Diffstat (limited to 'main/cups/str4609-1.7.patch')
-rw-r--r--main/cups/str4609-1.7.patch497
1 files changed, 497 insertions, 0 deletions
diff --git a/main/cups/str4609-1.7.patch b/main/cups/str4609-1.7.patch
new file mode 100644
index 0000000000..27d88ef471
--- /dev/null
+++ b/main/cups/str4609-1.7.patch
@@ -0,0 +1,497 @@
+* Improper Update of Reference Count -- CVE-2015-1158
+* Cross-Site Scripting -- CVE-2015-1159
+
+Index: cgi-bin/template.c
+===================================================================
+--- a/cgi-bin/template.c (revision 12548)
++++ b/cgi-bin/template.c (revision 12588)
+@@ -659,39 +659,7 @@
+ while (*s)
+ {
+ if (*s == '<')
+- {
+- /*
+- * Pass <A HREF="url"> and </A>, otherwise quote it...
+- */
+-
+- if (!_cups_strncasecmp(s, "<A HREF=\"", 9))
+- {
+- fputs("<A HREF=\"", out);
+- s += 9;
+-
+- while (*s && *s != '\"')
+- {
+- if (*s == '&')
+- fputs("&amp;", out);
+- else
+- putc(*s, out);
+-
+- s ++;
+- }
+-
+- if (*s)
+- s ++;
+-
+- fputs("\">", out);
+- }
+- else if (!_cups_strncasecmp(s, "</A>", 4))
+- {
+- fputs("</A>", out);
+- s += 3;
+- }
+- else
+- fputs("&lt;", out);
+- }
++ fputs("&lt;", out);
+ else if (*s == '>')
+ fputs("&gt;", out);
+ else if (*s == '\"')
+Index: cgi-bin/ipp-var.c
+===================================================================
+--- a/cgi-bin/ipp-var.c (revision 12548)
++++ b/cgi-bin/ipp-var.c (revision 12588)
+@@ -1230,21 +1230,7 @@
+ * Rewrite URIs...
+ */
+
+- if (!strcmp(name, "member_uris"))
+- {
+- char url[1024]; /* URL for class member... */
+-
+-
+- cgiRewriteURL(attr->values[i].string.text, url,
+- sizeof(url), NULL);
+-
+- snprintf(valptr, sizeof(value) - (valptr - value),
+- "<A HREF=\"%s\">%s</A>", url,
+- strrchr(attr->values[i].string.text, '/') + 1);
+- }
+- else
+- cgiRewriteURL(attr->values[i].string.text, valptr,
+- sizeof(value) - (valptr - value), NULL);
++ cgiRewriteURL(attr->values[i].string.text, valptr, sizeof(value) - (valptr - value), NULL);
+ break;
+ }
+
+Index: scheduler/ipp.c
+===================================================================
+--- a/scheduler/ipp.c (revision 12548)
++++ b/scheduler/ipp.c (revision 12588)
+@@ -3,7 +3,7 @@
+ *
+ * IPP routines for the CUPS scheduler.
+ *
+- * Copyright 2007-2014 by Apple Inc.
++ * Copyright 2007-2015 by Apple Inc.
+ * Copyright 1997-2007 by Easy Software Products, all rights reserved.
+ *
+ * This file contains Kerberos support code, copyright 2006 by
+@@ -412,8 +412,7 @@
+ * Remote unauthenticated user masquerading as local root...
+ */
+
+- _cupsStrFree(username->values[0].string.text);
+- username->values[0].string.text = _cupsStrAlloc(RemoteRoot);
++ ippSetString(con->request, &username, 0, RemoteRoot);
+ }
+ }
+
+@@ -1577,7 +1576,7 @@
+ cupsdSetString(&job->username, con->username);
+
+ if (attr)
+- cupsdSetString(&attr->values[0].string.text, con->username);
++ ippSetString(job->attrs, &attr, 0, con->username);
+ }
+ else if (attr)
+ {
+@@ -1595,9 +1594,8 @@
+ "job-originating-user-name", NULL, job->username);
+ else
+ {
+- attr->group_tag = IPP_TAG_JOB;
+- _cupsStrFree(attr->name);
+- attr->name = _cupsStrAlloc("job-originating-user-name");
++ ippSetGroupTag(job->attrs, &attr, IPP_TAG_JOB);
++ ippSetName(job->attrs, &attr, "job-originating-user-name");
+ }
+
+ if (con->username[0] || auth_info)
+@@ -1628,48 +1626,11 @@
+ * Also, we can only have 1 value and it must be a name value.
+ */
+
+- switch (attr->value_tag)
+- {
+- case IPP_TAG_STRING :
+- case IPP_TAG_TEXTLANG :
+- case IPP_TAG_NAMELANG :
+- case IPP_TAG_TEXT :
+- case IPP_TAG_NAME :
+- case IPP_TAG_KEYWORD :
+- case IPP_TAG_URI :
+- case IPP_TAG_URISCHEME :
+- case IPP_TAG_CHARSET :
+- case IPP_TAG_LANGUAGE :
+- case IPP_TAG_MIMETYPE :
+- /*
+- * Free old strings...
+- */
+-
+- for (i = 0; i < attr->num_values; i ++)
+- {
+- _cupsStrFree(attr->values[i].string.text);
+- attr->values[i].string.text = NULL;
+- if (attr->values[i].string.language)
+- {
+- _cupsStrFree(attr->values[i].string.language);
+- attr->values[i].string.language = NULL;
+- }
+- }
+-
+- default :
+- break;
+- }
+-
+- /*
+- * Use the default connection hostname instead...
+- */
+-
+- attr->value_tag = IPP_TAG_NAME;
+- attr->num_values = 1;
+- attr->values[0].string.text = _cupsStrAlloc(con->http.hostname);
++ ippDeleteAttribute(job->attrs, attr);
++ ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_NAME, "job-originating-host-name", NULL, con->http.hostname);
+ }
+-
+- attr->group_tag = IPP_TAG_JOB;
++ else
++ ippSetGroupTag(job->attrs, &attr, IPP_TAG_JOB);
+ }
+ else
+ {
+@@ -1766,8 +1727,8 @@
+
+ attr = ippAddStrings(job->attrs, IPP_TAG_JOB, IPP_TAG_NAME, "job-sheets",
+ 2, NULL, NULL);
+- attr->values[0].string.text = _cupsStrRetain(printer->job_sheets[0]);
+- attr->values[1].string.text = _cupsStrRetain(printer->job_sheets[1]);
++ ippSetString(job->attrs, &attr, 0, printer->job_sheets[0]);
++ ippSetString(job->attrs, &attr, 1, printer->job_sheets[1]);
+ }
+
+ job->job_sheets = attr;
+@@ -1793,7 +1754,7 @@
+ * Force the leading banner to have the classification on it...
+ */
+
+- cupsdSetString(&attr->values[0].string.text, Classification);
++ ippSetString(job->attrs, &attr, 0, Classification);
+
+ cupsdLogJob(job, CUPSD_LOG_NOTICE, "CLASSIFICATION FORCED "
+ "job-sheets=\"%s,none\", "
+@@ -1810,7 +1771,7 @@
+ * Can't put two different security markings on the same document!
+ */
+
+- cupsdSetString(&attr->values[1].string.text, attr->values[0].string.text);
++ ippSetString(job->attrs, &attr, 1, attr->values[0].string.text);
+
+ cupsdLogJob(job, CUPSD_LOG_NOTICE, "CLASSIFICATION FORCED "
+ "job-sheets=\"%s,%s\", "
+@@ -1850,18 +1811,18 @@
+ if (attr->num_values > 1 &&
+ !strcmp(attr->values[0].string.text, attr->values[1].string.text))
+ {
+- cupsdSetString(&(attr->values[0].string.text), Classification);
+- cupsdSetString(&(attr->values[1].string.text), Classification);
++ ippSetString(job->attrs, &attr, 0, Classification);
++ ippSetString(job->attrs, &attr, 1, Classification);
+ }
+ else
+ {
+ if (attr->num_values == 1 ||
+ strcmp(attr->values[0].string.text, "none"))
+- cupsdSetString(&(attr->values[0].string.text), Classification);
++ ippSetString(job->attrs, &attr, 0, Classification);
+
+ if (attr->num_values > 1 &&
+ strcmp(attr->values[1].string.text, "none"))
+- cupsdSetString(&(attr->values[1].string.text), Classification);
++ ippSetString(job->attrs, &attr, 1, Classification);
+ }
+
+ if (attr->num_values > 1)
+@@ -3089,8 +3050,8 @@
+
+ if (attr)
+ {
+- attr->value_tag = IPP_TAG_KEYWORD;
+- cupsdSetString(&(attr->values[0].string.text), "no-hold");
++ ippSetValueTag(job->attrs, &attr, IPP_TAG_KEYWORD);
++ ippSetString(job->attrs, &attr, 0, "no-hold");
+ }
+
+ /*
+@@ -8105,11 +8066,7 @@
+ filetype->type);
+
+ if (format)
+- {
+- _cupsStrFree(format->values[0].string.text);
+-
+- format->values[0].string.text = _cupsStrAlloc(mimetype);
+- }
++ ippSetString(con->request, &format, 0, mimetype);
+ else
+ ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_MIMETYPE,
+ "document-format", NULL, mimetype);
+@@ -8645,11 +8602,9 @@
+
+ if (attr)
+ {
+- _cupsStrFree(attr->values[0].string.text);
++ ippSetValueTag(job->attrs, &attr, IPP_TAG_KEYWORD);
++ ippSetString(job->attrs, &attr, 0, "no-hold");
+
+- attr->value_tag = IPP_TAG_KEYWORD;
+- attr->values[0].string.text = _cupsStrAlloc("no-hold");
+-
+ cupsdAddEvent(CUPSD_EVENT_JOB_CONFIG_CHANGED, cupsdFindDest(job->dest), job,
+ "Job job-hold-until value changed by user.");
+ ippSetString(job->attrs, &job->reasons, 0, "none");
+@@ -9341,11 +9296,7 @@
+
+ if ((jformat = ippFindAttribute(job->attrs, "document-format",
+ IPP_TAG_MIMETYPE)) != NULL)
+- {
+- _cupsStrFree(jformat->values[0].string.text);
+-
+- jformat->values[0].string.text = _cupsStrAlloc(mimetype);
+- }
++ ippSetString(job->attrs, &jformat, 0, mimetype);
+ else
+ ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_MIMETYPE,
+ "document-format", NULL, mimetype);
+Index: scheduler/job.c
+===================================================================
+--- a/scheduler/job.c (revision 12548)
++++ b/scheduler/job.c (revision 12588)
+@@ -374,7 +374,7 @@
+
+ if ((attr = ippFindAttribute(job->attrs, "job-actual-printer-uri",
+ IPP_TAG_URI)) != NULL)
+- cupsdSetString(&attr->values[0].string.text, printer->uri);
++ ippSetString(job->attrs, &attr, 0, printer->uri);
+ else
+ ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_URI,
+ "job-actual-printer-uri", NULL, printer->uri);
+@@ -2008,7 +2008,7 @@
+
+ if ((attr = ippFindAttribute(job->attrs, "job-printer-uri",
+ IPP_TAG_URI)) != NULL)
+- cupsdSetString(&(attr->values[0].string.text), p->uri);
++ ippSetString(job->attrs, &attr, 0, p->uri);
+
+ cupsdAddEvent(CUPSD_EVENT_JOB_STOPPED, p, job,
+ "Job #%d moved from %s to %s.", job->id, olddest,
+@@ -2198,7 +2198,7 @@
+ attr = ippFindAttribute(job->attrs, "job-hold-until", IPP_TAG_NAME);
+
+ if (attr)
+- cupsdSetString(&(attr->values[0].string.text), when);
++ ippSetString(job->attrs, &attr, 0, when);
+ else
+ attr = ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_KEYWORD,
+ "job-hold-until", NULL, when);
+@@ -2452,8 +2452,8 @@
+
+ if (attr)
+ {
+- attr->value_tag = IPP_TAG_KEYWORD;
+- cupsdSetString(&(attr->values[0].string.text), "no-hold");
++ ippSetValueTag(job->attrs, &attr, IPP_TAG_KEYWORD);
++ ippSetString(job->attrs, &attr, 0, "no-hold");
+ }
+
+ default :
+@@ -4442,7 +4442,7 @@
+ "job-printer-state-message",
+ IPP_TAG_TEXT);
+ if (job->printer_message)
+- cupsdSetString(&(job->printer_message->values[0].string.text), "");
++ ippSetString(job->attrs, &job->printer_message, 0, "");
+
+ ippSetString(job->attrs, &job->reasons, 0, "job-printing");
+ cupsdSetJobState(job, IPP_JOB_PROCESSING, CUPSD_JOB_DEFAULT, NULL);
+@@ -5060,15 +5060,14 @@
+ if (job->state_value != IPP_JOB_PROCESSING &&
+ job->status_level == CUPSD_LOG_INFO)
+ {
+- cupsdSetString(&(job->printer_message->values[0].string.text), "");
++ ippSetString(job->attrs, &job->printer_message, 0, "");
+
+ job->dirty = 1;
+ cupsdMarkDirty(CUPSD_DIRTY_JOBS);
+ }
+ else if (job->printer->state_message[0] && do_message)
+ {
+- cupsdSetString(&(job->printer_message->values[0].string.text),
+- job->printer->state_message);
++ ippSetString(job->attrs, &job->printer_message, 0, job->printer->state_message);
+
+ job->dirty = 1;
+ cupsdMarkDirty(CUPSD_DIRTY_JOBS);
+Index: scheduler/client.c
+===================================================================
+--- a/scheduler/client.c (revision 12548)
++++ b/scheduler/client.c (revision 12588)
+@@ -3,7 +3,7 @@
+ *
+ * Client routines for the CUPS scheduler.
+ *
+- * Copyright 2007-2014 by Apple Inc.
++ * Copyright 2007-2015 by Apple Inc.
+ * Copyright 1997-2007 by Easy Software Products, all rights reserved.
+ *
+ * This file contains Kerberos support code, copyright 2006 by
+@@ -598,7 +598,12 @@
+ httpClearCookie(HTTP(con));
+ httpClearFields(HTTP(con));
+
+- cupsdClearString(&con->filename);
++ if (con->filename)
++ {
++ unlink(con->filename);
++ cupsdClearString(&con->filename);
++ }
++
+ cupsdClearString(&con->command);
+ cupsdClearString(&con->options);
+ cupsdClearString(&con->query_string);
+Index: scheduler/env.c
+===================================================================
+--- a/scheduler/env.c (revision 12548)
++++ b/scheduler/env.c (revision 12588)
+@@ -1,27 +1,16 @@
+ /*
+ * "$Id$"
+ *
+- * Environment management routines for the CUPS scheduler.
++ * Environment management routines for the CUPS scheduler.
+ *
+- * Copyright 2007-2011 by Apple Inc.
+- * Copyright 1997-2006 by Easy Software Products, all rights reserved.
++ * Copyright 2007-2014 by Apple Inc.
++ * Copyright 1997-2006 by Easy Software Products, all rights reserved.
+ *
+- * These coded instructions, statements, and computer programs are the
+- * property of Apple Inc. and are protected by Federal copyright
+- * law. Distribution and use rights are outlined in the file "LICENSE.txt"
+- * which should have been included with this file. If this file is
+- * file is missing or damaged, see the license at "http://www.cups.org/".
+- *
+- * Contents:
+- *
+- * cupsdInitEnv() - Initialize the current environment with standard
+- * variables.
+- * cupsdLoadEnv() - Copy common environment variables into an array.
+- * cupsdSetEnv() - Set a common environment variable.
+- * cupsdSetEnvf() - Set a formatted common environment variable.
+- * cupsdUpdateEnv() - Update the environment for the configured directories.
+- * clear_env() - Clear common environment variables.
+- * find_env() - Find a common environment variable.
++ * These coded instructions, statements, and computer programs are the
++ * property of Apple Inc. and are protected by Federal copyright
++ * law. Distribution and use rights are outlined in the file "LICENSE.txt"
++ * which should have been included with this file. If this file is
++ * file is missing or damaged, see the license at "http://www.cups.org/".
+ */
+
+ /*
+@@ -131,6 +120,13 @@
+ return;
+
+ /*
++ * Do not allow dynamic linker variables when running as root...
++ */
++
++ if (!RunUser && (!strncmp(name, "DYLD_", 5) || !strncmp(name, "LD_", 3)))
++ return;
++
++ /*
+ * See if this variable has already been defined...
+ */
+
+Index: scheduler/main.c
+===================================================================
+--- a/scheduler/main.c (revision 12548)
++++ b/scheduler/main.c (revision 12588)
+@@ -3,7 +3,7 @@
+ *
+ * Main loop for the CUPS scheduler.
+ *
+- * Copyright 2007-2014 by Apple Inc.
++ * Copyright 2007-2015 by Apple Inc.
+ * Copyright 1997-2007 by Easy Software Products, all rights reserved.
+ *
+ * These coded instructions, statements, and computer programs are the
+@@ -1144,8 +1144,8 @@
+ if (!*a)
+ *a = cupsArrayNew3((cups_array_func_t)strcmp, NULL,
+ (cups_ahash_func_t)NULL, 0,
+- (cups_acopy_func_t)_cupsStrAlloc,
+- (cups_afree_func_t)_cupsStrFree);
++ (cups_acopy_func_t)strdup,
++ (cups_afree_func_t)free);
+
+ return (cupsArrayAdd(*a, (char *)s));
+ }
+@@ -1175,7 +1175,7 @@
+ {
+ if (s && *s)
+ {
+- _cupsStrFree(*s);
++ free(*s);
+ *s = NULL;
+ }
+ }
+@@ -1256,10 +1256,10 @@
+ return;
+
+ if (*s)
+- _cupsStrFree(*s);
++ free(*s);
+
+ if (v)
+- *s = _cupsStrAlloc(v);
++ *s = strdup(v);
+ else
+ *s = NULL;
+ }
+@@ -1290,13 +1290,13 @@
+ vsnprintf(v, sizeof(v), f, ap);
+ va_end(ap);
+
+- *s = _cupsStrAlloc(v);
++ *s = strdup(v);
+ }
+ else
+ *s = NULL;
+
+ if (olds)
+- _cupsStrFree(olds);
++ free(olds);
+ }
+
+
+@@ -1647,8 +1647,7 @@
+ }
+
+ if (job->printer_message)
+- cupsdSetString(&(job->printer_message->values[0].string.text),
+- message);
++ ippSetString(job->attrs, &job->printer_message, 0, message);
+ }
+ }
+
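Review bot: The dynamic-linker filter added in the scheduler/env.c hunk at `@@ -131,6 +120,13 @@` returns silently when a `DYLD_` or `LD_` name is rejected, so nothing records that a configured variable was dropped. A rejected linker variable while the scheduler runs as root is worth surfacing: it tells an administrator why the setting had no effect, and it gives monitoring a signal that the configuration contains an entry that should not be there. I would brace the `if` body and log before returning, for example `cupsdLogMessage(CUPSD_LOG_WARN, "Ignoring dynamic linker variable \"%s\" while running as root.", name);`. The enclosing function starts and ends outside the hunk, so confirm that logging is usable at the point where it is called.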