[cups/f14] Avoid GIF reader loop (CVE-2011-2896, STR #3914, bug #727800).

Tim Waugh twaugh at fedoraproject.org
Fri Aug 19 11:37:15 UTC 2011


commit cf15da723aa4d465b13a4a4ea7f7690393342e72
Author: Tim Waugh <twaugh at redhat.com>
Date:   Fri Aug 19 11:35:13 2011 +0100

    Avoid GIF reader loop (CVE-2011-2896, STR #3914, bug #727800).

 cups-CVE-2011-2896.patch |   33 +++++++++++++++++++++++++++++++++
 cups.spec                |    8 +++++++-
 2 files changed, 40 insertions(+), 1 deletions(-)
---
diff --git a/cups-CVE-2011-2896.patch b/cups-CVE-2011-2896.patch
new file mode 100644
index 0000000..a949b9d
--- /dev/null
+++ b/cups-CVE-2011-2896.patch
@@ -0,0 +1,33 @@
+diff -up cups-1.4.8/filter/image-gif.c.CVE-2011-2896 cups-1.4.8/filter/image-gif.c
+--- cups-1.4.8/filter/image-gif.c.CVE-2011-2896	2011-06-20 21:37:51.000000000 +0100
++++ cups-1.4.8/filter/image-gif.c	2011-08-19 11:33:37.547911212 +0100
+@@ -648,11 +648,13 @@ gif_read_lzw(FILE *fp,			/* I - File to 
+ 
+     if (code == max_code)
+     {
+-      *sp++ = firstcode;
+-      code  = oldcode;
++      if (sp < (stack + 8192))
++	*sp++ = firstcode;
++
++      code = oldcode;
+     }
+ 
+-    while (code >= clear_code)
++    while (code >= clear_code && sp < (stack + 8192))
+     {
+       *sp++ = table[1][code];
+       if (code == table[0][code])
+@@ -661,8 +663,10 @@ gif_read_lzw(FILE *fp,			/* I - File to 
+       code = table[0][code];
+     }
+ 
+-    *sp++ = firstcode = table[1][code];
+-    code  = max_code;
++    if (sp < (stack + 8192))
++      *sp++ = firstcode = table[1][code];
++
++    code = max_code;
+ 
+     if (code < 4096)
+     {
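Review bot: The three new `sp < (stack + 8192)` guards stop writes past the end of `stack`, but hitting the limit is not treated as an error: the `while` loop can exit with `code` still `>= clear_code`, the final push that updates `firstcode` is skipped, and decoding carries on with a truncated string. A malformed stream then produces corrupt output rather than a failure, so I would return the function's error value when the stack is full instead of silently dropping bytes. The literal 8192 is repeated three times and is presumably the declared size of `stack`, which is outside the hunk; if `stack` is an array, one bound such as `stack + sizeof(stack) / sizeof(stack[0])` keeps the check tied to the declaration. Nothing visible here rejects a `code` above `max_code` before it indexes `table[0][code]` and `table[1][code]`; gif_read_lzw starts and ends outside the hunk, so confirm that this is checked earlier, and add the check if it is not.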
diff --git a/cups.spec b/cups.spec
index 2912b19..f602c5e 100644
--- a/cups.spec
+++ b/cups.spec
@@ -8,7 +8,7 @@
 Summary: Common Unix Printing System
 Name: cups
 Version: 1.4.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
 Source: http://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2
@@ -66,6 +66,7 @@ Patch31: cups-dnssd-deviceid.patch
 Patch32: cups-ricoh-deviceid-oid.patch
 Patch33: cups-texttops-rotate-page.patch
 Patch34: cups-polld-busy-loop.patch
+Patch35: cups-CVE-2011-2896.patch
 
 Patch100: cups-lspp.patch
 
@@ -266,6 +267,8 @@ module.
 %patch33 -p1 -b .texttops-rotate-page
 # Avoid busy loop in cups-polld (bug #720921).
 %patch34 -p1 -b .polld-busy-loop
+# Avoid GIF reader loop (CVE-2011-2896, STR #3914, bug #727800).
+%patch35 -p1 -b .CVE-2011-2896
 
 %if %lspp
 # LSPP support.
@@ -574,6 +577,9 @@ rm -rf $RPM_BUILD_ROOT
 %{php_extdir}/phpcups.so
 
 %changelog
+* Fri Aug 19 2011 Tim Waugh <twaugh at redhat.com> 1:1.4.8-2
+- Avoid GIF reader loop (CVE-2011-2896, STR #3914, bug #727800).
+
 * Tue Jul 26 2011 Jiri Popelka <jpopelka at redhat.com> 1:1.4.8-1
 - 1.4.8
 

