CVE-2019-2228: Fix ippSetValueTag validation of default language.

diff --git a/CHANGES.md b/CHANGES.md
index f8ce9f7f5c600ae12f22d30a9c38c9a0b197f80c..46bd6aa6aee4b2efe189b1e436c1088dc6a012bb 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,10 +1,12 @@
-CHANGES - 2.2.13 - 2019-12-04
+CHANGES - 2.2.13 - 2019-12-13
 =============================
 
 
 Changes in CUPS v2.2.13
 -----------------------
 
+- CVE-2019-2228: The `ippSetValuetag` function did not validate the default
+  language value.
 - Added a workaround for the scheduler's systemd support (Issue #5640)
 - Fixed spelling of "fold-accordion".
 - Fixed the default common name for TLS certificates used by `ippserver`.

diff --git a/cups/ipp.c b/cups/ipp.c
index 7e325beb2fa1835252a3289756c1897394b66357..dcc9d208b8c51262b9d14de6fc81e850eb658cfe 100644 (file)
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -4568,7 +4568,7 @@ ippSetValueTag(
           return (0);
 
         if (ipp->attrs && ipp->attrs->next && ipp->attrs->next->name &&
-            !strcmp(ipp->attrs->next->name, "attributes-natural-language"))
+            !strcmp(ipp->attrs->next->name, "attributes-natural-language") && (ipp->attrs->next->value_tag & IPP_TAG_CUPS_MASK) == IPP_TAG_LANGUAGE)
         {
          /*
           * Use the language code from the IPP message...