[Pkg-cups-devel] r613 - cupsys/trunk/debian

Kenshi Muto kmuto at debian.org
Fri Nov 2 14:13:09 UTC 2007


> +    - Fixes CVE-2007-4351
> +      IPP Tags Memory Corruption Vulnerability (closes: #448866)

... And here is a proposed patch for Etch.

diff -u cupsys-1.2.7/debian/patches/00list cupsys-1.2.7/debian/patches/00list
--- cupsys-1.2.7/debian/patches/00list
+++ cupsys-1.2.7/debian/patches/00list
@@ -42,0 +43 @@
+69_CVE2007-4351.dpatch
diff -u cupsys-1.2.7/debian/changelog cupsys-1.2.7/debian/changelog
--- cupsys-1.2.7/debian/changelog
+++ cupsys-1.2.7/debian/changelog
@@ -1,3 +1,10 @@
+cupsys (1.2.7-4etch1) stable-security; urgency=high
+
+  * Fix CVE 2007-4351
+    ippReadIO() could read past the end of a buffer.
+
+ -- Kenshi Muto <kmuto at debian.org>  Fri,  2 Nov 2007 11:54:02 +0000
+
 cupsys (1.2.7-4) unstable; urgency=high
 
   [ Kenshi Muto ]
only in patch2:
unchanged:
--- cupsys-1.2.7.orig/debian/patches/69_CVE2007-4351.dpatch
+++ cupsys-1.2.7/debian/patches/69_CVE2007-4351.dpatch
@@ -0,0 +1,216 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 69_CVE2007-4351.dpatch by Kenshi Muto <kmuto at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad cupsys-1.2.7~/cups/auth.c cupsys-1.2.7/cups/auth.c
+--- cupsys-1.2.7~/cups/auth.c	2007-11-02 12:08:24.089006660 +0000
++++ cupsys-1.2.7/cups/auth.c	2007-11-02 12:08:27.413001119 +0000
+@@ -74,7 +74,7 @@
+   char		prompt[1024],		/* Prompt for user */
+ 		realm[HTTP_MAX_VALUE],	/* realm="xyz" string */
+ 		nonce[HTTP_MAX_VALUE],	/* nonce="xyz" string */
+-		encode[512];		/* Encoded username:password */
++		encode[4096];		/* Encoded username:password */
+   _cups_globals_t *cg;			/* Global data */
+ 
+ 
+diff -urNad cupsys-1.2.7~/cups/ipp.c cupsys-1.2.7/cups/ipp.c
+--- cupsys-1.2.7~/cups/ipp.c	2007-11-02 12:08:24.541005907 +0000
++++ cupsys-1.2.7/cups/ipp.c	2007-11-02 12:08:27.413001119 +0000
+@@ -1023,8 +1023,10 @@
+           ipp_t      *ipp)		/* I - IPP data */
+ {
+   int			n;		/* Length of data */
+-  unsigned char		buffer[32768],	/* Data buffer */
+-			string[255],	/* Small string buffer */
++  unsigned char		buffer[IPP_MAX_LENGTH],
++					/* Data buffer */
++			string[IPP_MAX_NAME],
++					/* Small string buffer */
+ 			*bufptr;	/* Pointer into buffer */
+   ipp_attribute_t	*attr;		/* Current attribute */
+   ipp_tag_t		tag;		/* Current tag */
+@@ -1312,6 +1314,12 @@
+ 	  {
+ 	    case IPP_TAG_INTEGER :
+ 	    case IPP_TAG_ENUM :
++		if (n != 4)
++		{
++		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++		  return (IPP_ERROR);
++		}
++
+ 	        if ((*cb)(src, buffer, 4) < 4)
+ 		{
+ 	          DEBUG_puts("ippReadIO: Unable to read integer value!");
+@@ -1324,6 +1332,12 @@
+                 value->integer = n;
+ 	        break;
+ 	    case IPP_TAG_BOOLEAN :
++		if (n != 1)
++		{
++		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++		  return (IPP_ERROR);
++		}
++
+ 	        if ((*cb)(src, buffer, 1) < 1)
+ 		{
+ 	          DEBUG_puts("ippReadIO: Unable to read boolean value!");
+@@ -1341,6 +1355,12 @@
+ 	    case IPP_TAG_CHARSET :
+ 	    case IPP_TAG_LANGUAGE :
+ 	    case IPP_TAG_MIMETYPE :
++		if (n >= sizeof(buffer))
++		{
++		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++		  return (IPP_ERROR);
++		}
++
+ 		if ((*cb)(src, buffer, n) < n)
+ 		{
+ 		  DEBUG_puts("ippReadIO: unable to read name!");
+@@ -1353,6 +1373,12 @@
+ 		              value->string.text));
+ 	        break;
+ 	    case IPP_TAG_DATE :
++		if (n != 11)
++		{
++		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++		  return (IPP_ERROR);
++		}
++
+ 	        if ((*cb)(src, value->date, 11) < 11)
+ 		{
+ 	          DEBUG_puts("ippReadIO: Unable to date integer value!");
+@@ -1360,6 +1386,12 @@
+ 		}
+ 	        break;
+ 	    case IPP_TAG_RESOLUTION :
++		if (n != 9)
++		{
++		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++		  return (IPP_ERROR);
++		}
++
+ 	        if ((*cb)(src, buffer, 9) < 9)
+ 		{
+ 	          DEBUG_puts("ippReadIO: Unable to read resolution value!");
+@@ -1376,6 +1408,12 @@
+ 		    (ipp_res_t)buffer[8];
+ 	        break;
+ 	    case IPP_TAG_RANGE :
++		if (n != 8)
++		{
++		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++		  return (IPP_ERROR);
++		}
++
+ 	        if ((*cb)(src, buffer, 8) < 8)
+ 		{
+ 	          DEBUG_puts("ippReadIO: Unable to read range value!");
+@@ -1391,7 +1429,7 @@
+ 	        break;
+ 	    case IPP_TAG_TEXTLANG :
+ 	    case IPP_TAG_NAMELANG :
+-	        if (n > sizeof(buffer) || n < 4)
++	        if (n >= sizeof(buffer) || n < 4)
+ 		{
+ 		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+ 		  return (IPP_ERROR);
+@@ -1417,22 +1455,27 @@
+ 
+ 		n = (bufptr[0] << 8) | bufptr[1];
+ 
+-                if (n >= sizeof(string))
++		if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
++		    n >= sizeof(string))
+ 		{
+-		  memcpy(string, bufptr + 2, sizeof(string) - 1);
+-		  string[sizeof(string) - 1] = '\0';
++		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++		  return (IPP_ERROR);
+ 		}
+-		else
+-		{
+-		  memcpy(string, bufptr + 2, n);
+-		  string[n] = '\0';
+-                }
++
++		memcpy(string, bufptr + 2, n);
++		string[n] = '\0';
+ 
+ 		value->string.charset = _cupsStrAlloc((char *)string);
+ 
+                 bufptr += 2 + n;
+ 		n = (bufptr[0] << 8) | bufptr[1];
+ 
++		if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
++		{
++		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++		  return (IPP_ERROR);
++		}
++
+ 		bufptr[2 + n] = '\0';
+                 value->string.text = _cupsStrAlloc((char *)bufptr + 2);
+ 	        break;
+@@ -1474,6 +1517,12 @@
+ 		* we need to carry over...
+ 		*/
+ 
++		if (n >= sizeof(buffer))
++		{
++		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++		  return (IPP_ERROR);
++		}
++
+ 	        if ((*cb)(src, buffer, n) < n)
+ 		{
+ 	          DEBUG_puts("ippReadIO: Unable to read member name value!");
+@@ -1495,6 +1544,12 @@
+ 		break;
+ 
+             default : /* Other unsupported values */
++		if (n > sizeof(buffer))
++		{
++		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
++		  return (IPP_ERROR);
++		}
++
+                 value->unknown.length = n;
+ 	        if (n > 0)
+ 		{
+@@ -1633,7 +1688,8 @@
+ {
+   int			i;		/* Looping var */
+   int			n;		/* Length of data */
+-  unsigned char		buffer[32768],	/* Data buffer */
++  unsigned char		buffer[IPP_MAX_LENGTH + 2],
++					/* Data buffer + length bytes */
+ 			*bufptr;	/* Pointer into buffer */
+   ipp_attribute_t	*attr;		/* Current attribute */
+   ipp_value_t		*value;		/* Current value */
+@@ -1953,7 +2009,7 @@
+ 		 /*
+ 		  * All simple strings consist of the 2-byte length and
+ 		  * character data without the trailing nul normally found
+-		  * in C strings.  Also, strings cannot be longer than 32767
++		  * in C strings.  Also, strings cannot be longer than IPP_MAX_LENGTH
+ 		  * bytes since the 2-byte length is a signed (twos-complement)
+ 		  * value.
+ 		  *
+diff -urNad cupsys-1.2.7~/cups/ipp.h cupsys-1.2.7/cups/ipp.h
+--- cupsys-1.2.7~/cups/ipp.h	2006-08-24 15:55:42.000000000 +0000
++++ cupsys-1.2.7/cups/ipp.h	2007-11-02 12:08:27.417001112 +0000
+@@ -64,7 +64,8 @@
+  * Common limits...
+  */
+ 
+-#  define IPP_MAX_NAME		256
++#  define IPP_MAX_LENGTH	32767	/* Maximum size of any single value */
++#  define IPP_MAX_NAME		256	/* Maximum length of common name values */
+ #  define IPP_MAX_VALUES	8	/* Power-of-2 allocation increment */
+ 
+ 
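Review bot: The two bounds checks added in the IPP_TAG_TEXTLANG/IPP_TAG_NAMELANG hunk (ipp.c @@ -1417) compare against `buffer + sizeof(buffer)` rather than the end of the bytes actually read for this value, because the value length held in `n` is overwritten by the embedded charset length on the hunk's second line; a value whose embedded lengths claim more than was read is then parsed from stale buffer contents instead of being rejected, and `bufptr + 2 + n` (n up to 65535 from two bytes, buffer only IPP_MAX_LENGTH) is formed far past the end of `buffer`, which is undefined pointer arithmetic even when the comparison then catches it. Assuming, as the @@ -1391 length check suggests, the value is read into `buffer` with `n` just before this hunk, record that end in a `bufend` pointer before `n` is reused and compare distances in index form, as below; the enclosing ippReadIO() starts and ends outside these hunks. The `default` case (@@ -1495) uses `n > sizeof(buffer)` where every other new check uses `>=`, which looks deliberate if `value->unknown.data` is allocated separately, but a one-line comment saying so would stop a later reader from "fixing" it. The dpatch header's `## DP: No description.` should name the change, e.g. `## DP: Bounds-check IPP value lengths in ippReadIO() (CVE-2007-4351)`.
```c
  unsigned char		buffer[IPP_MAX_LENGTH],
					/* Data buffer */
			string[IPP_MAX_NAME],
					/* Small string buffer */
			*bufptr,	/* Pointer into buffer */
			*bufend;	/* One past the last byte read for this value */
/* … unchanged: tag parsing and the other value cases … */
		bufend = buffer + n;	/* n is still the value length here */
		n = (bufptr[0] << 8) | bufptr[1];

		if (n >= sizeof(string) || bufend - bufptr < n + 3)
		{
		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
		  return (IPP_ERROR);
		}
/* … unchanged: charset copy, bufptr += 2 + n, second length read … */
		if (bufend - bufptr < n + 3)
		{
		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
		  return (IPP_ERROR);
		}
```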


