add some patches from upstream to fix security problems:

-use-after-free problem (CVE-2010-0302) -information disclosure (CVE-2010-1748) -unchecked memory allocation is texttops -file overwrite problem (I didn't find references from cups patches to CVE #s, or vice versa, so the CVE #s are not certain.) The missing http session check problem (CVE-2010-0540?) is not fixed, this would be a large patch affecting tens of files. bump PKGREVISION
2010-06-16 18:18:26 +00:00 · 2010-06-16 18:18:26 +00:00 · 085f81e3d3
commit 085f81e3d3
parent 1c79201caf
6 changed files with 208 additions and 3 deletions
--- a/print/cups/Makefile
+++ b/print/cups/Makefile
@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.166 2010/06/13 22:45:14 wiz Exp $
+# $NetBSD: Makefile,v 1.167 2010/06/16 18:18:26 drochner Exp $
 #
 # The CUPS author is very good about taking back changes into the main
 # CUPS distribution.  The correct place to send patches or bug-fixes is:
@ -8,7 +8,7 @@ DISTNAME=	cups-${DIST_VERS}-source
 PKGNAME=	cups-${DIST_VERS:S/-/./g}
 BASE_VERS=	1.4.3
 DIST_VERS=	${BASE_VERS}
-PKGREVISION=	5
+PKGREVISION=	6

 CATEGORIES=	print
 MASTER_SITES=	http://ftp.easysw.com/pub/cups/${BASE_VERS}/ \
--- a/print/cups/distinfo
+++ b/print/cups/distinfo
@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.72 2010/06/09 09:01:43 sbd Exp $
+$NetBSD: distinfo,v 1.73 2010/06/16 18:18:26 drochner Exp $

 SHA1 (cups-1.4.3-source.tar.bz2) = 0dd9e3d709614d26cce77728b9263556c94c9559
 RMD160 (cups-1.4.3-source.tar.bz2) = 6c5ab282405d6a1132163c727583f3a572307d88
@ -20,3 +20,7 @@ SHA1 (patch-an) = 231c871e31db279e8aeafba71506f93330e0a971
 SHA1 (patch-ao) = 7fe50080b9a6fd4dac186020f9351ef6000373c7
 SHA1 (patch-ap) = 70c5fa4a19ca2812818844180ca9db9cb7cfd601
 SHA1 (patch-at) = aee1f0e8cbcd9e2dbcfa9af3fb675ea7ce1ce622
+SHA1 (patch-ba) = a0c643a6d794a335e18155974123ef6e95a68743
+SHA1 (patch-bb) = 69fa95cdb1ee4ac6511dd8dfbba2349f625423a5
+SHA1 (patch-bc) = cf2e9458f31dd17ea65ebb12254e1ddeaf12e414
+SHA1 (patch-bd) = 885cd259b59d8a2c0d7c1cacfaf6fe2fe3f35053
--- a/print/cups/patches/patch-ba
+++ b/print/cups/patches/patch-ba
@ -0,0 +1,24 @@
+$NetBSD: patch-ba,v 1.3 2010/06/16 18:18:26 drochner Exp $
+
+--- scheduler/select.c.orig	2010-01-14 22:40:19.000000000 +0000
+++ scheduler/select.c
+@@ -454,7 +454,8 @@ cupsdDoSelect(long timeout)		/* I - Time
+     if (fdptr->read_cb && event->filter == EVFILT_READ)
+       (*(fdptr->read_cb))(fdptr->data);
+ 
+-    if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE)
+    if (fdptr->use > 1 && fdptr->write_cb && event->filter == EVFILT_WRITE &&
+	!cupsArrayFind(cupsd_inactive_fds, fdptr))
+       (*(fdptr->write_cb))(fdptr->data);
+ 
+     release_fd(fdptr);
+@@ -500,7 +501,8 @@ cupsdDoSelect(long timeout)		/* I - Time
+ 	  (*(fdptr->read_cb))(fdptr->data);
+ 
+ 	if (fdptr->use > 1 && fdptr->write_cb &&
+-	    (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)))
+	    (event->events & (EPOLLOUT | EPOLLERR | EPOLLHUP)) &&
+	    !cupsArrayFind(cupsd_inactive_fds, fdptr))
+ 	  (*(fdptr->write_cb))(fdptr->data);
+ 
+ 	release_fd(fdptr);
--- a/print/cups/patches/patch-bb
+++ b/print/cups/patches/patch-bb
@ -0,0 +1,14 @@
+$NetBSD: patch-bb,v 1.5 2010/06/16 18:18:26 drochner Exp $
+
+--- cgi-bin/var.c.orig	2010-02-08 17:33:31.000000000 +0000
+++ cgi-bin/var.c
+@@ -927,6 +927,9 @@ cgi_initialize_string(const char *data)	
+ 	    * Read the hex code...
+ 	    */
+ 
+	    if (!isxdigit(data[1] & 255) || !isxdigit(data[2] & 255))
+		return (0);
+
+             if (s < (value + sizeof(value) - 1))
+ 	    {
+               data ++;
--- a/print/cups/patches/patch-bc
+++ b/print/cups/patches/patch-bc
@ -0,0 +1,27 @@
+$NetBSD: patch-bc,v 1.3 2010/06/16 18:18:26 drochner Exp $
+
+--- filter/texttops.c.orig	2008-11-06 16:42:18.000000000 +0000
+++ filter/texttops.c
+@@ -181,8 +181,20 @@ WriteProlog(const char *title,		/* I - T
+     exit(1);
+   }
+ 
+-  Page    = calloc(sizeof(lchar_t *), SizeLines);
+-  Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines);
+  if ((Page = calloc(sizeof(lchar_t *), SizeLines)) == NULL)
+  {
+    _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),
+		    SizeColumns, SizeLines);
+    exit(1);
+  }
+
+  if ((Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines)) == NULL)
+  {
+    _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),
+		    SizeColumns, SizeLines);
+    exit(1);
+  }
+
+   for (i = 1; i < SizeLines; i ++)
+     Page[i] = Page[0] + i * SizeColumns;
+ 
--- a/print/cups/patches/patch-bd
+++ b/print/cups/patches/patch-bd
@ -0,0 +1,136 @@
+$NetBSD: patch-bd,v 1.3 2010/06/16 18:18:26 drochner Exp $
+
+--- cups/file.c.orig	2009-05-14 21:18:35.000000000 +0000
+++ cups/file.c
+@@ -59,6 +59,7 @@
+  */
+ 
+ #include "file-private.h"
+#include <sys/stat.h>
+ 
+ 
+ /*
+@@ -69,6 +70,7 @@
+ static ssize_t	cups_compress(cups_file_t *fp, const char *buf, size_t bytes);
+ #endif /* HAVE_LIBZ */
+ static ssize_t	cups_fill(cups_file_t *fp);
+static int cups_open(const char *filename, int mode);
+ static ssize_t	cups_read(cups_file_t *fp, char *buf, size_t bytes);
+ static ssize_t	cups_write(cups_file_t *fp, const char *buf, size_t bytes);
+ 
+@@ -827,7 +829,8 @@ cupsFileOpen(const char *filename,	/* I 
+   switch (*mode)
+   {
+     case 'a' : /* Append file */
+-        fd = open(filename, O_RDWR | O_CREAT | O_APPEND | O_LARGEFILE | O_BINARY, 0666);
+        fd = cups_open(filename,
+	O_RDWR | O_CREAT | O_APPEND | O_LARGEFILE | O_BINARY);
+         break;
+ 
+     case 'r' : /* Read file */
+@@ -835,7 +838,17 @@ cupsFileOpen(const char *filename,	/* I 
+ 	break;
+ 
+     case 'w' : /* Write file */
+-        fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT | O_LARGEFILE | O_BINARY, 0666);
+        fd = cups_open(filename, O_WRONLY | O_LARGEFILE | O_BINARY);
+ if (fd < 0 && errno == ENOENT)
+ {
+   fd = cups_open(filename,
+		  O_WRONLY | O_CREAT | O_EXCL | O_LARGEFILE | O_BINARY);
+   if (fd < 0 && errno == EEXIST)
+     fd = cups_open(filename, O_WRONLY | O_LARGEFILE | O_BINARY);
+ }
+
+ if (fd >= 0)
+   ftruncate(fd, 0);
+         break;
+ 
+     case 's' : /* Read/write socket */
+@@ -2207,6 +2220,86 @@ cups_fill(cups_file_t *fp)		/* I - CUPS 
+   return (bytes);
+ }
+ 
+/*
+ * 'cups_open()' - Safely open a file for writing.
+ *
+ * We don't allow appending to directories or files that are hard-linked or
+ * symlinked.
+ */
+
+static int /* O - File descriptor or -1 otherwise */
+cups_open(const char *filename, /* I - Filename */
+   int        mode) /* I - Open mode */
+{
+  int fd; /* File descriptor */
+  struct stat fileinfo; /* File information */
+#ifndef WIN32
+  struct stat linkinfo; /* Link information */
+#endif /* !WIN32 */
+
+
+ /*
+  * Open the file...
+  */
+
+  if ((fd = open(filename, mode, 0666)) < 0)
+    return (-1);
+
+ /*
+  * Then verify that the file descriptor doesn't point to a directory or hard-
+  * linked file.
+  */
+
+  if (fstat(fd, &fileinfo))
+  {
+    close(fd);
+    return (-1);
+  }
+
+  if (fileinfo.st_nlink != 1)
+  {
+    close(fd);
+    errno = EPERM;
+    return (-1);
+  }
+
+  if (S_ISDIR(fileinfo.st_mode))
+  {
+    close(fd);
+    errno = EISDIR;
+    return (-1);
+  }
+
+#ifndef WIN32
+ /*
+  * Then use lstat to determine whether the filename is a symlink...
+  */
+
+  if (lstat(filename, &linkinfo))
+  {
+    close(fd);
+    return (-1);
+  }
+
+  if (S_ISLNK(linkinfo.st_mode) ||
+      fileinfo.st_dev != linkinfo.st_dev ||
+      fileinfo.st_ino != linkinfo.st_ino ||
+      fileinfo.st_gen != linkinfo.st_gen ||
+      fileinfo.st_nlink != linkinfo.st_nlink ||
+      fileinfo.st_mode != linkinfo.st_mode)
+  {
+   /*
+    * Yes, don't allow!
+    */
+
+    close(fd);
+    errno = EPERM;
+    return (-1);
+  }
+#endif /* !WIN32 */
+
+  return (fd);
+}
+ 
+ /*
+  * 'cups_read()' - Read from a file descriptor.