[foomatic/f14] Fix improper sanitization of command line options (bug #721001, CVE-2011-2697).
Tim Waugh
twaugh at fedoraproject.org
Wed Jul 20 10:51:36 UTC 2011
commit b91dc0f404b9365005046f954c559261c60e26eb
Author: Tim Waugh <twaugh at redhat.com>
Date: Wed Jul 20 10:50:30 2011 +0100
Fix improper sanitization of command line options (bug #721001, CVE-2011-2697).
foomatic-filters-CVE-2011-2697.patch | 209 ++++++++++++++++++++++++++++++++++
foomatic.spec | 11 ++-
2 files changed, 219 insertions(+), 1 deletions(-)
---
diff --git a/foomatic-filters-CVE-2011-2697.patch b/foomatic-filters-CVE-2011-2697.patch
new file mode 100644
index 0000000..81f09c2
--- /dev/null
+++ b/foomatic-filters-CVE-2011-2697.patch
@@ -0,0 +1,209 @@
+diff -up foomatic-filters-4.0.7/foomaticrip.c.CVE-2011-2697 foomatic-filters-4.0.7/foomaticrip.c
+--- foomatic-filters-4.0.7/foomaticrip.c.CVE-2011-2697 2011-07-20 10:41:15.825401233 +0100
++++ foomatic-filters-4.0.7/foomaticrip.c 2011-07-20 10:42:22.784101806 +0100
+@@ -1239,8 +1239,11 @@ int main(int argc, char** argv)
+ }
+
+ /* Check for LPRng first so we do not pick up bogus ppd files by the -ppd option */
+- if (arglist_remove_flag(arglist, "--lprng"))
+- spooler = SPOOLER_LPRNG;
++ if (spooler != SPOOLER_CUPS && spooler != SPOOLER_PPR &&
++ spooler != SPOOLER_PPR_INT) {
++ if (arglist_remove_flag(arglist, "--lprng"))
++ spooler = SPOOLER_LPRNG;
++ }
+
+ /* 'PRINTCAP_ENTRY' environment variable is : LPRng
+ the :ppd=/path/to/ppdfile printcap entry should be used */
+@@ -1262,96 +1265,104 @@ int main(int argc, char** argv)
+ }
+ }
+
+- /* PPD file name given via the command line
+- allow duplicates, and use the last specified one */
+- if (spooler != SPOOLER_LPRNG) {
+- while ((str = arglist_get_value(arglist, "-p"))) {
+- strncpy(job->ppdfile, str, 256);
+- arglist_remove(arglist, "-p");
+- }
+- }
+- while ((str = arglist_get_value(arglist, "--ppd"))) {
+- strncpy(job->ppdfile, str, 256);
+- arglist_remove(arglist, "--ppd");
+- }
+-
+- /* Check for LPD/GNUlpr by typical options which the spooler puts onto
+- the filter's command line (options "-w": text width, "-l": text
+- length, "-i": indent, "-x", "-y": graphics size, "-c": raw printing,
+- "-n": user name, "-h": host name) */
+- if ((str = arglist_get_value(arglist, "-h"))) {
+- if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
+- spooler = SPOOLER_LPD;
+- strncpy(job->host, str, 127);
+- job->host[127] = '\0';
+- arglist_remove(arglist, "-h");
+- }
+- if ((str = arglist_get_value(arglist, "-n"))) {
+- if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
+- spooler = SPOOLER_LPD;
+-
+- strncpy(job->user, str, 127);
+- job->user[127] = '\0';
+- arglist_remove(arglist, "-n");
+- }
+- if (arglist_remove(arglist, "-w") ||
+- arglist_remove(arglist, "-l") ||
+- arglist_remove(arglist, "-x") ||
+- arglist_remove(arglist, "-y") ||
+- arglist_remove(arglist, "-i") ||
+- arglist_remove_flag(arglist, "-c")) {
++ /* CUPS calls foomatic-rip only with 5 or 6 positional parameters,
++ not with named options, like for example "-p <string>". Also PPR
++ does not used named options. */
++ if (spooler != SPOOLER_CUPS && spooler != SPOOLER_PPR &&
++ spooler != SPOOLER_PPR_INT) {
++ /* Check for LPD/GNUlpr by typical options which the spooler puts onto
++ the filter's command line (options "-w": text width, "-l": text
++ length, "-i": indent, "-x", "-y": graphics size, "-c": raw printing,
++ "-n": user name, "-h": host name) */
++ if ((str = arglist_get_value(arglist, "-h"))) {
++ if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
++ spooler = SPOOLER_LPD;
++ strncpy(job->host, str, 127);
++ job->host[127] = '\0';
++ arglist_remove(arglist, "-h");
++ }
++ if ((str = arglist_get_value(arglist, "-n"))) {
+ if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
+ spooler = SPOOLER_LPD;
+- }
+- /* LPRng delivers the option settings via the "-Z" argument */
+- if ((str = arglist_get_value(arglist, "-Z"))) {
+- spooler = SPOOLER_LPRNG;
+- dstrcatf(job->optstr, "%s ", str);
+- arglist_remove(arglist, "-Z");
+- }
+- /* Job title and options for stock LPD */
+- if ((str = arglist_get_value(arglist, "-j")) || (str = arglist_get_value(arglist, "-J"))) {
+- strncpy_omit(job->title, str, 128, omit_shellescapes);
+- if (spooler == SPOOLER_LPD)
+- dstrcatf(job->optstr, "%s ", job->title);
+- if (!arglist_remove(arglist, "-j"))
+- arglist_remove(arglist, "-J");
+- }
+- /* Check for CPS */
+- if (arglist_remove_flag(arglist, "--cps") > 0)
+- spooler = SPOOLER_CPS;
+-
+- /* Options for spooler-less printing, CPS, or PDQ */
+- while ((str = arglist_get_value(arglist, "-o"))) {
+- strncpy_omit(tmp, str, 1024, omit_shellescapes);
+- dstrcatf(job->optstr, "%s ", tmp);
+- arglist_remove(arglist, "-o");
+- /* If we don't print as PPR RIP or as CPS filter, we print
+- without spooler (we check for PDQ later) */
+- if (spooler != SPOOLER_PPR && spooler != SPOOLER_CPS)
+- spooler = SPOOLER_DIRECT;
+- }
+-
+- /* Printer for spooler-less printing or PDQ */
+- if ((str = arglist_get_value(arglist, "-d"))) {
+- strncpy_omit(job->printer, str, 256, omit_shellescapes);
+- arglist_remove(arglist, "-d");
+- }
+-
+- /* Printer for spooler-less printing, PDQ, or LPRng */
+- if ((str = arglist_get_value(arglist, "-P"))) {
+- strncpy_omit(job->printer, str, 256, omit_shellescapes);
+- arglist_remove(arglist, "-P");
+- }
+-
+- /* Were we called from a PDQ wrapper? */
+- if (arglist_remove_flag(arglist, "--pdq"))
+- spooler = SPOOLER_PDQ;
+
+- /* Were we called to build the PDQ driver declaration file? */
+- genpdqfile = check_pdq_file(arglist);
+- if (genpdqfile)
+- spooler = SPOOLER_PDQ;
++ strncpy(job->user, str, 127);
++ job->user[127] = '\0';
++ arglist_remove(arglist, "-n");
++ }
++ if (arglist_remove(arglist, "-w") ||
++ arglist_remove(arglist, "-l") ||
++ arglist_remove(arglist, "-x") ||
++ arglist_remove(arglist, "-y") ||
++ arglist_remove(arglist, "-i") ||
++ arglist_remove_flag(arglist, "-c")) {
++ if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
++ spooler = SPOOLER_LPD;
++ }
++ /* LPRng delivers the option settings via the "-Z" argument */
++ if ((str = arglist_get_value(arglist, "-Z"))) {
++ spooler = SPOOLER_LPRNG;
++ dstrcatf(job->optstr, "%s ", str);
++ arglist_remove(arglist, "-Z");
++ }
++ /* Job title and options for stock LPD */
++ if ((str = arglist_get_value(arglist, "-j")) || (str = arglist_get_value(arglist, "-J"))) {
++ strncpy_omit(job->title, str, 128, omit_shellescapes);
++ if (spooler == SPOOLER_LPD)
++ dstrcatf(job->optstr, "%s ", job->title);
++ if (!arglist_remove(arglist, "-j"))
++ arglist_remove(arglist, "-J");
++ }
++
++ /* Check for CPS */
++ if (arglist_remove_flag(arglist, "--cps") > 0)
++ spooler = SPOOLER_CPS;
++
++ /* PPD file name given via the command line
++ allow duplicates, and use the last specified one */
++ if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG &&
++ spooler != SPOOLER_LPD) {
++ while ((str = arglist_get_value(arglist, "-p"))) {
++ strncpy(job->ppdfile, str, 256);
++ arglist_remove(arglist, "-p");
++ }
++ while ((str = arglist_get_value(arglist, "--ppd"))) {
++ strncpy(job->ppdfile, str, 256);
++ arglist_remove(arglist, "--ppd");
++ }
++ }
++
++ /* Options for spooler-less printing, CPS, or PDQ */
++ while ((str = arglist_get_value(arglist, "-o"))) {
++ strncpy_omit(tmp, str, 1024, omit_shellescapes);
++ dstrcatf(job->optstr, "%s ", tmp);
++ arglist_remove(arglist, "-o");
++ /* If we don't print as PPR RIP or as CPS filter, we print
++ without spooler (we check for PDQ later) */
++ if (spooler != SPOOLER_PPR && spooler != SPOOLER_CPS)
++ spooler = SPOOLER_DIRECT;
++ }
++
++ /* Printer for spooler-less printing or PDQ */
++ if ((str = arglist_get_value(arglist, "-d"))) {
++ strncpy_omit(job->printer, str, 256, omit_shellescapes);
++ arglist_remove(arglist, "-d");
++ }
++
++ /* Printer for spooler-less printing, PDQ, or LPRng */
++ if ((str = arglist_get_value(arglist, "-P"))) {
++ strncpy_omit(job->printer, str, 256, omit_shellescapes);
++ arglist_remove(arglist, "-P");
++ }
++
++ /* Were we called from a PDQ wrapper? */
++ if (arglist_remove_flag(arglist, "--pdq"))
++ spooler = SPOOLER_PDQ;
++
++ /* Were we called to build the PDQ driver declaration file? */
++ genpdqfile = check_pdq_file(arglist);
++ if (genpdqfile)
++ spooler = SPOOLER_PDQ;
++ }
+
+ /* spooler specific initialization */
+ switch (spooler) {
diff --git a/foomatic.spec b/foomatic.spec
index ef231a0..b8dfe0b 100644
--- a/foomatic.spec
+++ b/foomatic.spec
@@ -4,7 +4,7 @@
Summary: Tools for using the foomatic database of printers and printer drivers
Name: foomatic
Version: %{enginever}
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Libraries
@@ -22,6 +22,10 @@ Patch1: foomatic-filters-libdir.patch
# Use mkstemp, not mktemp.
Patch2: foomatic-mkstemp.patch
+# Fix improper sanitization of command line options (bug #721001,
+# CVE-2011-2697).
+Patch3: foomatic-filters-CVE-2011-2697.patch
+
## PATCHES FOR FOOMATIC-DB-ENGINE (PATCHES 101 TO 200)
# Use libdir.
@@ -85,6 +89,7 @@ CUPS print filters for the foomatic package.
pushd foomatic-filters-%{filtersver}
%patch1 -p1 -b .libdir
%patch2 -p1 -b .mkstemp
+%patch3 -p1 -b .CVE-2011-2697
aclocal
automake
autoconf
@@ -193,6 +198,10 @@ rm -fr %buildroot $RPM_BUILD_DIR/%{name}
%{_mandir}/man1/foomatic-rip.1*
%changelog
+* Wed Jul 20 2011 Tim Waugh <twaugh at redhat.com> - 4.0.7-2
+- Fix improper sanitization of command line options (bug #721001,
+ CVE-2011-2697).
+
* Mon Feb 21 2011 Jiri Popelka <jpopelka at redhat.com> - 4.0.7-1
- 4.0.7
More information about the scm-commits
mailing list