[Pkg-cups-devel] r733 - in cupsys/trunk: . debian debian/patches

Martin Pitt mpitt at alioth.debian.org
Sat Mar 22 11:42:49 UTC 2008


Author: mpitt
Date: Sat Mar 22 11:42:49 2008
New Revision: 733

Log:
* Add cgiCompileSearch_buffer_overflow.dpatch: Fix buffer overflow in
  cgiCompileSearch() using crafted search expressions. Exploitable if
  printer sharing is enabled. (CVE-2008-0047, STR #2729, Closes: #472105)

Added:
   cupsys/trunk/debian/patches/cgiCompileSearch_buffer_overflow.dpatch   (contents, props changed)
Modified:
   cupsys/trunk/   (props changed)
   cupsys/trunk/debian/changelog
   cupsys/trunk/debian/patches/00list

Modified: cupsys/trunk/debian/changelog
==============================================================================
--- cupsys/trunk/debian/changelog	(original)
+++ cupsys/trunk/debian/changelog	Sat Mar 22 11:42:49 2008
@@ -10,8 +10,11 @@
   [ Martin Pitt ]
   * debian/local/apparmor-profile: Allow cups-pdf to read files in ~/PDF/, so
     that it can overwrite files. (LP: #161222)
+  * Add cgiCompileSearch_buffer_overflow.dpatch: Fix buffer overflow in
+    cgiCompileSearch() using crafted search expressions. Exploitable if
+    printer sharing is enabled. (CVE-2008-0047, STR #2729, Closes: #472105)
 
- -- Martin Pitt <mpitt at debian.org>  Fri, 21 Mar 2008 14:59:52 +0100
+ -- Martin Pitt <mpitt at debian.org>  Sat, 22 Mar 2008 12:37:57 +0100
 
 cupsys (1.3.6-2) unstable; urgency=low
 

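Review bot: The wording of the added entry, "Fix buffer overflow in cgiCompileSearch() using crafted search expressions", reads as though the fix itself uses crafted expressions. Something like "Fix buffer overflow in cgiCompileSearch() triggered by crafted search expressions" would be unambiguous. The header line of this changelog entry is outside the hunk, so its urgency is not visible here; since the previous upload shown in the context is urgency=low, check that the new entry's urgency is raised for a CVE fix.
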
Modified: cupsys/trunk/debian/patches/00list
==============================================================================
--- cupsys/trunk/debian/patches/00list	(original)
+++ cupsys/trunk/debian/patches/00list	Sat Mar 22 11:42:49 2008
@@ -1,3 +1,4 @@
+cgiCompileSearch_buffer_overflow
 freebsd.dpatch
 removecvstag.dpatch
 pam.dpatch
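
Review bot: The added entry `cgiCompileSearch_buffer_overflow` is the only one in the visible list without the `.dpatch` suffix. The neighbouring entries (`freebsd.dpatch`, `removecvstag.dpatch`, `pam.dpatch`) carry it, and so does the file added in this commit. Writing it as `cgiCompileSearch_buffer_overflow.dpatch` keeps the list consistent and lets a search for the file name find its entry.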

Added: cupsys/trunk/debian/patches/cgiCompileSearch_buffer_overflow.dpatch
==============================================================================
--- (empty file)
+++ cupsys/trunk/debian/patches/cgiCompileSearch_buffer_overflow.dpatch	Sat Mar 22 11:42:49 2008
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cgiCompileSearch_buffer_overflow.dpatch by  <mpitt at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix buffer overflow in cgiCompileSearch() when using crafted search
+## DP: queries, when printer sharing is enabled. (CVE-2008-0047, STR #2729)
+
+ at DPATCH@
+diff -urNad trunk~/cgi-bin/search.c trunk/cgi-bin/search.c
+--- trunk~/cgi-bin/search.c	2008-01-16 23:20:33.000000000 +0100
++++ trunk/cgi-bin/search.c	2008-03-22 12:33:49.000000000 +0100
+@@ -167,7 +167,9 @@
+       * string + RE overhead...
+       */
+ 
+-      wlen = (sptr - s) + 4 * wlen + 2 * strlen(prefix) + 4;
++      wlen = (sptr - s) + 2 * 4 * wlen + 2 * strlen(prefix) + 11;
++      if (lword)
++        wlen += strlen(lword);
+ 
+       if (wlen > slen)
+       {
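
Review bot: The new size expression in the cgi-bin/search.c hunk swaps one set of unexplained constants for another. Nothing in the visible lines says why the word-length factor becomes `2 * 4`, why the fixed overhead becomes 11, or why `strlen(lword)` is now added, and the comment above still only reads "string + RE overhead...". This estimate feeds the `wlen > slen` check that follows, so an undercount here is exactly the bug being fixed. Extend that comment to state what each term accounts for, so that a later change to the pattern-building code can be checked against it. Separately, `wlen` appears on both sides of the assignment, as the word length and as the required size, which makes the line hard to audit; a distinct variable for the required size would be clearer. The dpatch header line also has an empty author name before the address.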


