diff options
| -rw-r--r-- | main/cups-filters/APKBUILD | 23 | ||||
| -rw-r--r-- | main/cups-filters/CVE-2015-2265.patch | 21 | ||||
| -rw-r--r-- | main/cups-filters/CVE-2015-3279.patch | 103 | ||||
| -rw-r--r-- | main/cups-filters/CVE-2015-8327.patch | 19 |
4 files changed, 161 insertions, 5 deletions
diff --git a/main/cups-filters/APKBUILD b/main/cups-filters/APKBUILD index 2d4c62f7bf..e852f5f05e 100644 --- a/main/cups-filters/APKBUILD +++ b/main/cups-filters/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=cups-filters pkgver=1.0.61 -pkgrel=1 +pkgrel=2 pkgdesc="OpenPrinting CUPS filters and backends" url="http://www.linuxfoundation.org/collaborate/workgroups/openprinting/pdf_as_standard_print_job_format" arch="all" @@ -16,7 +16,11 @@ makedepends="$depends_dev cups-dev libjpeg-turbo-dev poppler-dev zlib-dev qpdf-dev avahi-dev dbus-dev" install="" subpackages="$pkgname-dev $pkgname-doc $pkgname-libs" -source="http://www.openprinting.org/download/cups-filters/cups-filters-$pkgver.tar.xz" +source="http://www.openprinting.org/download/cups-filters/cups-filters-$pkgver.tar.xz + CVE-2015-8327.patch + CVE-2015-3279.patch + CVE-2015-2265.patch + " _builddir="$srcdir"/cups-filters-$pkgver prepare() { @@ -70,6 +74,15 @@ libs() { mv "$pkgdir"/usr/lib/lib*.so.* "$subpkgdir"/usr/lib/ } -md5sums="f16a422bf3135e90b83f969c13a259cf cups-filters-1.0.61.tar.xz" -sha256sums="f5285e3ee436ea42f2986cddfb8020d240ca8b0d7f8dc4b0718b6695ad4504af cups-filters-1.0.61.tar.xz" -sha512sums="7d538d71e6c8342e521f4366c443e767b64e324ed1689bb56c15e70211c91ea89e819c7ae142a9f6d86a111c6a5a4d44ba7b8aa2e5d0d71247fc2d3771c1598d cups-filters-1.0.61.tar.xz" +md5sums="f16a422bf3135e90b83f969c13a259cf cups-filters-1.0.61.tar.xz +d3048ef67d12dd313bcc7b9ad732c754 CVE-2015-8327.patch +6080c982f59fa74e4cf318322e8f799d CVE-2015-3279.patch +7fe40fc0a04958f93f6eee2f4672a39f CVE-2015-2265.patch" +sha256sums="f5285e3ee436ea42f2986cddfb8020d240ca8b0d7f8dc4b0718b6695ad4504af cups-filters-1.0.61.tar.xz +9e7d091a53dd2cf212362778b697962bfeb55d1020f9d2e58d0c635e9a8587b8 CVE-2015-8327.patch +01f637bb11f68cf13af4e461efc9e06a1be54b878a4d415f66b03693826eaed6 CVE-2015-3279.patch +5f24d4799ae0e61c413bcc7376a49678ce52de3e68d20a519fe81fc3af48fe7e CVE-2015-2265.patch" +sha512sums="7d538d71e6c8342e521f4366c443e767b64e324ed1689bb56c15e70211c91ea89e819c7ae142a9f6d86a111c6a5a4d44ba7b8aa2e5d0d71247fc2d3771c1598d cups-filters-1.0.61.tar.xz +1f6558b585c5f8080287f93c3b182102aa9f96bbbfd4ca4a4b9c32219b68b87c37a19dd5d1009046869c273818c2f3aa21937d9a75c5e57ca26f3f72d174d8a3 CVE-2015-8327.patch +5d600246f4d2d94da4e6cada458eb44edd7abcf1e09caa25cefeee50680f6e0f22a6ebb6a35005a7233836cc15e647ea110b69911dab2a9ab24ff1d6f4a1533a CVE-2015-3279.patch +c16d7598be3eaaaeee8014f2b8e6a1f42ac5fde6a3798270dca8a70fb34228f7f28096db1400a750d56ffa1693c5810713aab2cd7a399eb7e55f65ec8441ff45 CVE-2015-2265.patch" diff --git a/main/cups-filters/CVE-2015-2265.patch b/main/cups-filters/CVE-2015-2265.patch new file mode 100644 index 0000000000..f4cf6fa0da --- /dev/null +++ b/main/cups-filters/CVE-2015-2265.patch @@ -0,0 +1,21 @@ +Description: cups-browsed: SECURITY FIX: Fixed a bug in the remove_bad_chars() + failing to reliably filter out illegal characters if there are two + or more subsequent illegal characters, allowing execution of + arbitrary commands with the rights of the "lp" user, using forged + print service announcements on DNS-SD servers (Bug #1265). +Author: Till Kamppeter <till.kamppeter@gmail.com> +Last-Update: 2015-02-27 +Origin: upstream +Bug-CVE: CVE-2015-2265 +Bug-Debian: https://bugs.debian.org/780267 + +--- a/utils/cups-browsed.c ++++ b/utils/cups-browsed.c +@@ -634,6 +634,7 @@ + str[i] == '.' || str[i] == ','))) { + /* Letter or number, keep it */ + havedash = 0; ++ str[j] = str[i]; + } else { + /* Replace all other characters by a single '-' */ + if (havedash == 1) diff --git a/main/cups-filters/CVE-2015-3279.patch b/main/cups-filters/CVE-2015-3279.patch new file mode 100644 index 0000000000..deb92f400b --- /dev/null +++ b/main/cups-filters/CVE-2015-3279.patch @@ -0,0 +1,103 @@ +Description: SECURITY FIX: texttopdf: Fixed buffer overflow on size allocation of texttopdf when working with extremely small line sizes, which causes the size calculation to result in 0. +Author: Tim Waugh <twaugh@redhat.com> +Bug-CVE: CVE-2015-3258 +Bug-CVE: CVE-2015-3279 +Origin: upstream +Last-Update: 2015-07-03 + +--- a/filter/textcommon.c ++++ b/filter/textcommon.c +@@ -26,6 +26,7 @@ + */ + + #include "textcommon.h" ++#include <limits.h> + + + /* +@@ -644,6 +645,45 @@ + if (PrettyPrint) + PageTop -= 216.0f / LinesPerInch; + ++ /* ++ * Allocate memory for the page... ++ */ ++ ++ SizeColumns = (PageRight - PageLeft) / 72.0 * CharsPerInch; ++ SizeLines = (PageTop - PageBottom) / 72.0 * LinesPerInch; ++ ++ /* ++ * Enforce minimum size... ++ */ ++ if (SizeColumns < 1) ++ SizeColumns = 1; ++ if (SizeLines < 1) ++ SizeLines = 1; ++ ++ if (SizeLines >= INT_MAX / SizeColumns / sizeof(lchar_t)) ++ { ++ fprintf(stderr, "ERROR: bad page size\n"); ++ exit(1); ++ } ++ ++ Page = calloc(sizeof(lchar_t *), SizeLines); ++ if (!Page) ++ { ++ fprintf(stderr, "ERROR: cannot allocate memory for page\n"); ++ exit(1); ++ } ++ ++ Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines); ++ if (!Page[0]) ++ { ++ free(Page); ++ fprintf(stderr, "ERROR: cannot allocate memory for page\n"); ++ exit(1); ++ } ++ ++ for (i = 1; i < SizeLines; i ++) ++ Page[i] = Page[0] + i * SizeColumns; ++ + Copies = atoi(argv[4]); + + WriteProlog(argv[3], argv[2], getenv("CLASSIFICATION"), +@@ -1122,6 +1162,8 @@ + if (ppd != NULL) + ppdClose(ppd); + ++ free(Page[0]); ++ free(Page); + return (0); + } + +--- a/filter/texttopdf.c ++++ b/filter/texttopdf.c +@@ -172,9 +172,6 @@ + { "FN","FB","FI" }; + int i,j; + +- free(Page[0]); +- free(Page); +- + // embed fonts + for (i = PrettyPrint ? 2 : 1; i >= 0; i --) { + for (j = 0; j < NumFonts; j ++) +@@ -333,18 +330,6 @@ + PageTop -= 36; + } + +- /* +- * Allocate memory for the page... +- */ +- +- SizeColumns = (PageRight - PageLeft) / 72.0 * CharsPerInch; +- SizeLines = (PageTop - PageBottom) / 72.0 * LinesPerInch; +- +- Page = calloc(sizeof(lchar_t *), SizeLines); +- Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines); +- for (i = 1; i < SizeLines; i ++) +- Page[i] = Page[0] + i * SizeColumns; +- + if (PageColumns > 1) + { + ColumnGutter = CharsPerInch / 2; diff --git a/main/cups-filters/CVE-2015-8327.patch b/main/cups-filters/CVE-2015-8327.patch new file mode 100644 index 0000000000..45fe9c408d --- /dev/null +++ b/main/cups-filters/CVE-2015-8327.patch @@ -0,0 +1,19 @@ +Description: foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as + an illegal shell escape character. Thanks to Michal Kowalczyk from the Google + Security Team for the hint. +Author: Till Kamppeter <till.kamppeter@gmail.com> +Bug-CVE: CVE-2015-8327 +Origin: upstream +Last-Update: 2015-11-26 + +--- a/filter/foomatic-rip/util.c ++++ b/filter/foomatic-rip/util.c +@@ -31,7 +31,7 @@ + #include <assert.h> + + +-const char* shellescapes = "|<>&!$\'\"#*?()[]{}"; ++const char* shellescapes = "|<>&!$\'\"`#*?()[]{}"; + + const char * temp_dir() + { |