From owner-freebsd-security@FreeBSD.ORG Sat Nov 22 07:18:03 2008
Date: Sat, 22 Nov 2008 10:17:59 +0300
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: dinoex@FreeBSD.org
Cc: freebsd-security@freebsd.org, bug-followup@freebsd.org
Subject: Re: ports/129001: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference
In-Reply-To: <200811211846.mALIkCQK092821@freefall.freebsd.org>
List-Id: "Security issues [members-only posting]"

Dirk, good day.

Fri, Nov 21, 2008 at 07:46:12PM +0100, dinoex@FreeBSD.org wrote:
> Synopsis: [vuxml] [patch] print/cups-base: fix NULL-pointer dereference
> 
> State-Changed-From-To: open->feedback
> State-Changed-By: dinoex
> State-Changed-When: Fri Nov 21 19:45:23 CET 2008
> State-Changed-Why: 
> 
> The patch does not apply.
[...]
> (Creating file ./files/patch-fix-subscriptions-null-dereference...)
> Patching file ./files/patch-fix-subscriptions-null-dereference using Plan A...
> patch: **** malformed patch at line 24: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Yeah, I think that you ran into an issue with query-pr.cgi and line continuations in quoted-printable encoding. I have www/127898, but it seems to be incomplete with respect to the attachments. Will try to extend the patch and post a follow-up to the mentioned PR.
The patch for CUPS is attached; hope it will be delivered in unbroken form now. Sorry for the confusion.
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  '   `         ,       __.--'    #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #  -- FreeBSD Developers handbook
    {_.-``-'         {_/            #

Content-Type: text/x-diff; charset=koi8-r
Content-Disposition: attachment; filename="1.3.9-to-1.3.9_1-fix-null-deference-upstream.diff"

diff -urN ./Makefile ../cups-base/Makefile --- ./Makefile 2008-11-20 02:48:10.000000000 +0300 +++ ../cups-base/Makefile 2008-11-20 03:07:03.000000000 +0300 @@ -7,6 +7,7 @@ =20 PORTNAME=3D cups PORTVERSION=3D 1.3.9 +PORTREVISION=3D 1 DISTVERSIONSUFFIX=3D -source CATEGORIES=3D print MASTER_SITES=3D EASYSW/${PORTNAME}/${DISTVERSION} diff -urN ./files/patch-fix-subscriptions-null-dereference ../cups-base/fil= es/patch-fix-subscriptions-null-dereference --- ./files/patch-fix-subscriptions-null-dereference 1970-01-01 03:00:00.00= 0000000 +0300 +++ ../cups-base/files/patch-fix-subscriptions-null-dereference 2008-11-20 = 11:33:59.000000000 +0300
@@ -0,0 +1,179 @@ +Obtained from: Michael Sweet, via oss-security list, + http://www.openwall.com/lists/oss-security/2008/11/20/2 + +Index: test/run-stp-tests.sh +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- test/run-stp-tests.sh (revision 8145) ++++ test/run-stp-tests.sh (revision 8146) +@@ -307,6 +307,7 @@ + DocumentRoot $root/doc + RequestRoot /tmp/cups-$user/spool + TempDir /tmp/cups-$user/spool/temp ++MaxSubscriptions 3 + MaxLogSize 0 + AccessLog /tmp/cups-$user/log/access_log + ErrorLog /tmp/cups-$user/log/error_log +Index: test/4.4-subscription-ops.test +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- test/4.4-subscription-ops.test (revision 8145) ++++ test/4.4-subscription-ops.test (revision 8146) +@@ -116,7 +116,33 @@ + EXPECT notify-events + DISPLAY notify-events + } ++{ ++ # The name of the test... ++ NAME "Check MaxSubscriptions limits" +=20 ++ # The operation to use ++ OPERATION Create-Printer-Subscription ++ RESOURCE / ++ ++ # The attributes to send ++ GROUP operation ++ ATTR charset attributes-charset utf-8 ++ ATTR language attributes-natural-language en ++ ATTR uri printer-uri $method://$hostname:$port/printers/Test1 ++ ++ GROUP subscription ++ ATTR uri notify-recipient-uri testnotify:// ++ ATTR keyword notify-events printer-state-changed ++ ATTR integer notify-lease-duration 5 ++ ++ # What statuses are OK? ++ STATUS client-error-too-many-subscriptions ++ ++ # What attributes do we expect? 
++ EXPECT attributes-charset ++ EXPECT attributes-natural-language ++} ++ + # + # End of "$Id$" + # +Index: scheduler/subscriptions.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- scheduler/subscriptions.c (revision 8145) ++++ scheduler/subscriptions.c (revision 8146) +@@ -341,9 +341,55 @@ + * Limit the number of subscriptions... + */ +=20 +- if (cupsArrayCount(Subscriptions) >=3D MaxSubscriptions) ++ if (MaxSubscriptions > 0 && cupsArrayCount(Subscriptions) >=3D MaxSubsc= riptions) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached MaxSubscriptions %d", ++ MaxSubscriptions); + return (NULL); ++ } +=20 ++ if (MaxSubscriptionsPerJob > 0 && job) ++ { ++ int count; /* Number of job subscriptions */ ++ ++ for (temp =3D (cupsd_subscription_t *)cupsArrayFirst(Subscriptions), ++ count =3D 0; ++ temp; ++ temp =3D (cupsd_subscription_t *)cupsArrayNext(Subscriptions)) ++ if (temp->job =3D=3D job) ++ count ++; ++ ++ if (count >=3D MaxSubscriptionsPerJob) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached MaxSubscriptionsPerJob %d " ++ "for job #%d", MaxSubscriptionsPerJob, job->id); ++ return (NULL); ++ } ++ } ++ ++ if (MaxSubscriptionsPerPrinter > 0 && dest) ++ { ++ int count; /* Number of printer subscriptions */ ++ ++ for (temp =3D (cupsd_subscription_t *)cupsArrayFirst(Subscriptions), ++ count =3D 0; ++ temp; ++ temp =3D (cupsd_subscription_t *)cupsArrayNext(Subscriptions)) ++ if (temp->dest =3D=3D dest) ++ count ++; ++ ++ if (count >=3D MaxSubscriptionsPerPrinter) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, ++ "cupsdAddSubscription: Reached " ++ "MaxSubscriptionsPerPrinter %d for %s", ++ MaxSubscriptionsPerPrinter, dest->name); ++ return (NULL); ++ } ++ } ++ + /* + * Allocate memory for this subscription... 
+ */ +@@ -758,7 +804,6 @@ + cupsdLogMessage(CUPSD_LOG_ERROR, + "Syntax error on line %d of subscriptions.conf.", + linenum); +- break; + } + else if (!strcasecmp(line, "Events")) + { +Index: scheduler/ipp.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +--- scheduler/ipp.c (revision 8145) ++++ scheduler/ipp.c (revision 8146) +@@ -2119,24 +2119,25 @@ + if (mask =3D=3D CUPSD_EVENT_NONE) + mask =3D CUPSD_EVENT_JOB_COMPLETED; +=20 +- sub =3D cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, rec= ipient, +- 0); ++ if ((sub =3D cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, ++ recipient, 0)) !=3D NULL) ++ { ++ sub->interval =3D interval; +=20 +- sub->interval =3D interval; ++ cupsdSetString(&sub->owner, job->username); +=20 +- cupsdSetString(&sub->owner, job->username); ++ if (user_data) ++ { ++ sub->user_data_len =3D user_data->values[0].unknown.length; ++ memcpy(sub->user_data, user_data->values[0].unknown.data, ++ sub->user_data_len); ++ } +=20 +- if (user_data) +- { +- sub->user_data_len =3D user_data->values[0].unknown.length; +- memcpy(sub->user_data, user_data->values[0].unknown.data, +- sub->user_data_len); ++ ippAddSeparator(con->response); ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER, ++ "notify-subscription-id", sub->id); + } +=20 +- ippAddSeparator(con->response); +- ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER, +- "notify-subscription-id", sub->id); +- + if (attr) + attr =3D attr->next; + } +@@ -5590,7 +5591,12 @@ + else + job =3D NULL; +=20 +- sub =3D cupsdAddSubscription(mask, printer, job, recipient, 0); ++ if ((sub =3D cupsdAddSubscription(mask, printer, job, recipient, 0)) = =3D=3D NULL) ++ { ++ send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS, ++ _("There are too many subscriptions.")); ++ return; ++ } +=20 + if (job) + 
cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d",
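Review bot: in the test/run-stp-tests.sh hunk, `MaxSubscriptions 3` is a global cap, so it applies to every subscription the earlier cases in test/4.4-subscription-ops.test create, not just to the new "Check MaxSubscriptions limits" case. Confirm those earlier cases leave fewer than three subscriptions alive when the new one runs; otherwise the new case passes for the wrong reason, or an earlier case starts failing with client-error-too-many-subscriptions.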
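Review bot: the new case in test/4.4-subscription-ops.test exercises only the global MaxSubscriptions path. The scheduler/subscriptions.c hunk also adds MaxSubscriptionsPerJob and MaxSubscriptionsPerPrinter checks that return NULL from cupsdAddSubscription, and neither is covered here. Suggest a companion case with MaxSubscriptionsPerPrinter set in run-stp-tests.sh, since those two loops are new code on exactly the NULL-returning path that produced the original crash.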
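Review bot: in the scheduler/subscriptions.c @@ -341 hunk, the added `MaxSubscriptions > 0 &&` guard changes what MaxSubscriptions 0 means: the old `cupsArrayCount(Subscriptions) >= MaxSubscriptions` is always true at 0 (refuse everything), the new one treats 0 as unlimited, and the same convention is applied to the two new per-job and per-printer limits. That is the sensible reading, but it is a behaviour change for anyone who set 0 deliberately and should be stated in the "Obtained from" header of the port's patch file. Two further points on the same hunk: all three limit messages use CUPSD_LOG_DEBUG, while repeatedly hitting a subscription cap is something an operator should see at a default log level (CUPSD_LOG_WARN would be more useful for spotting abuse); and the per-job and per-printer counts each walk the whole Subscriptions array with cupsArrayFirst/cupsArrayNext on every call, so cost grows with the number of live subscriptions, and if those calls share the array's own iteration cursor, as the CUPS array API appears to, any caller that is itself iterating Subscriptions when it calls cupsdAddSubscription would have its position reset.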
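Review bot: the scheduler/subscriptions.c @@ -758 hunk removes the `break;` after the "Syntax error on line %d of subscriptions.conf." message, so the loader now logs a malformed line and keeps parsing instead of stopping at the first bad one. That is unrelated to the NULL dereference and the hunk carries no rationale; confirm it is intended upstream behaviour in revision 8146 and mention it in the patch header so the port's patch file documents both changes.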
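Review bot: in the scheduler/ipp.c @@ -2119 hunk, a NULL return from cupsdAddSubscription now silently skips that recipient: no notify-subscription-id goes into the response, nothing is logged at this level, and the job is still created, so the client cannot tell it has no subscription. That removes the crash, but it is inconsistent with the @@ -5590 hunk, which answers IPP_TOO_MANY_SUBSCRIPTIONS. Suggest at least a cupsdLogMessage in the NULL case, and consider whether the job path should fail the request the same way. Separately, the `memcpy(sub->user_data, user_data->values[0].unknown.data, sub->user_data_len)` is only moved inside the new `if`, and its length comes from the request; the bound check on user_data_len has to happen before this hunk, which the visible context does not show, so please confirm it is there.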
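Review bot: the scheduler/ipp.c @@ -5590 hunk adds an early `return;` after send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS, ...), which is the right status for all three limits (global, per-job, per-printer). Confirm that nothing allocated earlier in the enclosing function leaks on this new early exit; the hunk context shows only the `job` selection before the call, which needs no cleanup, but the rest of the function is not visible. Pairing the rejection with a non-DEBUG log line would also make a flood of refused Create-Printer-Subscription requests visible to an operator.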