author | Natanael Copa <ncopa@alpinelinux.org> | 2015-06-15 13:35:53 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-06-15 13:41:59 +0000 |
commit | 5f589ae6722e270d6297726d8ef6ab405dc22d93 (patch) | |
tree | 6cd9c9005dfa93070e3293d73cc8d8691e30ee88 | |
parent | ab2ca6142f8ba94f3f65218aa5c02658e542bb3d (diff) | |
main/cups: security fix for CVE-2015-1158,CVE-2015-1159
* Improper Update of Reference Count -- CVE-2015-1158
* Cross-Site Scripting -- CVE-2015-1159
fixes #4354
-rw-r--r-- | main/cups/APKBUILD | 12 | ||||
-rw-r--r-- | main/cups/str4609-1.7.patch | 497 |
2 files changed, 505 insertions, 4 deletions
diff --git a/main/cups/APKBUILD b/main/cups/APKBUILD index 11d83c9460..9a20c7ff90 100644 --- a/main/cups/APKBUILD +++ b/main/cups/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=cups pkgver=1.7.4 -pkgrel=1 +pkgrel=2 pkgdesc="The CUPS Printing System" url="http://www.cups.org/" arch="all" @@ -21,6 +21,7 @@ source="http://www.cups.org/software/$pkgver/cups-$pkgver-source.tar.bz2 cups-no-export-ssllibs.patch cups-httpAddrLength.patch CVE-2014-9679.patch + str4609-1.7.patch " _builddir="$srcdir"/$pkgname-$pkgver 
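Review bot: The new `str4609-1.7.patch` entry in `source=` is named after the upstream tracker number, so unlike `CVE-2014-9679.patch` next to it, nothing in the APKBUILD records which CVEs the package now carries fixes for. The entry sits inside the quoted `source` string, where a comment cannot go, so the mapping would have to be a comment line above the assignment, for example `# str4609-1.7.patch fixes CVE-2015-1158 and CVE-2015-1159`. That lets anyone auditing the package see the mapping without reading the commit log.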
@@ -124,16 +125,19 @@ f861b18f4446c43918c8643dcbbd7f6d cups.logrotate 1154ed66fdcfa0523f929a369079f43c cupsd.initd 3ba9e3410df1dc3015463d615ef91b3b cups-no-export-ssllibs.patch 61d3cc673ee74016e76fc8ae88e2aa1f cups-httpAddrLength.patch -405bbe44191c628d7f1f1cbd30e242fa CVE-2014-9679.patch" +405bbe44191c628d7f1f1cbd30e242fa CVE-2014-9679.patch +7a2c98fd2503fb6286af39efa90d6f3c str4609-1.7.patch" sha256sums="358fc7f22395a9ba07efcfc0d34a057ab5e9182b6e3297f71263a6b68fb41378 cups-1.7.4-source.tar.bz2 b3308353504bc1cc0d5203ad3609bc98639ad9655b52e8ec8257286877532796 cups.logrotate 3ea71f13cf925736847ca44aa0f1a9ed944fb3d303c34af923140b20fd587e2b cupsd.initd ff3eb0782af0405f5dafe89e04b1b4ea7a49afc5496860d724343bd04f375832 cups-no-export-ssllibs.patch 6996a13f77d559e8566666764435c71c4dcf7d9af9aeed48f3c70f4f177a046a cups-httpAddrLength.patch -9a2ae9590348aea7d6c383a1ce5f2b08d259b44a1e0eb3ddb2201b81148c9fb9 CVE-2014-9679.patch" +9a2ae9590348aea7d6c383a1ce5f2b08d259b44a1e0eb3ddb2201b81148c9fb9 CVE-2014-9679.patch +0414ea36c717469f6884a81a8b077f86a3f195c54de4e36e169370fbc335cd2f str4609-1.7.patch" sha512sums="af86076cbaa008e2c4b9a144d2999a0f1a77d801a256fd4021d4d830bb59322542181e58b54b8b36d929215e1c0db1e3f79cf58a448df64361baf46c05f84d65 cups-1.7.4-source.tar.bz2 162fe69ee46962f7ce07a9a2a75154682088895c4749c9bcfc54bb2aa861f48d7d1a8e3223f78a197319a3a405626ffe996615f6eb23168afcefabab343d5be0 cups.logrotate 3c5f4017cb1faf3e63551db53da4cb8305601adf65358bc53e982c5a0dfdd2b455a8ce735760ae3cc5ef81cdfa2a3cfe4be4107d1858d7ab9d91b4b97d3bc73b cupsd.initd 7a8cd9ac33b0dd4627c72df4275db8ccd7cf8e201bce3833719b42f532f526bb347b842e3ea1ef0d61855b5c6e1088b5d20b68942f2c2c0acf504d8d9728efd3 cups-no-export-ssllibs.patch 210a0c5f445e2e116a8935142f6a067ffaa2a12f7a0f8ca6e3dd3da6adce4ce75e4953fca8ee4a6eda79a6338b027bc0a6afa65e17f2158abed4de2907565d52 cups-httpAddrLength.patch -69220ed540e9871ada0c94e7ceecca0a0d2f3236ed7263e0941f468091544343ff1866fb97d499c14b509f2b93e15b228861acf9c1d457ea2803d7be2ec1c037 
CVE-2014-9679.patch" +69220ed540e9871ada0c94e7ceecca0a0d2f3236ed7263e0941f468091544343ff1866fb97d499c14b509f2b93e15b228861acf9c1d457ea2803d7be2ec1c037 CVE-2014-9679.patch +62b66b00827de0595b4443088cee36b6854cd38532e957ca2be2f02562ee5b68e55517958dc53cc59b7dabf4f8ae5320f9c89126d4e35090cdd0f94fa2128bd0 str4609-1.7.patch" diff --git a/main/cups/str4609-1.7.patch b/main/cups/str4609-1.7.patch new file mode 100644 index 0000000000..27d88ef471 --- /dev/null +++ b/main/cups/str4609-1.7.patch 
@@ -0,0 +1,497 @@ +* Improper Update of Reference Count -- CVE-2015-1158 +* Cross-Site Scripting -- CVE-2015-1159 + +Index: cgi-bin/template.c +=================================================================== +--- a/cgi-bin/template.c (revision 12548) ++++ b/cgi-bin/template.c (revision 12588) +@@ -659,39 +659,7 @@ + while (*s) + { + if (*s == '<') +- { +- /* +- * Pass <A HREF="url"> and </A>, otherwise quote it... +- */ +- +- if (!_cups_strncasecmp(s, "<A HREF=\"", 9)) +- { +- fputs("<A HREF=\"", out); +- s += 9; +- +- while (*s && *s != '\"') +- { +- if (*s == '&') +- fputs("&", out); +- else +- putc(*s, out); +- +- s ++; +- } +- +- if (*s) +- s ++; +- +- fputs("\">", out); +- } +- else if (!_cups_strncasecmp(s, "</A>", 4)) +- { +- fputs("</A>", out); +- s += 3; +- } +- else +- fputs("<", out); +- } ++ fputs("<", out); + else if (*s == '>') + fputs(">", out); + else if (*s == '\"') +Index: cgi-bin/ipp-var.c +=================================================================== +--- a/cgi-bin/ipp-var.c (revision 12548) ++++ b/cgi-bin/ipp-var.c (revision 12588) +@@ -1230,21 +1230,7 @@ + * Rewrite URIs... + */ + +- if (!strcmp(name, "member_uris")) +- { +- char url[1024]; /* URL for class member... */ +- +- +- cgiRewriteURL(attr->values[i].string.text, url, +- sizeof(url), NULL); +- +- snprintf(valptr, sizeof(value) - (valptr - value), +- "<A HREF=\"%s\">%s</A>", url, +- strrchr(attr->values[i].string.text, '/') + 1); +- } +- else +- cgiRewriteURL(attr->values[i].string.text, valptr, +- sizeof(value) - (valptr - value), NULL); ++ cgiRewriteURL(attr->values[i].string.text, valptr, sizeof(value) - (valptr - value), NULL); + break; + } + +Index: scheduler/ipp.c +=================================================================== +--- a/scheduler/ipp.c (revision 12548) ++++ b/scheduler/ipp.c (revision 12588) +@@ -3,7 +3,7 @@ + * + * IPP routines for the CUPS scheduler. + * +- * Copyright 2007-2014 by Apple Inc. ++ * Copyright 2007-2015 by Apple Inc. 
+ * Copyright 1997-2007 by Easy Software Products, all rights reserved. + * + * This file contains Kerberos support code, copyright 2006 by +@@ -412,8 +412,7 @@ + * Remote unauthenticated user masquerading as local root... + */ + +- _cupsStrFree(username->values[0].string.text); +- username->values[0].string.text = _cupsStrAlloc(RemoteRoot); ++ ippSetString(con->request, &username, 0, RemoteRoot); + } + } + +@@ -1577,7 +1576,7 @@ + cupsdSetString(&job->username, con->username); + + if (attr) +- cupsdSetString(&attr->values[0].string.text, con->username); ++ ippSetString(job->attrs, &attr, 0, con->username); + } + else if (attr) + { +@@ -1595,9 +1594,8 @@ + "job-originating-user-name", NULL, job->username); + else + { +- attr->group_tag = IPP_TAG_JOB; +- _cupsStrFree(attr->name); +- attr->name = _cupsStrAlloc("job-originating-user-name"); ++ ippSetGroupTag(job->attrs, &attr, IPP_TAG_JOB); ++ ippSetName(job->attrs, &attr, "job-originating-user-name"); + } + + if (con->username[0] || auth_info) +@@ -1628,48 +1626,11 @@ + * Also, we can only have 1 value and it must be a name value. + */ + +- switch (attr->value_tag) +- { +- case IPP_TAG_STRING : +- case IPP_TAG_TEXTLANG : +- case IPP_TAG_NAMELANG : +- case IPP_TAG_TEXT : +- case IPP_TAG_NAME : +- case IPP_TAG_KEYWORD : +- case IPP_TAG_URI : +- case IPP_TAG_URISCHEME : +- case IPP_TAG_CHARSET : +- case IPP_TAG_LANGUAGE : +- case IPP_TAG_MIMETYPE : +- /* +- * Free old strings... +- */ +- +- for (i = 0; i < attr->num_values; i ++) +- { +- _cupsStrFree(attr->values[i].string.text); +- attr->values[i].string.text = NULL; +- if (attr->values[i].string.language) +- { +- _cupsStrFree(attr->values[i].string.language); +- attr->values[i].string.language = NULL; +- } +- } +- +- default : +- break; +- } +- +- /* +- * Use the default connection hostname instead... 
+- */ +- +- attr->value_tag = IPP_TAG_NAME; +- attr->num_values = 1; +- attr->values[0].string.text = _cupsStrAlloc(con->http.hostname); ++ ippDeleteAttribute(job->attrs, attr); ++ ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_NAME, "job-originating-host-name", NULL, con->http.hostname); + } +- +- attr->group_tag = IPP_TAG_JOB; ++ else ++ ippSetGroupTag(job->attrs, &attr, IPP_TAG_JOB); + } + else + { +@@ -1766,8 +1727,8 @@ + + attr = ippAddStrings(job->attrs, IPP_TAG_JOB, IPP_TAG_NAME, "job-sheets", + 2, NULL, NULL); +- attr->values[0].string.text = _cupsStrRetain(printer->job_sheets[0]); +- attr->values[1].string.text = _cupsStrRetain(printer->job_sheets[1]); ++ ippSetString(job->attrs, &attr, 0, printer->job_sheets[0]); ++ ippSetString(job->attrs, &attr, 1, printer->job_sheets[1]); + } + + job->job_sheets = attr; +@@ -1793,7 +1754,7 @@ + * Force the leading banner to have the classification on it... + */ + +- cupsdSetString(&attr->values[0].string.text, Classification); ++ ippSetString(job->attrs, &attr, 0, Classification); + + cupsdLogJob(job, CUPSD_LOG_NOTICE, "CLASSIFICATION FORCED " + "job-sheets=\"%s,none\", " +@@ -1810,7 +1771,7 @@ + * Can't put two different security markings on the same document! 
+ */ + +- cupsdSetString(&attr->values[1].string.text, attr->values[0].string.text); ++ ippSetString(job->attrs, &attr, 1, attr->values[0].string.text); + + cupsdLogJob(job, CUPSD_LOG_NOTICE, "CLASSIFICATION FORCED " + "job-sheets=\"%s,%s\", " +@@ -1850,18 +1811,18 @@ + if (attr->num_values > 1 && + !strcmp(attr->values[0].string.text, attr->values[1].string.text)) + { +- cupsdSetString(&(attr->values[0].string.text), Classification); +- cupsdSetString(&(attr->values[1].string.text), Classification); ++ ippSetString(job->attrs, &attr, 0, Classification); ++ ippSetString(job->attrs, &attr, 1, Classification); + } + else + { + if (attr->num_values == 1 || + strcmp(attr->values[0].string.text, "none")) +- cupsdSetString(&(attr->values[0].string.text), Classification); ++ ippSetString(job->attrs, &attr, 0, Classification); + + if (attr->num_values > 1 && + strcmp(attr->values[1].string.text, "none")) +- cupsdSetString(&(attr->values[1].string.text), Classification); ++ ippSetString(job->attrs, &attr, 1, Classification); + } + + if (attr->num_values > 1) +@@ -3089,8 +3050,8 @@ + + if (attr) + { +- attr->value_tag = IPP_TAG_KEYWORD; +- cupsdSetString(&(attr->values[0].string.text), "no-hold"); ++ ippSetValueTag(job->attrs, &attr, IPP_TAG_KEYWORD); ++ ippSetString(job->attrs, &attr, 0, "no-hold"); + } + + /* +@@ -8105,11 +8066,7 @@ + filetype->type); + + if (format) +- { +- _cupsStrFree(format->values[0].string.text); +- +- format->values[0].string.text = _cupsStrAlloc(mimetype); +- } ++ ippSetString(con->request, &format, 0, mimetype); + else + ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_MIMETYPE, + "document-format", NULL, mimetype); +@@ -8645,11 +8602,9 @@ + + if (attr) + { +- _cupsStrFree(attr->values[0].string.text); ++ ippSetValueTag(job->attrs, &attr, IPP_TAG_KEYWORD); ++ ippSetString(job->attrs, &attr, 0, "no-hold"); + +- attr->value_tag = IPP_TAG_KEYWORD; +- attr->values[0].string.text = _cupsStrAlloc("no-hold"); +- + 
cupsdAddEvent(CUPSD_EVENT_JOB_CONFIG_CHANGED, cupsdFindDest(job->dest), job, + "Job job-hold-until value changed by user."); + ippSetString(job->attrs, &job->reasons, 0, "none"); +@@ -9341,11 +9296,7 @@ + + if ((jformat = ippFindAttribute(job->attrs, "document-format", + IPP_TAG_MIMETYPE)) != NULL) +- { +- _cupsStrFree(jformat->values[0].string.text); +- +- jformat->values[0].string.text = _cupsStrAlloc(mimetype); +- } ++ ippSetString(job->attrs, &jformat, 0, mimetype); + else + ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_MIMETYPE, + "document-format", NULL, mimetype); +Index: scheduler/job.c +=================================================================== +--- a/scheduler/job.c (revision 12548) ++++ b/scheduler/job.c (revision 12588) +@@ -374,7 +374,7 @@ + + if ((attr = ippFindAttribute(job->attrs, "job-actual-printer-uri", + IPP_TAG_URI)) != NULL) +- cupsdSetString(&attr->values[0].string.text, printer->uri); ++ ippSetString(job->attrs, &attr, 0, printer->uri); + else + ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_URI, + "job-actual-printer-uri", NULL, printer->uri); +@@ -2008,7 +2008,7 @@ + + if ((attr = ippFindAttribute(job->attrs, "job-printer-uri", + IPP_TAG_URI)) != NULL) +- cupsdSetString(&(attr->values[0].string.text), p->uri); ++ ippSetString(job->attrs, &attr, 0, p->uri); + + cupsdAddEvent(CUPSD_EVENT_JOB_STOPPED, p, job, + "Job #%d moved from %s to %s.", job->id, olddest, +@@ -2198,7 +2198,7 @@ + attr = ippFindAttribute(job->attrs, "job-hold-until", IPP_TAG_NAME); + + if (attr) +- cupsdSetString(&(attr->values[0].string.text), when); ++ ippSetString(job->attrs, &attr, 0, when); + else + attr = ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_KEYWORD, + "job-hold-until", NULL, when); +@@ -2452,8 +2452,8 @@ + + if (attr) + { +- attr->value_tag = IPP_TAG_KEYWORD; +- cupsdSetString(&(attr->values[0].string.text), "no-hold"); ++ ippSetValueTag(job->attrs, &attr, IPP_TAG_KEYWORD); ++ ippSetString(job->attrs, &attr, 0, "no-hold"); + } + + default : +@@ 
-4442,7 +4442,7 @@ + "job-printer-state-message", + IPP_TAG_TEXT); + if (job->printer_message) +- cupsdSetString(&(job->printer_message->values[0].string.text), ""); ++ ippSetString(job->attrs, &job->printer_message, 0, ""); + + ippSetString(job->attrs, &job->reasons, 0, "job-printing"); + cupsdSetJobState(job, IPP_JOB_PROCESSING, CUPSD_JOB_DEFAULT, NULL); +@@ -5060,15 +5060,14 @@ + if (job->state_value != IPP_JOB_PROCESSING && + job->status_level == CUPSD_LOG_INFO) + { +- cupsdSetString(&(job->printer_message->values[0].string.text), ""); ++ ippSetString(job->attrs, &job->printer_message, 0, ""); + + job->dirty = 1; + cupsdMarkDirty(CUPSD_DIRTY_JOBS); + } + else if (job->printer->state_message[0] && do_message) + { +- cupsdSetString(&(job->printer_message->values[0].string.text), +- job->printer->state_message); ++ ippSetString(job->attrs, &job->printer_message, 0, job->printer->state_message); + + job->dirty = 1; + cupsdMarkDirty(CUPSD_DIRTY_JOBS); +Index: scheduler/client.c +=================================================================== +--- a/scheduler/client.c (revision 12548) ++++ b/scheduler/client.c (revision 12588) +@@ -3,7 +3,7 @@ + * + * Client routines for the CUPS scheduler. + * +- * Copyright 2007-2014 by Apple Inc. ++ * Copyright 2007-2015 by Apple Inc. + * Copyright 1997-2007 by Easy Software Products, all rights reserved. 
+ * + * This file contains Kerberos support code, copyright 2006 by +@@ -598,7 +598,12 @@ + httpClearCookie(HTTP(con)); + httpClearFields(HTTP(con)); + +- cupsdClearString(&con->filename); ++ if (con->filename) ++ { ++ unlink(con->filename); ++ cupsdClearString(&con->filename); ++ } ++ + cupsdClearString(&con->command); + cupsdClearString(&con->options); + cupsdClearString(&con->query_string); +Index: scheduler/env.c +=================================================================== +--- a/scheduler/env.c (revision 12548) ++++ b/scheduler/env.c (revision 12588) +@@ -1,27 +1,16 @@ + /* + * "$Id$" + * +- * Environment management routines for the CUPS scheduler. ++ * Environment management routines for the CUPS scheduler. + * +- * Copyright 2007-2011 by Apple Inc. +- * Copyright 1997-2006 by Easy Software Products, all rights reserved. ++ * Copyright 2007-2014 by Apple Inc. ++ * Copyright 1997-2006 by Easy Software Products, all rights reserved. + * +- * These coded instructions, statements, and computer programs are the +- * property of Apple Inc. and are protected by Federal copyright +- * law. Distribution and use rights are outlined in the file "LICENSE.txt" +- * which should have been included with this file. If this file is +- * file is missing or damaged, see the license at "http://www.cups.org/". +- * +- * Contents: +- * +- * cupsdInitEnv() - Initialize the current environment with standard +- * variables. +- * cupsdLoadEnv() - Copy common environment variables into an array. +- * cupsdSetEnv() - Set a common environment variable. +- * cupsdSetEnvf() - Set a formatted common environment variable. +- * cupsdUpdateEnv() - Update the environment for the configured directories. +- * clear_env() - Clear common environment variables. +- * find_env() - Find a common environment variable. ++ * These coded instructions, statements, and computer programs are the ++ * property of Apple Inc. and are protected by Federal copyright ++ * law. 
Distribution and use rights are outlined in the file "LICENSE.txt" ++ * which should have been included with this file. If this file is ++ * file is missing or damaged, see the license at "http://www.cups.org/". + */ + + /* +@@ -131,6 +120,13 @@ + return; + + /* ++ * Do not allow dynamic linker variables when running as root... ++ */ ++ ++ if (!RunUser && (!strncmp(name, "DYLD_", 5) || !strncmp(name, "LD_", 3))) ++ return; ++ ++ /* + * See if this variable has already been defined... + */ + +Index: scheduler/main.c +=================================================================== +--- a/scheduler/main.c (revision 12548) ++++ b/scheduler/main.c (revision 12588) +@@ -3,7 +3,7 @@ + * + * Main loop for the CUPS scheduler. + * +- * Copyright 2007-2014 by Apple Inc. ++ * Copyright 2007-2015 by Apple Inc. + * Copyright 1997-2007 by Easy Software Products, all rights reserved. + * + * These coded instructions, statements, and computer programs are the +@@ -1144,8 +1144,8 @@ + if (!*a) + *a = cupsArrayNew3((cups_array_func_t)strcmp, NULL, + (cups_ahash_func_t)NULL, 0, +- (cups_acopy_func_t)_cupsStrAlloc, +- (cups_afree_func_t)_cupsStrFree); ++ (cups_acopy_func_t)strdup, ++ (cups_afree_func_t)free); + + return (cupsArrayAdd(*a, (char *)s)); + } +@@ -1175,7 +1175,7 @@ + { + if (s && *s) + { +- _cupsStrFree(*s); ++ free(*s); + *s = NULL; + } + } +@@ -1256,10 +1256,10 @@ + return; + + if (*s) +- _cupsStrFree(*s); ++ free(*s); + + if (v) +- *s = _cupsStrAlloc(v); ++ *s = strdup(v); + else + *s = NULL; + } +@@ -1290,13 +1290,13 @@ + vsnprintf(v, sizeof(v), f, ap); + va_end(ap); + +- *s = _cupsStrAlloc(v); ++ *s = strdup(v); + } + else + *s = NULL; + + if (olds) +- _cupsStrFree(olds); ++ free(olds); + } + + +@@ -1647,8 +1647,7 @@ + } + + if (job->printer_message) +- cupsdSetString(&(job->printer_message->values[0].string.text), +- message); ++ ippSetString(job->attrs, &job->printer_message, 0, message); + } + } + |
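Review bot: In the scheduler/main.c part of the added patch, the string helpers now allocate with `strdup` and release with `free`, but nothing states that their arguments must no longer be IPP attribute values, which come from the `_cupsStrAlloc` string pool. The call sites visible in scheduler/ipp.c and scheduler/job.c are converted to `ippSetString`; whether any unconverted caller remains cannot be checked from this diff, and such a caller would now pass a pool pointer to `free`. A comment on the helpers would make the contract explicit, e.g. `/* 's' must own a malloc'd string; use ippSetString() for ipp_attribute_t values */`. The result of `strdup(v)` is also stored unchecked, so an allocation failure silently leaves `*s` NULL. The helper bodies start and end outside the hunks shown.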