authorPeter Volkov <pva@gentoo.org>2008-04-01 19:03:35 +0000
committerPeter Volkov <pva@gentoo.org>2008-04-01 19:03:35 +0000
commit244269939f0422820da65f9491f35509ff61868f (patch)
tree0a436fc73412af9e7dbf8b388bb10231ea3b26cd /net-print/cups/files
parentremove unused version (diff)
Fixing multiple security vulnerabilities, bug #214068; thanks to Robert Buchholz and all other developers working on that bug.
Package-Manager: portage-2.1.4.4 RepoMan-Options: --force
Diffstat (limited to 'net-print/cups/files')
-rw-r--r--net-print/cups/files/cups-1.2.12-CVE-2008-0053.patch40
-rw-r--r--net-print/cups/files/cups-1.2.12-CVE-2008-1373.patch23
2 files changed, 63 insertions, 0 deletions
diff --git a/net-print/cups/files/cups-1.2.12-CVE-2008-0053.patch b/net-print/cups/files/cups-1.2.12-CVE-2008-0053.patch
new file mode 100644
index 000000000000..8924068d6d7f
--- /dev/null
+++ b/net-print/cups/files/cups-1.2.12-CVE-2008-0053.patch
@@ -0,0 +1,40 @@
+Index: cups-1.2.12/filter/hpgl-input.c
+===================================================================
+--- cups-1.2.12.orig/filter/hpgl-input.c
++++ cups-1.2.12/filter/hpgl-input.c
+@@ -56,6 +56,7 @@ ParseCommand(FILE *fp, /* I - File to
+ i; /* Looping var */
+ char buf[262144], /* String buffer */
+ *bufptr; /* Pointer into buffer */
++ float temp; /* Temporary parameter value */
+ static param_t p[MAX_PARAMS]; /* Parameter buffer */
+
+
+@@ -220,10 +221,10 @@ ParseCommand(FILE *fp, /* I - File to
+ case '-' :
+ case '+' :
+ ungetc(ch, fp);
+- fscanf(fp, "%f", &(p[num_params].value.number));
+- if (num_params < MAX_PARAMS)
++ if (fscanf(fp, "%f", &temp) == 1 && num_params < MAX_PARAMS)
+ {
+- p[num_params].type = PARAM_RELATIVE;
++ p[num_params].type = PARAM_RELATIVE;
++ p[num_params].value.number = temp;
+ num_params ++;
+ }
+ break;
+@@ -239,10 +240,10 @@ ParseCommand(FILE *fp, /* I - File to
+ case '9' :
+ case '.' :
+ ungetc(ch, fp);
+- fscanf(fp, "%f", &(p[num_params].value.number));
+- if (num_params < MAX_PARAMS)
++ if (fscanf(fp, "%f", &temp) == 1 && num_params < MAX_PARAMS)
+ {
+- p[num_params].type = PARAM_ABSOLUTE;
++ p[num_params].type = PARAM_ABSOLUTE;
++ p[num_params].value.number = temp;
+ num_params ++;
+ }
+ break;
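Review bot: The reason for reading into `temp` is not recorded anywhere in the patch, although it is the whole fix. The old code let `fscanf` store into `p[num_params].value.number` before `num_params < MAX_PARAMS` was tested, so once the static `p[MAX_PARAMS]` table was full the store could land past its end. A comment above both new conditions (the `'-'`/`'+'` case and the digit/`'.'` case) would keep a later cleanup from folding the temporary away, for example `/* Read into temp first; p[] must not be written until num_params is range-checked */`. Numbers past MAX_PARAMS and numbers that fail to parse are now dropped silently, so a command may be handed fewer parameters than the file supplied. Whether the callers tolerate that cannot be checked here, because the rest of ParseCommand lies outside these hunks.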
diff --git a/net-print/cups/files/cups-1.2.12-CVE-2008-1373.patch b/net-print/cups/files/cups-1.2.12-CVE-2008-1373.patch
new file mode 100644
index 000000000000..299caa5442dd
--- /dev/null
+++ b/net-print/cups/files/cups-1.2.12-CVE-2008-1373.patch
@@ -0,0 +1,23 @@
+Index: cups-1.2.12/filter/image-gif.c
+===================================================================
+--- cups-1.2.12.orig/filter/image-gif.c
++++ cups-1.2.12/filter/image-gif.c
+@@ -47,6 +47,8 @@
+ #define GIF_INTERLACE 0x40
+ #define GIF_COLORMAP 0x80
+
++#define MAX_LWZ_BITS 12
++
+ typedef cups_ib_t gif_cmap_t[256][4];
+ typedef short gif_table_t[4096];
+
+@@ -471,6 +473,9 @@ gif_read_image(FILE *fp, /* I -
+ pass = 0;
+ code_size = getc(fp);
+
++ if (code_size > MAX_LWZ_BITS)
++ return (-1);
++
+ if (gif_read_lzw(fp, 1, code_size) < 0)
+ return (-1);
+
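Review bot: The new check in gif_read_image only bounds `code_size` from above, so the `EOF` that `getc(fp)` returns on a truncated file still passes and is handed to `gif_read_lzw(fp, 1, code_size)`. This assumes `code_size` is an `int`, which its declaration outside the hunk would confirm. Rejecting the negative value in the same test closes that gap: `if (code_size < 0 || code_size > MAX_LWZ_BITS) return (-1);`. The new `#define MAX_LWZ_BITS 12` would also benefit from a comment tying it to the table size visible just below it, presumably `/* 2^12 == 4096 entries in gif_table_t */`, so the two constants are not changed independently.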