Wed Jun 16 18:18:26 2010 UTC ()
add some patches from upstream to fix security problems:
-use-after-free problem (CVE-2010-0302)
-information disclosure (CVE-2010-1748)
-unchecked memory allocation in texttops
-file overwrite problem
(I didn't find references from cups patches to CVE #s, or vice versa,
so the CVE #s are not certain.)
The missing http session check problem (CVE-2010-0540?) is not fixed,
this would be a large patch affecting tens of files.
bump PKGREVISION
(drochner)
diff -r1.166 -r1.167 pkgsrc/print/cups/Makefile
diff -r1.72 -r1.73 pkgsrc/print/cups/distinfo
diff -r0 -r1.3 pkgsrc/print/cups/patches/patch-ba
diff -r0 -r1.3 pkgsrc/print/cups/patches/patch-bc
diff -r0 -r1.3 pkgsrc/print/cups/patches/patch-bd
diff -r0 -r1.5 pkgsrc/print/cups/patches/patch-bb
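--- a/pkgsrc/print/cups/Makefile
+++ b/pkgsrc/print/cups/Makefile
@@ -1,24 +1,24 @@
-# $NetBSD: Makefile,v 1.166 2010/06/13 22:45:14 wiz Exp $
+# $NetBSD: Makefile,v 1.167 2010/06/16 18:18:26 drochner Exp $
 #
 # The CUPS author is very good about taking back changes into the main
 # CUPS distribution. The correct place to send patches or bug-fixes is:
 # cups-bugs@cups.org.
 
 DISTNAME= cups-${DIST_VERS}-source
 PKGNAME= cups-${DIST_VERS:S/-/./g}
 BASE_VERS= 1.4.3
 DIST_VERS= ${BASE_VERS}
-PKGREVISION= 5
+PKGREVISION= 6
 
 CATEGORIES= print
 MASTER_SITES= http://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
 ftp://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
 ftp://ftp.funet.fi/pub/mirrors/ftp.easysw.com/pub/cups/${BASE_VERS}/
 EXTRACT_SUFX= .tar.bz2
 
 MAINTAINER= sbd@NetBSD.org
 HOMEPAGE= http://www.cups.org/
 COMMENT= Common UNIX Printing System
 LICENSE= gnu-gpl-v2 AND gnu-lgpl-v2
 
 PKG_DESTDIR_SUPPORT= user-destdir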
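--- a/pkgsrc/print/cups/Attic/distinfo
+++ b/pkgsrc/print/cups/Attic/distinfo
@@ -1,22 +1,26 @@
-$NetBSD: distinfo,v 1.72 2010/06/09 09:01:43 sbd Exp $
+$NetBSD: distinfo,v 1.73 2010/06/16 18:18:26 drochner Exp $
 
 SHA1 (cups-1.4.3-source.tar.bz2) = 0dd9e3d709614d26cce77728b9263556c94c9559
 RMD160 (cups-1.4.3-source.tar.bz2) = 6c5ab282405d6a1132163c727583f3a572307d88
 Size (cups-1.4.3-source.tar.bz2) = 4461101 bytes
 SHA1 (patch-aa) = ddb088080d433b8b364ae9e0708cc79c249a1160
 SHA1 (patch-ab) = 8269ed7f24bcd5b16c143353443d4689fef082b2
 SHA1 (patch-ac) = d99dfa6e71efdc5f069c2c3e73e1b29beebf5c9b
 SHA1 (patch-ad) = 4ba06354ead85138340b87caabf87d153a15036a
 SHA1 (patch-ae) = d89b47961d899f99b6c57be3ebdb6a7b34e55324
 SHA1 (patch-af) = c05f7739d65c7b81cc712cbf6008d53568601f6a
 SHA1 (patch-ag) = 680c1c7fb44d8153b5825252d2e297a5196ca98e
 SHA1 (patch-ah) = 763220bdbc01c9ab323c62b7bc601a3082bd03e2
 SHA1 (patch-ai) = fae5b2b5e54ea947d92c89c0bdcdd86c7e3bad12
 SHA1 (patch-aj) = 471a2738bd7bd6a00596dbeb120084ac37840b31
 SHA1 (patch-ak) = 0e8acff2df0034b741ef49093aca773174abb96b
 SHA1 (patch-al) = b5dd793efed46fc950f08bfbd5fb92180ba3be77
 SHA1 (patch-am) = b2cc09ac01e45c96247558667f875fd4a95b125f
 SHA1 (patch-an) = 231c871e31db279e8aeafba71506f93330e0a971
 SHA1 (patch-ao) = 7fe50080b9a6fd4dac186020f9351ef6000373c7
 SHA1 (patch-ap) = 70c5fa4a19ca2812818844180ca9db9cb7cfd601
 SHA1 (patch-at) = aee1f0e8cbcd9e2dbcfa9af3fb675ea7ce1ce622
+SHA1 (patch-ba) = a0c643a6d794a335e18155974123ef6e95a68743
+SHA1 (patch-bb) = 69fa95cdb1ee4ac6511dd8dfbba2349f625423a5
+SHA1 (patch-bc) = cf2e9458f31dd17ea65ebb12254e1ddeaf12e414
+SHA1 (patch-bd) = 885cd259b59d8a2c0d7c1cacfaf6fe2fe3f35053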
$NetBSD: patch-ba,v 1.3 2010/06/16 18:18:26 drochner Exp $
--- scheduler/select.c.orig 2010-01-14 22:40:19.000000000 +0000
+++ scheduler/select.c
@@ -454,7 +454,8 @@ cupsdDoSelect(long timeout) /* I - Time
if (fdptr->read_cb && event->filter == EVFILT_READ)
(*(fdptr->read_cb))(fdptr->data);
- if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE)
+ if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE &&
+ !cupsArrayFind(cupsd_inactive_fds, fdptr))
(*(fdptr->write_cb))(fdptr->data);
release_fd(fdptr);
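Review bot: The new `!cupsArrayFind(cupsd_inactive_fds, fdptr)` condition carries no comment saying why the inactive list must be consulted before `write_cb`, and the same undocumented guard is repeated in the epoll branch in the next hunk. From the visible lines, `read_cb` runs first and can apparently retire the descriptor, so `fdptr->data` may be stale by the time `write_cb` would be called. A one-line comment above each test, such as `/* read_cb may have removed this fd; never call write_cb on an inactive entry */`, would record that ordering dependency. Both hunks sit inside cupsdDoSelect, whose body starts and ends outside them, so it cannot be confirmed from here whether the poll()/select() paths carry an equivalent guard; that is worth checking.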
@@ -500,7 +501,8 @@ cupsdDoSelect(long timeout) /* I - Time
(*(fdptr->read_cb))(fdptr->data);
if (fdptr->use > 1 && fdptr->write_cb &&
- (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)))
+ (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)) &&
+ !cupsArrayFind(cupsd_inactive_fds, fdptr))
(*(fdptr->write_cb))(fdptr->data);
release_fd(fdptr);
$NetBSD: patch-bc,v 1.3 2010/06/16 18:18:26 drochner Exp $
--- filter/texttops.c.orig 2008-11-06 16:42:18.000000000 +0000
+++ filter/texttops.c
@@ -181,8 +181,20 @@ WriteProlog(const char *title, /* I - T
exit(1);
}
- Page = calloc(sizeof(lchar_t *), SizeLines);
- Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines);
+ if ((Page = calloc(sizeof(lchar_t *), SizeLines)) == NULL)
+ {
+ _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),
+ SizeColumns, SizeLines);
+ exit(1);
+ }
+
+ if ((Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines)) == NULL)
+ {
+ _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),
+ SizeColumns, SizeLines);
+ exit(1);
+ }
+
for (i = 1; i < SizeLines; i ++)
Page[i] = Page[0] + i * SizeColumns;
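Review bot: The product `SizeColumns * SizeLines` in the second `calloc` is evaluated before calloc sees it, so calloc's own overflow check does not cover it, and the added NULL tests do not catch a wrapped count. If both values are `int` (the `%dx%d` format suggests so), an oversized page geometry can overflow, after which the `Page[i] = Page[0] + i * SizeColumns` loop would point outside the allocation. Validate the geometry before allocating, for example `if (SizeColumns <= 0 || SizeLines <= 0 || SizeColumns > INT_MAX / SizeLines)` taking the same error path. WriteProlog starts and ends outside this hunk, so an earlier bound on these values may already exist and should be confirmed.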
$NetBSD: patch-bd,v 1.3 2010/06/16 18:18:26 drochner Exp $
--- cups/file.c.orig 2009-05-14 21:18:35.000000000 +0000
+++ cups/file.c
@@ -59,6 +59,7 @@
*/
#include "file-private.h"
+#include <sys/stat.h>
/*
@@ -69,6 +70,7 @@
static ssize_t cups_compress(cups_file_t *fp, const char *buf, size_t bytes);
#endif /* HAVE_LIBZ */
static ssize_t cups_fill(cups_file_t *fp);
+static int cups_open(const char *filename, int mode);
static ssize_t cups_read(cups_file_t *fp, char *buf, size_t bytes);
static ssize_t cups_write(cups_file_t *fp, const char *buf, size_t bytes);
@@ -827,7 +829,8 @@ cupsFileOpen(const char *filename, /* I
switch (*mode)
{
case 'a' : /* Append file */
- fd = open(filename, O_RDWR | O_CREAT | O_APPEND | O_LARGEFILE | O_BINARY, 0666);
+ fd = cups_open(filename,
+ O_RDWR | O_CREAT | O_APPEND | O_LARGEFILE | O_BINARY);
break;
case 'r' : /* Read file */
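Review bot: In the append case `cups_open()` is still called with `O_CREAT` and without `O_NOFOLLOW`, so the `open()` inside it follows a symlink and can create the link target before the post-open `lstat()` comparison rejects the descriptor. The check therefore stops writes through the link, but not the creation of an empty file at the target. Where the platform defines it, adding `O_NOFOLLOW` to the flags (`O_RDWR | O_CREAT | O_APPEND | O_NOFOLLOW | O_LARGEFILE | O_BINARY`) refuses the link at open time, and the later `lstat()` test can remain as a fallback. The same applies to the `O_CREAT | O_EXCL` call in the 'w' case only as defence in depth, since `O_EXCL` already refuses an existing symlink. cupsFileOpen's body extends outside this hunk.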
@@ -835,7 +838,17 @@ cupsFileOpen(const char *filename, /* I
break;
case 'w' : /* Write file */
- fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT | O_LARGEFILE | O_BINARY, 0666);
+ fd = cups_open(filename, O_WRONLY | O_LARGEFILE | O_BINARY);
+ if (fd < 0 && errno == ENOENT)
+ {
+ fd = cups_open(filename,
+ O_WRONLY | O_CREAT | O_EXCL | O_LARGEFILE | O_BINARY);
+ if (fd < 0 && errno == EEXIST)
+ fd = cups_open(filename, O_WRONLY | O_LARGEFILE | O_BINARY);
+ }
+
+ if (fd >= 0)
+ ftruncate(fd, 0);
break;
case 's' : /* Read/write socket */
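Review bot: The result of `ftruncate(fd, 0)` is discarded, so if truncation fails on a regular file the caller still gets a valid descriptor and overwrites only the start of the old contents, leaving the old tail in place. Check the return value, for example `if (fd >= 0 && ftruncate(fd, 0) && errno != EINVAL) { close(fd); fd = -1; }`. The `EINVAL` exemption is a suggestion to confirm per platform, because ftruncate can fail that way on non-regular files such as devices, where the old `O_TRUNC` was simply ignored. The three-step open sequence would also benefit from a short comment stating that truncation is deferred until cups_open's link checks have passed. The switch continues outside this hunk.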
@@ -2207,6 +2220,86 @@ cups_fill(cups_file_t *fp) /* I - CUPS
return (bytes);
}
+/*
+ * 'cups_open()' - Safely open a file for writing.
+ *
+ * We don't allow appending to directories or files that are hard-linked or
+ * symlinked.
+ */
+
+static int /* O - File descriptor or -1 otherwise */
+cups_open(const char *filename, /* I - Filename */
+ int mode) /* I - Open mode */
+{
+ int fd; /* File descriptor */
+ struct stat fileinfo; /* File information */
+#ifndef WIN32
+ struct stat linkinfo; /* Link information */
+#endif /* !WIN32 */
+
+
+ /*
+ * Open the file...
+ */
+
+ if ((fd = open(filename, mode, 0666)) < 0)
+ return (-1);
+
+ /*
+ * Then verify that the file descriptor doesn't point to a directory or hard-
+ * linked file.
+ */
+
+ if (fstat(fd, &fileinfo))
+ {
+ close(fd);
+ return (-1);
+ }
+
+ if (fileinfo.st_nlink != 1)
+ {
+ close(fd);
+ errno = EPERM;
+ return (-1);
+ }
+
+ if (S_ISDIR(fileinfo.st_mode))
+ {
+ close(fd);
+ errno = EISDIR;
+ return (-1);
+ }
+
+#ifndef WIN32
+ /*
+ * Then use lstat to determine whether the filename is a symlink...
+ */
+
+ if (lstat(filename, &linkinfo))
+ {
+ close(fd);
+ return (-1);
+ }
+
+ if (S_ISLNK(linkinfo.st_mode) ||
+ fileinfo.st_dev != linkinfo.st_dev ||
+ fileinfo.st_ino != linkinfo.st_ino ||
+ fileinfo.st_gen != linkinfo.st_gen ||
+ fileinfo.st_nlink != linkinfo.st_nlink ||
+ fileinfo.st_mode != linkinfo.st_mode)
+ {
+ /*
+ * Yes, don't allow!
+ */
+
+ close(fd);
+ errno = EPERM;
+ return (-1);
+ }
+#endif /* !WIN32 */
+
+ return (fd);
+}
/*
* 'cups_read()' - Read from a file descriptor.
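Review bot: `st_gen` in the `fileinfo.st_gen != linkinfo.st_gen` comparison is a BSD extension to `struct stat`, not a POSIX member, so this patch will not compile on pkgsrc platforms whose `struct stat` lacks it (glibc, for one); the `#ifndef WIN32` guard does not cover that case. Put that single line behind a configure-time or platform test so the remaining dev/ino/nlink/mode comparisons still build everywhere. Separately, the header comment says the function refuses "appending" to linked files, while cupsFileOpen also routes the 'w' case through it; wording it as "opening for writing or appending" would match the callers. Note also that `close(fd)` on the `fstat()`/`lstat()` failure paths may overwrite the `errno` the caller later inspects.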
$NetBSD: patch-bb,v 1.5 2010/06/16 18:18:26 drochner Exp $
--- cgi-bin/var.c.orig 2010-02-08 17:33:31.000000000 +0000
+++ cgi-bin/var.c
@@ -927,6 +927,9 @@ cgi_initialize_string(const char *data)
* Read the hex code...
*/
+ if (!isxdigit(data[1] & 255) || !isxdigit(data[2] & 255))
+ return (0);
+
if (s < (value + sizeof(value) - 1))
{
data ++;
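Review bot: The added `isxdigit` test has no comment, and the existing "Read the hex code..." comment above it now describes only the decoding that follows. Since the test returns 0 when the two characters after the current position are not both hex digits, a note such as `/* Reject incomplete or non-hex escapes before decoding; a NUL in data[1] ends the test before data[2] is read */` would record both the intent and the reliance on short-circuit evaluation. What `return (0)` means for variables already parsed is decided by the rest of cgi_initialize_string, which lies outside this hunk, so it is worth confirming that aborting the whole parse on one malformed escape is intended.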