authorPeter Volkov <pva@gentoo.org>2008-04-01 19:03:35 +0000
committerPeter Volkov <pva@gentoo.org>2008-04-01 19:03:35 +0000
commit244269939f0422820da65f9491f35509ff61868f (patch)
tree0a436fc73412af9e7dbf8b388bb10231ea3b26cd /net-print/cups
parentremove unused version (diff)
Fixing multiple security vulnerabilities, bug #214068; thanks to Robert Buchholz and all other developers working on that bug.
Package-Manager: portage-2.1.4.4 RepoMan-Options: --force
Diffstat (limited to 'net-print/cups')
-rw-r--r--net-print/cups/ChangeLog10
-rw-r--r--net-print/cups/Manifest5
-rw-r--r--net-print/cups/cups-1.2.12-r7.ebuild233
-rw-r--r--net-print/cups/files/cups-1.2.12-CVE-2008-0053.patch40
-rw-r--r--net-print/cups/files/cups-1.2.12-CVE-2008-1373.patch23
5 files changed, 309 insertions, 2 deletions
diff --git a/net-print/cups/ChangeLog b/net-print/cups/ChangeLog
index 2e5867a7bed1..3d94a20b0b05 100644
--- a/net-print/cups/ChangeLog
+++ b/net-print/cups/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for net-print/cups
# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-print/cups/ChangeLog,v 1.293 2008/03/23 11:09:38 dertobi123 Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-print/cups/ChangeLog,v 1.294 2008/04/01 19:03:34 pva Exp $
+
+*cups-1.2.12-r7 (01 Apr 2008)
+
+ 01 Apr 2008; Peter Volkov <pva@gentoo.org>
+ +files/cups-1.2.12-CVE-2008-0053.patch,
+ +files/cups-1.2.12-CVE-2008-1373.patch, +cups-1.2.12-r7.ebuild:
+ Fixing multiple security vulnerabilities, bug #214068, thank Robert
+ Buchholz and all other developers working on that bug.
23 Mar 2008; Tobias Scherbaum <dertobi123@gentoo.org>
cups-1.2.12-r6.ebuild:
diff --git a/net-print/cups/Manifest b/net-print/cups/Manifest
index 37481eb37bfa..3a91e425aa6c 100644
--- a/net-print/cups/Manifest
+++ b/net-print/cups/Manifest
@@ -3,7 +3,9 @@ AUX cups-1.2.12-CVE-2007-4045.patch 1737 RMD160 6c239b26443af6cf841a457cc5611a2f
AUX cups-1.2.12-CVE-2007-4351.patch 3910 RMD160 461a232b2a0ebc52a83cb729112c0f7d3f3d0ffe SHA1 9b7706a34fd08c32b7911a9f09f02a02c790a77c SHA256 1da64de6358dea65971105530795ffb8d100ddfe5b42c03cdbd815432de219c8
AUX cups-1.2.12-CVE-2007-5849.patch 1017 RMD160 0fd58946d8cfca13460ad07bfde670a3319fe1ff SHA1 4c4cb69d857427de43b5b91b5aceb7cb157be530 SHA256 9288292457f8c8de77b04eab651b547dd6506a03453ed93294577e2fb4f3c67b
AUX cups-1.2.12-CVE-2008-0047.patch 495 RMD160 860037881672352969caca5a12c9a2592d31643c SHA1 8b1e7071c97e38df6cd33b7cae6a4f34d6d2bd60 SHA256 8edca38a6859360b27fd346e7d681ca864a9e83612f6362072af349ce2ab768f
+AUX cups-1.2.12-CVE-2008-0053.patch 1509 RMD160 f8aa4d6f9722b4adf78d5546005d757e4abf1501 SHA1 e6ff84536f371f9d2b59c5f8fdb773b81a9e4b30 SHA256 7164d26aa572ae759644059ff3a2d1ff4e4f67515bcb57eb54bc358a87c649fe
AUX cups-1.2.12-CVE-2008-0882.patch 1090 RMD160 f6de4e0a4ebcb70f4969cbcb2cba38e5a98366c5 SHA1 3c834957b3fb625cdde4a0c21e5916c6a8c1667f SHA256 9168456e294e1ca30868580028ab79d68d31aaf208687f80699e3e30f3ad77e6
+AUX cups-1.2.12-CVE-2008-1373.patch 581 RMD160 04990465c98c38a90fec6daf7abe86f09b6abab3 SHA1 1f8813397ceaee5331e7200e61aecc1113a73c7a SHA256 a939de93c6e0206d939fb3e441062d3fb90b96b644c11a8ae0712db482dc9a64
AUX cups-1.3.0-configure.patch 651 RMD160 e4c7f45d7ddc28157433bf025c7f946c7e3b6d6a SHA1 101bf1893b56640d9fa82078e29319fbbd1449c7 SHA256 d6e5e60a982a3c093c0d0f89cf865e2b4c36290f5b1e188b7bf305d210070736
AUX cupsd.init 288 RMD160 9bd676af5b43a97ba08ca51f70cefb445faeb8b8 SHA1 922868e1a6acb81b83e87a3c6905149789f16503 SHA256 008eeadc4979ad0e1f05e8ce5d22449eb798375e75ffc3176cbef138a53de4f9
AUX cupsd.init.d 293 RMD160 19fbef21cee7e472e7028f3101b680baa0089c54 SHA1 e6b27b2638fec258fe2f55c926c2530e909ca3d2 SHA256 b4268a6bae95e96b6af21c3716ecc905073736ce7dc33be1489d574a447f3c48
@@ -13,7 +15,8 @@ DIST cups-1.3.6-source.tar.bz2 4079258 RMD160 1da6420f473562eba27e1e997e13d60e0e
EBUILD cups-1.2.12-r4.ebuild 7113 RMD160 992518b586d5212e04fcff686cd537d858df1b71 SHA1 624a3559fb603c57aceb1805ef212a6807daf567 SHA256 ffb0514c243014229cfefdcee5102e4d987526b57fb134e4a55dc3ea84ca9ba8
EBUILD cups-1.2.12-r5.ebuild 7061 RMD160 f81ff74748f4b97a6c1af95a6016f7ae2f93f923 SHA1 4319e1b078464816993fc68e64a1f266b2033cb7 SHA256 11ec60734be3d58ea4ba41ecbcf8aa8e2fb14b0014bb183d953c4dc63845080a
EBUILD cups-1.2.12-r6.ebuild 7161 RMD160 865b19c33d09ad68cbbd51d754a984c79c1f4209 SHA1 46eb4d47ac6e310665995f583cec1faf53a14f33 SHA256 e78d2fbbad94999cff61495a16416312ce249f761810cb4c9c4c17f09c4afeb6
+EBUILD cups-1.2.12-r7.ebuild 7256 RMD160 f667d004b711dbb92992b21e8e00c9363cf5645a SHA1 13bb64992640d4b75442255f536f20baa27ed16c SHA256 b9cca651b5be7215d3d9597eda255aefddae1b707048bdb7bb1cc705672b1c18
EBUILD cups-1.3.6-r1.ebuild 8001 RMD160 1e197d8aa903dccd45842c2440bb8043e50fc467 SHA1 ea7c1c99842520426113e9e271b26cb85a25445e SHA256 e1e633dfd00a9664efd42d52ec7b0f05556968ea2d4a3fba809263ada1b27d34
EBUILD cups-1.3.6-r2.ebuild 8206 RMD160 96b03beb186c05f92fb4b08a635615d97488de91 SHA1 5fa13c31e28177f5f67631c74b54f0883b5135e7 SHA256 5db6ed65222ca3f55d2f67705a81f238d210c4238eef24d0991e054d2e83ea5d
-MISC ChangeLog 42557 RMD160 80e1072d1c9fa2aa7b6eb2a1fa27c2d8dcfc5e4a SHA1 1c39dfa3c8cf36fa6d3dfb9da89879e798c4398e SHA256 029a479ba7f158d50cbf723a4cd5867048d4d075cfcc9616b653f1a43810ebf2
+MISC ChangeLog 42862 RMD160 d630948751b48f04cbc2b1cc56c80aaeb933616a SHA1 d0d097e2877e178782853ca83bed9fb6ec44bab5 SHA256 7a27793651f87c2bd16ec494d2c3ca0e45e9b24744e88b73ad139ff8d69a41e0
MISC metadata.xml 161 RMD160 1e5b1e42553c8869b93c4a5448e9a2a2ed9fe525 SHA1 209c6a46e4cdd891980115e42ba419e3799f8088 SHA256 7c85e6739a71f5bb23e8de36c88677d772946e61f7285892f7554e37bd2bca76
diff --git a/net-print/cups/cups-1.2.12-r7.ebuild b/net-print/cups/cups-1.2.12-r7.ebuild
new file mode 100644
index 000000000000..b73109518f06
--- /dev/null
+++ b/net-print/cups/cups-1.2.12-r7.ebuild
@@ -0,0 +1,233 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-print/cups/cups-1.2.12-r7.ebuild,v 1.1 2008/04/01 19:03:34 pva Exp $
+
+inherit autotools eutils flag-o-matic multilib pam
+
+MY_P=${P/_}
+
+DESCRIPTION="The Common Unix Printing System"
+HOMEPAGE="http://www.cups.org/"
+SRC_URI="mirror://sourceforge/cups/${MY_P}-source.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha ~amd64 ~arm hppa ~ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc ~sparc-fbsd x86 ~x86-fbsd"
+IUSE="ldap ssl slp pam php samba nls dbus tiff png ppds jpeg X"
+
+DEP="pam? ( virtual/pam )
+ ssl? ( net-libs/gnutls )
+ slp? ( >=net-libs/openslp-1.0.4 )
+ ldap? ( net-nds/openldap )
+ dbus? ( sys-apps/dbus )
+ png? ( >=media-libs/libpng-1.2.1 )
+ tiff? ( >=media-libs/tiff-3.5.5 )
+ jpeg? ( >=media-libs/jpeg-6b )
+ php? ( dev-lang/php )
+ app-text/libpaper"
+DEPEND="${DEP}
+ !<net-print/foomatic-filters-ppds-20070501
+ !<net-print/hplip-1.7.4a-r1
+ nls? ( sys-devel/gettext )"
+RDEPEND="${DEP}
+ nls? ( virtual/libintl )
+ !virtual/lpr
+ >=app-text/poppler-0.4.3-r1
+ X? ( x11-misc/xdg-utils )"
+
+PDEPEND="
+ ppds? ( || (
+ (
+ net-print/foomatic-filters-ppds
+ net-print/foomatic-db-ppds
+ )
+ net-print/foomatic-filters-ppds
+ net-print/foomatic-db-ppds
+ net-print/hplip
+ media-gfx/gimp-print
+ net-print/foo2zjs
+ net-print/cups-pdf
+ ) )
+ samba? ( >=net-fs/samba-3.0.8 )
+ virtual/ghostscript"
+PROVIDE="virtual/lpr"
+
+# upstream includes an interactive test which is a nono for gentoo.
+# therefore, since the printing herd has bigger fish to fry, for now,
+# we just leave it out, even if FEATURES=test
+RESTRICT="test"
+
+S=${WORKDIR}/${MY_P}
+
+pkg_setup() {
+ if use x86 && [ -d "/usr/lib64" ]
+ then
+ eerror "You are running an x86 system, but /usr/lib64 exists, cups will install all library objects into this directory!"
+ eerror "You should remove /usr/lib64, but before you do, you should check for existing objects, and re-compile all affected packages."
+ eerror "You can use qfile (emerge portage-utils to install qfile) to get a list of the affected ebuilds:"
+ eerror "# qfile -qC /usr/lib64"
+ die "lib64 on x86 detected"
+ fi
+
+ enewgroup lp
+ enewuser lp -1 -1 -1 lp
+
+ enewgroup lpadmin 106
+}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ # CVE-2007-4351 security patch, bug #196736
+ epatch "${FILESDIR}"/${PN}-1.2.12-CVE-2007-4351.patch
+ # CVE-2007-5849 security patch, bug #201570
+ epatch "${FILESDIR}"/${PN}-1.2.12-CVE-2007-5849.patch
+ # CVE-2008-0047 security patch, bug #212364
+ epatch "${FILESDIR}"/${PN}-1.2.12-CVE-2008-0047.patch
+ # CVE-2008-0882 security patch, bug #211449
+ epatch "${FILESDIR}"/${PN}-1.2.12-CVE-2008-0882.patch
+ # CVE-2008-1373 security patch, bug #214068
+ epatch "${FILESDIR}"/${PN}-1.2.12-CVE-2008-1373.patch
+ # CVE-2008-0053 security patch, bug #214068
+ epatch "${FILESDIR}"/${PN}-1.2.12-CVE-2008-0053.patch
+
+ # cups does not use autotools "the usual way" and ship a static config.h.in
+ eaclocal
+ eautoconf
+}
+
+src_compile() {
+ export DSOFLAGS="${LDFLAGS}"
+
+ if use ldap; then
+ append-flags -DLDAP_DEPRECATED
+ fi
+
+ econf \
+ --with-cups-user=lp \
+ --with-cups-group=lp \
+ --with-system-groups=lpadmin \
+ --localstatedir=/var \
+ --with-docdir=/usr/share/cups/html \
+ $(use_enable pam) \
+ $(use_enable ssl) \
+ --enable-gnutls \
+ $(use_enable slp) \
+ $(use_enable nls) \
+ $(use_enable dbus) \
+ $(use_enable png) \
+ $(use_enable jpeg) \
+ $(use_enable tiff) \
+ $(use_with php) \
+ $(use_enable ldap) \
+ --enable-libpaper \
+ --enable-threads \
+ --enable-static \
+ --disable-pdftops \
+ || die "econf failed"
+
+ # Install in /usr/libexec always, instead of using /usr/lib/cups, as that
+ # makes more sense when facing multilib support.
+ sed -i -e 's:SERVERBIN.*:SERVERBIN = $(BUILDROOT)/usr/libexec/cups:' Makedefs
+ sed -i -e 's:#define CUPS_SERVERBIN.*:#define CUPS_SERVERBIN "/usr/libexec/cups":' config.h
+ sed -i -e 's:cups_serverbin=.*:cups_serverbin=/usr/libexec/cups:' cups-config
+
+ emake || die "emake failed"
+}
+
+src_install() {
+ emake BUILDROOT="${D}" install || die "emake install failed"
+ dodoc {CHANGES{,-1.{0,1}},CREDITS,LICENSE,README}.txt
+
+ # clean out cups init scripts
+ rm -rf "${D}"/etc/{init.d/cups,rc*,pam.d/cups}
+ # install our init scripts
+ newinitd "${FILESDIR}"/cupsd.init cupsd
+ # install our pam script
+ pamd_mimic_system cups auth account
+
+ # correct path
+ sed -i -e "s:server = .*:server = /usr/libexec/cups/daemon/cups-lpd:" "${D}"/etc/xinetd.d/cups-lpd
+ # it is safer to disable this by default, bug 137130
+ grep -w 'disable' "${D}"/etc/xinetd.d/cups-lpd || \
+ sed -i -e "s:}:\tdisable = yes\n}:" "${D}"/etc/xinetd.d/cups-lpd
+
+ # install pdftops filter
+ exeinto /usr/libexec/cups/filter/
+ newexe "${FILESDIR}"/pdftops-1.20.gentoo pdftops
+
+ # only for gs-esp this is correct, see bug 163897
+ if has_version app-text/ghostscript-gpl || has_version app-text/ghostscript-gnu; then
+ sed -i -e "s:#application/vnd.cups-postscript:application/vnd.cups-postscript:" "${D}"/etc/cups/mime.convs
+ fi
+
+ keepdir /usr/share/cups/profiles /usr/libexec/cups/driver /var/log/cups \
+ /var/run/cups/certs /var/cache/cups /var/spool/cups/tmp /etc/cups/ssl
+
+ # .desktop handling. X useflag. xdg-open from freedesktop is preferred
+ if use X; then
+ sed -i -e "s:htmlview:xdg-open:" "${D}"/usr/share/applications/cups.desktop
+ else
+ rm -r "${D}"/usr/share/applications
+ fi
+
+ # Fix a symlink collision, see bug #172341
+ dodir /usr/share/ppd
+ dosym /usr/share/ppd /usr/share/cups/model/foomatic-ppds
+}
+
+pkg_preinst() {
+ # cleanups
+ [ -n "${PN}" ] && rm -fR "${ROOT}"/usr/share/doc/${PN}-*
+}
+
+pkg_postinst() {
+ echo
+ elog "Remote printing: change "
+ elog "Listen localhost:631"
+ elog "to"
+ elog "Listen *:631"
+ elog "in /etc/cups/cupsd.conf"
+ echo
+ elog "For more information about installing a printer take a look at:"
+ elog "http://www.gentoo.org/doc/en/printing-howto.xml."
+ echo
+
+ local good_gs=false
+ for x in app-text/ghostscript-gpl app-text/ghostscript-gnu app-text/ghostscript-esp; do
+ if has_version ${x} && built_with_use ${x} cups; then
+ good_gs=true
+ break
+ fi
+ done;
+ if ! ${good_gs}; then
+ ewarn
+ ewarn "You need to emerge ghostscript with the \"cups\" USE flag turned on"
+ fi
+ if has_version =net-print/cups-1.1*; then
+ ewarn
+ ewarn "The configuration changed with cups-1.2, you may want to save the old"
+ ewarn "one and start from scratch:"
+ ewarn "# mv /etc/cups /etc/cups.orig; emerge -va1 cups"
+ ewarn
+ ewarn "You need to rebuild kdelibs for kdeprinter to work with cups-1.2"
+ fi
+ if [ -e "${ROOT}"/usr/lib/cups ]; then
+ ewarn
+ ewarn "/usr/lib/cups exists - You need to remerge every ebuild that"
+ ewarn "installed into /usr/lib/cups and /etc/cups, qfile is in portage-utils:"
+ ewarn "# FEATURES=-collision-protect emerge -va1 \$(qfile -qC /usr/lib/cups /etc/cups | sed \"s:net-print/cups$::\")"
+ ewarn
+ ewarn "FEATURES=-collision-protect is needed to overwrite the compatibility"
+ ewarn "symlinks installed by this package, it wont be needed on later merges."
+ ewarn "You should also run revdep-rebuild"
+
+ # place symlinks to make the update smoothless
+ for i in "${ROOT}"/usr/lib/cups/{backend,filter}/*; do
+ if [ "${i/\*}" == "${i}" ] && ! [ -e ${i/lib/libexec} ]; then
+ ln -s ${i} ${i/lib/libexec}
+ fi
+ done
+ fi
+}
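Review bot: In pkg_preinst the cleanup `rm -fR "${ROOT}"/usr/share/doc/${PN}-*` expands to `cups-*`, so it would also match documentation directories of other packages whose names start with `cups-`, such as the net-print/cups-pdf listed in PDEPEND above. Restricting the glob to versioned directories, for example `rm -fR "${ROOT}"/usr/share/doc/${PN}-[0-9]*`, keeps the cleanup to this package's own docs. In the pkg_postinst symlink loop, `${i/lib/libexec}` rewrites the first `lib` in the whole path, which includes `${ROOT}`, and the expansions in the `-e` test and in `ln -s` are unquoted; building the destination from the part after `${ROOT}/usr/lib/cups/` and quoting both operands would be safer. Separately, the Manifest still carries cups-1.2.12-CVE-2007-4045.patch while src_unpack does not apply it; if that is intentional, a comment next to the epatch list saying why would save the next reviewer the check.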
diff --git a/net-print/cups/files/cups-1.2.12-CVE-2008-0053.patch b/net-print/cups/files/cups-1.2.12-CVE-2008-0053.patch
new file mode 100644
index 000000000000..8924068d6d7f
--- /dev/null
+++ b/net-print/cups/files/cups-1.2.12-CVE-2008-0053.patch
@@ -0,0 +1,40 @@
+Index: cups-1.2.12/filter/hpgl-input.c
+===================================================================
+--- cups-1.2.12.orig/filter/hpgl-input.c
++++ cups-1.2.12/filter/hpgl-input.c
+@@ -56,6 +56,7 @@ ParseCommand(FILE *fp, /* I - File to
+ i; /* Looping var */
+ char buf[262144], /* String buffer */
+ *bufptr; /* Pointer into buffer */
++ float temp; /* Temporary parameter value */
+ static param_t p[MAX_PARAMS]; /* Parameter buffer */
+
+
+@@ -220,10 +221,10 @@ ParseCommand(FILE *fp, /* I - File to
+ case '-' :
+ case '+' :
+ ungetc(ch, fp);
+- fscanf(fp, "%f", &(p[num_params].value.number));
+- if (num_params < MAX_PARAMS)
++ if (fscanf(fp, "%f", &temp) == 1 && num_params < MAX_PARAMS)
+ {
+- p[num_params].type = PARAM_RELATIVE;
++ p[num_params].type = PARAM_RELATIVE;
++ p[num_params].value.number = temp;
+ num_params ++;
+ }
+ break;
+@@ -239,10 +240,10 @@ ParseCommand(FILE *fp, /* I - File to
+ case '9' :
+ case '.' :
+ ungetc(ch, fp);
+- fscanf(fp, "%f", &(p[num_params].value.number));
+- if (num_params < MAX_PARAMS)
++ if (fscanf(fp, "%f", &temp) == 1 && num_params < MAX_PARAMS)
+ {
+- p[num_params].type = PARAM_ABSOLUTE;
++ p[num_params].type = PARAM_ABSOLUTE;
++ p[num_params].value.number = temp;
+ num_params ++;
+ }
+ break;
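Review bot: Neither rewritten case says why the value is now scanned into `temp`, so the bound check reads as incidental rather than as the fix; a comment such as `/* Scan into a temporary: p[num_params] must not be written once num_params == MAX_PARAMS */` above each `fscanf` would keep a later cleanup from folding the store back in. Parameters beyond MAX_PARAMS, and tokens that fail to parse as a float, are dropped without any diagnostic, which may be worth a message on stderr so that malformed HP-GL input is visible to whoever reads the filter's output. Only the two numeric cases are visible here; ParseCommand's other cases that fill `p[]` lie outside these hunks and should be checked for the same bound and for an unchecked `fscanf` result. The patch file also carries no description or upstream reference beyond its filename.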
diff --git a/net-print/cups/files/cups-1.2.12-CVE-2008-1373.patch b/net-print/cups/files/cups-1.2.12-CVE-2008-1373.patch
new file mode 100644
index 000000000000..299caa5442dd
--- /dev/null
+++ b/net-print/cups/files/cups-1.2.12-CVE-2008-1373.patch
@@ -0,0 +1,23 @@
+Index: cups-1.2.12/filter/image-gif.c
+===================================================================
+--- cups-1.2.12.orig/filter/image-gif.c
++++ cups-1.2.12/filter/image-gif.c
+@@ -47,6 +47,8 @@
+ #define GIF_INTERLACE 0x40
+ #define GIF_COLORMAP 0x80
+
++#define MAX_LWZ_BITS 12
++
+ typedef cups_ib_t gif_cmap_t[256][4];
+ typedef short gif_table_t[4096];
+
+@@ -471,6 +473,9 @@ gif_read_image(FILE *fp, /* I -
+ pass = 0;
+ code_size = getc(fp);
+
++ if (code_size > MAX_LWZ_BITS)
++ return (-1);
++
+ if (gif_read_lzw(fp, 1, code_size) < 0)
+ return (-1);
+
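Review bot: The new guard only bounds `code_size` from above, so the EOF value that `getc()` returns on a truncated file (a negative int) still passes `code_size > MAX_LWZ_BITS` and is handed to `gif_read_lzw()`. Assuming `code_size` is a signed int, as the `getc()` assignment suggests, the check would be tighter as `if (code_size < 0 || code_size > MAX_LWZ_BITS)`. A short comment on the define tying the 12-bit limit to the 4096-entry `gif_table_t` would explain where the number comes from (the name also spells LZW as LWZ). Both the body of gif_read_image() and the declaration of `code_size` lie outside the hunk.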