Andreas Radke pushed to branch main at Arch Linux / Packaging / Packages / 
libcupsfilters


Commits:
8adeef36 by Andreas Radke at 2024-09-27T13:47:19+02:00
upgpkg: 2.0.0-3; apply upstream fix for CVE-2024-47076

- - - - -


3 changed files:

- .SRCINFO
- + CVE-2024-47076.patch
- PKGBUILD


Changes:

=====================================
.SRCINFO
=====================================
@@ -1,10 +1,10 @@
 pkgbase = libcupsfilters
        pkgdesc = OpenPrinting CUPS Filters - contains all the code of the 
filters of the former cups-filters package as library functions
        pkgver = 2.0.0
-       pkgrel = 2
+       pkgrel = 3
        url = https://github.com/OpenPrinting/libcupsfilters
        arch = x86_64
-       license = Apache
+       license = Apache-2.0 WITH LLVM-exception
        checkdepends = ttf-dejavu
        makedepends = ghostscript
        depends = libcups
@@ -20,6 +20,8 @@ pkgbase = libcupsfilters
        depends = gcc-libs
        depends = dbus
        source = 
https://github.com/OpenPrinting/libcupsfilters/releases/download/2.0.0/libcupsfilters-2.0.0.tar.xz
+       source = CVE-2024-47076.patch
        sha256sums = 
542f2bfbc58136a4743c11dc8c86cee03c9aca705612654e36ac34aa0d9aa601
+       sha256sums = 
c3d24aacad3c5641c12a4371697cc6ca602e30604aa79ab2a061f1c8bbb65cf7
 
 pkgname = libcupsfilters


=====================================
CVE-2024-47076.patch
=====================================
@@ -0,0 +1,33 @@
+From 95576ec3d20c109332d14672a807353cdc551018 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <[email protected]>
+Date: Thu, 26 Sep 2024 23:09:29 +0200
+Subject: [PATCH] cfGetPrinterAttributes5(): Validate response attributes
+ before return
+
+The destination can be corrupted or forged, so validate the response
+to strenghten security measures.
+
+Fixes CVE-2024-47076
+---
+ cupsfilters/ipp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/cupsfilters/ipp.c b/cupsfilters/ipp.c
+index 8d6a9b3d..db10cb3f 100644
+--- a/cupsfilters/ipp.c
++++ b/cupsfilters/ipp.c
+@@ -404,6 +404,14 @@ cfGetPrinterAttributes5(http_t *http_printer,
+           ippDelete(response2);
+         }
+       }
++
++      // Check if the response is valid
++      if (!ippValidateAttributes(response))
++      {
++        ippDelete(response);
++        response = NULL;
++      }
++
+       if (have_http == 0) httpClose(http_printer);
+       if (uri) free(uri);
+       return (response);
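Review bot: The new check at the end of cfGetPrinterAttributes5 drops a response that fails ippValidateAttributes() without leaving any trace, so a caller that receives NULL cannot tell a forged or malformed destination from an ordinary transport failure; if the function has a debug or log path in scope (the rest of its body lies outside this hunk), a message there before `ippDelete(response);` would make the rejection visible. The comment could state what is being defended against instead of restating the condition, e.g. `// The destination may be corrupted or forged; drop any response whose attributes fail validation (CVE-2024-47076).` If `response` can already be NULL at this point, the added code relies on ippValidateAttributes() tolerating a NULL argument; ippDelete(NULL) itself is a no-op, so the cleanup path is safe either way.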


=====================================
PKGBUILD
=====================================
@@ -2,11 +2,11 @@
 
 pkgname=libcupsfilters
 pkgver=2.0.0
-pkgrel=2
+pkgrel=3
 pkgdesc="OpenPrinting CUPS Filters - contains all the code of the filters of 
the former cups-filters package as library functions"
 arch=('x86_64')
 url="https://github.com/OpenPrinting/libcupsfilters";
-license=('Apache')
+license=('Apache-2.0 WITH LLVM-exception')
 depends=('libcups' 'libexif' 'qpdf' 'poppler'
          'libjpeg-turbo' 'libpng' 'libtiff' 'lcms2' 'fontconfig' 'glibc' 
'gcc-libs' 'dbus')
 makedepends=(
@@ -14,8 +14,17 @@ makedepends=(
 #        'mupdf-tools' ???
 )
 checkdepends=('ttf-dejavu') # ttf-dejavu for make check
-source=("https://github.com/OpenPrinting/libcupsfilters/releases/download/$pkgver/$pkgname-$pkgver.tar.xz";)
-sha256sums=('542f2bfbc58136a4743c11dc8c86cee03c9aca705612654e36ac34aa0d9aa601')
+source=("https://github.com/OpenPrinting/libcupsfilters/releases/download/$pkgver/$pkgname-$pkgver.tar.xz";
+        CVE-2024-47076.patch)
+sha256sums=('542f2bfbc58136a4743c11dc8c86cee03c9aca705612654e36ac34aa0d9aa601'
+            'c3d24aacad3c5641c12a4371697cc6ca602e30604aa79ab2a061f1c8bbb65cf7')
+
+prepare() {
+  cd "$pkgname"-$pkgver
+  # The destination can be corrupted or forged, so validate the response
+  # to strenghten security measures.
+  patch -Np1 -i ../CVE-2024-47076.patch
+}
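Review bot: The comment added to prepare() copies the upstream commit message together with its typo; `# to strengthen security measures.` is the intended wording. It would also help the next maintainer to record where the patch comes from and when it can be dropped, e.g. `# upstream commit 95576ec3 (cfGetPrinterAttributes5: validate response attributes); drop once a release containing it is packaged`.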
 
 build() {
   cd "$pkgname"-$pkgver
@@ -36,4 +45,7 @@ check() {
 package() {
   cd "$pkgname"-$pkgver
   make DESTDIR="$pkgdir/" install
+  # license
+  mkdir -p "${pkgdir}"/usr/share/licenses/${pkgname}
+  install -m644 "${srcdir}"/${pkgname}-${pkgver}/{COPYING,NOTICE} 
"${pkgdir}"/usr/share/licenses/${pkgname}/
 }
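Review bot: The two new lines in package() can be one idiomatic install call, `install -Dm644 -t "$pkgdir/usr/share/licenses/$pkgname" COPYING NOTICE`, because `-D` creates the target directory and the function has already changed into `$pkgname-$pkgver`, which makes the `"${srcdir}"/${pkgname}-${pkgver}/` prefix redundant. That form also keeps the quoting consistent with the rest of the file, which writes `"$pkgname"-$pkgver` rather than `${pkgname}`.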


