!46 fix CVE-2020-10001

From: @liuyumeng1 Reviewed-by: @small_leek Signed-off-by: @small_leek
2021-09-24 03:49:09 +00:00 · 2021-09-24 03:49:09 +00:00 · 1d35f46871
commit 1d35f46871
parent fbd73f4114 24df1815ed
2 changed files with 60 additions and 1 deletions
--- a/backport-CVE-2020-10001.patch
+++ b/backport-CVE-2020-10001.patch
@ -0,0 +1,52 @@
+From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 1 Feb 2021 15:02:32 -0500
+Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
+
+---
+ cups/ipp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 3d52934..84b8da6 100644
+--- a/cups/ipp.c
+++ b/cups/ipp.c
+@@ -2866,7 +2866,8 @@ ippReadIO(void       *src,		/* I - Data source */
+   unsigned char		*buffer,	/* Data buffer */
+ 			string[IPP_MAX_TEXT],
+ 					/* Small string buffer */
+-			*bufptr;	/* Pointer into buffer */
+			*bufptr,	/* Pointer into buffer */
+			*bufend;	/* End of buffer */
+   ipp_attribute_t	*attr;		/* Current attribute */
+   ipp_tag_t		tag;		/* Current tag */
+   ipp_tag_t		value_tag;	/* Current value tag */
+@@ -3441,6 +3442,7 @@ ippReadIO(void       *src,		/* I - Data source */
+ 		}
+ 
+                 bufptr = buffer;
+		bufend = buffer + n;
+ 
+ 	       /*
+ 	        * text-with-language and name-with-language are composite
+@@ -3454,7 +3456,7 @@ ippReadIO(void       *src,		/* I - Data source */
+ 
+ 		n = (bufptr[0] << 8) | bufptr[1];
+ 
+-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
+		if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+ 		{
+ 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ 		                _("IPP language length overflows value."), 1);
+@@ -3481,7 +3483,7 @@ ippReadIO(void       *src,		/* I - Data source */
+                 bufptr += 2 + n;
+ 		n = (bufptr[0] << 8) | bufptr[1];
+ 
+-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
+		if ((bufptr + 2 + n) > bufend)
+ 		{
+ 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ 		                _("IPP string length overflows value."), 1);
+-- 
+2.27.0
+
--- a/cups.spec
+++ b/cups.spec
@ -2,7 +2,7 @@
 Name:    cups
 Epoch:   1
 Version: 2.3.3
-Release: 6
+Release: 7
 Summary: CUPS is the standards-based, open source printing system for linux operating systems.
 License: GPLv2+ and LGPLv2+ with exceptions and AML
 Url:     http://www.cups.org/
@ -42,6 +42,7 @@ Patch27: cups-etimedout.patch
 Patch28: cups-webui-uri.patch
 Patch29: cups-ipptool-mdns-uri.patch 
 Patch30: cups-manual-copies.patch 
+Patch6000: backport-CVE-2020-10001.patch

 Provides: cupsddk cupsddk-drivers cups-filesystem cups-client cups-ipptool cups-lpd 
 Provides: lpd lpr /usr/bin/lpq /usr/bin/lpr /usr/bin/lp /usr/bin/cancel /usr/bin/lprm /usr/bin/lpstat
@ -332,6 +333,12 @@ rm -f %{_exec_prefix}/lib/cups/backend/smb
 %doc %{_datadir}/%{name}/www/apple-touch-icon.png

 %changelog
+* Fri Sep 24 2021 liuyumeng <liuyumeng5@huawei.com> - 2.3.3-7
+- Type:CVE
+- ID:CVE-2020-10001
+- SUG:NA
+- DESC:Fix CVE-2020-10001
+
 * Tue Jun 08 2021 wangkerong <wangkeorng@huawei.com> - 2.3.3-6
 - Type:CVE
 - ID:CVE-2021-25317