rpms / cups

Clone
Source Code
GIT

Blame SOURCES/cups-cve202010001.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   6d75f30ebfff9c80bec6c67ebbf69e38a323ec46
  2.   SOURCES
  3.   cups-cve202010001.patch
Blob History Raw
fbeb5e 
Fix for CVE-2020-10001, which is a bug in the CUPS ippReadIO function when it
fbeb5e 
reads tagged string values (nameWithLanguage and textWithLanguage).  The
fbeb5e 
previous code verified that the length of the sub-strings (language identifier
fbeb5e 
and name/text value) did not exceed the size of the allocated buffer (1 byte
fbeb5e 
larger than the maximum IPP value size of 32767 bytes), but did not validate
fbeb5e 
against the length of the actual IPP value.
fbeb5e
fbeb5e 
The issues introduced by this vulnerability include:
fbeb5e
fbeb5e 
- Potential information disclosure by copying uninitialized areas of memory into
fbeb5e 
  an IPP string value.
fbeb5e 
- Potential Denial of Service by supplying/using invalid string values when
fbeb5e 
  strict validation has been disabled by the system administrator.
fbeb5e
fbeb5e 
This change ensures that:
fbeb5e
fbeb5e 
1. The language identifier does not extend beyond the end of the IPP value.
fbeb5e 
2. The length of the name/text string is within the IPP value.
fbeb5e 
3. The name/text string is within the IPP value.
fbeb5e
fbeb5e 
diff --git a/cups/ipp.c b/cups/ipp.c
fbeb5e 
index 3d529346c..adbb26fba 100644
fbeb5e 
--- a/cups/ipp.c
fbeb5e 
+++ b/cups/ipp.c
fbeb5e 
@@ -2866,7 +2866,8 @@ ippReadIO(void       *src,		/* I - Data source */
fbeb5e 
   unsigned char		*buffer,	/* Data buffer */
fbeb5e 
 			string[IPP_MAX_TEXT],
fbeb5e 
 					/* Small string buffer */
fbeb5e 
-			*bufptr;	/* Pointer into buffer */
fbeb5e 
+			*bufptr,	/* Pointer into buffer */
fbeb5e 
+			*bufend;	/* End of buffer */
fbeb5e 
   ipp_attribute_t	*attr;		/* Current attribute */
fbeb5e 
   ipp_tag_t		tag;		/* Current tag */
fbeb5e 
   ipp_tag_t		value_tag;	/* Current value tag */
fbeb5e 
@@ -3441,6 +3442,7 @@ ippReadIO(void       *src,		/* I - Data source */
fbeb5e 
 		}
fbeb5e
fbeb5e 
                 bufptr = buffer;
fbeb5e 
+                bufend = buffer + n;
fbeb5e
fbeb5e 
 	       /*
fbeb5e 
 	        * text-with-language and name-with-language are composite
fbeb5e 
@@ -3454,7 +3456,7 @@ ippReadIO(void       *src,		/* I - Data source */
fbeb5e
fbeb5e 
 		n = (bufptr[0] << 8) | bufptr[1];
fbeb5e
fbeb5e 
-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
fbeb5e 
+		if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
fbeb5e 
 		{
fbeb5e 
 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
fbeb5e 
 		                _("IPP language length overflows value."), 1);
fbeb5e 
@@ -3481,7 +3483,7 @@ ippReadIO(void       *src,		/* I - Data source */
fbeb5e 
                 bufptr += 2 + n;
fbeb5e 
 		n = (bufptr[0] << 8) | bufptr[1];
fbeb5e
fbeb5e 
-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
fbeb5e 
+		if ((bufptr + 2 + n) > bufend)
fbeb5e 
 		{
fbeb5e 
 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
fbeb5e 
 		                _("IPP string length overflows value."), 1);
fbeb5e

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation