From b720e702885654c142baaff07e3f9a8979c78d5c Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 14 Jul 2015 17:15:00 +0200 Subject: [PATCH] cups: Update to 1.7.5 and fix for CVE-2015-1158 and CVE-2015-1159 Signed-off-by: Michael Tremer --- lfs/cups | 7 +- src/patches/cups-str4609.patch | 423 +++++++++++++++++++++++++++++++++ 2 files changed, 427 insertions(+), 3 deletions(-) create mode 100644 src/patches/cups-str4609.patch diff --git a/lfs/cups b/lfs/cups index 60f7e214e4..0c51687712 100644 --- a/lfs/cups +++ b/lfs/cups @@ -24,7 +24,7 @@ include Config -VER = 1.7.0 +VER = 1.7.5 THISAPP = cups-$(VER) DL_FILE = $(THISAPP)-source.tar.bz2 @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/cups-$(VER) TARGET = $(DIR_INFO)/$(THISAPP) PROG = cups -PAK_VER = 10 +PAK_VER = 11 DEPS = "ghostscript" @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 5ab496a2ce27017fcdb3d7ec4818a75a +$(DL_FILE)_MD5 = 5d893edc2957005f78e2b2423fdace2e install : $(TARGET) @@ -77,6 +77,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/cups-str4609.patch cd $(DIR_APP) && \ ./configure \ --prefix=/usr \ diff --git a/src/patches/cups-str4609.patch b/src/patches/cups-str4609.patch new file mode 100644 index 0000000000..2a9761b208 --- /dev/null +++ b/src/patches/cups-str4609.patch 
@@ -0,0 +1,423 @@
+diff -up cups-1.7.5/cgi-bin/ipp-var.c.str4609 cups-1.7.5/cgi-bin/ipp-var.c
+--- cups-1.7.5/cgi-bin/ipp-var.c.str4609 2014-05-22 15:59:21.000000000 +0200
++++ cups-1.7.5/cgi-bin/ipp-var.c 2015-06-10 10:31:45.297965345 +0200
+@@ -1206,21 +1206,7 @@ cgiSetIPPObjectVars(
+ * Rewrite URIs...
+ */
+
+- if (!strcmp(name, "member_uris"))
+- {
+- char url[1024]; /* URL for class member... */
+-
+-
+- cgiRewriteURL(attr->values[i].string.text, url,
+- sizeof(url), NULL);
+-
+- snprintf(valptr, sizeof(value) - (valptr - value),
+- "%s", url,
+- strrchr(attr->values[i].string.text, '/') + 1);
+- }
+- else
+- cgiRewriteURL(attr->values[i].string.text, valptr,
+- sizeof(value) - (valptr - value), NULL);
++ cgiRewriteURL(attr->values[i].string.text, valptr, sizeof(value) - (valptr - value), NULL);
+ break;
+ }
+
+diff -up cups-1.7.5/cgi-bin/template.c.str4609 cups-1.7.5/cgi-bin/template.c
+--- cups-1.7.5/cgi-bin/template.c.str4609 2014-03-05 22:11:32.000000000 +0100
++++ cups-1.7.5/cgi-bin/template.c 2015-06-10 10:31:45.297965345 +0200
+@@ -659,39 +659,7 @@ cgi_puts(const char *s, /* I - String
+ while (*s)
+ {
+ if (*s == '<')
+- {
+- /*
+- * Pass and , otherwise quote it...
+- */ +- +- if (!_cups_strncasecmp(s, "", out); +- } +- else if (!_cups_strncasecmp(s, "", 4)) +- { +- fputs("", out); +- s += 3; +- } +- else +- fputs("<", out); +- } ++ fputs("<", out); + else if (*s == '>') + fputs(">", out); + else if (*s == '\"') +diff -up cups-1.7.5/scheduler/client.c.str4609 cups-1.7.5/scheduler/client.c +--- cups-1.7.5/scheduler/client.c.str4609 2015-06-10 10:31:45.280965399 +0200 ++++ cups-1.7.5/scheduler/client.c 2015-06-10 10:31:45.300965335 +0200 +@@ -598,7 +598,12 @@ cupsdCloseClient(cupsd_client_t *con) /* + httpClearCookie(HTTP(con)); + httpClearFields(HTTP(con)); + +- cupsdClearString(&con->filename); ++ if (con->filename) ++ { ++ unlink(con->filename); ++ cupsdClearString(&con->filename); ++ } ++ + cupsdClearString(&con->command); + cupsdClearString(&con->options); + cupsdClearString(&con->query_string); +diff -up cups-1.7.5/scheduler/env.c.str4609 cups-1.7.5/scheduler/env.c +--- cups-1.7.5/scheduler/env.c.str4609 2015-06-10 10:31:45.208965629 +0200 ++++ cups-1.7.5/scheduler/env.c 2015-06-10 10:31:45.300965335 +0200 +@@ -131,6 +131,13 @@ cupsdSetEnv(const char *name, /* I - Na + return; + + /* ++ * Do not allow dynamic linker variables when running as root... ++ */ ++ ++ if (!RunUser && (!strncmp(name, "DYLD_", 5) || !strncmp(name, "LD_", 3))) ++ return; ++ ++ /* + * See if this variable has already been defined... + */ + +diff -up cups-1.7.5/scheduler/ipp.c.str4609 cups-1.7.5/scheduler/ipp.c +--- cups-1.7.5/scheduler/ipp.c.str4609 2015-06-10 10:31:45.287965377 +0200 ++++ cups-1.7.5/scheduler/ipp.c 2015-06-10 10:31:45.299965339 +0200 +@@ -412,8 +412,7 @@ cupsdProcessIPPRequest( + * Remote unauthenticated user masquerading as local root... 
+ */
+
+- _cupsStrFree(username->values[0].string.text);
+- username->values[0].string.text = _cupsStrAlloc(RemoteRoot);
++ ippSetString(con->request, &username, 0, RemoteRoot);
+ }
+ }
+
+@@ -1576,7 +1575,7 @@ add_job(cupsd_client_t *con, /* I - Cl
+ cupsdSetString(&job->username, con->username);
+
+ if (attr)
+- cupsdSetString(&attr->values[0].string.text, con->username);
++ ippSetString(job->attrs, &attr, 0, con->username);
+ }
+ else if (attr)
+ {
+@@ -1594,9 +1593,8 @@ add_job(cupsd_client_t *con, /* I - Cl
+ "job-originating-user-name", NULL, job->username);
+ else
+ {
+- attr->group_tag = IPP_TAG_JOB;
+- _cupsStrFree(attr->name);
+- attr->name = _cupsStrAlloc("job-originating-user-name");
++ ippSetGroupTag(job->attrs, &attr, IPP_TAG_JOB);
++ ippSetName(job->attrs, &attr, "job-originating-user-name");
+ }
+
+ if (con->username[0] || auth_info)
+@@ -1630,48 +1628,11 @@ add_job(cupsd_client_t *con, /* I - Cl
+ * Also, we can only have 1 value and it must be a name value.
+ */
+
+- switch (attr->value_tag)
+- {
+- case IPP_TAG_STRING :
+- case IPP_TAG_TEXTLANG :
+- case IPP_TAG_NAMELANG :
+- case IPP_TAG_TEXT :
+- case IPP_TAG_NAME :
+- case IPP_TAG_KEYWORD :
+- case IPP_TAG_URI :
+- case IPP_TAG_URISCHEME :
+- case IPP_TAG_CHARSET :
+- case IPP_TAG_LANGUAGE :
+- case IPP_TAG_MIMETYPE :
+- /*
+- * Free old strings...
+- */
+-
+- for (i = 0; i < attr->num_values; i ++)
+- {
+- _cupsStrFree(attr->values[i].string.text);
+- attr->values[i].string.text = NULL;
+- if (attr->values[i].string.language)
+- {
+- _cupsStrFree(attr->values[i].string.language);
+- attr->values[i].string.language = NULL;
+- }
+- }
+-
+- default :
+- break;
+- }
+-
+- /*
+- * Use the default connection hostname instead...
+- */
+-
+- attr->value_tag = IPP_TAG_NAME;
+- attr->num_values = 1;
+- attr->values[0].string.text = _cupsStrAlloc(con->http.hostname);
++ ippDeleteAttribute(job->attrs, attr);
++ ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_NAME, "job-originating-host-name", NULL, con->http.hostname);
+ }
+-
+- attr->group_tag = IPP_TAG_JOB;
++ else
++ ippSetGroupTag(job->attrs, &attr, IPP_TAG_JOB);
+ }
+ else
+ {
+@@ -1767,8 +1728,8 @@ add_job(cupsd_client_t *con, /* I - Cl
+
+ attr = ippAddStrings(job->attrs, IPP_TAG_JOB, IPP_TAG_NAME, "job-sheets",
+ 2, NULL, NULL);
+- attr->values[0].string.text = _cupsStrRetain(printer->job_sheets[0]);
+- attr->values[1].string.text = _cupsStrRetain(printer->job_sheets[1]);
++ ippSetString(job->attrs, &attr, 0, printer->job_sheets[0]);
++ ippSetString(job->attrs, &attr, 1, printer->job_sheets[1]);
+ }
+
+ job->job_sheets = attr;
+@@ -1794,7 +1755,7 @@ add_job(cupsd_client_t *con, /* I - Cl
+ * Force the leading banner to have the classification on it...
+ */
+
+- cupsdSetString(&attr->values[0].string.text, Classification);
++ ippSetString(job->attrs, &attr, 0, Classification);
+
+ cupsdLogJob(job, CUPSD_LOG_NOTICE, "CLASSIFICATION FORCED "
+ "job-sheets=\"%s,none\", "
+@@ -1811,7 +1772,7 @@ add_job(cupsd_client_t *con, /* I - Cl
+ * Can't put two different security markings on the same document!
+ */
+
+- cupsdSetString(&attr->values[1].string.text, attr->values[0].string.text);
++ ippSetString(job->attrs, &attr, 1, attr->values[0].string.text);
+
+ cupsdLogJob(job, CUPSD_LOG_NOTICE, "CLASSIFICATION FORCED "
+ "job-sheets=\"%s,%s\", "
+@@ -1851,18 +1812,18 @@ add_job(cupsd_client_t *con, /* I - Cl
+ if (attr->num_values > 1 &&
+ !strcmp(attr->values[0].string.text, attr->values[1].string.text))
+ {
+- cupsdSetString(&(attr->values[0].string.text), Classification);
+- cupsdSetString(&(attr->values[1].string.text), Classification);
++ ippSetString(job->attrs, &attr, 0, Classification);
++ ippSetString(job->attrs, &attr, 1, Classification);
+ }
+ else
+ {
+ if (attr->num_values == 1 ||
+ strcmp(attr->values[0].string.text, "none"))
+- cupsdSetString(&(attr->values[0].string.text), Classification);
++ ippSetString(job->attrs, &attr, 0, Classification);
+
+ if (attr->num_values > 1 &&
+ strcmp(attr->values[1].string.text, "none"))
+- cupsdSetString(&(attr->values[1].string.text), Classification);
++ ippSetString(job->attrs, &attr, 1, Classification);
+ }
+
+ if (attr->num_values > 1)
+@@ -3098,8 +3059,8 @@ authenticate_job(cupsd_client_t *con, /
+
+ if (attr)
+ {
+- attr->value_tag = IPP_TAG_KEYWORD;
+- cupsdSetString(&(attr->values[0].string.text), "no-hold");
++ ippSetValueTag(job->attrs, &attr, IPP_TAG_KEYWORD);
++ ippSetString(job->attrs, &attr, 0, "no-hold");
+ }
+
+ /*
+@@ -8224,11 +8185,7 @@ print_job(cupsd_client_t *con, /* I -
+ filetype->type);
+
+ if (format)
+- {
+- _cupsStrFree(format->values[0].string.text);
+-
+- format->values[0].string.text = _cupsStrAlloc(mimetype);
+- }
++ ippSetString(con->request, &format, 0, mimetype);
+ else
+ ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_MIMETYPE,
+ "document-format", NULL, mimetype);
+@@ -8765,10 +8722,8 @@ release_job(cupsd_client_t *con, /* I -
+
+ if (attr)
+ {
+- _cupsStrFree(attr->values[0].string.text);
+-
+- attr->value_tag = IPP_TAG_KEYWORD;
+- attr->values[0].string.text = _cupsStrAlloc("no-hold");
++ ippSetValueTag(job->attrs, &attr, IPP_TAG_KEYWORD);
++ ippSetString(job->attrs, &attr, 0, "no-hold");
+
+ cupsdAddEvent(CUPSD_EVENT_JOB_CONFIG_CHANGED, cupsdFindDest(job->dest), job,
+ "Job job-hold-until value changed by user.");
+@@ -9461,11 +9416,7 @@ send_document(cupsd_client_t *con, /* I
+
+ if ((jformat = ippFindAttribute(job->attrs, "document-format",
+ IPP_TAG_MIMETYPE)) != NULL)
+- {
+- _cupsStrFree(jformat->values[0].string.text);
+-
+- jformat->values[0].string.text = _cupsStrAlloc(mimetype);
+- }
++ ippSetString(job->attrs, &jformat, 0, mimetype);
+ else
+ ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_MIMETYPE,
+ "document-format", NULL, mimetype);
+diff -up cups-1.7.5/scheduler/job.c.str4609 cups-1.7.5/scheduler/job.c
+--- cups-1.7.5/scheduler/job.c.str4609 2015-06-10 10:31:45.288965374 +0200
++++ cups-1.7.5/scheduler/job.c 2015-06-10 10:31:45.299965339 +0200
+@@ -375,7 +375,7 @@ cupsdCheckJobs(void)
+
+ if ((attr = ippFindAttribute(job->attrs, "job-actual-printer-uri",
+ IPP_TAG_URI)) != NULL)
+- cupsdSetString(&attr->values[0].string.text, printer->uri);
++ ippSetString(job->attrs, &attr, 0, printer->uri);
+ else
+ ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_URI,
+ "job-actual-printer-uri", NULL, printer->uri);
+@@ -2109,7 +2109,7 @@ cupsdMoveJob(cupsd_job_t *job, /* I
+
+ if ((attr = ippFindAttribute(job->attrs, "job-printer-uri",
+ IPP_TAG_URI)) != NULL)
+- cupsdSetString(&(attr->values[0].string.text), p->uri);
++ ippSetString(job->attrs, &attr, 0, p->uri);
+
+ cupsdAddEvent(CUPSD_EVENT_JOB_STOPPED, p, job,
+ "Job #%d moved from %s to %s.", job->id, olddest,
+@@ -2306,7 +2306,7 @@ cupsdSetJobHoldUntil(cupsd_job_t *job, /
+ attr = ippFindAttribute(job->attrs, "job-hold-until", IPP_TAG_NAME);
+
+ if (attr)
+- cupsdSetString(&(attr->values[0].string.text), when);
++ ippSetString(job->attrs, &attr, 0, when);
+ else
+ attr = ippAddString(job->attrs, IPP_TAG_JOB, IPP_TAG_KEYWORD,
+ "job-hold-until", NULL, when);
+@@ -2560,8 +2560,8 @@ cupsdSetJobState(
+
+ if (attr)
+ {
+- attr->value_tag = IPP_TAG_KEYWORD;
+- cupsdSetString(&(attr->values[0].string.text), "no-hold");
++ ippSetValueTag(job->attrs, &attr, IPP_TAG_KEYWORD);
++ ippSetString(job->attrs, &attr, 0, "no-hold");
+ }
+
+ default :
+@@ -4598,7 +4598,7 @@ start_job(cupsd_job_t *job, /* I -
+ "job-printer-state-message",
+ IPP_TAG_TEXT);
+ if (job->printer_message)
+- cupsdSetString(&(job->printer_message->values[0].string.text), "");
++ ippSetString(job->attrs, &job->printer_message, 0, "");
+
+ ippSetString(job->attrs, &job->reasons, 0, "job-printing");
+ cupsdSetJobState(job, IPP_JOB_PROCESSING, CUPSD_JOB_DEFAULT, NULL);
+@@ -5216,15 +5216,14 @@ update_job_attrs(cupsd_job_t *job, /* I
+ if (job->state_value != IPP_JOB_PROCESSING &&
+ job->status_level == CUPSD_LOG_INFO)
+ {
+- cupsdSetString(&(job->printer_message->values[0].string.text), "");
++ ippSetString(job->attrs, &job->printer_message, 0, "");
+
+ job->dirty = 1;
+ cupsdMarkDirty(CUPSD_DIRTY_JOBS);
+ }
+ else if (job->printer->state_message[0] && do_message)
+ {
+- cupsdSetString(&(job->printer_message->values[0].string.text),
+- job->printer->state_message);
++ ippSetString(job->attrs, &job->printer_message, 0, job->printer->state_message);
+
+ job->dirty = 1;
+ cupsdMarkDirty(CUPSD_DIRTY_JOBS);
+diff -up cups-1.7.5/scheduler/main.c.str4609 cups-1.7.5/scheduler/main.c
+--- cups-1.7.5/scheduler/main.c.str4609 2015-06-10 10:31:45.265965447 +0200
++++ cups-1.7.5/scheduler/main.c 2015-06-10 10:31:45.300965335 +0200
+@@ -1205,8 +1205,8 @@ cupsdAddString(cups_array_t **a, /* IO -
+ if (!*a)
+ *a = cupsArrayNew3((cups_array_func_t)strcmp, NULL,
+ (cups_ahash_func_t)NULL, 0,
+- (cups_acopy_func_t)_cupsStrAlloc,
+- (cups_afree_func_t)_cupsStrFree);
++ (cups_acopy_func_t)strdup,
++ (cups_afree_func_t)free);
+
+ return (cupsArrayAdd(*a, (char *)s));
+ }
+@@ -1236,7 +1236,7 @@ cupsdClearString(char **s) /* O - Strin
+ {
+ if (s && *s)
+ {
+- _cupsStrFree(*s);
++ free(*s);
+ *s = NULL;
+ }
+ }
+@@ -1317,10 +1317,10 @@ cupsdSetString(char **s, /* O - N
+ return;
+
+ if (*s)
+- _cupsStrFree(*s);
++ free(*s);
+
+ if (v)
+- *s = _cupsStrAlloc(v);
++ *s = strdup(v);
+ else
+ *s = NULL;
+ }
+@@ -1351,13 +1351,13 @@ cupsdSetStringf(char **s, /* O -
+ vsnprintf(v, sizeof(v), f, ap);
+ va_end(ap);
+
+- *s = _cupsStrAlloc(v);
++ *s = strdup(v);
+ }
+ else
+ *s = NULL;
+
+ if (olds)
+- _cupsStrFree(olds);
++ free(olds);
+ }
+
+
+@@ -1804,8 +1804,7 @@ process_children(void)
+ }
+
+ if (job->printer_message)
+- cupsdSetString(&(job->printer_message->values[0].string.text),
+- message);
++ ippSetString(job->attrs, &job->printer_message, 0, message);
+ }
+ }
+
-- 2.39.2
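Review bot: After the scheduler/main.c hunks, `cupsdSetString()`, `cupsdSetStringf()` and `cupsdClearString()` release their argument with `free()`, so any call site that still passes the address of an IPP attribute value (`&attr->values[n].string.text`) would hand `free()` a string that was presumably allocated by `_cupsStrAlloc`. The ipp.c, job.c and `process_children` hunks convert the call sites they show to `ippSetString()`, but these functions and their remaining callers lie outside the patch, so the ownership rule should be written down at the definitions, e.g. `/* *s must be a heap string owned by the scheduler, never an ipp_attribute_t value */`, and the tree checked for leftover `cupsdSetString(&` uses on `->values[`. The new `strdup()` results are stored unchecked (`*s = strdup(v);`), so an allocation failure leaves NULL where the old value was, with no log entry. In scheduler/env.c the added `DYLD_`/`LD_` filter returns silently; a `cupsdLogMessage(CUPSD_LOG_WARN, ...)` call before that `return` would leave a trace when a configuration or request tries to set a dynamic-linker variable while the scheduler runs as root.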