gnu: cups: Add replacement to fix CVE-2020-10001.

* gnu/packages/patches/cups-CVE-2020-10001.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/cups.scm (cups-minimal/fixed): New variable. (cups-minimal)[replacement]: Assign it to new field.
2021-06-23 12:52:21 +02:00 · 2021-06-23 12:52:21 +02:00 · 620669fd17
parent 3694c0d4fe
commit 620669fd17
3 changed files with 54 additions and 0 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -929,6 +929,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/crda-optional-gcrypt.patch		\
  %D%/packages/patches/clucene-contribs-lib.patch               \
  %D%/packages/patches/cube-nocheck.patch			\
+  %D%/packages/patches/cups-CVE-2020-10001.patch		\
  %D%/packages/patches/curl-use-ssl-cert-env.patch		\
  %D%/packages/patches/curl-7.76-use-ssl-cert-env.patch	\
  %D%/packages/patches/curl-7.77-tls-priority-string.patch	\
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@ -252,6 +252,7 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
  (package
    (name "cups-minimal")
    (version "2.3.3")
+    (replacement cups-minimal/fixed)
    (source
     (origin
       (method url-fetch)
@ -312,6 +313,11 @@ device-specific programs to convert and print many types of files.")
    ;; CUPS is Apache 2.0 with exceptions, see the NOTICE file.
    (license license:asl2.0)))

+(define cups-minimal/fixed
+  (package-with-extra-patches
+   cups-minimal
+   (search-patches "cups-CVE-2020-10001.patch")))
+
 (define-public cups
  (package/inherit cups-minimal
    (name "cups")
--- a/gnu/packages/patches/cups-CVE-2020-10001.patch
+++ b/gnu/packages/patches/cups-CVE-2020-10001.patch
@ -0,0 +1,47 @@
+From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 1 Feb 2021 15:02:32 -0500
+Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
+
+---
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 3d529346c..adbb26fba 100644
+--- a/cups/ipp.c
+++ b/cups/ipp.c
+@@ -2866,7 +2866,8 @@ ippReadIO(void       *src,		/* I - Data source */
+   unsigned char		*buffer,	/* Data buffer */
+ 			string[IPP_MAX_TEXT],
+ 					/* Small string buffer */
+-			*bufptr;	/* Pointer into buffer */
+			*bufptr,	/* Pointer into buffer */
+			*bufend;	/* End of buffer */
+   ipp_attribute_t	*attr;		/* Current attribute */
+   ipp_tag_t		tag;		/* Current tag */
+   ipp_tag_t		value_tag;	/* Current value tag */
+@@ -3441,6 +3442,7 @@ ippReadIO(void       *src,		/* I - Data source */
+ 		}
+ 
+                 bufptr = buffer;
+                bufend = buffer + n;
+ 
+ 	       /*
+ 	        * text-with-language and name-with-language are composite
+@@ -3454,7 +3456,7 @@ ippReadIO(void       *src,		/* I - Data source */
+ 
+ 		n = (bufptr[0] << 8) | bufptr[1];
+ 
+-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
+		if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+ 		{
+ 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ 		                _("IPP language length overflows value."), 1);
+@@ -3481,7 +3483,7 @@ ippReadIO(void       *src,		/* I - Data source */
+                 bufptr += 2 + n;
+ 		n = (bufptr[0] << 8) | bufptr[1];
+ 
+-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
+		if ((bufptr + 2 + n) > bufend)
+ 		{
+ 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ 		                _("IPP string length overflows value."), 1);