gnu: cups: Add replacement to fix CVE-2020-10001.
1 From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
2 From: Michael R Sweet <msweet@msweet.org>
3 Date: Mon, 1 Feb 2021 15:02:32 -0500
4 Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
5
6 ---
7
8 diff --git a/cups/ipp.c b/cups/ipp.c
9 index 3d529346c..adbb26fba 100644
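--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */
 unsigned char *buffer, /* Data buffer */
 string[IPP_MAX_TEXT],
 /* Small string buffer */
- *bufptr; /* Pointer into buffer */
+ *bufptr, /* Pointer into buffer */
+ *bufend; /* End of buffer */
 ipp_attribute_t *attr; /* Current attribute */
 ipp_tag_t tag; /* Current tag */
 ipp_tag_t value_tag; /* Current value tag */
@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */
 }
 
 bufptr = buffer;
+ bufend = buffer + n;
 
 /*
 * text-with-language and name-with-language are composite
@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */
 
 n = (bufptr[0] << 8) | bufptr[1];
 
- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
+ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
 {
 _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
 _("IPP language length overflows value."), 1);
@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */
 bufptr += 2 + n;
 n = (bufptr[0] << 8) | bufptr[1];
 
- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
+ if ((bufptr + 2 + n) > bufend)
 {
 _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
 _("IPP string length overflows value."), 1);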
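Review bot: Both new checks, `(bufptr + 2 + n + 2) > bufend` and `(bufptr + 2 + n) > bufend`, still build the pointer before comparing it, and `n` is a 16-bit length taken from the message, so the sum can land far past the end of `buffer`; forming such a pointer is undefined behaviour in C even when it is never dereferenced. Comparing lengths instead keeps the arithmetic inside the buffer: `if (n > (bufend - bufptr - 4) || n >= (int)sizeof(string))` for the language length and `if (n > (bufend - bufptr - 2))` for the string length. The reads of `bufptr[0]` and `bufptr[1]` come before either check, so they depend on a minimum value length being enforced earlier in ippReadIO; that code is outside these hunks and should be confirmed. ippReadIO's body starts and ends outside the hunks.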