cups: Update to 1.7.5 and fix for CVE-2015-1158 and CVE-2015-1159

author Michael Tremer <michael.tremer@ipfire.org>

Tue, 14 Jul 2015 15:15:00 +0000 (17:15 +0200)

committer Michael Tremer <michael.tremer@ipfire.org>

Tue, 14 Jul 2015 15:15:00 +0000 (17:15 +0200)
author Michael Tremer <michael.tremer@ipfire.org>
Tue, 14 Jul 2015 15:15:00 +0000 (17:15 +0200)
committer Michael Tremer <michael.tremer@ipfire.org>
Tue, 14 Jul 2015 15:15:00 +0000 (17:15 +0200)
diff --git a/lfs/cups b/lfs/cups

index 60f7e214e40964c5bdb49391924ed316d78e2c9a..0c51687712c134121d6b3311100e28817a97a02a 100644 (file)
--- a/lfs/cups
+++ b/lfs/cups
@@ -24,7 +24,7 @@
  
  include Config
  
-VER        = 1.7.0
+VER        = 1.7.5
  
  THISAPP    = cups-$(VER)
  DL_FILE    = $(THISAPP)-source.tar.bz2
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
  DIR_APP    = $(DIR_SRC)/cups-$(VER)
  TARGET     = $(DIR_INFO)/$(THISAPP)
  PROG       = cups
-PAK_VER    = 10
+PAK_VER    = 11
  
  DEPS       = "ghostscript"
  
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
  
  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
  
-$(DL_FILE)_MD5 = 5ab496a2ce27017fcdb3d7ec4818a75a
+$(DL_FILE)_MD5 = 5d893edc2957005f78e2b2423fdace2e
  
  install : $(TARGET)
  
@@ -77,6 +77,7 @@ $(subst %,%_MD5,$(objects)) :
  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
         @$(PREBUILD)
         @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/cups-str4609.patch
         cd $(DIR_APP) && \
                 ./configure \
                         --prefix=/usr \
diff --git a/src/patches/cups-str4609.patch b/src/patches/cups-str4609.patch

new file mode 100644 (file)

index 0000000..2a9761b
--- /dev/null
+++ b/src/patches/cups-str4609.patch
@@ -0,0 +1,423 @@
+diff -up cups-1.7.5/cgi-bin/ipp-var.c.str4609 cups-1.7.5/cgi-bin/ipp-var.c
+--- cups-1.7.5/cgi-bin/ipp-var.c.str4609       2014-05-22 15:59:21.000000000 +0200
++++ cups-1.7.5/cgi-bin/ipp-var.c       2015-06-10 10:31:45.297965345 +0200
+@@ -1206,21 +1206,7 @@ cgiSetIPPObjectVars(
+             * Rewrite URIs...
+             */
+ 
+-              if (!strcmp(name, "member_uris"))
+-            {
+-              char    url[1024];      /* URL for class member... */
+-
+-
+-              cgiRewriteURL(attr->values[i].string.text, url,
+-                            sizeof(url), NULL);
+-
+-                snprintf(valptr, sizeof(value) - (valptr - value),
+-                       "<A HREF=\"%s\">%s</A>", url,
+-                       strrchr(attr->values[i].string.text, '/') + 1);
+-            }
+-            else
+-              cgiRewriteURL(attr->values[i].string.text, valptr,
+-                            sizeof(value) - (valptr - value), NULL);
++            cgiRewriteURL(attr->values[i].string.text, valptr, sizeof(value) - (valptr - value), NULL);
+               break;
+             }
+ 
+diff -up cups-1.7.5/cgi-bin/template.c.str4609 cups-1.7.5/cgi-bin/template.c
+--- cups-1.7.5/cgi-bin/template.c.str4609      2014-03-05 22:11:32.000000000 +0100
++++ cups-1.7.5/cgi-bin/template.c      2015-06-10 10:31:45.297965345 +0200
+@@ -659,39 +659,7 @@ cgi_puts(const char *s,                   /* I - String
+   while (*s)
+   {
+     if (*s == '<')
+-    {
+-     /*
+-      * Pass <A HREF="url"> and </A>, otherwise quote it...
+-      */
+-
+-      if (!_cups_strncasecmp(s, "<A HREF=\"", 9))
+-      {
+-        fputs("<A HREF=\"", out);
+-      s += 9;
+-
+-      while (*s && *s != '\"')
+-      {
+-          if (*s == '&')
+-            fputs("&amp;", out);
+-        else
+-          putc(*s, out);
+-
+-        s ++;
+-      }
+-
+-        if (*s)
+-        s ++;
+-
+-      fputs("\">", out);
+-      }
+-      else if (!_cups_strncasecmp(s, "</A>", 4))
+-      {
+-        fputs("</A>", out);
+-      s += 3;
+-      }
+-      else
+-        fputs("&lt;", out);
+-    }
++      fputs("&lt;", out);
+     else if (*s == '>')
+       fputs("&gt;", out);
+     else if (*s == '\"')
+diff -up cups-1.7.5/scheduler/client.c.str4609 cups-1.7.5/scheduler/client.c
+--- cups-1.7.5/scheduler/client.c.str4609      2015-06-10 10:31:45.280965399 +0200
++++ cups-1.7.5/scheduler/client.c      2015-06-10 10:31:45.300965335 +0200
+@@ -598,7 +598,12 @@ cupsdCloseClient(cupsd_client_t *con)     /*
+     httpClearCookie(HTTP(con));
+     httpClearFields(HTTP(con));
+ 
+-    cupsdClearString(&con->filename);
++    if (con->filename)
++    {
++      unlink(con->filename);
++      cupsdClearString(&con->filename);
++    }
++
+     cupsdClearString(&con->command);
+     cupsdClearString(&con->options);
+     cupsdClearString(&con->query_string);
+diff -up cups-1.7.5/scheduler/env.c.str4609 cups-1.7.5/scheduler/env.c
+--- cups-1.7.5/scheduler/env.c.str4609 2015-06-10 10:31:45.208965629 +0200
++++ cups-1.7.5/scheduler/env.c 2015-06-10 10:31:45.300965335 +0200
+@@ -131,6 +131,13 @@ cupsdSetEnv(const char *name,             /* I - Na
+     return;
+ 
+  /*
++  * Do not allow dynamic linker variables when running as root...
++  */
++
++  if (!RunUser && (!strncmp(name, "DYLD_", 5) || !strncmp(name, "LD_", 3)))
++    return;
++
++ /*
+   * See if this variable has already been defined...
+   */
+ 
+diff -up cups-1.7.5/scheduler/ipp.c.str4609 cups-1.7.5/scheduler/ipp.c
+--- cups-1.7.5/scheduler/ipp.c.str4609 2015-06-10 10:31:45.287965377 +0200
++++ cups-1.7.5/scheduler/ipp.c 2015-06-10 10:31:45.299965339 +0200
+@@ -412,8 +412,7 @@ cupsdProcessIPPRequest(
+           * Remote unauthenticated user masquerading as local root...
+           */
+ 
+-          _cupsStrFree(username->values[0].string.text);
+-          username->values[0].string.text = _cupsStrAlloc(RemoteRoot);
++            ippSetString(con->request, &username, 0, RemoteRoot);
+         }
+       }
+ 
+@@ -1576,7 +1575,7 @@ add_job(cupsd_client_t  *con,            /* I - Cl
+     cupsdSetString(&job->username, con->username);
+ 
+     if (attr)
+-      cupsdSetString(&attr->values[0].string.text, con->username);
++      ippSetString(job->attrs, &attr, 0, con->username);
+   }
+   else if (attr)
+   {
+@@ -1594,9 +1593,8 @@ add_job(cupsd_client_t  *con,            /* I - Cl
+                  "job-originating-user-name", NULL, job->username);
+   else
+   {
+-    attr->group_tag = IPP_TAG_JOB;
+-    _cupsStrFree(attr->name);
+-    attr->name = _cupsStrAlloc("job-originating-user-name");
++    ippSetGroupTag(job->attrs, &attr, IPP_TAG_JOB);
++    ippSetName(job->attrs, &attr, "job-originating-user-name");
+   }
+ 
+   if (con->username[0] || auth_info)
+@@ -1630,48 +1628,11 @@ add_job(cupsd_client_t  *con,          /* I - Cl
+       * Also, we can only have 1 value and it must be a name value.
+       */
+ 
+-      switch (attr->value_tag)
+-      {
+-        case IPP_TAG_STRING :
+-      case IPP_TAG_TEXTLANG :
+-      case IPP_TAG_NAMELANG :
+-      case IPP_TAG_TEXT :
+-      case IPP_TAG_NAME :
+-      case IPP_TAG_KEYWORD :
+-      case IPP_TAG_URI :
+-      case IPP_TAG_URISCHEME :
+-      case IPP_TAG_CHARSET :
+-      case IPP_TAG_LANGUAGE :
+-      case IPP_TAG_MIMETYPE :
+-         /*
+-          * Free old strings...
+-          */
+-
+-          for (i = 0; i < attr->num_values; i ++)
+-          {
+-            _cupsStrFree(attr->values[i].string.text);
+-            attr->values[i].string.text = NULL;
+-            if (attr->values[i].string.language)
+-            {
+-              _cupsStrFree(attr->values[i].string.language);
+-              attr->values[i].string.language = NULL;
+-            }
+-            }
+-
+-      default :
+-            break;
+-      }
+-
+-     /*
+-      * Use the default connection hostname instead...
+-      */
+-
+-      attr->value_tag             = IPP_TAG_NAME;
+-      attr->num_values            = 1;
+-      attr->values[0].string.text = _cupsStrAlloc(con->http.hostname);
++      ippDeleteAttribute(job->attrs, attr);
++      ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_NAME, "job-originating-host-name", NULL, con->http.hostname);
+     }
+-
+-    attr->group_tag = IPP_TAG_JOB;
++    else
++      ippSetGroupTag(job->attrs, &attr, IPP_TAG_JOB);
+   }
+   else
+   {
+@@ -1767,8 +1728,8 @@ add_job(cupsd_client_t  *con,            /* I - Cl
+ 
+       attr = ippAddStrings(job->attrs, IPP_TAG_JOB, IPP_TAG_NAME, "job-sheets",
+                            2, NULL, NULL);
+-      attr->values[0].string.text = _cupsStrRetain(printer->job_sheets[0]);
+-      attr->values[1].string.text = _cupsStrRetain(printer->job_sheets[1]);
++      ippSetString(job->attrs, &attr, 0, printer->job_sheets[0]);
++      ippSetString(job->attrs, &attr, 1, printer->job_sheets[1]);
+     }
+ 
+     job->job_sheets = attr;
+@@ -1794,7 +1755,7 @@ add_job(cupsd_client_t  *con,            /* I - Cl
+           * Force the leading banner to have the classification on it...
+         */
+ 
+-          cupsdSetString(&attr->values[0].string.text, Classification);
++          ippSetString(job->attrs, &attr, 0, Classification);
+ 
+         cupsdLogJob(job, CUPSD_LOG_NOTICE, "CLASSIFICATION FORCED "
+                                            "job-sheets=\"%s,none\", "
+@@ -1811,7 +1772,7 @@ add_job(cupsd_client_t  *con,            /* I - Cl
+         * Can't put two different security markings on the same document!
+         */
+ 
+-          cupsdSetString(&attr->values[1].string.text, attr->values[0].string.text);
++          ippSetString(job->attrs, &attr, 1, attr->values[0].string.text);
+ 
+         cupsdLogJob(job, CUPSD_LOG_NOTICE, "CLASSIFICATION FORCED "
+                                            "job-sheets=\"%s,%s\", "
+@@ -1851,18 +1812,18 @@ add_job(cupsd_client_t  *con,          /* I - Cl
+         if (attr->num_values > 1 &&
+           !strcmp(attr->values[0].string.text, attr->values[1].string.text))
+       {
+-          cupsdSetString(&(attr->values[0].string.text), Classification);
+-          cupsdSetString(&(attr->values[1].string.text), Classification);
++          ippSetString(job->attrs, &attr, 0, Classification);
++          ippSetString(job->attrs, &attr, 1, Classification);
+       }
+         else
+       {
+           if (attr->num_values == 1 ||
+             strcmp(attr->values[0].string.text, "none"))
+-            cupsdSetString(&(attr->values[0].string.text), Classification);
++            ippSetString(job->attrs, &attr, 0, Classification);
+ 
+           if (attr->num_values > 1 &&
+             strcmp(attr->values[1].string.text, "none"))
+-            cupsdSetString(&(attr->values[1].string.text), Classification);
++          ippSetString(job->attrs, &attr, 1, Classification);
+         }
+ 
+         if (attr->num_values > 1)
+@@ -3098,8 +3059,8 @@ authenticate_job(cupsd_client_t  *con,   /
+ 
+   if (attr)
+   {
+-    attr->value_tag = IPP_TAG_KEYWORD;
+-    cupsdSetString(&(attr->values[0].string.text), "no-hold");
++    ippSetValueTag(job->attrs, &attr, IPP_TAG_KEYWORD);
++    ippSetString(job->attrs, &attr, 0, "no-hold");
+   }
+ 
+  /*
+@@ -8224,11 +8185,7 @@ print_job(cupsd_client_t  *con,         /* I -
+              filetype->type);
+ 
+     if (format)
+-    {
+-      _cupsStrFree(format->values[0].string.text);
+-
+-      format->values[0].string.text = _cupsStrAlloc(mimetype);
+-    }
++      ippSetString(con->request, &format, 0, mimetype);
+     else
+       ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_MIMETYPE,
+                  "document-format", NULL, mimetype);
+@@ -8765,10 +8722,8 @@ release_job(cupsd_client_t  *con,       /* I -
+ 
+   if (attr)
+   {
+-    _cupsStrFree(attr->values[0].string.text);
+-
+-    attr->value_tag = IPP_TAG_KEYWORD;
+-    attr->values[0].string.text = _cupsStrAlloc("no-hold");
++    ippSetValueTag(job->attrs, &attr, IPP_TAG_KEYWORD);
++    ippSetString(job->attrs, &attr, 0, "no-hold");
+ 
+     cupsdAddEvent(CUPSD_EVENT_JOB_CONFIG_CHANGED, cupsdFindDest(job->dest), job,
+                   "Job job-hold-until value changed by user.");
+@@ -9461,11 +9416,7 @@ send_document(cupsd_client_t  *con,     /* I
+ 
+     if ((jformat = ippFindAttribute(job->attrs, "document-format",
+                                     IPP_TAG_MIMETYPE)) != NULL)
+-    {
+-      _cupsStrFree(jformat->values[0].string.text);
+-
+-      jformat->values[0].string.text = _cupsStrAlloc(mimetype);
+-    }
++      ippSetString(job->attrs, &jformat, 0, mimetype);
+     else
+       ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_MIMETYPE,
+                  "document-format", NULL, mimetype);
+diff -up cups-1.7.5/scheduler/job.c.str4609 cups-1.7.5/scheduler/job.c
+--- cups-1.7.5/scheduler/job.c.str4609 2015-06-10 10:31:45.288965374 +0200
++++ cups-1.7.5/scheduler/job.c 2015-06-10 10:31:45.299965339 +0200
+@@ -375,7 +375,7 @@ cupsdCheckJobs(void)
+ 
+           if ((attr = ippFindAttribute(job->attrs, "job-actual-printer-uri",
+                                      IPP_TAG_URI)) != NULL)
+-            cupsdSetString(&attr->values[0].string.text, printer->uri);
++            ippSetString(job->attrs, &attr, 0, printer->uri);
+         else
+           ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_URI,
+                        "job-actual-printer-uri", NULL, printer->uri);
+@@ -2109,7 +2109,7 @@ cupsdMoveJob(cupsd_job_t     *job,       /* I
+ 
+   if ((attr = ippFindAttribute(job->attrs, "job-printer-uri",
+                                IPP_TAG_URI)) != NULL)
+-    cupsdSetString(&(attr->values[0].string.text), p->uri);
++    ippSetString(job->attrs, &attr, 0, p->uri);
+ 
+   cupsdAddEvent(CUPSD_EVENT_JOB_STOPPED, p, job,
+                 "Job #%d moved from %s to %s.", job->id, olddest,
+@@ -2306,7 +2306,7 @@ cupsdSetJobHoldUntil(cupsd_job_t *job,   /
+       attr = ippFindAttribute(job->attrs, "job-hold-until", IPP_TAG_NAME);
+ 
+     if (attr)
+-      cupsdSetString(&(attr->values[0].string.text), when);
++      ippSetString(job->attrs, &attr, 0, when);
+     else
+       attr = ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_KEYWORD,
+                           "job-hold-until", NULL, when);
+@@ -2560,8 +2560,8 @@ cupsdSetJobState(
+ 
+       if (attr)
+       {
+-        attr->value_tag = IPP_TAG_KEYWORD;
+-        cupsdSetString(&(attr->values[0].string.text), "no-hold");
++        ippSetValueTag(job->attrs, &attr, IPP_TAG_KEYWORD);
++        ippSetString(job->attrs, &attr, 0, "no-hold");
+       }
+ 
+     default :
+@@ -4598,7 +4598,7 @@ start_job(cupsd_job_t     *job,          /* I -
+                                             "job-printer-state-message",
+                                             IPP_TAG_TEXT);
+   if (job->printer_message)
+-    cupsdSetString(&(job->printer_message->values[0].string.text), "");
++    ippSetString(job->attrs, &job->printer_message, 0, "");
+ 
+   ippSetString(job->attrs, &job->reasons, 0, "job-printing");
+   cupsdSetJobState(job, IPP_JOB_PROCESSING, CUPSD_JOB_DEFAULT, NULL);
+@@ -5216,15 +5216,14 @@ update_job_attrs(cupsd_job_t *job,     /* I
+   if (job->state_value != IPP_JOB_PROCESSING &&
+       job->status_level == CUPSD_LOG_INFO)
+   {
+-    cupsdSetString(&(job->printer_message->values[0].string.text), "");
++    ippSetString(job->attrs, &job->printer_message, 0, "");
+ 
+     job->dirty = 1;
+     cupsdMarkDirty(CUPSD_DIRTY_JOBS);
+   }
+   else if (job->printer->state_message[0] && do_message)
+   {
+-    cupsdSetString(&(job->printer_message->values[0].string.text),
+-                 job->printer->state_message);
++    ippSetString(job->attrs, &job->printer_message, 0, job->printer->state_message);
+ 
+     job->dirty = 1;
+     cupsdMarkDirty(CUPSD_DIRTY_JOBS);
+diff -up cups-1.7.5/scheduler/main.c.str4609 cups-1.7.5/scheduler/main.c
+--- cups-1.7.5/scheduler/main.c.str4609        2015-06-10 10:31:45.265965447 +0200
++++ cups-1.7.5/scheduler/main.c        2015-06-10 10:31:45.300965335 +0200
+@@ -1205,8 +1205,8 @@ cupsdAddString(cups_array_t **a, /* IO -
+   if (!*a)
+     *a = cupsArrayNew3((cups_array_func_t)strcmp, NULL,
+                      (cups_ahash_func_t)NULL, 0,
+-                     (cups_acopy_func_t)_cupsStrAlloc,
+-                     (cups_afree_func_t)_cupsStrFree);
++                     (cups_acopy_func_t)strdup,
++                     (cups_afree_func_t)free);
+ 
+   return (cupsArrayAdd(*a, (char *)s));
+ }
+@@ -1236,7 +1236,7 @@ cupsdClearString(char **s)               /* O - Strin
+ {
+   if (s && *s)
+   {
+-    _cupsStrFree(*s);
++    free(*s);
+     *s = NULL;
+   }
+ }
+@@ -1317,10 +1317,10 @@ cupsdSetString(char       **s,         /* O - N
+     return;
+ 
+   if (*s)
+-    _cupsStrFree(*s);
++    free(*s);
+ 
+   if (v)
+-    *s = _cupsStrAlloc(v);
++    *s = strdup(v);
+   else
+     *s = NULL;
+ }
+@@ -1351,13 +1351,13 @@ cupsdSetStringf(char       **s,                /* O -
+     vsnprintf(v, sizeof(v), f, ap);
+     va_end(ap);
+ 
+-    *s = _cupsStrAlloc(v);
++    *s = strdup(v);
+   }
+   else
+     *s = NULL;
+ 
+   if (olds)
+-    _cupsStrFree(olds);
++    free(olds);
+ }
+ 
+ 
+@@ -1804,8 +1804,7 @@ process_children(void)
+           }
+ 
+           if (job->printer_message)
+-            cupsdSetString(&(job->printer_message->values[0].string.text),
+-                           message);
++            ippSetString(job->attrs, &job->printer_message, 0, message);
+         }
+       }
+
author	Michael Tremer <michael.tremer@ipfire.org>
	Tue, 14 Jul 2015 15:15:00 +0000 (17:15 +0200)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Tue, 14 Jul 2015 15:15:00 +0000 (17:15 +0200)
lfs/cups		patch \| blob \| blame \| history
src/patches/cups-str4609.patch	[new file with mode: 0644]	patch \| blob