From b9d9497019f0caa3388f51c458a2469fdeefd146 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Sun, 1 Oct 2023 16:20:24 +0200 Subject: [PATCH] package/cups: add upstream security fix for CVE-2023-4504 Fixes CVE-2023-4504: Postscript Parsing Heap Overflow https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h https://takeonme.org/cves/CVE-2023-4504.html There is a 2.4.7 release with this fix, but upstream unfortunately broke !gnutls builds, so backport the security fix instead: https://github.com/OpenPrinting/cups/issues/762 Signed-off-by: Peter Korsgaard
---
 ...raster-interpret.c-Fix-CVE-2023-4504.patch | 45 +++++++++++++++++++
 package/cups/cups.mk | 3 ++
 2 files changed, 48 insertions(+)
 create mode 100644 package/cups/0005-raster-interpret.c-Fix-CVE-2023-4504.patch
diff --git a/package/cups/0005-raster-interpret.c-Fix-CVE-2023-4504.patch b/package/cups/0005-raster-interpret.c-Fix-CVE-2023-4504.patch
new file mode 100644
index 0000000000..d1dff4e1fa
--- /dev/null
+++ b/package/cups/0005-raster-interpret.c-Fix-CVE-2023-4504.patch
@@ -0,0 +1,45 @@
+From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal
+Date: Wed, 20 Sep 2023 14:45:17 +0200
+Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
+
+We didn't check for end of buffer if it looks there is an escaped
+character - check for NULL terminator there and if found, return NULL
+as return value and in `ptr`, because a lone backslash is not
+a valid PostScript character.
+
+Upstream: https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31
+[Peter: drop CHANGES hunk]
+Signed-off-by: Peter Korsgaard
+---
+ cups/raster-interpret.c | 14 +++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
+index 6fcf731b5..b8655c8c6 100644
+--- a/cups/raster-interpret.c
++++ b/cups/raster-interpret.c
+@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */
+
+ cur ++;
+
+- if (*cur == 'b')
++ /*
++ * Return NULL if we reached NULL terminator, a lone backslash
++ * is not a valid character in PostScript.
++ */
++
++ if (!*cur)
++ {
++ *ptr = NULL;
++
++ return (NULL);
++ }
++
++ if (*cur == 'b')
+ *valptr++ = '\b';
+ else if (*cur == 'f')
+ *valptr++ = '\f';
+--
+2.30.2
+
diff --git a/package/cups/cups.mk b/package/cups/cups.mk
index a3bb2f8dfc..4bc5eeedee 100644
--- a/package/cups/cups.mk
+++ b/package/cups/cups.mk
@@ -13,6 +13,9 @@ CUPS_CPE_ID_VENDOR = openprinting
 CUPS_SELINUX_MODULES = cups
 CUPS_INSTALL_STAGING = YES
 
+# 0005-raster-interpret.c-Fix-CVE-2023-4504.patch
+CUPS_IGNORE_CVES += CVE-2023-4504
+
 # Using autoconf, not autoheader, so we cannot use AUTORECONF = YES.
 define CUPS_RUN_AUTOCONF
 cd $(@D); $(AUTOCONF) -f
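Review bot: The comment added above `if (!*cur)` in the backported cups/raster-interpret.c hunk gives only the grammar reason (a lone backslash is not valid PostScript) and omits the memory-safety reason the guard exists; it also writes "NULL terminator" for the NUL byte, right next to `*ptr = NULL` where NULL is a pointer. The patch description says the escape handling did not check for end of buffer after `cur ++`, so I would word it as `/* A backslash followed by the NUL terminator ends the buffer: stop here rather than treat the terminator as the escaped character. */`. Since the file carries an `Upstream:` trailer and is meant to match the upstream commit, this wording change is better raised upstream than edited in the Buildroot copy. scan_ps starts and ends outside the hunk, so the remaining escape branches cannot be checked from here.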
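Review bot: The `CUPS_IGNORE_CVES += CVE-2023-4504` entry in package/cups/cups.mk is keyed only to the CVE id, so as far as this hunk shows it would keep the CVE suppressed even if patch 0005 were later dropped or no longer applied. The comment above it names the patch but not the release that makes both obsolete. The commit message states that 2.4.7 contains the fix, so I would extend the comment to `# 0005-raster-interpret.c-Fix-CVE-2023-4504.patch (fixed upstream in 2.4.7, drop patch and ignore entry on bump)`.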