diff options
| author | Simon L. B. Nielsen <simon@FreeBSD.org> | 2005-01-17 17:40:22 +0000 |
|---|---|---|
| committer | Simon L. B. Nielsen <simon@FreeBSD.org> | 2005-01-17 17:40:22 +0000 |
| commit | ec1d8095eaaa85cfdf10bf339756a4f187987c45 (patch) | |
| tree | 14c4af90f15f8b13fda5f7df908615d2190bc767 /print/cups-base | |
| parent | ee01ad175724fc3fcc5c4951e35dc64bd0250805 (diff) | |
| download | ports-ec1d8095eaaa85cfdf10bf339756a4f187987c45.tar.gz ports-ec1d8095eaaa85cfdf10bf339756a4f187987c45.zip | |
Fix remote arbitrary code execution vulnerability.
Note that this does not fix all the security vulnerabilities for CUPS,
but it fixes the most serious one.
With hat: secteam
VuXML: http://www.vuxml.org/freebsd/40a3bca2-6809-11d9-a9e7-0001020eed82.html
Obtained from: CUPS bug system - http://www.cups.org/str.php?L1024
Approved by: erwin (mentor)
Notes
Notes:
svn path=/head/; revision=126657
Diffstat (limited to 'print/cups-base')
| -rw-r--r-- | print/cups-base/Makefile | 2 | ||||
| -rw-r--r-- | print/cups-base/files/patch-hpgl-input.c | 50 |
2 files changed, 51 insertions, 1 deletions
diff --git a/print/cups-base/Makefile b/print/cups-base/Makefile index 8f8b1b8136d1..724eadf993fa 100644 --- a/print/cups-base/Makefile +++ b/print/cups-base/Makefile @@ -9,7 +9,7 @@ PORTNAME= cups-base PORTVERSION= ${CUPS_PORTVER} -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= ${CUPS_PORTEPOCH} CATEGORIES= print MASTER_SITES= ${CUPS_MASTER_SITES} diff --git a/print/cups-base/files/patch-hpgl-input.c b/print/cups-base/files/patch-hpgl-input.c new file mode 100644 index 000000000000..9483b571daed --- /dev/null +++ b/print/cups-base/files/patch-hpgl-input.c @@ -0,0 +1,50 @@ +Index: hpgl-input.c +=================================================================== +RCS file: /development/cvs/cups/filter/hpgl-input.c,v +retrieving revision 1.16 +diff -u -r1.16 hpgl-input.c +--- filter/hpgl-input.c 25 Feb 2004 20:14:52 -0000 1.16 ++++ filter/hpgl-input.c 16 Dec 2004 19:38:12 -0000 +@@ -54,7 +54,8 @@ + ch, /* Current char */ + done, /* Non-zero when the current command is read */ + i; /* Looping var */ +- char buf[262144]; /* String buffer */ ++ char buf[262144], /* String buffer */ ++ *bufptr; /* Pointer into buffer */ + static param_t p[MAX_PARAMS]; /* Parameter buffer */ + + +@@ -128,9 +129,12 @@ + + if (strcasecmp(name, "LB") == 0) + { +- for (i = 0; (ch = getc(fp)) != StringTerminator; i ++) +- buf[i] = ch; +- buf[i] = '\0'; ++ bufptr = buf; ++ while ((ch = getc(fp)) != StringTerminator) ++ if (bufptr < (buf + sizeof(buf) - 1)) ++ *bufptr++ = ch; ++ *bufptr = '\0'; ++ + p[num_params].type = PARAM_STRING; + p[num_params].value.string = strdup(buf); + num_params ++; +@@ -155,11 +159,12 @@ + } + else if (strcasecmp(name, "PE") == 0) + { +- for (i = 0; i < (sizeof(buf) - 1); i ++) +- if ((buf[i] = getc(fp)) == ';') +- break; ++ bufptr = buf; ++ while ((ch = getc(fp)) != ';') ++ if (bufptr < (buf + sizeof(buf) - 1)) ++ *bufptr++ = ch; ++ *bufptr = '\0'; + +- buf[i] = '\0'; + p[num_params].type = PARAM_STRING; + p[num_params].value.string = strdup(buf); + num_params ++; |