tags 448866 patch thanks Hi Attached you will find an upstream patch from the 1.3 branch. I believe the patch is complete, although I have not verified that yet; I suspect Red Hat missed some parts in its advisory. I still have to test it properly, but feel free to review. Cheers Steffen
diff -u cupsys-1.3.2/debian/changelog cupsys-1.3.2/debian/changelog
--- cupsys-1.3.2/debian/changelog
+++ cupsys-1.3.2/debian/changelog
@@ -1,3 +1,12 @@
+cupsys (1.3.2-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the testing-security team
+ * Include patch to fix off-by-one error in cups/ipp.c to prevent
+ possible DoS attack (Closes: #448866)
+ Fixes: CVE-2007-4351
+
+ -- Steffen Joeris <white@debian.org> Sat, 03 Nov 2007 06:43:25 +0000
+
cupsys (1.3.2-1) unstable; urgency=low
* New upstream bug fix release.
diff -u cupsys-1.3.2/debian/patches/00list cupsys-1.3.2/debian/patches/00list
--- cupsys-1.3.2/debian/patches/00list
+++ cupsys-1.3.2/debian/patches/00list
@@ -15,0 +16 @@
+CVE-2007-4351.dpatch
only in patch2:
unchanged:
--- cupsys-1.3.2.orig/debian/patches/CVE-2007-4351.dpatch
+++ cupsys-1.3.2/debian/patches/CVE-2007-4351.dpatch
@@ -0,0 +1,230 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-4351.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixes off-by-one error
+
+@DPATCH@
+--- cupsys-1.3.2/cups/ipp.c 2007-07-11 21:46:42.000000000 +0000
++++ cupsys-1.3.2/cups/ipp.c 2007-10-31 18:35:56.000000000 +0000
+@@ -1,5 +1,5 @@
+ /*
+- * "$Id: ipp.c 6649 2007-07-11 21:46:42Z mike $"
++ * "$Id$"
+ *
+ * Internet Printing Protocol support functions for the Common UNIX
+ * Printing System (CUPS).
+@@ -1014,8 +1014,10 @@
+ ipp_t *ipp) /* I - IPP data */
+ {
+ int n; /* Length of data */
+- unsigned char buffer[32768], /* Data buffer */
+- string[255], /* Small string buffer */
++ unsigned char buffer[IPP_MAX_LENGTH],
++ /* Data buffer */
++ string[IPP_MAX_NAME],
++ /* Small string buffer */
+ *bufptr; /* Pointer into buffer */
+ ipp_attribute_t *attr; /* Current attribute */
+ ipp_tag_t tag; /* Current tag */
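Review bot: `buffer[IPP_MAX_LENGTH]` is one byte too small for a maximum-length value: the string cases added further down accept `n` only while `n < sizeof(buffer)` and then store a terminating NUL at `buffer[n]`, so a 32767-byte value, the longest the 2-byte length field allows according to the ippWriteIO comment updated later in this patch, is now rejected with IPP_ERROR instead of being read. Sizing the array as `unsigned char buffer[IPP_MAX_LENGTH + 2],` (room for a length field plus the terminator), the same size this patch gives ippWriteIO's buffer, keeps every new bounds check as written and still admits the full range a conforming client may send. The choice of size deserves a comment either way, e.g. `/* value + NUL; all n checks below are n < sizeof(buffer) */`. ippReadIO's signature begins before this hunk and its body runs well past it.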
+@@ -1306,6 +1308,12 @@
+ {
+ case IPP_TAG_INTEGER :
+ case IPP_TAG_ENUM :
++ if (n != 4)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 4) < 4)
+ {
+ DEBUG_puts("ippReadIO: Unable to read integer value!");
+@@ -1318,6 +1326,12 @@
+ value->integer = n;
+ break;
+ case IPP_TAG_BOOLEAN :
++ if (n != 1)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 1) < 1)
+ {
+ DEBUG_puts("ippReadIO: Unable to read boolean value!");
+@@ -1335,6 +1349,12 @@
+ case IPP_TAG_CHARSET :
+ case IPP_TAG_LANGUAGE :
+ case IPP_TAG_MIMETYPE :
++ if (n >= sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, n) < n)
+ {
+ DEBUG_puts("ippReadIO: unable to read name!");
+@@ -1347,6 +1367,12 @@
+ value->string.text));
+ break;
+ case IPP_TAG_DATE :
++ if (n != 11)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, value->date, 11) < 11)
+ {
+ DEBUG_puts("ippReadIO: Unable to date integer value!");
+@@ -1354,6 +1380,12 @@
+ }
+ break;
+ case IPP_TAG_RESOLUTION :
++ if (n != 9)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 9) < 9)
+ {
+ DEBUG_puts("ippReadIO: Unable to read resolution value!");
+@@ -1370,6 +1402,12 @@
+ (ipp_res_t)buffer[8];
+ break;
+ case IPP_TAG_RANGE :
++ if (n != 8)
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, 8) < 8)
+ {
+ DEBUG_puts("ippReadIO: Unable to read range value!");
+@@ -1385,7 +1423,7 @@
+ break;
+ case IPP_TAG_TEXTLANG :
+ case IPP_TAG_NAMELANG :
+- if (n > sizeof(buffer) || n < 4)
++ if (n >= sizeof(buffer) || n < 4)
+ {
+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ return (IPP_ERROR);
+@@ -1411,22 +1449,27 @@
+
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if (n >= sizeof(string))
++ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
++ n >= sizeof(string))
+ {
+- memcpy(string, bufptr + 2, sizeof(string) - 1);
+- string[sizeof(string) - 1] = '\0';
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
+ }
+- else
+- {
+- memcpy(string, bufptr + 2, n);
+- string[n] = '\0';
+- }
++
++ memcpy(string, bufptr + 2, n);
++ string[n] = '\0';
+
+ value->string.charset = _cupsStrAlloc((char *)string);
+
+ bufptr += 2 + n;
+ n = (bufptr[0] << 8) | bufptr[1];
+
++ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ bufptr[2 + n] = '\0';
+ value->string.text = _cupsStrAlloc((char *)bufptr + 2);
+ break;
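Review bot: The first bound check, `if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||`, reserves room for the charset bytes but not for the two length bytes of the text that are read right after `bufptr += 2 + n;`, so when the charset ends exactly on the last byte of `buffer` the new `bufptr[1]` is read one byte past the array before the second check rejects the value. Reserving that length field in the first check closes the over-read: `if ((bufptr + 2 + n + 2) > (buffer + sizeof(buffer)) ||` with the rest of the condition unchanged. Both checks also bound the inner lengths only against `sizeof(buffer)`, not against the number of bytes actually read for this value (that earlier `n` is overwritten on the first line of the hunk), so a crafted value can presumably make the charset or text run into stale bytes of `buffer` left by a previous attribute; worth confirming from the code above the hunk and, if so, keeping the outer length in a separate variable and checking against it. Forming `bufptr + 2 + n` before the comparison is pointer arithmetic past the end of `buffer` precisely when the check is meant to fail, which is formally undefined; comparing offsets, `(bufptr - buffer) + 2 + n + 2 > sizeof(buffer)`, avoids relying on the compiler tolerating it. ippReadIO's body continues outside the hunk.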
+@@ -1468,6 +1511,12 @@
+ * we need to carry over...
+ */
+
++ if (n >= sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ if ((*cb)(src, buffer, n) < n)
+ {
+ DEBUG_puts("ippReadIO: Unable to read member name value!");
+@@ -1489,6 +1538,12 @@
+ break;
+
+ default : /* Other unsupported values */
++ if (n > sizeof(buffer))
++ {
++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++ return (IPP_ERROR);
++ }
++
+ value->unknown.length = n;
+ if (n > 0)
+ {
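Review bot: The new guard `if (n > sizeof(buffer))` uses `>` where every other length check added in this patch uses `>=`. If the bytes in the lines below the hunk are read into a separately allocated `value->unknown.data` of exactly `n` bytes, that is correct, since no terminator is appended; if they pass through `buffer` first, `n == sizeof(buffer)` is another off-by-one and the test should read `n >= sizeof(buffer)`. Either way a short comment such as `/* stored in value->unknown without a NUL, so n == sizeof(buffer) is fine */` would stop the next reader from "fixing" it to match the others. The switch and ippReadIO continue past the hunk.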
+@@ -1627,7 +1682,8 @@
+ {
+ int i; /* Looping var */
+ int n; /* Length of data */
+- unsigned char buffer[32768], /* Data buffer */
++ unsigned char buffer[IPP_MAX_LENGTH + 2],
++ /* Data buffer + length bytes */
+ *bufptr; /* Pointer into buffer */
+ ipp_attribute_t *attr; /* Current attribute */
+ ipp_value_t *value; /* Current value */
+@@ -1947,7 +2003,7 @@
+ /*
+ * All simple strings consist of the 2-byte length and
+ * character data without the trailing nul normally found
+- * in C strings. Also, strings cannot be longer than 32767
++ * in C strings. Also, strings cannot be longer than IPP_MAX_LENGTH
+ * bytes since the 2-byte length is a signed (twos-complement)
+ * value.
+ *
+@@ -2826,5 +2882,5 @@
+
+
+ /*
+- * End of "$Id: ipp.c 6649 2007-07-11 21:46:42Z mike $".
++ * End of "$Id$".
+ */
+--- cupsys-1.3.2/cups/ipp.h 2007-07-11 21:46:42.000000000 +0000
++++ cupsys-1.3.2/cups/ipp.h 2007-10-31 18:35:56.000000000 +0000
+@@ -1,5 +1,5 @@
+ /*
+- * "$Id: ipp.h 6649 2007-07-11 21:46:42Z mike $"
++ * "$Id$"
+ *
+ * Internet Printing Protocol definitions for the Common UNIX Printing
+ * System (CUPS).
+@@ -55,7 +55,8 @@
+ * Common limits...
+ */
+
+-# define IPP_MAX_NAME 256
++# define IPP_MAX_LENGTH 32767 /* Maximum size of any single value */
++# define IPP_MAX_NAME 256 /* Maximum length of common name values */
+ # define IPP_MAX_VALUES 8 /* Power-of-2 allocation increment */
+
+
+@@ -492,5 +493,5 @@
+ #endif /* !_CUPS_IPP_H_ */
+
+ /*
+- * End of "$Id: ipp.h 6649 2007-07-11 21:46:42Z mike $".
++ * End of "$Id$".
+ */