b9d9497019
Fixes CVE-2023-4504: Postscript Parsing Heap Overflow https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h https://takeonme.org/cves/CVE-2023-4504.html There is a 2.4.7 release with this fix, but upstream unfortunately broke !gnutls builds, so backport the security fix instead: https://github.com/OpenPrinting/cups/issues/762 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
46 lines
1.3 KiB
Diff
46 lines
1.3 KiB
Diff
From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 2001
|
|
From: Zdenek Dohnal <zdohnal@redhat.com>
|
|
Date: Wed, 20 Sep 2023 14:45:17 +0200
|
|
Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
|
|
|
|
We didn't check for end of buffer if it looks there is an escaped
|
|
character - check for NULL terminator there and if found, return NULL
|
|
as return value and in `ptr`, because a lone backslash is not
|
|
a valid PostScript character.
|
|
|
|
Upstream: https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31
|
|
[Peter: drop CHANGES hunk]
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
---
|
|
cups/raster-interpret.c | 14 +++++++++++++-
|
|
1 file changed, 14 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
|
|
index 6fcf731b5..b8655c8c6 100644
|
|
--- a/cups/raster-interpret.c
|
|
+++ b/cups/raster-interpret.c
|
|
@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */
|
|
|
|
cur ++;
|
|
|
|
- if (*cur == 'b')
|
|
+ /*
|
|
+ * Return NULL if we reached NULL terminator, a lone backslash
|
|
+ * is not a valid character in PostScript.
|
|
+ */
|
|
+
|
|
+ if (!*cur)
|
|
+ {
|
|
+ *ptr = NULL;
|
|
+
|
|
+ return (NULL);
|
|
+ }
|
|
+
|
|
+ if (*cur == 'b')
|
|
*valptr++ = '\b';
|
|
else if (*cur == 'f')
|
|
*valptr++ = '\f';
|
|
--
|
|
2.30.2
|
|
|