Wed Jun 16 18:18:26 2010 UTC ()
add some patches from upstream to fix security problems:
-use-after-free problem (CVE-2010-0302)
-information disclosure (CVE-2010-1748)
-unchecked memory allocation in texttops
-file overwrite problem
(I didn't find references from cups patches to CVE #s, or vice versa,
so the CVE #s are not certain.)
The missing http session check problem (CVE-2010-0540?) is not fixed,
this would be a large patch affecting tens of files.
bump PKGREVISION


(drochner)
diff -r1.166 -r1.167 pkgsrc/print/cups/Makefile
diff -r1.72 -r1.73 pkgsrc/print/cups/distinfo
diff -r0 -r1.3 pkgsrc/print/cups/patches/patch-ba
diff -r0 -r1.3 pkgsrc/print/cups/patches/patch-bc
diff -r0 -r1.3 pkgsrc/print/cups/patches/patch-bd
diff -r0 -r1.5 pkgsrc/print/cups/patches/patch-bb

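--- a/pkgsrc/print/cups/Makefile
+++ b/pkgsrc/print/cups/Makefile
@@ -1,24 +1,24 @@
-# $NetBSD: Makefile,v 1.166 2010/06/13 22:45:14 wiz Exp $
+# $NetBSD: Makefile,v 1.167 2010/06/16 18:18:26 drochner Exp $
 #
 # The CUPS author is very good about taking back changes into the main
 # CUPS distribution. The correct place to send patches or bug-fixes is:
 # cups-bugs@cups.org.
 
 DISTNAME= cups-${DIST_VERS}-source
 PKGNAME= cups-${DIST_VERS:S/-/./g}
 BASE_VERS= 1.4.3
 DIST_VERS= ${BASE_VERS}
-PKGREVISION= 5
+PKGREVISION= 6
 
 CATEGORIES= print
 MASTER_SITES= http://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
  ftp://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
  ftp://ftp.funet.fi/pub/mirrors/ftp.easysw.com/pub/cups/${BASE_VERS}/
 EXTRACT_SUFX= .tar.bz2
 
 MAINTAINER= sbd@NetBSD.org
 HOMEPAGE= http://www.cups.org/
 COMMENT= Common UNIX Printing System
 LICENSE= gnu-gpl-v2 AND gnu-lgpl-v2
 
 PKG_DESTDIR_SUPPORT= user-destdir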

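--- a/pkgsrc/print/cups/Attic/distinfo
+++ b/pkgsrc/print/cups/Attic/distinfo
@@ -1,22 +1,26 @@
-$NetBSD: distinfo,v 1.72 2010/06/09 09:01:43 sbd Exp $
+$NetBSD: distinfo,v 1.73 2010/06/16 18:18:26 drochner Exp $
 
 SHA1 (cups-1.4.3-source.tar.bz2) = 0dd9e3d709614d26cce77728b9263556c94c9559
 RMD160 (cups-1.4.3-source.tar.bz2) = 6c5ab282405d6a1132163c727583f3a572307d88
 Size (cups-1.4.3-source.tar.bz2) = 4461101 bytes
 SHA1 (patch-aa) = ddb088080d433b8b364ae9e0708cc79c249a1160
 SHA1 (patch-ab) = 8269ed7f24bcd5b16c143353443d4689fef082b2
 SHA1 (patch-ac) = d99dfa6e71efdc5f069c2c3e73e1b29beebf5c9b
 SHA1 (patch-ad) = 4ba06354ead85138340b87caabf87d153a15036a
 SHA1 (patch-ae) = d89b47961d899f99b6c57be3ebdb6a7b34e55324
 SHA1 (patch-af) = c05f7739d65c7b81cc712cbf6008d53568601f6a
 SHA1 (patch-ag) = 680c1c7fb44d8153b5825252d2e297a5196ca98e
 SHA1 (patch-ah) = 763220bdbc01c9ab323c62b7bc601a3082bd03e2
 SHA1 (patch-ai) = fae5b2b5e54ea947d92c89c0bdcdd86c7e3bad12
 SHA1 (patch-aj) = 471a2738bd7bd6a00596dbeb120084ac37840b31
 SHA1 (patch-ak) = 0e8acff2df0034b741ef49093aca773174abb96b
 SHA1 (patch-al) = b5dd793efed46fc950f08bfbd5fb92180ba3be77
 SHA1 (patch-am) = b2cc09ac01e45c96247558667f875fd4a95b125f
 SHA1 (patch-an) = 231c871e31db279e8aeafba71506f93330e0a971
 SHA1 (patch-ao) = 7fe50080b9a6fd4dac186020f9351ef6000373c7
 SHA1 (patch-ap) = 70c5fa4a19ca2812818844180ca9db9cb7cfd601
 SHA1 (patch-at) = aee1f0e8cbcd9e2dbcfa9af3fb675ea7ce1ce622
+SHA1 (patch-ba) = a0c643a6d794a335e18155974123ef6e95a68743
+SHA1 (patch-bb) = 69fa95cdb1ee4ac6511dd8dfbba2349f625423a5
+SHA1 (patch-bc) = cf2e9458f31dd17ea65ebb12254e1ddeaf12e414
+SHA1 (patch-bd) = 885cd259b59d8a2c0d7c1cacfaf6fe2fe3f35053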

File Added: pkgsrc/print/cups/patches/Attic/patch-ba
$NetBSD: patch-ba,v 1.3 2010/06/16 18:18:26 drochner Exp $

--- scheduler/select.c.orig	2010-01-14 22:40:19.000000000 +0000
+++ scheduler/select.c
@@ -454,7 +454,8 @@ cupsdDoSelect(long timeout)		/* I - Time
     if (fdptr->read_cb && event->filter == EVFILT_READ)
       (*(fdptr->read_cb))(fdptr->data);
 
-    if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE)
+    if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE &&
+	!cupsArrayFind(cupsd_inactive_fds, fdptr))
       (*(fdptr->write_cb))(fdptr->data);
 
     release_fd(fdptr);
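Review bot: The added `!cupsArrayFind(cupsd_inactive_fds, fdptr)` test in the kqueue dispatch has no comment saying why `fdptr->use > 1` alone is not a sufficient guard, and the same is true of the epoll copy in the next hunk. Presumably the read callback invoked just above can remove the descriptor, which leaves it on `cupsd_inactive_fds` while another reference keeps `use` above 1; a comment such as `/* read_cb may have removed this fd; skip write_cb once it is on the inactive list */` at both sites would record that. cupsdDoSelect starts and continues outside both hunks, so any other dispatch paths in it (for example poll- or select-based ones) should be checked for the same read-then-write sequence without this guard.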
@@ -500,7 +501,8 @@ cupsdDoSelect(long timeout)		/* I - Time
 	  (*(fdptr->read_cb))(fdptr->data);
 
 	if (fdptr->use > 1 && fdptr->write_cb &&
-	    (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)))
+	    (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)) &&
+	    !cupsArrayFind(cupsd_inactive_fds, fdptr))
 	  (*(fdptr->write_cb))(fdptr->data);
 
 	release_fd(fdptr);

File Added: pkgsrc/print/cups/patches/Attic/patch-bc
$NetBSD: patch-bc,v 1.3 2010/06/16 18:18:26 drochner Exp $

--- filter/texttops.c.orig	2008-11-06 16:42:18.000000000 +0000
+++ filter/texttops.c
@@ -181,8 +181,20 @@ WriteProlog(const char *title,		/* I - T
     exit(1);
   }
 
-  Page    = calloc(sizeof(lchar_t *), SizeLines);
-  Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines);
+  if ((Page = calloc(sizeof(lchar_t *), SizeLines)) == NULL)
+  {
+    _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),
+		    SizeColumns, SizeLines);
+    exit(1);
+  }
+
+  if ((Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines)) == NULL)
+  {
+    _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),
+		    SizeColumns, SizeLines);
+    exit(1);
+  }
+
   for (i = 1; i < SizeLines; i ++)
     Page[i] = Page[0] + i * SizeColumns;
 
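Review bot: The product `SizeColumns * SizeLines` passed to the second calloc() is still computed in `int` before calloc sees it, so calloc's own overflow check does not cover it. Whether both values are bounded is decided by the validation that ends just above the hunk (only its `exit(1)` is visible); if they are not tightly bounded, a wrapped product could give a buffer smaller than the `Page[i] = Page[0] + i * SizeColumns` loop assumes. Passing the factors separately lets calloc perform the check: `Page[0] = calloc(SizeLines, SizeColumns * sizeof(lchar_t))`. WriteProlog begins and continues outside the hunk.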

File Added: pkgsrc/print/cups/patches/Attic/patch-bd
$NetBSD: patch-bd,v 1.3 2010/06/16 18:18:26 drochner Exp $

--- cups/file.c.orig	2009-05-14 21:18:35.000000000 +0000
+++ cups/file.c
@@ -59,6 +59,7 @@
  */
 
 #include "file-private.h"
+#include <sys/stat.h>
 
 
 /*
@@ -69,6 +70,7 @@
 static ssize_t	cups_compress(cups_file_t *fp, const char *buf, size_t bytes);
 #endif /* HAVE_LIBZ */
 static ssize_t	cups_fill(cups_file_t *fp);
+static int cups_open(const char *filename, int mode);
 static ssize_t	cups_read(cups_file_t *fp, char *buf, size_t bytes);
 static ssize_t	cups_write(cups_file_t *fp, const char *buf, size_t bytes);
 
@@ -827,7 +829,8 @@ cupsFileOpen(const char *filename,	/* I 
   switch (*mode)
   {
     case 'a' : /* Append file */
-        fd = open(filename, O_RDWR | O_CREAT | O_APPEND | O_LARGEFILE | O_BINARY, 0666);
+        fd = cups_open(filename,
+	O_RDWR | O_CREAT | O_APPEND | O_LARGEFILE | O_BINARY);
         break;
 
     case 'r' : /* Read file */
@@ -835,7 +838,17 @@ cupsFileOpen(const char *filename,	/* I 
 	break;
 
     case 'w' : /* Write file */
-        fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT | O_LARGEFILE | O_BINARY, 0666);
+        fd = cups_open(filename, O_WRONLY | O_LARGEFILE | O_BINARY);
+ if (fd < 0 && errno == ENOENT)
+ {
+   fd = cups_open(filename,
+		  O_WRONLY | O_CREAT | O_EXCL | O_LARGEFILE | O_BINARY);
+   if (fd < 0 && errno == EEXIST)
+     fd = cups_open(filename, O_WRONLY | O_LARGEFILE | O_BINARY);
+ }
+
+ if (fd >= 0)
+   ftruncate(fd, 0);
         break;
 
     case 's' : /* Read/write socket */
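Review bot: The return value of `ftruncate(fd, 0)` in the 'w' case is ignored, so if truncation fails the caller still receives a descriptor on a file that holds its old contents, and a shorter write leaves stale data after the new bytes. Treat the failure as an open failure, for example `if (fd >= 0 && ftruncate(fd, 0)) { close(fd); fd = -1; }`, saving and restoring `errno` around the `close()` if callers report it. The switch and the rest of cupsFileOpen lie outside the hunk.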
@@ -2207,6 +2220,86 @@ cups_fill(cups_file_t *fp)		/* I - CUPS 
   return (bytes);
 }
 
+/*
+ * 'cups_open()' - Safely open a file for writing.
+ *
+ * We don't allow appending to directories or files that are hard-linked or
+ * symlinked.
+ */
+
+static int /* O - File descriptor or -1 otherwise */
+cups_open(const char *filename, /* I - Filename */
+   int        mode) /* I - Open mode */
+{
+  int fd; /* File descriptor */
+  struct stat fileinfo; /* File information */
+#ifndef WIN32
+  struct stat linkinfo; /* Link information */
+#endif /* !WIN32 */
+
+
+ /*
+  * Open the file...
+  */
+
+  if ((fd = open(filename, mode, 0666)) < 0)
+    return (-1);
+
+ /*
+  * Then verify that the file descriptor doesn't point to a directory or hard-
+  * linked file.
+  */
+
+  if (fstat(fd, &fileinfo))
+  {
+    close(fd);
+    return (-1);
+  }
+
+  if (fileinfo.st_nlink != 1)
+  {
+    close(fd);
+    errno = EPERM;
+    return (-1);
+  }
+
+  if (S_ISDIR(fileinfo.st_mode))
+  {
+    close(fd);
+    errno = EISDIR;
+    return (-1);
+  }
+
+#ifndef WIN32
+ /*
+  * Then use lstat to determine whether the filename is a symlink...
+  */
+
+  if (lstat(filename, &linkinfo))
+  {
+    close(fd);
+    return (-1);
+  }
+
+  if (S_ISLNK(linkinfo.st_mode) ||
+      fileinfo.st_dev != linkinfo.st_dev ||
+      fileinfo.st_ino != linkinfo.st_ino ||
+      fileinfo.st_gen != linkinfo.st_gen ||
+      fileinfo.st_nlink != linkinfo.st_nlink ||
+      fileinfo.st_mode != linkinfo.st_mode)
+  {
+   /*
+    * Yes, don't allow!
+    */
+
+    close(fd);
+    errno = EPERM;
+    return (-1);
+  }
+#endif /* !WIN32 */
+
+  return (fd);
+}
 
 /*
  * 'cups_read()' - Read from a file descriptor.
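Review bot: cups_open() detects a symlink only after `open(filename, mode, 0666)` has already followed it, so when the flags include `O_CREAT` without `O_EXCL` (the append case in cupsFileOpen) a dangling link can still cause its target to be created before the function returns EPERM. Where the platform defines it, or-ing `O_NOFOLLOW` into `mode` makes the open itself refuse the link and leaves the fstat()/lstat() comparison as a second check. Separately, `fileinfo.st_gen != linkinfo.st_gen` uses a struct stat member that is not present on every system pkgsrc builds on, so that line wants a configure-time guard. The `close(fd)` calls on the fstat()/lstat() failure paths may also overwrite the `errno` value that cupsFileOpen tests against ENOENT and EEXIST.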

File Added: pkgsrc/print/cups/patches/Attic/patch-bb
$NetBSD: patch-bb,v 1.5 2010/06/16 18:18:26 drochner Exp $

--- cgi-bin/var.c.orig	2010-02-08 17:33:31.000000000 +0000
+++ cgi-bin/var.c
@@ -927,6 +927,9 @@ cgi_initialize_string(const char *data)	
 	    * Read the hex code...
 	    */
 
+	    if (!isxdigit(data[1] & 255) || !isxdigit(data[2] & 255))
+		return (0);
+
             if (s < (value + sizeof(value) - 1))
 	    {
               data ++;
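Review bot: The added `isxdigit()` guard at the top of the hex-decoding branch has no comment saying what it protects against. It rejects a `%` that is not followed by two hex digits, and because the `||` short-circuits on a NUL in `data[1]`, it also keeps a truncated escape at the end of the string from being decoded past the terminator. A comment such as `/* Reject "%" not followed by two hex digits, including a truncated escape at end of string */` above the check would make that explicit. The decoding statements and the rest of cgi_initialize_string are outside the hunk, so whether variables set before the early `return (0)` need to be discarded cannot be judged from here.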