poky/meta/recipes-extended/cups/cups/CVE-2020-10001.patch - stefanberger/openbmc - Gitiles

 From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
 From: Michael R Sweet <msweet@msweet.org>
 Date: Mon, 1 Feb 2021 15:02:32 -0500
 Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)

 Upstream-Status: Backport
 CVE: CVE-2020-10001

 Reference to upstream patch:
 [https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9]

 [SG: Addapted for version 2.3.3]
 Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
 ---
  CHANGES.md | 2 ++
  cups/ipp.c | 8 +++++---
  2 files changed, 7 insertions(+), 3 deletions(-)

 diff --git a/CHANGES.md b/CHANGES.md
 index df72892..5ca12da 100644
 --- a/CHANGES.md
 +++ b/CHANGES.md
 @@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24
  Changes in CUPS v2.3.3
  ----------------------

 +- Security: Fixed a buffer (read) overflow in the `ippReadIO` function
 +  (CVE-2020-10001)
  - CVE-2020-3898: The `ppdOpen` function did not handle invalid UI
    constraint.  `ppdcSource::get_resolution` function did not handle
    invalid resolution strings.
 diff --git a/cups/ipp.c b/cups/ipp.c
 index 3d52934..adbb26f 100644
 --- a/cups/ipp.c
 +++ b/cups/ipp.c
 @@ -2866,7 +2866,8 @@ ippReadIO(void       *src,		/* I - Data source */
    unsigned char		*buffer,	/* Data buffer */
  			string[IPP_MAX_TEXT],
  					/* Small string buffer */
 -			*bufptr;	/* Pointer into buffer */
 +			*bufptr,	/* Pointer into buffer */
 +			*bufend;	/* End of buffer */
    ipp_attribute_t	*attr;		/* Current attribute */
    ipp_tag_t		tag;		/* Current tag */
    ipp_tag_t		value_tag;	/* Current value tag */
 @@ -3441,6 +3442,7 @@ ippReadIO(void       *src,		/* I - Data source */
  		}

                  bufptr = buffer;
 +                bufend = buffer + n;

  	       /*
  	        * text-with-language and name-with-language are composite
 @@ -3454,7 +3456,7 @@ ippReadIO(void       *src,		/* I - Data source */

  		n = (bufptr[0] << 8) | bufptr[1];

 -		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
 +		if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
  		{
  		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
  		                _("IPP language length overflows value."), 1);
 @@ -3481,7 +3483,7 @@ ippReadIO(void       *src,		/* I - Data source */
                  bufptr += 2 + n;
  		n = (bufptr[0] << 8) | bufptr[1];

 -		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
 +		if ((bufptr + 2 + n) > bufend)
  		{
  		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
  		                _("IPP string length overflows value."), 1);
 --
 2.17.1
	From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
	From: Michael R Sweet <msweet@msweet.org>
	Date: Mon, 1 Feb 2021 15:02:32 -0500
	Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)

	Upstream-Status: Backport
	CVE: CVE-2020-10001

	Reference to upstream patch:
	[https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9]

	[SG: Addapted for version 2.3.3]
	Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
	---
	CHANGES.md \| 2 ++
	cups/ipp.c \| 8 +++++---
	2 files changed, 7 insertions(+), 3 deletions(-)

	diff --git a/CHANGES.md b/CHANGES.md
	index df72892..5ca12da 100644
	--- a/CHANGES.md
	+++ b/CHANGES.md
	@@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24
	Changes in CUPS v2.3.3
	----------------------

	+- Security: Fixed a buffer (read) overflow in the `ippReadIO` function
	+ (CVE-2020-10001)
	- CVE-2020-3898: The `ppdOpen` function did not handle invalid UI
	constraint. `ppdcSource::get_resolution` function did not handle
	invalid resolution strings.
	diff --git a/cups/ipp.c b/cups/ipp.c
	index 3d52934..adbb26f 100644
	--- a/cups/ipp.c
	+++ b/cups/ipp.c
	@@ -2866,7 +2866,8 @@ ippReadIO(void src, / I - Data source */
	unsigned char buffer, / Data buffer */
	string[IPP_MAX_TEXT],
	/* Small string buffer */
	- bufptr; / Pointer into buffer */
	+ bufptr, / Pointer into buffer */
	+ bufend; / End of buffer */
	ipp_attribute_t attr; / Current attribute */
	ipp_tag_t tag; /* Current tag */
	ipp_tag_t value_tag; /* Current value tag */
	@@ -3441,6 +3442,7 @@ ippReadIO(void src, / I - Data source */
	}

	bufptr = buffer;
	+ bufend = buffer + n;

	/*
	* text-with-language and name-with-language are composite
	@@ -3454,7 +3456,7 @@ ippReadIO(void src, / I - Data source */

	n = (bufptr[0] << 8) \| bufptr[1];

	- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) \|\| n >= (int)sizeof(string))
	+ if ((bufptr + 2 + n + 2) > bufend \|\| n >= (int)sizeof(string))
	{
	_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
	_("IPP language length overflows value."), 1);
	@@ -3481,7 +3483,7 @@ ippReadIO(void src, / I - Data source */
	bufptr += 2 + n;
	n = (bufptr[0] << 8) \| bufptr[1];

	- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
	+ if ((bufptr + 2 + n) > bufend)
	{
	_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
	_("IPP string length overflows value."), 1);
	--
	2.17.1