CVE-2019-2228: Fix ippSetValueTag validation of default language.

diff --git a/CHANGES.md b/CHANGES.md
index 2afa7686a8771c8cfe64969dde528c2331d32d58..78ca1f98a8bc4f707679b14a96a3fb97f81229fe 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,4 +1,4 @@
-CHANGES - 2.3.1 - 2019-12-04
+CHANGES - 2.3.1 - 2019-12-13
 ============================
 
 
@@ -6,6 +6,8 @@ Changes in CUPS v2.3.1
 ----------------------
 
 - Documentation updates (Issue #5661, #5674, #5682)
+- CVE-2019-2228: The `ippSetValuetag` function did not validate the default
+  language value.
 - Fixed a crash bug in the web interface (Issue #5621)
 - The PPD cache code now looks up page sizes using their dimensions
   (Issue #5633)

diff --git a/cups/ipp.c b/cups/ipp.c
index d0cac8cfe198c97bd218f661018b21a6f7e48a3d..1595b8b6103e0c938dcb9f1a6172ea9b1c7d249e 100644 (file)
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -4565,7 +4565,7 @@ ippSetValueTag(
           return (0);
 
         if (ipp->attrs && ipp->attrs->next && ipp->attrs->next->name &&
-            !strcmp(ipp->attrs->next->name, "attributes-natural-language"))
+            !strcmp(ipp->attrs->next->name, "attributes-natural-language") && (ipp->attrs->next->value_tag & IPP_TAG_CUPS_MASK) == IPP_TAG_LANGUAGE)
         {
          /*
           * Use the language code from the IPP message...