[Pkg-cups-devel] r735 - in cupsys/branches/cups-1.2-ubuntu: . debian debian/local debian/patches

Martin Pitt mpitt at alioth.debian.org
Sat Mar 22 11:56:17 UTC 2008


Author: mpitt
Date: Sat Mar 22 11:56:17 2008
New Revision: 735

Log:
merge with trunk

Added:
   cupsys/branches/cups-1.2-ubuntu/debian/patches/cgiCompileSearch_buffer_overflow.dpatch   (contents, props changed)
Modified:
   cupsys/branches/cups-1.2-ubuntu/   (props changed)
   cupsys/branches/cups-1.2-ubuntu/debian/changelog
   cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile
   cupsys/branches/cups-1.2-ubuntu/debian/patches/00list

Modified: cupsys/branches/cups-1.2-ubuntu/debian/changelog
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/changelog	(original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/changelog	Sat Mar 22 11:56:17 2008
@@ -1,12 +1,27 @@
-cupsys (1.3.6-2ubuntu3) hardy; urgency=low
+cupsys (1.3.6-3ubuntu1) UNRELEASED; urgency=low
 
+  * Merge recent bug fixes and security fix from Debian unstable.
+
+ -- Martin Pitt <martin.pitt at ubuntu.com>  Sat, 22 Mar 2008 12:48:56 +0100
+
+cupsys (1.3.6-3) unstable; urgency=high
+
+  [ Till Kamppeter ]
   * pdftops-cups-1.4.dpatch: Updated to Mike Sweet's patch version from CUPS
     STR #2716.
   * debian/patches/ppd-poll-with-client-conf.dpatch: If there is a client.conf
     pointing to a remote server, clients were not able to poll the PPD options
     from printers on that server (CUPS STRs #2731, #2763)
 
- -- Till Kamppeter <till.kamppeter at gmail.com>  Thu, 21 Mar 2008 17:01:06 +0100
+  [ Martin Pitt ]
+  * Urgency high due to security fix.
+  * debian/local/apparmor-profile: Allow cups-pdf to read files in ~/PDF/, so
+    that it can overwrite files. (LP: #161222)
+  * Add cgiCompileSearch_buffer_overflow.dpatch: Fix buffer overflow in
+    cgiCompileSearch() using crafted search expressions. Exploitable if
+    printer sharing is enabled. (CVE-2008-0047, STR #2729, Closes: #472105)
+
+ -- Martin Pitt <mpitt at debian.org>  Sat, 22 Mar 2008 12:37:57 +0100
 
 cupsys (1.3.6-2ubuntu2) hardy; urgency=low
 
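Review bot: The new top entry (1.3.6-3ubuntu1) says only "security fix" and keeps urgency=low, while the merged Debian entry below it is urgency=high and names the issue. Suggest repeating the identifier in the Ubuntu entry, for example "(CVE-2008-0047)", so the upload can be matched to the advisory without reading the merged Debian section, and reconsidering the urgency before the entry leaves UNRELEASED.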
@@ -102,6 +117,7 @@
 cupsys (1.3.6-1) unstable; urgency=low
 
   * New upstream bugfix release.
+    - Fixes (CVE-2008-0882, bug #467653).
   * Remove the following patches which are upstream now:
     - fix_regression_reactivate_net_ifaces_changes_detection.dpatch
     - web-interface-breaks-default-auth-setting.dpatch
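Review bot: The added line "- Fixes (CVE-2008-0882, bug #467653)." under the 1.3.6-1 entry does not say what was fixed. A short description of the flaw before the parenthesis, in the same style as the CVE-2008-0047 entry above, would make the entry readable on its own. Since this edits the text of an older changelog entry, it is also worth confirming the wording matches the Debian trunk entry exactly so later merges stay clean.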

Modified: cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile	(original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile	Sat Mar 22 11:56:17 2008
@@ -125,8 +125,8 @@
   /bin/bash ixr,
   /etc/papersize r,
   /etc/cups/cups-pdf.conf r,
-  @{HOME}/PDF/ w,
-  @{HOME}/PDF/* w,
+  @{HOME}/PDF/ rw,
+  @{HOME}/PDF/* rw,
   /usr/bin/gs ixr,
   /usr/lib/cups/backend/cups-pdf mr,
   /usr/lib/ghostscript/** mr,
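Review bot: The change from w to rw on "@{HOME}/PDF/" and "@{HOME}/PDF/*" adds read access with no comment in the profile saying why an output directory needs it. The changelog gives the reason (overwriting existing files, LP: #161222); a one-line comment above these two rules would keep that rationale next to the permission and record that the read grant is deliberately limited to this directory and its direct children rather than widened to "@{HOME}/PDF/**".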

Modified: cupsys/branches/cups-1.2-ubuntu/debian/patches/00list
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/patches/00list	(original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/patches/00list	Sat Mar 22 11:56:17 2008
@@ -1,3 +1,4 @@
+cgiCompileSearch_buffer_overflow
 freebsd.dpatch
 removecvstag.dpatch
 pam.dpatch
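Review bot: The added entry "cgiCompileSearch_buffer_overflow" is listed without the .dpatch suffix, while the neighbouring entries (freebsd.dpatch, removecvstag.dpatch, pam.dpatch) carry it and the file added in this commit is named cgiCompileSearch_buffer_overflow.dpatch. Suggest writing the full file name for consistency, and confirming that the patch is meant to be applied first, ahead of the existing ones.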

Added: cupsys/branches/cups-1.2-ubuntu/debian/patches/cgiCompileSearch_buffer_overflow.dpatch
==============================================================================
--- (empty file)
+++ cupsys/branches/cups-1.2-ubuntu/debian/patches/cgiCompileSearch_buffer_overflow.dpatch	Sat Mar 22 11:56:17 2008
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cgiCompileSearch_buffer_overflow.dpatch by  <mpitt at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix buffer overflow in cgiCompileSearch() when using crafted search
+## DP: queries, when printer sharing is enabled. (CVE-2008-0047, STR #2729)
+
+ at DPATCH@
+diff -urNad trunk~/cgi-bin/search.c trunk/cgi-bin/search.c
+--- trunk~/cgi-bin/search.c	2008-01-16 23:20:33.000000000 +0100
++++ trunk/cgi-bin/search.c	2008-03-22 12:33:49.000000000 +0100
+@@ -167,7 +167,9 @@
+       * string + RE overhead...
+       */
+ 
+-      wlen = (sptr - s) + 4 * wlen + 2 * strlen(prefix) + 4;
++      wlen = (sptr - s) + 2 * 4 * wlen + 2 * strlen(prefix) + 11;
++      if (lword)
++        wlen += strlen(lword);
+ 
+       if (wlen > slen)
+       {
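Review bot: The new size calculation in the embedded search.c change relies on unexplained constants (the factor "2 * 4" and the "+ 11"), and the comment above it still only reads "string + RE overhead...". This line and the added "if (lword) wlen += strlen(lword);" are the entire fix, so please extend the comment to derive each term from the worst-case number of bytes the code after the "if (wlen > slen)" check can write per word, including the lword case, so a later change to the emitted pattern cannot silently invalidate the bound. Minor: the dpatch header line "by  <mpitt at debian.org>" has an empty author name.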


