From a7f63f254bcb43f52dc45ab5d883ae6517678544 Mon Sep 17 00:00:00 2001
From: Michael R Sweet
Date: Fri, 13 Dec 2019 09:30:46 -0500
Subject: [PATCH] CVE-2019-2228: Fix ippSetValueTag validation of default language.
---
 CHANGES.md | 2 ++
 cups/ipp.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGES.md b/CHANGES.md
index 7220dc9..06f96bc 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -5,6 +5,8 @@ CHANGES - 2.2.8 - 2018-06-05
 Changes in CUPS v2.2.8
 ----------------------
 
+- CVE-2019-2228: The `ippSetValuetag` function did not validate the default
+ language value.
 - Additional changes for the scheduler to substitute default values for invalid
 job attributes when running in "relaxed conformance" mode (Issue #5229)
 - The `ipptool` program no longer checks for duplicate attributes when running
diff --git a/cups/ipp.c b/cups/ipp.c
index 5807de8..1143550 100644
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -4654,7 +4654,7 @@ ippSetValueTag(
 return (0);
 
 if (ipp->attrs && ipp->attrs->next && ipp->attrs->next->name &&
- !strcmp(ipp->attrs->next->name, "attributes-natural-language"))
+ !strcmp(ipp->attrs->next->name, "attributes-natural-language") && (ipp->attrs->next->value_tag & IPP_TAG_CUPS_MASK) == IPP_TAG_LANGUAGE)
 {
 /*
 * Use the language code from the IPP message...
--
1.8.3.1
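Review bot: The new value-tag test in the cups/ipp.c hunk is appended to the end of the existing `!strcmp(...)` line, so the check that closes the CVE sits at the far end of one over-long line and is easy to miss. Break it the way the first line of the condition is broken: end the `!strcmp(...)` line with `&&` and put `(ipp->attrs->next->value_tag & IPP_TAG_CUPS_MASK) == IPP_TAG_LANGUAGE)` on its own line. A short comment above the `if` would record the intent, e.g. `/* Only trust attributes-natural-language when its value really is a naturalLanguage string; the mask drops the CUPS-private tag bits before comparing. */`. The block that consumes the value starts at the `{` and continues outside the hunk, so presumably it reads the first value as text, but whether it also needs a value-count or NULL check cannot be judged from the visible lines.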