Bug#701185: hplip: diff for NMU version 3.12.6-3.1

Fri, 01 Mar 2013 10:21:15 -0800 

Control: tags -1 + pending
thanks

Dear maintainer,

I've prepared an NMU for hplip (versioned as 3.12.6-3.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards
-- 
Sebastian Ramacher

diff -Nru hplip-3.12.6/debian/changelog hplip-3.12.6/debian/changelog
--- hplip-3.12.6/debian/changelog	2012-06-24 08:49:45.000000000 +0200
+++ hplip-3.12.6/debian/changelog	2013-03-01 18:41:56.000000000 +0100
@@ -1,3 +1,12 @@
+hplip (3.12.6-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * debian/patches/CVE-2013-0200.patch: Fix CVE-2013-0200 by applying the
+    patch from Red Hat. Additionally increase the buffers to mitigate an
+    regression and a buffer overflow. (Closes: #701185)
+
+ -- Sebastian Ramacher <sramac...@debian.org>  Fri, 01 Mar 2013 18:21:48 +0100
+
 hplip (3.12.6-3) unstable; urgency=low
 
   * [!linux-any] --enable-libusb01_build
diff -Nru hplip-3.12.6/debian/patches/CVE-2013-0200.patch hplip-3.12.6/debian/patches/CVE-2013-0200.patch
--- hplip-3.12.6/debian/patches/CVE-2013-0200.patch	1970-01-01 01:00:00.000000000 +0100
+++ hplip-3.12.6/debian/patches/CVE-2013-0200.patch	2013-03-01 18:52:39.000000000 +0100
@@ -0,0 +1,98 @@
+Description: fix for CVE-2013-0200 (insecure temporary files)
+Origin: vendor, ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/hplip-3.12.4-4.el6.src.rpm
+Last-Update: 2013-03-01
+Bug-Debian: http://bugs.debian.org/701185
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=902163
+
+--- a/prnt/hpcups/HPCupsFilter.cpp
++++ b/prnt/hpcups/HPCupsFilter.cpp
+@@ -656,21 +656,24 @@
+         
+         if (m_iLogLevel & SAVE_INPUT_RASTERS)
+         {
+-            char    szFileName[32];
++            char    szFileName[44];
+             memset(szFileName, 0, sizeof(szFileName));
+-            snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp", current_page_number);
++            snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp.XXXXXX", current_page_number);
+             if (cups_header.cupsColorSpace == CUPS_CSPACE_RGBW ||
+                 cups_header.cupsColorSpace == CUPS_CSPACE_RGB)
+             {
+-                cfp = fopen (szFileName, "w");
+-                chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
++		int fd = mkstemp (szFileName);
++		if (fd != -1)
++		    cfp = fdopen (fd, "w");
+             }
+             if (cups_header.cupsColorSpace == CUPS_CSPACE_RGBW ||
+                 cups_header.cupsColorSpace == CUPS_CSPACE_K)
+             {
+-                szFileName[17] = 'k';
+-                kfp = fopen (szFileName, "w");
+-                chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
++		int fd;
++		snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterk_%d.bmp.XXXXXX", current_page_number);
++		fd = mkstemp (szFileName);
++		if (fd != -1)
++		    kfp = fdopen (fd, "w");
+             }
+ 
+             WriteBMPHeader (cfp, cups_header.cupsWidth, cups_header.cupsHeight, COLOR_RASTER);
+--- a/prnt/hpcups/SystemServices.cpp
++++ b/prnt/hpcups/SystemServices.cpp
+@@ -36,10 +36,12 @@
+     m_fp = NULL;
+     if (iLogLevel & SAVE_PCL_FILE)
+     {
+-        char    fname[32];
+-        sprintf(fname, "/tmp/hpcups_job%d.out", job_id);
+-        m_fp = fopen(fname, "w");
+-        chmod(fname, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
++	int	fd;
++        char    fname[40];
++        sprintf(fname, "/tmp/hpcups_job%d.out.XXXXXX", job_id);
++	fd = mkstemp (fname);
++	if (fd != -1)
++	    m_fp = fdopen(fd, "w");
+     }
+ }
+ 
+--- a/prnt/hpijs/hpijs.cpp
++++ b/prnt/hpijs/hpijs.cpp
+@@ -96,13 +96,12 @@
+ 
+     if (pSS->m_iLogLevel & SAVE_PCL_FILE)
+     {
++	int	fd;
+         char    szFileName[32];
+-	sprintf (szFileName, "/tmp/hpijs_%d.out", getpid());
+-	pSS->outfp = fopen (szFileName, "w");
+-	if (pSS->outfp)
+-	{
+-	    chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+-	}
++	sprintf (szFileName, "/tmp/hpijs_%d.out.XXXXXX", getpid());
++	fd = mkstemp (szFileName);
++	if (fd != -1)
++	    pSS->outfp = fdopen (fd, "w");
+     }
+ }
+ 
+--- a/prnt/hpps/hppsfilter.c
++++ b/prnt/hpps/hppsfilter.c
+@@ -92,10 +92,12 @@
+     g_fp_outdbgps = NULL;
+     if (g_savepsfile & SAVE_PS_FILE)
+     {
++	int	fd;
+         char    sfile_name[FILE_NAME_SIZE] = {0};
+-        sprintf(sfile_name, DBG_PSFILE, szjob_id);
+-        g_fp_outdbgps= fopen(sfile_name, "w");
+-        chmod(sfile_name, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
++        sprintf(sfile_name, DBG_PSFILE ".XXXXXX", szjob_id);
++	fd = mkstemp (sfile_name);
++	if (fd != -1)
++	    g_fp_outdbgps = fdopen(fd, "w");
+     }
+ }
+ 
diff -Nru hplip-3.12.6/debian/patches/series hplip-3.12.6/debian/patches/series
--- hplip-3.12.6/debian/patches/series	2012-06-24 08:51:04.000000000 +0200
+++ hplip-3.12.6/debian/patches/series	2013-03-01 14:45:50.000000000 +0100
@@ -26,3 +26,4 @@
 hp-mkuri-libnotify-so-4-support.dpatch
 hpaio-option-duplex.diff
 debian-changes
+CVE-2013-0200.patch

Attachment: signature.asc
Description: Digital signature

Reply via email to