author | Leonardo Arena <rnalrd@alpinelinux.org> | 2014-06-18 11:15:08 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2014-06-18 11:18:25 +0000 |
commit | d55a9f01b6894e54eaadb528fd3c1eb058268774 (patch) | |
tree | 24f99f5d77a8a60b773fe610097e2f40b2b2de31 | |
parent | add245d6403f69aefdfda3821428d3b59799ba20 (diff) | |
download | aports-d55a9f01b6894e54eaadb528fd3c1eb058268774.tar.bz2 aports-d55a9f01b6894e54eaadb528fd3c1eb058268774.tar.xz |
main/cups: security fix (CVE-2014-2856). Fixes #2949
-rw-r--r-- | main/cups/APKBUILD | 8 | ||||
-rw-r--r-- | main/cups/CVE-2014-2856.patch | 19 |
2 files changed, 24 insertions, 3 deletions
diff --git a/main/cups/APKBUILD b/main/cups/APKBUILD
index 1cf3effc38..20a723615e 100644
--- a/main/cups/APKBUILD
+++ b/main/cups/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=cups
 pkgver=1.6.1
-pkgrel=0
+pkgrel=1
 pkgdesc="The CUPS Printing System"
 url="http://www.cups.org/"
 arch="all"
@@ -15,9 +15,10 @@ install="cups.pre-install"
 pkggroups="lp lpadmin"
 pkgusers="lp"
 replaces="cups-doc"
-source="ftp://ftp.easysw.com/pub/$pkgname/$pkgver/$pkgname-$pkgver-source.tar.bz2
+source="http://www.cups.org/software/$pkgver/$pkgname-$pkgver-source.tar.bz2
 $pkgname.logrotate
 cupsd.initd
+ CVE-2014-2856.patch
 "
@@ -113,4 +114,5 @@ client() {
 md5sums="87ade07e3d1efd03c9c3add949cf9c00 cups-1.6.1-source.tar.bz2
 f861b18f4446c43918c8643dcbbd7f6d cups.logrotate
-1154ed66fdcfa0523f929a369079f43c cupsd.initd"
+1154ed66fdcfa0523f929a369079f43c cupsd.initd
+09c0def850cf68d5f0bd4adcb39192ba CVE-2014-2856.patch"
diff --git a/main/cups/CVE-2014-2856.patch b/main/cups/CVE-2014-2856.patch
new file mode 100644
index 0000000000..977d2fcafc
--- /dev/null
+++ b/main/cups/CVE-2014-2856.patch
@@ -0,0 +1,19 @@
+Index: scheduler/client.c
+===================================================================
+--- a/scheduler/client.c (revision 11597)
++++ b/scheduler/client.c (working copy)
+@@ -3316,6 +3316,14 @@
+ return (0);
+
+ /*
++ * Check for "<" or quotes in the path and reject since this is probably
++ * someone trying to inject HTML...
++ */
++
++ if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
++ return (0);
++
++ /*
+ * Check for "/.." in the path...
+ */
+ |
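Review bot: Adding `CVE-2014-2856.patch` to `source=` only makes the build fetch and checksum the file; nothing in the visible APKBUILD hunks applies it. The fix therefore ships only if `prepare()` or `build()` (outside these hunks) runs `patch` over the `*.patch` entries in `$source`. The embedded patch uses `a/` and `b/` path prefixes, so that step needs `-p1`. It is worth confirming in the build log that the patch is applied, since otherwise the package is rebuilt as pkgrel 1 without the security fix.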
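Review bot: The upstream tarball and the new security patch are pinned only by MD5 digests in `md5sums`, and the `source=` hunk fetches the tarball over plain `http://` (previously `ftp://`), so the transport adds no integrity and the only check is a collision-weak hash. If the abuild version in use supports it, add a `sha256sums` or `sha512sums` block next to `md5sums`, regenerated with `abuild checksum`, so both files are pinned by a stronger digest.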
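Review bot: The check added to scheduler/client.c is a character denylist on `path`, and the hunk does not show whether `path` has already been percent-decoded at this point or whether the code that echoes the path into a page escapes it on output. Both are worth confirming, because rejecting input characters is the weaker half of an HTML-injection fix and output encoding at the reflection site is the durable one. The three `strchr` calls can be written as `if (strpbrk(path, "<\"'") != NULL)`, which is equivalent and keeps the line under 80 columns. The enclosing function starts and ends outside the hunk.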