Martin Pitt [2008-10-11 13:10 +0200]: > cups (1.3.8-1lenny2) unstable; urgency=high Whoops, forgot to attach debdiff, here it comes. Martin -- Martin Pitt | http://www.piware.de Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
diff -u cups-1.3.8/debian/changelog cups-1.3.8/debian/changelog
--- cups-1.3.8/debian/changelog
+++ cups-1.3.8/debian/changelog
@@ -1,3 +1,26 @@
+cups (1.3.8-1lenny2) unstable; urgency=high
+
+ * Urgency high due to security fixes.
+ * debian/control: Package development moved to bzr, update Vcs- tags.
+ * Add CVE-2008-3641_hpgl_filter_overflow.dpatch: Fix buffer overflow
+ triggered by invalid number of pens in the HPGL filter. (CVE-2008-3641,
+ STR #2911)
+ * Add CVE-2008-3639_sgi_filter_overflow.dpatch: Fix buffer overflow due to
+ unchecked boundary in the SGI filter. (CVE-2008-3639, STR #2918)
+ * Add CVE-2008-3640_texttops_overflow.dpatch: Fix buffer overflow by
+ specifying invalidly large or negative page metrics. (CVE-2008-3640,
+ STR #2919)
+ * Add hpgl-regression.dpatch: Revert the SP_select_pen() enumeration change
+ introduced in STR #2911, because it changes the color mapping (e. g. "SP1"
+ would now select a white pen instead of a black one, and "SP0" would not
+ be valid at all any more). Also fix a remaining off-by-one loop. (STR
+ #2966)
+ * Add admin-fr-translation.dpatch: Update the French admin.tmpl, to have the
+ missing "Find new printer" button and the "Subscriptions" section. Thanks
+ to Yves-Alexis Perez! (Closes: #475270)
+
+ -- Martin Pitt <mpitt@debian.org> Sat, 11 Oct 2008 12:53:30 +0200
+
cups (1.3.8-1lenny1) unstable; urgency=medium
Cherrypick bug fixes from trunk/experimental which need to go into Lenny.
diff -u cups-1.3.8/debian/control cups-1.3.8/debian/control
--- cups-1.3.8/debian/control
+++ cups-1.3.8/debian/control
@@ -13,8 +13,8 @@
Martin Pitt <mpitt@debian.org>, Roger Leigh <rleigh@debian.org>,
Martin-Éric Racine <q-funk@iki.fi>, Masayuki Hatta (mhatta) <mhatta@debian.org>,
Jeff Licquia <licquia@debian.org>
-Vcs-Svn: svn://svn.debian.org/svn/pkg-cups/cupsys/trunk
-Vcs-Browser: http://svn.debian.org/wsvn/pkg-cups/cupsys/trunk
+Vcs-Bzr: bzr+ssh://bzr.debian.org/pkg-cups/cups/lenny
+Vcs-Browser: http://bazaar.launchpad.net/~pitti/cups/debian-lenny
Package: libcups2
Priority: optional
diff -u cups-1.3.8/debian/patches/00list cups-1.3.8/debian/patches/00list
--- cups-1.3.8/debian/patches/00list
+++ cups-1.3.8/debian/patches/00list
@@ -2,6 +2,9 @@
manpage-typos.dpatch
pdftops-cups-1.4.dpatch
pdftops-dont_fail_on_cancel.dpatch
+CVE-2008-3641_hpgl_filter_overflow.dpatch
+CVE-2008-3639_sgi_filter_overflow.dpatch
+CVE-2008-3640_texttops_overflow.dpatch
# patches accepted and committed upstream
freebsd.dpatch
@@ -11,6 +14,8 @@
ppd-poll-with-client-conf.dpatch
# no answer yet, po4a might not be appropriate
manpage-translations.dpatch
+admin-fr-translation.dpatch
+hpgl-regression.dpatch
# Debian patches
removecvstag.dpatch
only in patch2:
unchanged:
--- cups-1.3.8.orig/debian/patches/admin-fr-translation.dpatch
+++ cups-1.3.8/debian/patches/admin-fr-translation.dpatch
@@ -0,0 +1,63 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## admin-fr-translation.dpatch by Yves-Alexis Perez <corsac@debian.org>
+##
+## DP: Update the French admin.tmpl, to have the missing "Find new printer"
+## DP: button and the "Subscriptions" section. (Debian #475270, STR #2963)
+@DPATCH@
+diff -urNad trunk~/templates/fr/admin.tmpl trunk/templates/fr/admin.tmpl
+--- trunk~/templates/fr/admin.tmpl 2007-03-19 17:01:28.000000000 +0100
++++ trunk/templates/fr/admin.tmpl 2008-10-09 10:25:11.000000000 +0200
+@@ -6,6 +6,9 @@
+ <P>
+ <A HREF="/admin?op=add-printer"><IMG
+ SRC="/images/button-add-printer.gif" ALT="Ajouter une imprimante" CLASS="button"></A>
++<A HREF="/admin?op=find-new-printers"><IMG
++SRC="/images/button-find-new-printers.gif"
++ALT="Trouver de nouvelles imprimantes" CLASS="button"></A>
+ <A HREF="/printers/"><IMG SRC="/images/button-manage-printers.gif"
+ ALT="Administrer les imprimantes" CLASS="button"></A>
+ {have_samba?<A HREF="/admin/?op=export-samba"><IMG
+@@ -13,13 +16,6 @@
+ CLASS="button"></A>:}
+ </P>
+
+-{#device_uri=0?:<P><B>Nouvelles imprimantes détectées:</B></P><UL>{[device_uri]
+-<LI><A HREF="/admin?op=add-printer&{device_options}"><IMG
+-SRC="/images/button-add-this-printer.gif" ALT="Ajouter cette imprimante" CLASS="button"
+-ALIGN="MIDDLE"></A>
+-{device_make_and_model} ({device_info})</LI>
+-}</UL>}
+-
+ <H2 CLASS="title">Classes</H2>
+
+ <P>
+@@ -67,10 +63,10 @@
+ imprimantes partagées par d'autres systèmes<BR>
+ <INPUT TYPE="CHECKBOX" NAME="SHARE_PRINTERS" {?share_printers}> Partager les
+ imprimantes publiques connectées à ce système<BR>
+- <INPUT TYPE="CHECKBOX" NAME="REMOTE_ANY" {?remote_any}> Allow printing from the Internet<BR>
++ <INPUT TYPE="CHECKBOX" NAME="REMOTE_ANY" {?remote_any}> Autoriser l'impression depuis Internet<BR>
+ <INPUT TYPE="CHECKBOX" NAME="REMOTE_ADMIN" {?remote_admin}> Autoriser
+ l'administration à distance<BR>
+-{have_gssapi?<INPUT TYPE="CHECKBOX" NAME="KERBEROS" {?kerberos}> Use Kerberos authentication<BR>:}
++{have_gssapi?<INPUT TYPE="CHECKBOX" NAME="KERBEROS" {?kerberos}> Utiliser l'identification par Kerberos<BR>:}
+ <INPUT TYPE="CHECKBOX" NAME="USER_CANCEL_ANY" {?user_cancel_any}> Autoriser les
+ utilisateurs à annuler n'importe quelle tâche ( pas seulement les leurs )<BR>
+ <INPUT TYPE="CHECKBOX" NAME="DEBUG_LOGGING" {?debug_logging}> Enregistrer les
+@@ -83,3 +79,16 @@
+
+ </TD></TR>
+ </TABLE>
++
++<H2 CLASS="title">Abonnements</H2>
++
++<P>
++<A HREF="/admin/?op=add-rss-subscription"><IMG SRC="/images/button-add-rss-subscription.gif" ALT="S'abonner au RSS" CLASS="button"></A>
++</P>
++
++{notify_subscription_id?<TABLE WIDTH="100%" CELLSPACING="0" CELLPADDING="0" SUMMARY="Abonnements RSS">
++<THEAD><TR CLASS="data"><TH>ID</TH><TH>Nom</TH><TH>?v?nements</TH><TH>File</TH></TR></THEAD>
++<TBODY>{[notify_subscription_id]
++<TR><TD><A HREF="{notify_recipient_uri}">{notify_subscription_id}</A></TD><TD NOWRAP><A HREF="{notify_recipient_uri}">{notify_recipient_name}</A> <A HREF="/admin/?op=cancel-subscription&notify_subscription_id={notify_subscription_id}"><IMG SRC="/images/button-cancel-subscription.gif" CLASS="button" ALT="Cancel RSS Subscription"></A> </TD><TD>{notify_events}</TD><TD NOWRAP> {notify_printer_name?{notify_printer_name}:All Queues}</TD></TR>}
++</TBODY>
++</TABLE>:}
only in patch2:
unchanged:
--- cups-1.3.8.orig/debian/patches/hpgl-regression.dpatch
+++ cups-1.3.8/debian/patches/hpgl-regression.dpatch
@@ -0,0 +1,29 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## hpgl-regression.dpatch by Martin Pitt <mpitt@debian.org>
+##
+## DP: Revert the SP_select_pen() enumeration change introduced in STR #2911,
+## DP: because it changes the color mapping (e. g. "SP1" would now select a
+## DP: white pen instead of a black one, and "SP0" would not be valid at all
+## DP: any more). Also fix a remaining off-by-one loop. (STR #2966)
+@DPATCH@
+diff -urNad trunk~/filter/hpgl-attr.c trunk/filter/hpgl-attr.c
+--- trunk~/filter/hpgl-attr.c 2008-10-09 22:12:03.000000000 +0200
++++ trunk/filter/hpgl-attr.c 2008-10-10 10:55:46.000000000 +0200
+@@ -214,7 +214,7 @@
+ "DEBUG: HP-GL/2 \'NP\' command with invalid number of "
+ "parameters (%d)!\n", num_params);
+
+- for (i = 0; i <= PenCount; i ++)
++ for (i = 0; i < PenCount; i ++)
+ Pens[i].width = PenWidth;
+
+ PC_pen_color(0, NULL);
+@@ -433,7 +433,7 @@
+ fprintf(stderr, "DEBUG: HP-GL/2 \'SP\' command with invalid pen (%d)!\n",
+ (int)params[0].value.number);
+ else
+- PenNumber = (int)params[0].value.number - 1;
++ PenNumber = (int)params[0].value.number;
+
+ if (PageDirty)
+ printf("%.3f %.3f %.3f %.2f SP\n", Pens[PenNumber].rgb[0],
only in patch2:
unchanged:
--- cups-1.3.8.orig/debian/patches/CVE-2008-3640_texttops_overflow.dpatch
+++ cups-1.3.8/debian/patches/CVE-2008-3640_texttops_overflow.dpatch
@@ -0,0 +1,90 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2008-3640_texttops_overflow.dpatch by Martin Pitt <mpitt@debian.org>
+##
+## DP: Fix buffer overflow by specifying invalidly large or negative page
+## DP: metrics. (CVE-2008-3640, STR #2919)
+
+@DPATCH@
+diff -urNad lenny~/filter/textcommon.c lenny/filter/textcommon.c
+--- lenny~/filter/textcommon.c 2008-07-12 00:48:49.000000000 +0200
++++ lenny/filter/textcommon.c 2008-10-08 09:15:55.000000000 +0200
+@@ -3,7 +3,7 @@
+ *
+ * Common text filter routines for the Common UNIX Printing System (CUPS).
+ *
+- * Copyright 2007 by Apple Inc.
++ * Copyright 2007-2008 by Apple Inc.
+ * Copyright 1997-2007 by Easy Software Products.
+ *
+ * These coded instructions, statements, and computer programs are the
+@@ -605,14 +605,38 @@
+ !strcasecmp(val, "yes");
+
+ if ((val = cupsGetOption("columns", num_options, options)) != NULL)
++ {
+ PageColumns = atoi(val);
+
++ if (PageColumns < 1)
++ {
++ _cupsLangPrintf(stderr, _("ERROR: Bad columns value %d!\n"), PageColumns);
++ return (1);
++ }
++ }
++
+ if ((val = cupsGetOption("cpi", num_options, options)) != NULL)
++ {
+ CharsPerInch = atof(val);
+
++ if (CharsPerInch <= 0.0)
++ {
++ _cupsLangPrintf(stderr, _("ERROR: Bad cpi value %f!\n"), CharsPerInch);
++ return (1);
++ }
++ }
++
+ if ((val = cupsGetOption("lpi", num_options, options)) != NULL)
++ {
+ LinesPerInch = atof(val);
+
++ if (LinesPerInch <= 0.0)
++ {
++ _cupsLangPrintf(stderr, _("ERROR: Bad lpi value %f!\n"), LinesPerInch);
++ return (1);
++ }
++ }
++
+ if (PrettyPrint)
+ PageTop -= 216.0f / LinesPerInch;
+
+diff -urNad lenny~/filter/texttops.c lenny/filter/texttops.c
+--- lenny~/filter/texttops.c 2008-07-12 00:48:49.000000000 +0200
++++ lenny/filter/texttops.c 2008-10-08 09:15:55.000000000 +0200
+@@ -173,6 +173,14 @@
+ SizeColumns = (PageRight - PageLeft) / 72.0 * CharsPerInch;
+ SizeLines = (PageTop - PageBottom) / 72.0 * LinesPerInch;
+
++ if (SizeColumns <= 0 || SizeColumns > 32767 ||
++ SizeLines <= 0 || SizeLines > 32767)
++ {
++ _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),
++ SizeColumns, SizeLines);
++ exit(1);
++ }
++
+ Page = calloc(sizeof(lchar_t *), SizeLines);
+ Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines);
+ for (i = 1; i < SizeLines; i ++)
+@@ -187,6 +195,13 @@
+ else
+ ColumnWidth = SizeColumns;
+
++ if (ColumnWidth <= 0)
++ {
++ _cupsLangPrintf(stderr, _("ERROR: Unable to print %d text columns!\n"),
++ PageColumns);
++ exit(1);
++ }
++
+ /*
+ * Output the DSC header...
+ */
only in patch2:
unchanged:
--- cups-1.3.8.orig/debian/patches/CVE-2008-3641_hpgl_filter_overflow.dpatch
+++ cups-1.3.8/debian/patches/CVE-2008-3641_hpgl_filter_overflow.dpatch
@@ -0,0 +1,136 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2008-3641_hpgl_filter_overflow.dpatch by Martin Pitt <mpitt@debian.org>
+##
+## DP: Fix buffer overflow triggered by invalid number of pens in the HPGL
+## DP: filter. (CVE-2008-3641, STR #2911)
+
+@DPATCH@
+diff -urNad lenny~/filter/hpgl-attr.c lenny/filter/hpgl-attr.c
+--- lenny~/filter/hpgl-attr.c 2008-07-12 00:48:49.000000000 +0200
++++ lenny/filter/hpgl-attr.c 2008-10-08 08:58:40.000000000 +0200
+@@ -197,8 +197,18 @@
+
+ if (num_params == 0)
+ PenCount = 8;
+- else if (num_params == 1 && params[0].value.number <= 1024)
+- PenCount = (int)params[0].value.number;
++ else if (num_params == 1)
++ {
++ if (params[0].value.number < 1 || params[0].value.number > MAX_PENS)
++ {
++ fprintf(stderr,
++ "DEBUG: HP-GL/2 \'NP\' command with invalid number of "
++ "pens (%d)!\n", (int)params[0].value.number);
++ PenCount = 8;
++ }
++ else
++ PenCount = (int)params[0].value.number;
++ }
+ else
+ fprintf(stderr,
+ "DEBUG: HP-GL/2 \'NP\' command with invalid number of "
+@@ -235,7 +245,7 @@
+
+ if (num_params == 0)
+ {
+- for (i = 0; i <= PenCount; i ++)
++ for (i = 0; i < PenCount; i ++)
+ if (i < 8)
+ {
+ Pens[i].rgb[0] = standard_colors[i][0];
+@@ -256,7 +266,14 @@
+ }
+ else if (num_params == 1 || num_params == 4)
+ {
+- i = (int)params[0].value.number;
++ i = (int)params[0].value.number - 1;
++
++ if (i < 0 || i >= PenCount)
++ {
++ fprintf(stderr,
++ "DEBUG: HP-GL/2 \'PC\' command with invalid pen (%d)!\n", i + 1);
++ return;
++ }
+
+ if (num_params == 1)
+ {
+@@ -330,7 +347,15 @@
+
+ if (num_params == 2)
+ {
+- pen = (int)params[1].value.number;
++ pen = (int)params[1].value.number - 1;
++
++ if (pen < 0 || pen >= PenCount)
++ {
++ fprintf(stderr,
++ "DEBUG: HP-GL/2 \'PW\' command with invalid pen (%d)!\n",
++ pen + 1);
++ return;
++ }
+
+ Pens[pen].width = w;
+
+@@ -345,7 +370,7 @@
+ * Set width for all pens...
+ */
+
+- for (pen = 0; pen <= PenCount; pen ++)
++ for (pen = 0; pen < PenCount; pen ++)
+ Pens[pen].width = w;
+
+ if (PageDirty)
+@@ -399,14 +424,16 @@
+ param_t *params) /* I - Parameters */
+ {
+ if (num_params == 0)
+- PenNumber = 1;
+- else if (params[0].value.number <= PenCount)
+- PenNumber = (int)params[0].value.number;
+- else
++ PenNumber = 0;
++ else if (num_params > 1)
+ fprintf(stderr,
+- "DEBUG: HP-GL/2 \'SP\' command with invalid number or value "
+- "of parameters (%d, %d)!\n", num_params,
++ "DEBUG: HP-GL/2 \'SP\' command with invalid number of parameters "
++ "(%d)!\n", num_params);
++ else if (params[0].value.number <= 0 || params[0].value.number >= PenCount)
++ fprintf(stderr, "DEBUG: HP-GL/2 \'SP\' command with invalid pen (%d)!\n",
+ (int)params[0].value.number);
++ else
++ PenNumber = (int)params[0].value.number - 1;
+
+ if (PageDirty)
+ printf("%.3f %.3f %.3f %.2f SP\n", Pens[PenNumber].rgb[0],
+diff -urNad lenny~/filter/hpgltops.h lenny/filter/hpgltops.h
+--- lenny~/filter/hpgltops.h 2008-07-12 00:48:49.000000000 +0200
++++ lenny/filter/hpgltops.h 2008-10-08 08:58:40.000000000 +0200
+@@ -26,6 +26,14 @@
+ # define M_PI 3.14159265358979323846
+ #endif /* M_PI */
+
++
++/*
++ * Maximum number of pens we emulate...
++ */
++
++#define MAX_PENS 1024
++
++
+ /*
+ * Parameter value structure...
+ */
+@@ -108,10 +116,10 @@
+ /* Current pen position */
+ PenScaling VALUE(1.0f), /* Pen width scaling factor */
+ PenWidth VALUE(1.0f); /* Default pen width */
+-VAR pen_t Pens[1024]; /* State of each pen */
++VAR pen_t Pens[MAX_PENS]; /* State of each pen */
+ VAR int PenMotion VALUE(0), /* 0 = absolute, 1 = relative */
+ PenValid VALUE(0), /* 1 = valid position, 0 = undefined */
+- PenNumber VALUE(1), /* Current pen number */
++ PenNumber VALUE(0), /* Current pen number */
+ PenCount VALUE(8), /* Number of pens */
+ PenDown VALUE(0), /* 0 = pen up, 1 = pen down */
+ PolygonMode VALUE(0), /* Drawing polygons? */
only in patch2:
unchanged:
--- cups-1.3.8.orig/debian/patches/CVE-2008-3639_sgi_filter_overflow.dpatch
+++ cups-1.3.8/debian/patches/CVE-2008-3639_sgi_filter_overflow.dpatch
@@ -0,0 +1,43 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2008-3639_sgi_filter_overflow.dpatch by Martin Pitt <mpitt@debian.org>
+##
+## DP: Fix buffer overflow due to unchecked boundary in the SGI filter.
+## DP: (CVE-2008-3639, STR #2918)
+@DPATCH@
+diff -urNad lenny~/filter/image-sgilib.c lenny/filter/image-sgilib.c
+--- lenny~/filter/image-sgilib.c 2008-07-12 00:48:49.000000000 +0200
++++ lenny/filter/image-sgilib.c 2008-10-08 09:07:25.000000000 +0200
+@@ -640,13 +640,14 @@
+ if (ch & 128)
+ {
+ for (i = 0; i < count; i ++, row ++, xsize --, length ++)
+- *row = getc(fp);
++ if (xsize > 0)
++ *row = getc(fp);
+ }
+ else
+ {
+ ch = getc(fp);
+ length ++;
+- for (i = 0; i < count; i ++, row ++, xsize --)
++ for (i = 0; i < count && xsize > 0; i ++, row ++, xsize --)
+ *row = ch;
+ }
+ }
+@@ -685,13 +686,14 @@
+ if (ch & 128)
+ {
+ for (i = 0; i < count; i ++, row ++, xsize --, length ++)
+- *row = getshort(fp);
++ if (xsize > 0)
++ *row = getshort(fp);
+ }
+ else
+ {
+ ch = getshort(fp);
+ length ++;
+- for (i = 0; i < count; i ++, row ++, xsize --)
++ for (i = 0; i < count && xsize > 0; i ++, row ++, xsize --)
+ *row = ch;
+ }
+ }
Attachment:
signature.asc
Description: Digital signature