Martin Pitt [2008-10-11 13:10 +0200]: > cups (1.3.8-1lenny2) unstable; urgency=high Whoops, forgot to attach debdiff, here it comes. Martin -- Martin Pitt | http://www.piware.de Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
diff -u cups-1.3.8/debian/changelog cups-1.3.8/debian/changelog --- cups-1.3.8/debian/changelog +++ cups-1.3.8/debian/changelog @@ -1,3 +1,26 @@ +cups (1.3.8-1lenny2) unstable; urgency=high + + * Urgency high due to security fixes. + * debian/control: Package development moved to bzr, update Vcs- tags. + * Add CVE-2008-3641_hpgl_filter_overflow.dpatch: Fix buffer overflow + triggered by invalid number of pens in the HPGL filter. (CVE-2008-3641, + STR #2911) + * Add CVE-2008-3639_sgi_filter_overflow.dpatch: Fix buffer overflow due to + unchecked boundary in the SGI filter. (CVE-2008-3639, STR #2918) + * Add CVE-2008-3640_texttops_overflow.dpatch: Fix buffer overflow by + specifying invalidly large or negative page metrics. (CVE-2008-3640, + STR #2919) + * Add hpgl-regression.dpatch: Revert the SP_select_pen() enumeration change + introduced in STR #2911, because it changes the color mapping (e. g. "SP1" + would now select a white pen instead of a black one, and "SP0" would not + be valid at all any more). Also fix a remaining off-by-one loop. (STR + #2966) + * Add admin-fr-translation.dpatch: Update the French admin.tmpl, to have the + missing "Find new printer" button and the "Subscriptions" section. Thanks + to Yves-Alexis Perez! (Closes: #475270) + + -- Martin Pitt <mpitt@debian.org> Sat, 11 Oct 2008 12:53:30 +0200 + cups (1.3.8-1lenny1) unstable; urgency=medium Cherrypick bug fixes from trunk/experimental which need to go into Lenny. diff -u cups-1.3.8/debian/control cups-1.3.8/debian/control --- cups-1.3.8/debian/control +++ cups-1.3.8/debian/control @@ -13,8 +13,8 @@ Martin Pitt <mpitt@debian.org>, Roger Leigh <rleigh@debian.org>, Martin-Éric Racine <q-funk@iki.fi>, Masayuki Hatta (mhatta) <mhatta@debian.org>, Jeff Licquia <licquia@debian.org> -Vcs-Svn: svn://svn.debian.org/svn/pkg-cups/cupsys/trunk -Vcs-Browser: http://svn.debian.org/wsvn/pkg-cups/cupsys/trunk +Vcs-Bzr: bzr+ssh://bzr.debian.org/pkg-cups/cups/lenny +Vcs-Browser: http://bazaar.launchpad.net/~pitti/cups/debian-lenny Package: libcups2 Priority: optional diff -u cups-1.3.8/debian/patches/00list cups-1.3.8/debian/patches/00list --- cups-1.3.8/debian/patches/00list +++ cups-1.3.8/debian/patches/00list @@ -2,6 +2,9 @@ manpage-typos.dpatch pdftops-cups-1.4.dpatch pdftops-dont_fail_on_cancel.dpatch +CVE-2008-3641_hpgl_filter_overflow.dpatch +CVE-2008-3639_sgi_filter_overflow.dpatch +CVE-2008-3640_texttops_overflow.dpatch # patches accepted and committed upstream freebsd.dpatch @@ -11,6 +14,8 @@ ppd-poll-with-client-conf.dpatch # no answer yet, po4a might not be appropriate manpage-translations.dpatch +admin-fr-translation.dpatch +hpgl-regression.dpatch # Debian patches removecvstag.dpatch only in patch2: unchanged: --- cups-1.3.8.orig/debian/patches/admin-fr-translation.dpatch +++ cups-1.3.8/debian/patches/admin-fr-translation.dpatch @@ -0,0 +1,63 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## admin-fr-translation.dpatch by Yves-Alexis Perez <corsac@debian.org> +## +## DP: Update the French admin.tmpl, to have the missing "Find new printer" +## DP: button and the "Subscriptions" section. (Debian #475270, STR #2963) +@DPATCH@ +diff -urNad trunk~/templates/fr/admin.tmpl trunk/templates/fr/admin.tmpl +--- trunk~/templates/fr/admin.tmpl 2007-03-19 17:01:28.000000000 +0100 ++++ trunk/templates/fr/admin.tmpl 2008-10-09 10:25:11.000000000 +0200 +@@ -6,6 +6,9 @@ + <P> + <A HREF="/admin?op=add-printer"><IMG + SRC="/images/button-add-printer.gif" ALT="Ajouter une imprimante" CLASS="button"></A> ++<A HREF="/admin?op=find-new-printers"><IMG ++SRC="/images/button-find-new-printers.gif" ++ALT="Trouver de nouvelles imprimantes" CLASS="button"></A> + <A HREF="/printers/"><IMG SRC="/images/button-manage-printers.gif" + ALT="Administrer les imprimantes" CLASS="button"></A> + {have_samba?<A HREF="/admin/?op=export-samba"><IMG +@@ -13,13 +16,6 @@ + CLASS="button"></A>:} + </P> + +-{#device_uri=0?:<P><B>Nouvelles imprimantes détectées:</B></P><UL>{[device_uri] +-<LI><A HREF="/admin?op=add-printer&{device_options}"><IMG +-SRC="/images/button-add-this-printer.gif" ALT="Ajouter cette imprimante" CLASS="button" +-ALIGN="MIDDLE"></A> +-{device_make_and_model} ({device_info})</LI> +-}</UL>} +- + <H2 CLASS="title">Classes</H2> + + <P> +@@ -67,10 +63,10 @@ + imprimantes partagées par d'autres systèmes<BR> + <INPUT TYPE="CHECKBOX" NAME="SHARE_PRINTERS" {?share_printers}> Partager les + imprimantes publiques connectées à ce système<BR> +- <INPUT TYPE="CHECKBOX" NAME="REMOTE_ANY" {?remote_any}> Allow printing from the Internet<BR> ++ <INPUT TYPE="CHECKBOX" NAME="REMOTE_ANY" {?remote_any}> Autoriser l'impression depuis Internet<BR> + <INPUT TYPE="CHECKBOX" NAME="REMOTE_ADMIN" {?remote_admin}> Autoriser + l'administration à distance<BR> +-{have_gssapi?<INPUT TYPE="CHECKBOX" NAME="KERBEROS" {?kerberos}> Use Kerberos authentication<BR>:} ++{have_gssapi?<INPUT TYPE="CHECKBOX" NAME="KERBEROS" {?kerberos}> Utiliser l'identification par Kerberos<BR>:} + <INPUT TYPE="CHECKBOX" NAME="USER_CANCEL_ANY" {?user_cancel_any}> Autoriser les + utilisateurs à annuler n'importe quelle tâche ( pas seulement les leurs )<BR> + <INPUT TYPE="CHECKBOX" NAME="DEBUG_LOGGING" {?debug_logging}> Enregistrer les +@@ -83,3 +79,16 @@ + + </TD></TR> + </TABLE> ++ ++<H2 CLASS="title">Abonnements</H2> ++ ++<P> ++<A HREF="/admin/?op=add-rss-subscription"><IMG SRC="/images/button-add-rss-subscription.gif" ALT="S'abonner au RSS" CLASS="button"></A> ++</P> ++ ++{notify_subscription_id?<TABLE WIDTH="100%" CELLSPACING="0" CELLPADDING="0" SUMMARY="Abonnements RSS"> ++<THEAD><TR CLASS="data"><TH>ID</TH><TH>Nom</TH><TH>?v?nements</TH><TH>File</TH></TR></THEAD> ++<TBODY>{[notify_subscription_id] ++<TR><TD><A HREF="{notify_recipient_uri}">{notify_subscription_id}</A></TD><TD NOWRAP><A HREF="{notify_recipient_uri}">{notify_recipient_name}</A> <A HREF="/admin/?op=cancel-subscription&notify_subscription_id={notify_subscription_id}"><IMG SRC="/images/button-cancel-subscription.gif" CLASS="button" ALT="Cancel RSS Subscription"></A> </TD><TD>{notify_events}</TD><TD NOWRAP> {notify_printer_name?{notify_printer_name}:All Queues}</TD></TR>} ++</TBODY> ++</TABLE>:} only in patch2: unchanged: --- cups-1.3.8.orig/debian/patches/hpgl-regression.dpatch +++ cups-1.3.8/debian/patches/hpgl-regression.dpatch @@ -0,0 +1,29 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## hpgl-regression.dpatch by Martin Pitt <mpitt@debian.org> +## +## DP: Revert the SP_select_pen() enumeration change introduced in STR #2911, +## DP: because it changes the color mapping (e. g. "SP1" would now select a +## DP: white pen instead of a black one, and "SP0" would not be valid at all +## DP: any more). Also fix a remaining off-by-one loop. (STR #2966) +@DPATCH@ +diff -urNad trunk~/filter/hpgl-attr.c trunk/filter/hpgl-attr.c +--- trunk~/filter/hpgl-attr.c 2008-10-09 22:12:03.000000000 +0200 ++++ trunk/filter/hpgl-attr.c 2008-10-10 10:55:46.000000000 +0200 +@@ -214,7 +214,7 @@ + "DEBUG: HP-GL/2 \'NP\' command with invalid number of " + "parameters (%d)!\n", num_params); + +- for (i = 0; i <= PenCount; i ++) ++ for (i = 0; i < PenCount; i ++) + Pens[i].width = PenWidth; + + PC_pen_color(0, NULL); +@@ -433,7 +433,7 @@ + fprintf(stderr, "DEBUG: HP-GL/2 \'SP\' command with invalid pen (%d)!\n", + (int)params[0].value.number); + else +- PenNumber = (int)params[0].value.number - 1; ++ PenNumber = (int)params[0].value.number; + + if (PageDirty) + printf("%.3f %.3f %.3f %.2f SP\n", Pens[PenNumber].rgb[0], only in patch2: unchanged: --- cups-1.3.8.orig/debian/patches/CVE-2008-3640_texttops_overflow.dpatch +++ cups-1.3.8/debian/patches/CVE-2008-3640_texttops_overflow.dpatch @@ -0,0 +1,90 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2008-3640_texttops_overflow.dpatch by Martin Pitt <mpitt@debian.org> +## +## DP: Fix buffer overflow by specifying invalidly large or negative page +## DP: metrics. (CVE-2008-3640, STR #2919) + +@DPATCH@ +diff -urNad lenny~/filter/textcommon.c lenny/filter/textcommon.c +--- lenny~/filter/textcommon.c 2008-07-12 00:48:49.000000000 +0200 ++++ lenny/filter/textcommon.c 2008-10-08 09:15:55.000000000 +0200 +@@ -3,7 +3,7 @@ + * + * Common text filter routines for the Common UNIX Printing System (CUPS). + * +- * Copyright 2007 by Apple Inc. ++ * Copyright 2007-2008 by Apple Inc. + * Copyright 1997-2007 by Easy Software Products. + * + * These coded instructions, statements, and computer programs are the +@@ -605,14 +605,38 @@ + !strcasecmp(val, "yes"); + + if ((val = cupsGetOption("columns", num_options, options)) != NULL) ++ { + PageColumns = atoi(val); + ++ if (PageColumns < 1) ++ { ++ _cupsLangPrintf(stderr, _("ERROR: Bad columns value %d!\n"), PageColumns); ++ return (1); ++ } ++ } ++ + if ((val = cupsGetOption("cpi", num_options, options)) != NULL) ++ { + CharsPerInch = atof(val); + ++ if (CharsPerInch <= 0.0) ++ { ++ _cupsLangPrintf(stderr, _("ERROR: Bad cpi value %f!\n"), CharsPerInch); ++ return (1); ++ } ++ } ++ + if ((val = cupsGetOption("lpi", num_options, options)) != NULL) ++ { + LinesPerInch = atof(val); + ++ if (LinesPerInch <= 0.0) ++ { ++ _cupsLangPrintf(stderr, _("ERROR: Bad lpi value %f!\n"), LinesPerInch); ++ return (1); ++ } ++ } ++ + if (PrettyPrint) + PageTop -= 216.0f / LinesPerInch; + +diff -urNad lenny~/filter/texttops.c lenny/filter/texttops.c +--- lenny~/filter/texttops.c 2008-07-12 00:48:49.000000000 +0200 ++++ lenny/filter/texttops.c 2008-10-08 09:15:55.000000000 +0200 +@@ -173,6 +173,14 @@ + SizeColumns = (PageRight - PageLeft) / 72.0 * CharsPerInch; + SizeLines = (PageTop - PageBottom) / 72.0 * LinesPerInch; + ++ if (SizeColumns <= 0 || SizeColumns > 32767 || ++ SizeLines <= 0 || SizeLines > 32767) ++ { ++ _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"), ++ SizeColumns, SizeLines); ++ exit(1); ++ } ++ + Page = calloc(sizeof(lchar_t *), SizeLines); + Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines); + for (i = 1; i < SizeLines; i ++) +@@ -187,6 +195,13 @@ + else + ColumnWidth = SizeColumns; + ++ if (ColumnWidth <= 0) ++ { ++ _cupsLangPrintf(stderr, _("ERROR: Unable to print %d text columns!\n"), ++ PageColumns); ++ exit(1); ++ } ++ + /* + * Output the DSC header... + */ only in patch2: unchanged: --- cups-1.3.8.orig/debian/patches/CVE-2008-3641_hpgl_filter_overflow.dpatch +++ cups-1.3.8/debian/patches/CVE-2008-3641_hpgl_filter_overflow.dpatch @@ -0,0 +1,136 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2008-3641_hpgl_filter_overflow.dpatch by Martin Pitt <mpitt@debian.org> +## +## DP: Fix buffer overflow triggered by invalid number of pens in the HPGL +## DP: filter. (CVE-2008-3641, STR #2911) + +@DPATCH@ +diff -urNad lenny~/filter/hpgl-attr.c lenny/filter/hpgl-attr.c +--- lenny~/filter/hpgl-attr.c 2008-07-12 00:48:49.000000000 +0200 ++++ lenny/filter/hpgl-attr.c 2008-10-08 08:58:40.000000000 +0200 +@@ -197,8 +197,18 @@ + + if (num_params == 0) + PenCount = 8; +- else if (num_params == 1 && params[0].value.number <= 1024) +- PenCount = (int)params[0].value.number; ++ else if (num_params == 1) ++ { ++ if (params[0].value.number < 1 || params[0].value.number > MAX_PENS) ++ { ++ fprintf(stderr, ++ "DEBUG: HP-GL/2 \'NP\' command with invalid number of " ++ "pens (%d)!\n", (int)params[0].value.number); ++ PenCount = 8; ++ } ++ else ++ PenCount = (int)params[0].value.number; ++ } + else + fprintf(stderr, + "DEBUG: HP-GL/2 \'NP\' command with invalid number of " +@@ -235,7 +245,7 @@ + + if (num_params == 0) + { +- for (i = 0; i <= PenCount; i ++) ++ for (i = 0; i < PenCount; i ++) + if (i < 8) + { + Pens[i].rgb[0] = standard_colors[i][0]; +@@ -256,7 +266,14 @@ + } + else if (num_params == 1 || num_params == 4) + { +- i = (int)params[0].value.number; ++ i = (int)params[0].value.number - 1; ++ ++ if (i < 0 || i >= PenCount) ++ { ++ fprintf(stderr, ++ "DEBUG: HP-GL/2 \'PC\' command with invalid pen (%d)!\n", i + 1); ++ return; ++ } + + if (num_params == 1) + { +@@ -330,7 +347,15 @@ + + if (num_params == 2) + { +- pen = (int)params[1].value.number; ++ pen = (int)params[1].value.number - 1; ++ ++ if (pen < 0 || pen >= PenCount) ++ { ++ fprintf(stderr, ++ "DEBUG: HP-GL/2 \'PW\' command with invalid pen (%d)!\n", ++ pen + 1); ++ return; ++ } + + Pens[pen].width = w; + +@@ -345,7 +370,7 @@ + * Set width for all pens... + */ + +- for (pen = 0; pen <= PenCount; pen ++) ++ for (pen = 0; pen < PenCount; pen ++) + Pens[pen].width = w; + + if (PageDirty) +@@ -399,14 +424,16 @@ + param_t *params) /* I - Parameters */ + { + if (num_params == 0) +- PenNumber = 1; +- else if (params[0].value.number <= PenCount) +- PenNumber = (int)params[0].value.number; +- else ++ PenNumber = 0; ++ else if (num_params > 1) + fprintf(stderr, +- "DEBUG: HP-GL/2 \'SP\' command with invalid number or value " +- "of parameters (%d, %d)!\n", num_params, ++ "DEBUG: HP-GL/2 \'SP\' command with invalid number of parameters " ++ "(%d)!\n", num_params); ++ else if (params[0].value.number <= 0 || params[0].value.number >= PenCount) ++ fprintf(stderr, "DEBUG: HP-GL/2 \'SP\' command with invalid pen (%d)!\n", + (int)params[0].value.number); ++ else ++ PenNumber = (int)params[0].value.number - 1; + + if (PageDirty) + printf("%.3f %.3f %.3f %.2f SP\n", Pens[PenNumber].rgb[0], +diff -urNad lenny~/filter/hpgltops.h lenny/filter/hpgltops.h +--- lenny~/filter/hpgltops.h 2008-07-12 00:48:49.000000000 +0200 ++++ lenny/filter/hpgltops.h 2008-10-08 08:58:40.000000000 +0200 +@@ -26,6 +26,14 @@ + # define M_PI 3.14159265358979323846 + #endif /* M_PI */ + ++ ++/* ++ * Maximum number of pens we emulate... ++ */ ++ ++#define MAX_PENS 1024 ++ ++ + /* + * Parameter value structure... + */ +@@ -108,10 +116,10 @@ + /* Current pen position */ + PenScaling VALUE(1.0f), /* Pen width scaling factor */ + PenWidth VALUE(1.0f); /* Default pen width */ +-VAR pen_t Pens[1024]; /* State of each pen */ ++VAR pen_t Pens[MAX_PENS]; /* State of each pen */ + VAR int PenMotion VALUE(0), /* 0 = absolute, 1 = relative */ + PenValid VALUE(0), /* 1 = valid position, 0 = undefined */ +- PenNumber VALUE(1), /* Current pen number */ ++ PenNumber VALUE(0), /* Current pen number */ + PenCount VALUE(8), /* Number of pens */ + PenDown VALUE(0), /* 0 = pen up, 1 = pen down */ + PolygonMode VALUE(0), /* Drawing polygons? */ only in patch2: unchanged: --- cups-1.3.8.orig/debian/patches/CVE-2008-3639_sgi_filter_overflow.dpatch +++ cups-1.3.8/debian/patches/CVE-2008-3639_sgi_filter_overflow.dpatch @@ -0,0 +1,43 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2008-3639_sgi_filter_overflow.dpatch by Martin Pitt <mpitt@debian.org> +## +## DP: Fix buffer overflow due to unchecked boundary in the SGI filter. +## DP: (CVE-2008-3639, STR #2918) +@DPATCH@ +diff -urNad lenny~/filter/image-sgilib.c lenny/filter/image-sgilib.c +--- lenny~/filter/image-sgilib.c 2008-07-12 00:48:49.000000000 +0200 ++++ lenny/filter/image-sgilib.c 2008-10-08 09:07:25.000000000 +0200 +@@ -640,13 +640,14 @@ + if (ch & 128) + { + for (i = 0; i < count; i ++, row ++, xsize --, length ++) +- *row = getc(fp); ++ if (xsize > 0) ++ *row = getc(fp); + } + else + { + ch = getc(fp); + length ++; +- for (i = 0; i < count; i ++, row ++, xsize --) ++ for (i = 0; i < count && xsize > 0; i ++, row ++, xsize --) + *row = ch; + } + } +@@ -685,13 +686,14 @@ + if (ch & 128) + { + for (i = 0; i < count; i ++, row ++, xsize --, length ++) +- *row = getshort(fp); ++ if (xsize > 0) ++ *row = getshort(fp); + } + else + { + ch = getshort(fp); + length ++; +- for (i = 0; i < count; i ++, row ++, xsize --) ++ for (i = 0; i < count && xsize > 0; i ++, row ++, xsize --) + *row = ch; + } + }
Attachment:
signature.asc
Description: Digital signature