guix/gnu/packages/patches/cups-CVE-2020-10001.patch

From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <msweet@msweet.org>
Date: Mon, 1 Feb 2021 15:02:32 -0500
Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)

---

diff --git a/cups/ipp.c b/cups/ipp.c
index 3d529346c..adbb26fba 100644
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -2866,7 +2866,8 @@ ippReadIO(void       *src,		/* I - Data source */
   unsigned char		*buffer,	/* Data buffer */
 			string[IPP_MAX_TEXT],
 					/* Small string buffer */
-			*bufptr;	/* Pointer into buffer */
+			*bufptr,	/* Pointer into buffer */
+			*bufend;	/* End of buffer */
   ipp_attribute_t	*attr;		/* Current attribute */
   ipp_tag_t		tag;		/* Current tag */
   ipp_tag_t		value_tag;	/* Current value tag */
@@ -3441,6 +3442,7 @@ ippReadIO(void       *src,		/* I - Data source */
 		}
 
                 bufptr = buffer;
+                bufend = buffer + n;
 
 	       /*
 	        * text-with-language and name-with-language are composite
@@ -3454,7 +3456,7 @@ ippReadIO(void       *src,		/* I - Data source */
 
 		n = (bufptr[0] << 8) | bufptr[1];
 
-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
+		if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
 		{
 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
 		                _("IPP language length overflows value."), 1);
@@ -3481,7 +3483,7 @@ ippReadIO(void       *src,		/* I - Data source */
                 bufptr += 2 + n;
 		n = (bufptr[0] << 8) | bufptr[1];
 
-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
+		if ((bufptr + 2 + n) > bufend)
 		{
 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
 		                _("IPP string length overflows value."), 1);
gnu: cups: Add replacement to fix CVE-2020-10001. * gnu/packages/patches/cups-CVE-2020-10001.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/cups.scm (cups-minimal/fixed): New variable. (cups-minimal)[replacement]: Assign it to new field. 2021-06-23 10:52:21 +00:00			`From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001`
			`From: Michael R Sweet <msweet@msweet.org>`
			`Date: Mon, 1 Feb 2021 15:02:32 -0500`
			`Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)`

			`---`

			`diff --git a/cups/ipp.c b/cups/ipp.c`
			`index 3d529346c..adbb26fba 100644`
			`--- a/cups/ipp.c`
			`+++ b/cups/ipp.c`
			`@@ -2866,7 +2866,8 @@ ippReadIO(void src, / I - Data source */`
			`unsigned char buffer, / Data buffer */`
			`string[IPP_MAX_TEXT],`
			`/* Small string buffer */`
			`- bufptr; / Pointer into buffer */`
			`+ bufptr, / Pointer into buffer */`
			`+ bufend; / End of buffer */`
			`ipp_attribute_t attr; / Current attribute */`
			`ipp_tag_t tag; /* Current tag */`
			`ipp_tag_t value_tag; /* Current value tag */`
			`@@ -3441,6 +3442,7 @@ ippReadIO(void src, / I - Data source */`
			`}`

			`bufptr = buffer;`
			`+ bufend = buffer + n;`

			`/*`
			`* text-with-language and name-with-language are composite`
			`@@ -3454,7 +3456,7 @@ ippReadIO(void src, / I - Data source */`

			`n = (bufptr[0] << 8) \| bufptr[1];`

			`- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) \|\| n >= (int)sizeof(string))`
			`+ if ((bufptr + 2 + n + 2) > bufend \|\| n >= (int)sizeof(string))`
			`{`
			`_cupsSetError(IPP_STATUS_ERROR_INTERNAL,`
			`_("IPP language length overflows value."), 1);`
			`@@ -3481,7 +3483,7 @@ ippReadIO(void src, / I - Data source */`
			`bufptr += 2 + n;`
			`n = (bufptr[0] << 8) \| bufptr[1];`

			`- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))`
			`+ if ((bufptr + 2 + n) > bufend)`
			`{`
			`_cupsSetError(IPP_STATUS_ERROR_INTERNAL,`
			`_("IPP string length overflows value."), 1);`