diff options
| author | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2021-12-13 16:29:21 -0500 |
|---|---|---|
| committer | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2021-12-13 16:29:21 -0500 |
| commit | 6dffced09ecda024e0884e352778c221ad066fd6 (patch) | |
| tree | 1707e8d8df4d9c47317a39ab6abbfc2ca66a6c29 /gnu/packages/patches/cups-CVE-2020-10001.patch | |
| parent | b603554ed044638dd40b6863d5dada59eefe03b8 (diff) | |
| parent | e3196755e60ba7f1ed9d432e73f26a85e0c8893c (diff) | |
Merge branch 'core-updates-frozen' into 'master'.
At last!
Diffstat (limited to 'gnu/packages/patches/cups-CVE-2020-10001.patch')
| -rw-r--r-- | gnu/packages/patches/cups-CVE-2020-10001.patch | 47 |
1 files changed, 0 insertions, 47 deletions
diff --git a/gnu/packages/patches/cups-CVE-2020-10001.patch b/gnu/packages/patches/cups-CVE-2020-10001.patch deleted file mode 100644 index 1b16c7d97c..0000000000 --- a/gnu/packages/patches/cups-CVE-2020-10001.patch +++ /dev/null @@ -1,47 +0,0 @@ -From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001 -From: Michael R Sweet <msweet@msweet.org> -Date: Mon, 1 Feb 2021 15:02:32 -0500 -Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001) - ---- - -diff --git a/cups/ipp.c b/cups/ipp.c -index 3d529346c..adbb26fba 100644 ---- a/cups/ipp.c -+++ b/cups/ipp.c -@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */ - unsigned char *buffer, /* Data buffer */ - string[IPP_MAX_TEXT], - /* Small string buffer */ -- *bufptr; /* Pointer into buffer */ -+ *bufptr, /* Pointer into buffer */ -+ *bufend; /* End of buffer */ - ipp_attribute_t *attr; /* Current attribute */ - ipp_tag_t tag; /* Current tag */ - ipp_tag_t value_tag; /* Current value tag */ -@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */ - } - - bufptr = buffer; -+ bufend = buffer + n; - - /* - * text-with-language and name-with-language are composite -@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */ - - n = (bufptr[0] << 8) | bufptr[1]; - -- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string)) -+ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string)) - { - _cupsSetError(IPP_STATUS_ERROR_INTERNAL, - _("IPP language length overflows value."), 1); -@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */ - bufptr += 2 + n; - n = (bufptr[0] << 8) | bufptr[1]; - -- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE)) -+ if ((bufptr + 2 + n) > bufend) - { - _cupsSetError(IPP_STATUS_ERROR_INTERNAL, - _("IPP string length overflows value."), 1); |