* [Buildroot] [PATCH] package/cups: add upstream security fix for CVE-2023-4504
@ 2023-10-01 14:20 Peter Korsgaard
2023-10-11 9:00 ` Peter Korsgaard
2023-10-13 18:15 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-10-01 14:20 UTC (permalink / raw)
To: buildroot; +Cc: Olivier Schonken, Angelo Compagnucci
Fixes CVE-2023-4504: Postscript Parsing Heap Overflow
https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
https://takeonme.org/cves/CVE-2023-4504.html
There is a 2.4.7 release with this fix, but upstream unfortunately broke
!gnutls builds, so backport the security fix instead:
https://github.com/OpenPrinting/cups/issues/762
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...raster-interpret.c-Fix-CVE-2023-4504.patch | 45 +++++++++++++++++++
package/cups/cups.mk | 3 ++
2 files changed, 48 insertions(+)
create mode 100644 package/cups/0005-raster-interpret.c-Fix-CVE-2023-4504.patch
diff --git a/package/cups/0005-raster-interpret.c-Fix-CVE-2023-4504.patch b/package/cups/0005-raster-interpret.c-Fix-CVE-2023-4504.patch
new file mode 100644
index 0000000000..d1dff4e1fa
--- /dev/null
+++ b/package/cups/0005-raster-interpret.c-Fix-CVE-2023-4504.patch
@@ -0,0 +1,45 @@
+From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 20 Sep 2023 14:45:17 +0200
+Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
+
+We didn't check for end of buffer if it looks there is an escaped
+character - check for NULL terminator there and if found, return NULL
+as return value and in `ptr`, because a lone backslash is not
+a valid PostScript character.
+
+Upstream: https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31
+[Peter: drop CHANGES hunk]
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ cups/raster-interpret.c | 14 +++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
+index 6fcf731b5..b8655c8c6 100644
+--- a/cups/raster-interpret.c
++++ b/cups/raster-interpret.c
+@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */
+
+ cur ++;
+
+- if (*cur == 'b')
++ /*
++ * Return NULL if we reached NULL terminator, a lone backslash
++ * is not a valid character in PostScript.
++ */
++
++ if (!*cur)
++ {
++ *ptr = NULL;
++
++ return (NULL);
++ }
++
++ if (*cur == 'b')
+ *valptr++ = '\b';
+ else if (*cur == 'f')
+ *valptr++ = '\f';
+--
+2.30.2
+
diff --git a/package/cups/cups.mk b/package/cups/cups.mk
index a3bb2f8dfc..4bc5eeedee 100644
--- a/package/cups/cups.mk
+++ b/package/cups/cups.mk
@@ -13,6 +13,9 @@ CUPS_CPE_ID_VENDOR = openprinting
CUPS_SELINUX_MODULES = cups
CUPS_INSTALL_STAGING = YES
+# 0005-raster-interpret.c-Fix-CVE-2023-4504.patch
+CUPS_IGNORE_CVES += CVE-2023-4504
+
# Using autoconf, not autoheader, so we cannot use AUTORECONF = YES.
define CUPS_RUN_AUTOCONF
cd $(@D); $(AUTOCONF) -f
--
2.30.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/cups: add upstream security fix for CVE-2023-4504
2023-10-01 14:20 [Buildroot] [PATCH] package/cups: add upstream security fix for CVE-2023-4504 Peter Korsgaard
@ 2023-10-11 9:00 ` Peter Korsgaard
2023-10-13 18:15 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-10-11 9:00 UTC (permalink / raw)
To: buildroot; +Cc: Angelo Compagnucci, Olivier Schonken
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes CVE-2023-4504: Postscript Parsing Heap Overflow
> https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
> https://takeonme.org/cves/CVE-2023-4504.html
> There is a 2.4.7 release with this fix, but upstream unfortunately broke
> !gnutls builds, so backport the security fix instead:
> https://github.com/OpenPrinting/cups/issues/762
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/cups: add upstream security fix for CVE-2023-4504
2023-10-01 14:20 [Buildroot] [PATCH] package/cups: add upstream security fix for CVE-2023-4504 Peter Korsgaard
2023-10-11 9:00 ` Peter Korsgaard
@ 2023-10-13 18:15 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-10-13 18:15 UTC (permalink / raw)
To: buildroot; +Cc: Angelo Compagnucci, Olivier Schonken
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes CVE-2023-4504: Postscript Parsing Heap Overflow
> https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
> https://takeonme.org/cves/CVE-2023-4504.html
> There is a 2.4.7 release with this fix, but upstream unfortunately broke
> !gnutls builds, so backport the security fix instead:
> https://github.com/OpenPrinting/cups/issues/762
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2023.02.x and 2023.08.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-10-13 18:15 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-10-01 14:20 [Buildroot] [PATCH] package/cups: add upstream security fix for CVE-2023-4504 Peter Korsgaard
2023-10-11 9:00 ` Peter Korsgaard
2023-10-13 18:15 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox