Merge remote-tracking branch 'origin/master' into staging

With resolved conflicts in: gnu/packages/bittorrent.scm gnu/packages/databases.scm gnu/packages/geo.scm gnu/packages/gnupg.scm gnu/packages/gstreamer.scm gnu/packages/gtk.scm gnu/packages/linux.scm gnu/packages/python-xyz.scm gnu/packages/xorg.scm guix/build/qt-utils.scm
author: Maxim Cournoyer <maxim.cournoyer@gmail.com> 2021-10-01 17:10:49 -0400
committer: Maxim Cournoyer <maxim.cournoyer@gmail.com> 2021-10-01 17:10:49 -0400
commit: 2e65e4834a226c570866f2e8976ed7f252b45cd1 (patch)
tree: 21d625bce8d03627680214df4a6622bf8eb79dc9 /gnu/packages/patches/cups-CVE-2020-10001.patch
parent: 9c68ecb24dd1660ce736cdcdea0422a73ec318a2 (diff)
parent: f1a3c11407b52004e523ec5de20d326c5661681f (diff)
1 files changed, 47 insertions, 0 deletions
diff --git a/gnu/packages/patches/cups-CVE-2020-10001.patch b/gnu/packages/patches/cups-CVE-2020-10001.patch
new file mode 100644
index 0000000000..1b16c7d97c
--- /dev/null
+++ b/gnu/packages/patches/cups-CVE-2020-10001.patch
@@ -0,0 +1,47 @@
+From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 1 Feb 2021 15:02:32 -0500
+Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
+
+---
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 3d529346c..adbb26fba 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -2866,7 +2866,8 @@ ippReadIO(void       *src,		/* I - Data source */
+   unsigned char		*buffer,	/* Data buffer */
+ 			string[IPP_MAX_TEXT],
+ 					/* Small string buffer */
+-			*bufptr;	/* Pointer into buffer */
++			*bufptr,	/* Pointer into buffer */
++			*bufend;	/* End of buffer */
+   ipp_attribute_t	*attr;		/* Current attribute */
+   ipp_tag_t		tag;		/* Current tag */
+   ipp_tag_t		value_tag;	/* Current value tag */
+@@ -3441,6 +3442,7 @@ ippReadIO(void       *src,		/* I - Data source */
+ 		}
+ 
+                 bufptr = buffer;
++                bufend = buffer + n;
+ 
+ 	       /*
+ 	        * text-with-language and name-with-language are composite
+@@ -3454,7 +3456,7 @@ ippReadIO(void       *src,		/* I - Data source */
+ 
+ 		n = (bufptr[0] << 8) | bufptr[1];
+ 
+-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
++		if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+ 		{
+ 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ 		                _("IPP language length overflows value."), 1);
+@@ -3481,7 +3483,7 @@ ippReadIO(void       *src,		/* I - Data source */
+                 bufptr += 2 + n;
+ 		n = (bufptr[0] << 8) | bufptr[1];
+ 
+-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
++		if ((bufptr + 2 + n) > bufend)
+ 		{
+ 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ 		                _("IPP string length overflows value."), 1);
author	Maxim Cournoyer <maxim.cournoyer@gmail.com>	2021-10-01 17:10:49 -0400
committer	Maxim Cournoyer <maxim.cournoyer@gmail.com>	2021-10-01 17:10:49 -0400
commit	2e65e4834a226c570866f2e8976ed7f252b45cd1 (patch)
tree	21d625bce8d03627680214df4a6622bf8eb79dc9 /gnu/packages/patches/cups-CVE-2020-10001.patch
parent	9c68ecb24dd1660ce736cdcdea0422a73ec318a2 (diff)
parent	f1a3c11407b52004e523ec5de20d326c5661681f (diff)