ - unsigned char *buffer, /* Data buffer */ - string[IPP_MAX_TEXT], - /* Small string buffer */ -- *bufptr; /* Pointer into buffer */ -+ *bufptr, /* Pointer into buffer */ -+ *bufend; /* End of buffer */ - ipp_attribute_t *attr; /* Current attribute */ - ipp_tag_t tag; /* Current tag */ - ipp_tag_t value_tag; /* Current value tag */ -@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */ - } - - bufptr = buffer; -+ bufend = buffer + n; - - /* - * text-with-language and name-with-language are composite -@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */ - - n = (bufptr[0] << 8) | bufptr[1]; - -- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string)) -+ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string)) - { - _cupsSetError(IPP_STATUS_ERROR_INTERNAL, - _("IPP language length overflows value."), 1); -@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */ - bufptr += 2 + n; - n = (bufptr[0] << 8) | bufptr[1]; - -- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE)) -+ if ((bufptr + 2 + n) > bufend) - { - _cupsSetError(IPP_STATUS_ERROR_INTERNAL, - _("IPP string length overflows value."), 1); --- -2.17.1 - |